From 285d73d52632a4b06d37166af8ab58fd934d7b07 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Fri, 18 Apr 2025 14:07:32 -0400 Subject: [PATCH] enable/disable soqemussh. allow for pw to be set --- pillar/top.sls | 5 +++ salt/_runners/setup_hypervisor.py | 29 ++++++++++--- salt/top.sls | 3 +- salt/vm/defaults.yaml | 5 +++ salt/vm/map.jinja | 25 ++++++++++++ salt/vm/soc_vm.yaml | 10 +++++ salt/{vm_status => vm/status}/init.sls | 0 salt/vm/user/init.sls | 56 ++++++++++++++++++++++++++ 8 files changed, 127 insertions(+), 6 deletions(-) create mode 100644 salt/vm/defaults.yaml create mode 100644 salt/vm/map.jinja create mode 100644 salt/vm/soc_vm.yaml rename salt/{vm_status => vm/status}/init.sls (100%) create mode 100644 salt/vm/user/init.sls diff --git a/pillar/top.sls b/pillar/top.sls index c118073a1..1fdb59deb 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -26,6 +26,11 @@ base: - nginx.soc_nginx - nginx.adv_nginx + 'salt-cloud:driver:libvirt': + - match: grain + - vm.soc_vm + - vm.adv_vm + '*_manager or *_managersearch or *_managerhype': - match: compound - node_data.ips diff --git a/salt/_runners/setup_hypervisor.py b/salt/_runners/setup_hypervisor.py index 35d1bad21..028771291 100644 --- a/salt/_runners/setup_hypervisor.py +++ b/salt/_runners/setup_hypervisor.py @@ -10,8 +10,6 @@ # software that is protected by the license key." """ -TODO: Remove passwd hash prior to release. used for development - This runner performs the initial setup required for hypervisor hosts in the Security Onion environment. It handles downloading the Oracle Linux KVM image, setting up SSH keys for secure communication, and creating virtual machines with cloud-init configuration. 
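Review bot: The new `'salt-cloud:driver:libvirt'` pillar target is a grain match, and grains are asserted by the minion itself, so any minion that reports that grain (including a compromised one) will be handed the `vm` pillar, which per `soc_vm.yaml` later in this patch is where the soqemussh password hash lives. A SHA-512 crypt hash is crackable offline, so it is worth scoping this more tightly than a minion-controlled grain, for example a compound match that also pins the minion ID in the style of the `'*_manager or ...'` entry just below it (`- match: compound` with `G@salt-cloud:driver:libvirt and I@<hypervisor-id-pattern>`), using whatever ID pattern hypervisor nodes actually receive, which this hunk does not show. Separately, `vm.adv_vm` is included here but no `pillar/vm/adv_vm.sls` is created by this patch; if setup does not generate it the way it presumably does for `nginx.adv_nginx`, pillar rendering for these minions may report the SLS as not available, so that is worth confirming.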
@@ -715,6 +713,24 @@ def create_vm(vm_name: str, disk_size: str = '220G'): log.error("CREATEVM: Failed to read SSH public key: %s", str(e)) return {'success': False, 'error': 'Failed to read SSH public key'} + # Read pillar data for soqemussh password hash + pillar_path = '/opt/so/saltstack/local/pillar/vm/soc_vm.sls' + password_hash = None + passwd_line = "" # Default to empty if no hash found + try: + if os.path.exists(pillar_path): + with salt.utils.files.fopen(pillar_path, 'r') as f: + pillar_data = yaml.safe_load(f) + if pillar_data: + password_hash = pillar_data.get('vm', {}).get('user', {}).get('soqemussh', {}).get('passwordHash') + if password_hash: + passwd_line = f" passwd: {password_hash}\n" + log.info("CREATEVM: Found soqemussh password hash in pillar.") + else: + log.info("CREATEVM: No soqemussh password hash found in pillar, omitting passwd line.") + except Exception as e: + log.warning(f"CREATEVM: Error reading or parsing pillar file {pillar_path}: {str(e)}. Omitting passwd line.") + # Read and encode GPG keys keys_dir = '/opt/so/saltstack/default/salt/repo/client/files/oracle/keys' oracle_key = _read_and_encode_key(os.path.join(keys_dir, 'RPM-GPG-KEY-oracle')) @@ -752,8 +768,7 @@ users: shell: /bin/bash sudo: ALL=(ALL) NOPASSWD:ALL lock_passwd: false - passwd: $6$THWuTZMZhIVMGaaw$w9kozn7z7i0Y9LRVGZwN6mcZag4vMpE3hW6eCtKNHlFpL1XLcOdiIr29JyDxx3MLBXNedIqnqcj4psqCjv58d. - ssh_authorized_keys: +{passwd_line} ssh_authorized_keys: - {ssh_pub_key} # Configure where output will go @@ -796,6 +811,10 @@ write_files: content: | {securityonion_key} +# Run on every boot - this will only run *after* the first boot and successful cloud-init run +bootcmd: + - if [ -f /var/lib/cloud/instance/boot-finished ]; then touch /etc/cloud/cloud-init.disabled; fi + runcmd: # Import GPG keys and remove repo files except securityonion.repo - rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle 
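Review bot: `password_hash` read from `soc_vm.sls` is interpolated straight into the cloud-init YAML through `f" passwd: {password_hash}\n"` with no validation, and `soc_vm.yaml` in this patch only constrains the setting to a string, so a value containing a newline, `#` or `: ` would alter the structure of the generated user-data rather than just the password. A crypt SHA-512 hash only ever uses `./0-9A-Za-z$`, so a check before building the line such as `if not re.fullmatch(r'\$6\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}', password_hash): return {'success': False, 'error': 'Invalid soqemussh password hash'}` (loosened if `rounds=` salts are expected, and assuming `re` is imported, which this hunk does not show) would reject injection and catch an operator pasting something that is not a hash. This code also keys only on `passwordHash` and ignores the `enabled` flag, whereas `salt/vm/user/init.sls` in the same patch removes the user when `enabled` is False, so with the default `enabled: False` a configured hash still lands in the guest's cloud-init user block; if the two settings are meant to travel together, the pillar read should honour `enabled` too. Finally, the broad `except Exception` turns an unreadable or malformed pillar file into a VM built without the credential the operator configured, with only a warning, while the SSH-key read just above fails the call; failing here as well seems the safer default. The enclosing `create_vm` starts and ends outside this hunk.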
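Review bot: In the `users:` hunk `lock_passwd: false` is still emitted unconditionally while `passwd:` is now optional, so when no hash is configured the account is declared unlocked but has no password set, which relies on useradd's default shadow entry to keep it locked rather than on anything cloud-init is told. Folding the lock flag into the same conditional, e.g. building `passwd_line` as `f" lock_passwd: false\n passwd: {password_hash}\n"` and emitting `lock_passwd: true` otherwise, makes the intent explicit. Note that this user also carries `sudo: ALL=(ALL) NOPASSWD:ALL`, so the hash set here is effectively a root credential for the guest wherever password logins are reachable; the user's name and the surrounding `users:` entry are outside the hunk.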
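Review bot: The comment above the new `bootcmd:` entry says the disable runs only after a "successful cloud-init run", but as far as I know `/var/lib/cloud/instance/boot-finished` is written when the final stage completes regardless of whether individual modules such as `runcmd` failed, so a failed first boot would still be followed by cloud-init being disabled on the next one. Rewording it to `# Runs every boot; after the first full cloud-init run (boot-finished exists) it disables cloud-init for subsequent boots` avoids promising a success check that is not there. If a failed provisioning run is meant to retry, the guard would need to test something the `runcmd` steps themselves produce.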
@@ -811,7 +830,6 @@ runcmd: - pvresize /dev/vda2 - lvextend -l +100%FREE /dev/vg_main/lv_root - xfs_growfs /dev/vg_main/lv_root - - touch /etc/cloud/cloud-init.disabled - rm -f /etc/sysconfig/network-scripts/ifcfg-eth0 power_state: @@ -819,6 +837,7 @@ power_state: mode: poweroff timeout: 30 condition: True + message: Cloud-init completed, powering off """ user_data_path = os.path.join(vm_dir, 'user-data') with salt.utils.files.fopen(user_data_path, 'w') as f: diff --git a/salt/top.sls b/salt/top.sls index 4f8029706..073f24d29 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -11,7 +11,8 @@ base: 'salt-cloud:driver:libvirt': - match: grain - storage - - vm_status + - vm.status + - vm.user '*': - cron.running diff --git a/salt/vm/defaults.yaml b/salt/vm/defaults.yaml new file mode 100644 index 000000000..f9d607532 --- /dev/null +++ b/salt/vm/defaults.yaml @@ -0,0 +1,5 @@ +vm: + user: + soqemussh: + enabled: False + passwordHash: diff --git a/salt/vm/map.jinja b/salt/vm/map.jinja new file mode 100644 index 000000000..c55784e8f --- /dev/null +++ b/salt/vm/map.jinja 
@@ -0,0 +1,25 @@ +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + https://securityonion.net/license; you may not use this file except in compliance with the + Elastic License 2.0. + + Note: Per the Elastic License 2.0, the second limitation states: + + "You may not move, change, disable, or circumvent the license key functionality + in the software, and you may not remove or obscure any functionality in the + software that is protected by the license key." #} + +{% if 'vrt' in salt['pillar.get']('features', []) %} + +{% import_yaml 'vm/defaults.yaml' as VMDEFAULTS %} +{% set VMMERGED = salt['pillar.get']('vm', VMDEFAULTS.vm, merge=True) %} + +{% else %} + +{% do salt.log.error( + 'Hypervisor nodes are a feature supported only for customers with a valid license.' + 'Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com' + 'for more information about purchasing a license to enable this feature.' +) %} + +{% endif %} diff --git a/salt/vm/soc_vm.yaml b/salt/vm/soc_vm.yaml new file mode 100644 index 000000000..3b3cdbbfa --- /dev/null +++ b/salt/vm/soc_vm.yaml @@ -0,0 +1,10 @@ +vm: + user: + soqemussh: + enabled: + description: Enable or disable the soqemussh user. + forcedType: bool + passwordHash: + description: 'Enter a SHA-512 password hash to set the soqemussh user password. Generate this hash by running the following command on the manager: `openssl passwd -6`' + forcedType: string + global: True diff --git a/salt/vm_status/init.sls b/salt/vm/status/init.sls similarity index 100% rename from salt/vm_status/init.sls rename to salt/vm/status/init.sls diff --git a/salt/vm/user/init.sls b/salt/vm/user/init.sls new file mode 100644 index 000000000..48185a9da --- /dev/null +++ b/salt/vm/user/init.sls 
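Review bot: The three adjacent string literals inside the `salt.log.error(...)` call in the unlicensed branch are concatenated without separating spaces, so the logged message reads `...with a valid license.Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.comfor more information...`, which also corrupts the URL. Add a trailing space to the first two literals: `'...with a valid license. '` and `'...https://securityonionsolutions.com '`. In that same branch `VMMERGED` is never defined, so any state that does `{% from 'vm/map.jinja' import VMMERGED %}` without first checking the `vrt` feature itself will fail with an undefined-variable render error instead of the intended message; `vm/user/init.sls` guards for this, but either defining `VMMERGED` from `VMDEFAULTS.vm` in the else branch or a comment stating that importers must perform the same feature check would remove the trap.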
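Review bot: `passwordHash` is declared as a free-form `forcedType: string`, so the configuration UI will accept any text, including values that are not a crypt hash, and the consumer of this setting in `setup_hypervisor.py` within this patch does not validate it either; if the annotation schema supports a pattern constraint, something like `regex: '^\$6\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$'` would catch paste errors at the point of entry. The description should also say what the credential unlocks: in the same patch the cloud-init user this hash is applied to has `sudo: ALL=(ALL) NOPASSWD:ALL`, so a weak password here is effectively root on the guest wherever password logins are possible. I do not know whether the schema has a way to mark a setting as sensitive so it is masked in the UI and logs; if it does, `passwordHash` is a candidate.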
@@ -0,0 +1,56 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. +# +# Note: Per the Elastic License 2.0, the second limitation states: +# +# "You may not move, change, disable, or circumvent the license key functionality +# in the software, and you may not remove or obscure any functionality in the +# software that is protected by the license key." + +{% if 'vrt' in salt['pillar.get']('features', []) %} + +{% from 'vm/map.jinja' import VMMERGED %} + +{% if VMMERGED.user.soqemussh.enabled %} + +vm_user_soqemussh: + user.present: + - name: soqemussh + - shell: /bin/bash + - home: /home/soqemussh +{% if VMMERGED.user.soqemussh.passwordHash %} + - password: '{{ VMMERGED.user.soqemussh.passwordHash }}' +{% endif %} + +vm_user_soqemussh_home_directory: + file.directory: + - name: /home/soqemussh + - user: soqemussh + - group: soqemussh + - mode: 700 + - recurse: + - user + - group + +{% else %} + +vm_user_soqemussh: + user.absent: + - name: soqemussh + - force: True + +{% endif %} + +{% else %} + +{{sls}}_no_license_detected: + test.fail_without_changes: + - name: {{sls}}_no_license_detected + - comment: + - "Hypervisor nodes are a feature supported only for customers with a valid license. + Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com + for more information about purchasing a license to enable this feature." + +{% endif %}
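Review bot: When `enabled` is True and `passwordHash` is later cleared, `user.present` is rendered without `- password:`, and Salt's `user.present` leaves an existing password hash untouched in that case, so the old credential stays valid on the hypervisor until someone locks the account by hand. An explicit else branch, e.g. `{% else %}` / `    - password: '!'` / `{% endif %}` (provided `'!'` round-trips through `shadow.set_password` on this platform, which I have not verified), would make removing the hash from pillar actually lock the account. In the disabled branch, `user.absent` with `force: True` removes the user but not its files; `/home/soqemussh` (mode 700, plus anything placed in it) survives unless `purge: True` is added. I am also not certain Salt masks the `password` argument in state output and `changes`, so the hash may appear in job returns and logs; worth checking before relying on it being hidden.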