From 8c6489a49a945ee08c2906bd9955bc858bbb489b Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 24 May 2021 15:48:05 -0400 Subject: [PATCH] Initial pass at synchronizing users file --- salt/common/tools/sbin/so-user | 21 ++++++++++++++++++--- salt/elasticsearch/init.sls | 2 ++ 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index edfa4b303..dbd755bc4 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -40,6 +40,7 @@ email=$2 kratosUrl=${KRATOS_URL:-http://127.0.0.1:4434} databasePath=${KRATOS_DB_PATH:-/opt/so/conf/kratos/db/db.sqlite} bcryptRounds=${BCRYPT_ROUNDS:-12} +extractedHashFile=${EXTRACTED_HASH_FILE:-/opt/so/conf/elasticsearch/users} function fail() { msg=$1 @@ -108,15 +109,19 @@ function updatePassword() { if [[ -n $identityId ]]; then # Generate password hash - passwordHash=$(echo "${password}" | htpasswd -niBC $bcryptRounds SOUSER) | cut -c 11- - passwordHash="\$2a${passwordHash} - + passwordHash=$(echo "${password}" | htpasswd -niBC $bcryptRounds SOUSER) + passwordHash=$(echo "$passwordHash" | cut -c 11-) + passwordHash="\$2a${passwordHash}" # Update DB with new hash echo "update identity_credentials set config=CAST('{\"hashed_password\":\"${passwordHash}\"}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath" [[ $? != 0 ]] && fail "Unable to update password" fi } +function extractHashes() { + echo "select ici.identifier || ':' || json_extract(ic.config, '$.hashed_password') from identity_credential_identifiers ici, identity_credentials ic where ici.identity_credential_id=ic.id and json_extract(ic.config, '$.hashed_password') is not null order by ici.identifier" | sqlite3 "$databasePath" > "$extractedHashFile" +} + function listUsers() { response=$(curl -Ss -L ${kratosUrl}/identities) [[ $? != 0 ]] && fail "Unable to communicate with Kratos" 
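Review bot: `extractHashes` writes every SOC user's bcrypt hash to `$extractedHashFile` with a bare `>` redirect, so the file is created with the caller's umask (typically 0644, i.e. world-readable on the host) and, because sqlite3's exit status is never checked, a failed query truncates the live users file to empty and silently locks everyone out of the Elasticsearch file realm. The sibling helper `updatePassword` just above checks `$?` and calls `fail`; do the same here, produce the content in a temp file first, and tighten the mode before the file is consumed. Since the `init.sls` hunk in this same patch bind-mounts the file itself rather than its directory, copy the temp content into the target in place instead of `mv`-ing it — a rename would leave the container reading the stale inode. The owner/group must match whatever uid the `so-elasticsearch` container reads the file as; that is not visible here, hence the TODO in the sketch below.
```shell
function extractHashes() {
  # Export "identifier:bcrypt-hash" for every Kratos credential into the file the
  # Elasticsearch file realm reads. Fail loudly rather than leave a truncated file behind.
  tmpFile=$(mktemp "${extractedHashFile}.XXXXXX") || fail "Unable to create temporary hash file"
  chmod 600 "$tmpFile"
  echo "select ici.identifier || ':' || json_extract(ic.config, '$.hashed_password') from identity_credential_identifiers ici, identity_credentials ic where ici.identity_credential_id=ic.id and json_extract(ic.config, '$.hashed_password') is not null order by ici.identifier" | sqlite3 "$databasePath" > "$tmpFile"
  if [[ $? != 0 ]]; then
    rm -f "$tmpFile"
    fail "Unable to extract password hashes"
  fi
  # Overwrite in place (not mv): the container bind-mounts this exact file, so a
  # rename would leave it on the old inode.
  cat "$tmpFile" > "$extractedHashFile" || { rm -f "$tmpFile"; fail "Unable to write $extractedHashFile"; }
  rm -f "$tmpFile"
  chmod 640 "$extractedHashFile"  # TODO(review): confirm owner/group match the uid the so-elasticsearch container runs as
}
```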
@@ -208,6 +213,7 @@ case "${operation}" in validateEmail "$email" updatePassword createUser "$email" + extractHashes echo "Successfully added new user to SOC" check_container thehive && echo $password | so-thehive-user-add "$email" check_container fleet && echo $password | so-fleet-user-add "$email" @@ -223,6 +229,7 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" updateUser "$email" + extractHashes echo "Successfully updated user" ;; @@ -231,6 +238,7 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" updateStatus "$email" 'active' + extractHashes echo "Successfully enabled user" check_container thehive && so-thehive-user-enable "$email" true check_container fleet && so-fleet-user-enable "$email" true @@ -241,6 +249,7 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" updateStatus "$email" 'locked' + extractHashes echo "Successfully disabled user" check_container thehive && so-thehive-user-enable "$email" false check_container fleet && so-fleet-user-enable "$email" false @@ -251,11 +260,17 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" deleteUser "$email" + extractHashes echo "Successfully deleted user" check_container thehive && so-thehive-user-enable "$email" false check_container fleet && so-fleet-user-enable "$email" false ;; + "sync") + extractHashes + echo "Synchronization complete" + ;; + "validate") validateEmail "$email" updatePassword diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index df297986a..c6ac600ef 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
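Review bot: The `extractHashes` call added after `updateStatus "$email" 'locked'` re-exports every identity that still has a `hashed_password`, and the query in `extractHashes` never consults the identity's state, so a disabled SOC user most likely keeps a valid line in the Elasticsearch users file and can still authenticate to Elasticsearch directly — unless `updateStatus` (defined outside this hunk) also clears the credential row, which I cannot see from here. Consider joining the identities table and filtering on the same state column `updateStatus` writes, e.g. `join identities i on i.id = ic.identity_id where i.state = 'active' and json_extract(ic.config, '$.hashed_password') is not null` (table and column names are inferred from Kratos' schema; confirm against the actual database). The same question applies to the `delete` arm if `deleteUser` leaves the credential rows in place; a quick `so-user sync` after a disable and a look at the exported file would settle both. If the script prints a usage/operation list outside this hunk, add the new `sync` operation there too.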
@@ -202,6 +202,8 @@ so-elasticsearch: - binds: - /opt/so/conf/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro + - /opt/so/conf/elasticsearch/users:/usr/share/elasticsearch/config/users:ro + - /opt/so/conf/elasticsearch/users_roles:/usr/share/elasticsearch/config/users_roles:ro - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
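Review bot: Both new binds point at individual files, and nothing in this hunk ensures `/opt/so/conf/elasticsearch/users` or `users_roles` exists before `so-elasticsearch` starts; if either host path is missing at container start, Docker creates an empty directory at that path and Elasticsearch will not be able to read `config/users` — unless a `file.managed` state elsewhere in this sls already creates them, which I cannot see. Consider adding `file.managed` states for both files (restrictive mode, owned by the uid the container runs as, `replace: False` for `users` so `so-user` output is not clobbered) and a `- require` on them from the container state, or run `so-user sync` in a preceding state. Note also that a single-file bind tracks the inode: a writer that replaces the users file via temp-file rename leaves the container reading the old content, so either the writer must overwrite in place or the state should bind the directory instead. Finally, `users_roles` is never written by this patch, so confirm it is populated elsewhere; otherwise the exported accounts have credentials but no roles in the file realm.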