From a6a4c03029567d8d008e82c60dbb44f2fb6d9049 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 26 May 2021 12:08:10 -0400
Subject: [PATCH] Improve error scenarios for user sync; Ensure user sync runs before Elastic container starts
---
 salt/common/tools/sbin/so-user | 5 +++++
 salt/elasticsearch/init.sls | 8 ++++++++
 2 files changed, 13 insertions(+)
diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index b516cf6ad..7362c94a2 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -142,6 +142,7 @@ function syncElastic() {
 sysUser=$(lookup_pillar "auth:user" "elasticsearch")
 sysPass=$(lookup_pillar "auth:pass" "elasticsearch")
+ [[ -z "$sysUser" || -z "$sysPass" ]] && fail "Elastic auth credentials for system user are missing"
 sysHash=$(hashPassword "$sysPass")
 # Generate the new users file
@@ -153,7 +154,9 @@ function syncElastic() {
 sqlite3 "$databasePath" | \
 jq -r '.user + ":" + .data.hashed_password' \
 >> "$usersFileTmp"
+ [[ $? != 0 ]] && fail "Unable to read credential hashes from database"
 mv -f "$usersFileTmp" "$elasticUsersFile"
+ [[ $? != 0 ]] && fail "Unable to create users file: $elasticUsersFile"
 # Generate the new users_roles file
 echo "superuser:${sysUser}" >> "$rolesFileTmp"
@@ -163,7 +166,9 @@ function syncElastic() {
 "order by ici.identifier;" | \
 sqlite3 "$databasePath" \
 >> "$rolesFileTmp"
+ [[ $? != 0 ]] && fail "Unable to read credential IDs from database"
 mv -f "$rolesFileTmp" "$elasticRolesFile"
+ [[ $? != 0 ]] && fail "Unable to create users file: $elasticRolesFile"
 }
 function syncAll() {
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index c6ac600ef..dd4af7696 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
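Review bot: The `[[ $? != 0 ]]` check added after the `sqlite3 "$databasePath" | jq -r ... >> "$usersFileTmp"` pipeline (second so-user hunk) sees only jq's exit status, unless `set -o pipefail` is enabled somewhere outside the hunk. If sqlite3 fails and emits nothing, jq exits 0 on empty input, so the following `mv -f` would install a users file holding only whatever was written before the append (presumably just the system account), silently removing every other user's Elastic login. Enabling `set -o pipefail` near the top of the script, or testing `${PIPESTATUS[@]}` instead of `$?`, would let the new check catch the database failure. The third hunk's pipeline ends in sqlite3, so its check does see that failure; syncElastic's body starts and ends outside these hunks.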
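Review bot: The failure message added after `mv -f "$rolesFileTmp" "$elasticRolesFile"` in the third so-user hunk still says "users file", copied from the check on the users file above it. `fail "Unable to create users_roles file: $elasticRolesFile"` would tell an operator which of the two files could not be written. On both failure paths the temporary file, which for the users case holds password hashes, appears to be left in place; whether `fail` removes it is not visible in these hunks.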
@@ -169,6 +169,14 @@ eslogdir:
 - group: 939
 - makedirs: True
+# Must run before elasticsearch docker container is started!
+syncesusers:
+ cmd.run:
+ - name: so-user sync
+ - creates:
+ - /opt/so/conf/elasticsearch/users
+ - /opt/so/conf/elasticsearch/users_roles
+
 so-elasticsearch:
 docker_container.running:
 - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}
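Review bot: The ordering that the new comment demands is enforced only by where `syncesusers` sits in the file, and nothing in the hunk ties `so-elasticsearch` to its success. Without a requisite, Salt continues to later states after a failed one (unless failhard is set elsewhere), so the container could start with the users and users_roles files missing. Adding `- require_in:` with `- docker_container: so-elasticsearch` under `cmd.run` would make both the ordering and the failure dependency explicit. Because `creates` skips the command whenever both files exist, a file left incomplete by an earlier run is not regenerated by this state. The `so-elasticsearch` definition continues outside the hunk.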