From 5787b348fe5c57bc77e658a49824af590043a557 Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 2 Jul 2019 19:07:37 +0200 Subject: [PATCH] Upgrade elasticsearch tasks. Fix permissions. --- .../ansible-elasticsearch/tasks/main.yml | 94 +++++++++++++++---- 1 file changed, 76 insertions(+), 18 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 5a60e6d8..8ed1c926 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -48,16 +48,6 @@ - ansible_service_mgr != "systemd" - ansible_os_family == "RedHat" -- name: Configure Elasticsearch. - template: - src: elasticsearch.yml.j2 - dest: /etc/elasticsearch/elasticsearch.yml - owner: root - group: elasticsearch - mode: 0660 - notify: restart elasticsearch - tags: configure - - name: Configure Elasticsearch JVM memmory. template: src: jvm.options.j2 @@ -70,17 +60,29 @@ # fix in new PR (ignore_errors) +- import_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + +- name: Check if certificate exists locally + stat: + path: "{{node_certs_destination}}/{{ elasticsearch_node_name }}.crt" + register: certificate_file_exists + when: + - elasticsearch_xpack_security + - name: Write the instances.yml file in the selected node (force = no) template: src: instances.yml.j2 dest: "{{node_certs_source}}/instances.yml" force: no + register: instances_file_exists tags: - config - xpack-security when: - node_certs_generator - elasticsearch_xpack_security + - not certificate_file_exists.stat.exists - name: Update instances.yml status after generation stat: @@ -105,6 +107,8 @@ - instances_file_exists.stat.exists - elasticsearch_xpack_security - not xpack_certs_zip.stat.exists + - not certificate_file_exists.stat.exists + register: certs_file_generated tags: xpack-security - name: Unzip generated certs.zip 
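Review bot: In the hunk at -70,17, `register: instances_file_exists` is added to the template task, but a template result has no `stat` key, while later conditions in this file read `instances_file_exists.stat.exists`. The following `stat` task ("Update instances.yml status after generation") presumably registers the same name and overwrites it; its `register` line is outside the hunk. If so, the added register is redundant, and if not, it breaks those conditions, so I would drop it or use a distinct name such as `register: instances_file_written`. Separately, `certificate_file_exists` comes from a task that is skipped when `elasticsearch_xpack_security` is false, and a skipped result has no `stat` key. Every condition reading `.stat.exists` therefore depends on `elasticsearch_xpack_security` being listed before it, which deserves a comment on the stat task: `# skipped result has no .stat; keep elasticsearch_xpack_security ahead of any .stat.exists test`.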
@@ -115,6 +119,8 @@ when: - node_certs_generator - elasticsearch_xpack_security + - certs_file_generated is defined + - not certificate_file_exists.stat.exists tags: xpack-security - name: Copy key & certificate files in generator node (locally) @@ -132,13 +138,7 @@ src: "{{node_certs_source}}/ca/" dest: "{{node_certs_destination}}/" delegate_to: "{{ node_certs_generator_ip }}" - when: - - node_certs_generator - - elasticsearch_xpack_security - tags: xpack-security - -- name: Remove generated certs file - shell: /bin/rm -f {{node_certs_source}}/certs.zip* + register: check_certs_permissions when: - node_certs_generator - elasticsearch_xpack_security @@ -149,6 +149,7 @@ when: - not node_certs_generator - elasticsearch_xpack_security + - not certificate_file_exists.stat.exists tags: xpack-security - name: Importing ca certificate file from generator node 
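Review bot: The added guard `certs_file_generated is defined` on the "Unzip generated certs.zip" task is always true, because `register` sets the variable even when the registering task is skipped (the result then carries `skipped: true`). If the intent is to unzip only when the generation task actually ran, test the result instead: `- certs_file_generated is not skipped` (or `is changed`). The same applies to `check_certs_permissions`, registered in the hunks at -132,13 and -156,13 and tested with `is defined` on the new chown/chmod tasks. There the second `register` also overwrites the first, so on the generator node the variable ends up holding the skipped result of the import task.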
@@ -156,13 +157,45 @@ when: - not node_certs_generator - elasticsearch_xpack_security + - not certificate_file_exists.stat.exists + register: check_certs_permissions tags: xpack-security +- name: Ensuring certificates folder owner + shell: "chown -R elasticsearch: {{node_certs_destination}}/" + when: + - check_certs_permissions is defined + tags: xpack-security + +- name: Ensuring certificates folder owner + shell: "chmod -R 770 {{node_certs_destination}}/" + when: + - check_certs_permissions is defined + tags: xpack-security + + +- name: Remove generated certs file + shell: /bin/rm -f {{node_certs_source}}/certs.zip* + when: + - node_certs_generator + - elasticsearch_xpack_security + tags: xpack-security + +- name: Configure Elasticsearch. + template: + src: elasticsearch.yml.j2 + dest: /etc/elasticsearch/elasticsearch.yml + owner: root + group: elasticsearch + mode: 0660 + notify: restart elasticsearch + tags: configure + - name: Set elasticsearch bootstrap password shell: "echo '{{elasticsearch_xpack_security_password}}' | {{node_certs_source}}/bin/elasticsearch-keystore add -xf 'bootstrap.password'" when: - elasticsearch_xpack_security - + - name: Reload systemd systemd: daemon_reload=true ignore_errors: true 
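Review bot: The two new `shell` tasks apply `chmod -R 770` to the certificate directory, which marks private keys and certificates executable and group-writable, and both tasks carry the name "Ensuring certificates folder owner". They also run whenever the play reaches them, since `check_certs_permissions is defined` holds even for skipped tasks and there is no `elasticsearch_xpack_security` condition. The `chown` may therefore fail when security is off, assuming the directory is only created when it is on. A single idempotent `file` task with a symbolic mode keeps directories traversable without making files executable. The mode below is tighter than the committed 770 and assumes only the elasticsearch user needs write access.

```yaml
- name: Ensure certificates folder ownership and permissions
  file:
    path: "{{ node_certs_destination }}/"
    state: directory
    owner: elasticsearch
    # assumes the user's login group, which is what `chown elasticsearch:` selects
    group: elasticsearch
    recurse: yes
    mode: "u=rwX,g=rX,o="
  when:
    - elasticsearch_xpack_security
  tags: xpack-security
```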
@@ -184,6 +217,31 @@ - configure - init +- name: Check for Wazuh Alerts template (http) + uri: + url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" + method: GET + status_code: 200, 404 + when: + - elasticsearch_bootstrap_node or single_node + - not elasticsearch_xpack_security + poll: 30 + register: wazuh_alerts_template_exits + tags: init + +- name: Installing Wazuh Alerts template (http) + uri: + url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" + method: PUT + status_code: 200 + body_format: json + body: "{{ lookup('template','wazuh-elastic7-template-alerts.json.j2') }}" + when: + - wazuh_alerts_template_exits.status is defined + - wazuh_alerts_template_exits.status != 200 + - not elasticsearch_xpack_security + tags: init + - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat"
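Review bot: `poll: 30` on the "Check for Wazuh Alerts template (http)" task has no effect, because `poll` is only honoured together with `async`. If the intent is to wait for Elasticsearch to answer after the restart, a retry loop states that directly: `until: wazuh_alerts_template_exits is succeeded`, `retries: 6`, `delay: 5` (counts are illustrative). The register name `wazuh_alerts_template_exits` looks like a typo for `..._exists`. Both tasks are skipped when `elasticsearch_xpack_security` is true, so nothing in this hunk installs the template on a secured cluster; a comment should say where that case is handled, if it is.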