From 1fa8294ee6c96a22e2f004f5aacf49f277d1285f Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 13 Feb 2023 14:56:51 -0500 Subject: [PATCH] influx upgrade --- salt/common/tools/sbin/so-influxdb-manage | 78 +++++++++++++++-------- salt/common/tools/sbin/so-user | 9 +++ salt/influxdb/init.sls | 12 ++-- 3 files changed, 70 insertions(+), 29 deletions(-) diff --git a/salt/common/tools/sbin/so-influxdb-manage b/salt/common/tools/sbin/so-influxdb-manage index 964a1b517..96b0c01f9 100644 --- a/salt/common/tools/sbin/so-influxdb-manage +++ b/salt/common/tools/sbin/so-influxdb-manage @@ -18,6 +18,8 @@ usage() { echo " userenable Enables a user, requires: " echo " userdisable Disables a user, requires: " echo " userpass Updates a user's password, requires: " + echo " userpromote Promotes a user to admin: " + echo " userdemote Demotes a user from admin: " echo "" echo "If required, the password will be read from STDIN." exit 1 @@ -27,13 +29,14 @@ if [ $# -lt 1 ]; then usage fi +COMMAND=$(basename $0) OP=$1 shift set -eo pipefail log() { - echo -e "$(date) | InfluxDB | $@" >&2 + echo -e "$(date) | $COMMAND | $@" >&2 } check_response() { @@ -61,17 +64,6 @@ lookup_user_id() { echo "$uid" } -lookup_org_id() { - response=$(request orgs?limit=100) - check_response "$response" - oid=$(echo "$response" | jq -r ".orgs[] | select(.name == \"Security Onion\").id") - if [[ -z "$oid" ]]; then - log "Organization not found" - exit 1 - fi - echo "$oid" -} - lookup_stack_id() { oid=$1 @@ -86,15 +78,6 @@ lookup_stack_id() { echo "$stackid" } -add_user_to_org() { - uid=$1 - oid=$2 - - log "Adding new user to organization" - response=$(request orgs/$oid/members -X POST -d "{\"id\":\"$uid\"}") - check_response "$response" -} - change_password() { uid=$1 
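Review bot: The rewritten `log` line in the `@@ -27,13 +29,14 @@` hunk still sends its message through `echo -e`, so backslash sequences inside logged values such as `email=$email` are interpreted instead of being written literally, which lets a crafted value break up or forge log lines. I would write it as `printf '%s | %s | %s\n' "$(date)" "$COMMAND" "$*" >&2`, which also replaces `$@` inside a quoted string with `$*`. If any caller outside this hunk relies on `\n` in its message being expanded, that caller needs adjusting. The new assignment should quote its argument: `COMMAND=$(basename "$0")`.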
@@ -137,6 +120,30 @@ setup_bucket() { check_response "$response" } +lookup_org_id_with_wait() { + max_attempts=30 + attempts=0 + wait=10 + while [[ $attempts -lt $max_attempts ]]; do + response=$(request orgs?org=Security+Onion) + check_response "$response" + oid=$(echo "$response" | jq -r ".orgs[] | select(.name == \"Security Onion\").id") + if [[ -z $oid ]]; then + attempts=$((attempts+1)) + log "Server does not appear to be running or fully initialized - will try again in $wait seconds ($attempts / $max_attempts)" + sleep $wait + else + echo "$oid" + return + fi + done + + log "Server has not started after $max_attempts attempts - aborting" + exit 1 +} + +oid=$(lookup_org_id_with_wait) + case "$OP" in setup) @@ -146,7 +153,6 @@ case "$OP" in newest=$(ls -1t /opt/so/conf/influxdb/templates/ | head -1) if [ /opt/so/conf/influxdb/templates/$newest -nt /opt/so/conf/influxdb/last_template_setup ]; then log "Updating templates" - oid=$(lookup_org_id) stackid=$(lookup_stack_id "$oid") for file in /opt/so/conf/influxdb/templates/*; do if [[ "$templates_array" != "" ]]; then @@ -164,7 +170,6 @@ case "$OP" in # Setup buckets and retention periods if at least one has been modified since the last setup if [ /opt/so/conf/influxdb/buckets.json -nt /opt/so/conf/influxdb/last_bucket_setup ]; then log "Updating buckets and retention periods" - oid=$(lookup_org_id) for rp in so_short_term so_long_term; do bucket=telegraf/$rp log "Ensuring bucket is created and configured; bucket=$bucket" @@ -189,11 +194,14 @@ case "$OP" in [ $# -ne 1 ] && usage email=$1 log "Adding new user; email=$email" - oid=$(lookup_org_id) response=$(request users -X POST -d "{\"name\":\"$email\"}") check_response "$response" uid=$(echo "$response" | jq -r .id) - add_user_to_org "$uid" "$oid" + + log "Adding new user to organization" + response=$(request orgs/$oid/members -X POST -d "{\"id\":\"$uid\"}") + check_response "$response" + change_password "$uid" ;; 
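Review bot: `oid=$(lookup_org_id_with_wait)` is placed before `case "$OP" in`, so every operation, including an unrecognised one that only reaches `usage`, performs the organization lookup and can block for up to 30 attempts of 10 seconds when InfluxDB is not answering. I would resolve the id only for the arms that use it, for example `case "$OP" in setup|useradd|userpromote|userdemote) oid=$(lookup_org_id_with_wait) ;; esac` (those are the arms visible in this patch that reference `$oid`; others may exist outside the hunks). Inside the loop, `check_response "$response"` runs before the empty-`oid` retry; `check_response` is defined outside this hunk, but if it exits on an error body the loop cannot retry in that case. The test would also read more safely quoted, `[[ -z "$oid" ]]`.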
@@ -232,6 +240,26 @@ case "$OP" in check_response "$response" ;; + userpromote) + [ $# -ne 1 ] && usage + email=$1 + log "Promoting user to admin; email=$email" + uid=$(lookup_user_id "$email") + response=$(request orgs/$oid/members/$uid -X DELETE) + response=$(request orgs/$oid/owners -X POST -d "{\"id\":\"$uid\"}") + check_response "$response" + ;; + + userdemote) + [ $# -ne 1 ] && usage + email=$1 + log "Demoting user from admin; email=$email" + uid=$(lookup_user_id "$email") + response=$(request orgs/$oid/owners/$uid -X DELETE) + response=$(request orgs/$oid/members -X POST -d "{\"id\":\"$uid\"}") + check_response "$response" + ;; + *) usage ;; diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index da6f3a4fb..4ad3983b4 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -588,6 +588,9 @@ case "${operation}" in syncAll echo "Successfully added new user to SOC" echo "$password" | so-influxdb-manage useradd "$email" + if [[ "$role" == "superuser" ]]; then + echo "$password" | so-influxdb-manage userpromote "$email" + fi ;; "list") @@ -605,6 +608,9 @@ case "${operation}" in if addUserRole "$email" "$role"; then syncElastic echo "Successfully added role to user" + if [[ "$role" == "superuser" ]]; then + echo "$password" | so-influxdb-manage userpromote "$email" + fi fi ;; @@ -618,6 +624,9 @@ case "${operation}" in deleteUserRole "$email" "$role" syncElastic echo "Successfully removed role from user" + if [[ "$role" == "superuser" ]]; then + echo "$password" | so-influxdb-manage userdemote "$email" + fi ;; "password") diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index ff6466bb4..4872a5a40 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls 
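Review bot: In both new arms of the `@@ -232,6 +240,26 @@` hunk the response of the first request (the `-X DELETE`) is overwritten by the second request before `check_response` runs, so a failed removal goes unnoticed. For `userdemote` that means a failed `DELETE` on `orgs/$oid/owners/$uid` leaves the account with owner rights while the command still reports success once the member POST passes. Add `check_response "$response"` directly after each DELETE, and for `userpromote` decide whether a user who is not currently a member should be tolerated. `check_response` is defined outside this hunk, so confirm how it treats the body of a DELETE. Quoting the path, `request "orgs/$oid/owners/$uid" -X DELETE`, would keep an unexpected id value from being word-split.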
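Review bot: The new arms in so-influxdb-manage only call `lookup_user_id` and `request`, so `userpromote` and `userdemote` never read a password, yet the so-user hunks pipe `echo "$password"` into them. That hands the secret to a process that does not need it, and in the role-add and role-remove arms (`@@ -605,6 +608,9 @@` and `@@ -618,6 +624,9 @@`) it is not visible that `$password` is set at all. Call them without the pipe: `so-influxdb-manage userpromote "$email"` and `so-influxdb-manage userdemote "$email"`. In the role-remove arm "Successfully removed role from user" is printed before the demotion runs and the hunk does not inspect its exit status, so a failed demotion could leave InfluxDB owner rights in place without the operator being told. The enclosing `case "${operation}"` starts and ends outside these hunks.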
@@ -71,10 +71,6 @@ influxdb_curl_config: - show_changes: False - makedirs: True -influxdb-setup: - cmd.run: - - name: /usr/sbin/so-influxdb-manage setup &>> /opt/so/log/influxdb/setup.log - so-influxdb: docker_container.running: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-influxdb:{{ GLOBALS.so_version }} @@ -113,6 +109,14 @@ append_so-influxdb_so-status.conf: - name: /opt/so/conf/so-status/so-status.conf - text: so-influxdb +influxdb-setup: + cmd.run: + - name: /usr/sbin/so-influxdb-manage setup &>> /opt/so/log/influxdb/setup.log + - require: + - file: influxdbbucketsconf + - file: influxdb_curl_conf + - docker_container: so-influxdb + # Install cron job to determine size of influxdb for telegraf get_influxdb_size: cron.present:
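Review bot: The `require` list added in the `@@ -113,6 +109,14 @@` hunk names `- file: influxdb_curl_conf`, but the state ID visible in the `@@ -71,10 +71,6 @@` hunk of this file is `influxdb_curl_config`. Unless a state with the shorter ID exists outside these hunks, Salt will report a missing requisite and `influxdb-setup` will not run. I would change the line to `- file: influxdb_curl_config`. `influxdbbucketsconf` is not visible in the patch either, so that ID should be confirmed against the rest of init.sls.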