Add custom API user support

2020-10-27 15:02:27 +01:00 · 2020-10-27 15:02:27 +01:00 · a77be1f959
commit a77be1f959
parent 912d669281
2 changed files with 108 additions and 39 deletions
--- a/roles/wazuh/ansible-wazuh-manager/files/create_user.py
+++ b/roles/wazuh/ansible-wazuh-manager/files/create_user.py
@ -0,0 +1,86 @@
+import logging
+import sys
+import json
+import random
+import string
+import argparse
+import os
+
+# Set framework path
+sys.path.append("/var/ossec/framework")
+
+try:
+    from wazuh.security import (
+        create_user,
+        get_users,
+        get_roles,
+        set_user_role,
+        update_user,
+    )
+except Exception as e:
+    logging.error("No module 'wazuh' found.")
+    sys.exit(1)
+
+
+def db_users():
+    users_result = get_users()
+    return {user["username"]: user["id"] for user in users_result.affected_items}
+
+
+def db_roles():
+    roles_result = get_roles()
+    return {role["name"]: role["id"] for role in roles_result.affected_items}
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='add_user script')
+    parser.add_argument('--username', action="store", dest="username")
+    parser.add_argument('--password', action="store", dest="password")
+    results = parser.parse_args()
+
+    username = results.username
+    password = results.password
+
+    initial_users = db_users()
+    if username not in initial_users:
+        # create a new user
+        create_user(username=username, password=password)
+        users = db_users()
+        uid = users[username]
+        roles = db_roles()
+        rid = roles["administrator"]
+        set_user_role(
+            user_id=[
+                str(uid),
+            ],
+            role_ids=[
+                str(rid),
+            ],
+        )
+    else:
+        # modify an existing user ("wazuh" or "wazuh-wui")
+        uid = initial_users[username]
+        update_user(
+            user_id=[
+                str(uid),
+            ],
+            password=password,
+        )
+    # set a random password for all other users
+    for name, id in initial_users.items():
+        if name != username:
+            random_pass = "".join(
+                random.choices(
+                    string.ascii_uppercase
+                    + string.ascii_lowercase
+                    + string.digits
+                    + "@$!%*?&-_",
+                    k=16,
+                )
+            )
+            update_user(
+                user_id=[
+                    str(id),
+                ],
+                password=random_pass,
+            )
--- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
@ -277,46 +277,29 @@
  tags:
    - config

-# - name: Get API auth token
-#   uri:
-#     url: "https://{{ inventory_hostname }}:55000/security/user/authenticate?raw=true"
-#     method: GET
-#     user: wazuh
-#     password: wazuh
-#     validate_certs: no
-#     force_basic_auth: yes
-#     return_content: yes
-#     status_code: 200
-#   retries: 10
-#   delay: 5
-#   until: token.status == 200
-#   register: token
-#   tags: 
-#     - config_api_users
-#   when:
-#     - wazuh_api_users is defined
-#     - wazuh_manager_config.cluster.node_type == "master"
+- name: Create custom API user
+  block:
+    - name: Copy create_user script
+      copy:
+        src: create_user.py
+        dest: /var/ossec/framework/scripts/create_user.py
+        owner: root
+        group: ossec
+        mode: 0644

-# - name: Create Wazuh-API Users
-#   block:
-#     - name: Create new user
-#       uri:
-#         url: "https://{{ inventory_hostname }}:55000/security/users"
-#         method: POST
-#         body_format: json
-#         body:
-#           username: "{{ item.username }}"
-#           password: "{{ item.password }}"
-#         validate_certs: no
-#         status_code: 200
-#         headers: 
-#           Authorization: "Bearer {{ token.content }}"
-#       with_items:
-#         - "{{ wazuh_api_users }}"
-#       register: user_creation
-  # when:
-  #   - wazuh_api_users is defined
-  #   - wazuh_manager_config.cluster.node_type == "master"
+    - name: Execute create_user script
+      script:
+        chdir: /var/ossec/framework/scripts/
+        cmd: create_user.py --username "{{ item.username }}" --password "{{ item.password }}"
+        executable: /var/ossec/framework/python/bin/python3
+      with_items:
+        - "{{ wazuh_api_users }}"
+
+  tags:
+    - config_api_users
+  when:
+    - wazuh_api_users is defined
+    - wazuh_manager_config.cluster.node_type == "master"

 - name: Agentless Hosts & Passwd
  template: