From b8a10f2e8680792ca4c56eb2f650df0699d51eee Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 28 May 2021 14:49:43 -0400
Subject: [PATCH] Support multiple elastic system users
---
 salt/common/tools/sbin/so-common | 3 +-
 salt/common/tools/sbin/so-user | 51 ++++++++++++++++++++++++++++----
 2 files changed, 47 insertions(+), 7 deletions(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index b48f84b90..a89f93eea 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -252,6 +252,7 @@ lookup_salt_value() {
 key=$1
 group=$2
 kind=$3
+ output=${4:-newline_values_only}
 
 if [ -z "$kind" ]; then
 kind=pillar
@@ -261,7 +262,7 @@ lookup_salt_value() {
 group=${group}:
 fi
 
- salt-call --no-color ${kind}.get ${group}${key} --out=newline_values_only
+ salt-call --no-color ${kind}.get ${group}${key} --out=${output}
 }
 
 lookup_pillar() {
diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 1ff637d23..d8d8fe34a 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
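Review bot: The new fourth parameter of lookup_salt_value is passed to salt-call unquoted in the second hunk, `--out=${output}`, and nothing documents what values it accepts, so a caller passing a value with whitespace would silently change the salt-call argument list; write it as `--out="${output}"`. The assignment `output=${4:-newline_values_only}` is a global like the existing `key`/`group`/`kind` assignments, so this only matters if some caller happens to use a variable named `output`, but a one-line comment above it would help the next reader: `# $4 - salt-call --out format (default: newline_values_only); pass "json" for a parseable structure`. lookup_salt_value starts outside both hunks; only its parameter block and the salt-call line are visible here.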
@@ -136,17 +136,56 @@ function createElasticTmpFile() {
 echo "$tmpFile"
 }
 
+function syncElasticSystemUser() {
+ json=$1
+ userid=$2
+ usersFile=$3
+
+ user=$(echo "$json" | jq -r ".local.users.$userid.user")
+ pass=$(echo "$json" | jq -r ".local.users.$userid.pass")
+
+ [[ -z "$user" || -z "$pass" ]] && fail "Elastic auth credentials for system user '$userid' are missing"
+ hash=$(hashPassword "$pass")
+
+ echo "${user}:${hash}" >> "$usersFile"
+}
+
+function syncElasticSystemRole() {
+ json=$1
+ userid=$2
+ role=$3
+ rolesFile=$4
+
+ user=$(echo "$json" | jq -r ".local.users.$userid.user")
+
+ [[ -z "$user" ]] && fail "Elastic auth credentials for system user '$userid' are missing"
+
+ echo "${role}:${user}" >> "$rolesFile"
+}
+
 function syncElastic() {
 usersFileTmp=$(createElasticTmpFile "${elasticUsersFile}")
 rolesFileTmp=$(createElasticTmpFile "${elasticRolesFile}")
 
- sysUser=$(lookup_pillar "auth:user" "elasticsearch")
- sysPass=$(lookup_pillar "auth:pass" "elasticsearch")
- [[ -z "$sysUser" || -z "$sysPass" ]] && fail "Elastic auth credentials for system user are missing"
- sysHash=$(hashPassword "$sysPass")
+ authPillarJson=$(lookup_salt_value "auth" "elasticsearch" "pillar" "json")
+
+ syncElasticSystemUser "$authPillarJson" "so_elastic_user" "$usersFileTmp"
+ syncElasticSystemRole "$authPillarJson" "so_elastic_user" "superuser" "$rolesFileTmp"
+
+ syncElasticSystemUser "$authPillarJson" "so_kibana_user" "$usersFileTmp"
+ syncElasticSystemRole "$authPillarJson" "so_kibana_user" "kibana_system" "$rolesFileTmp"
+
+ syncElasticSystemUser "$authPillarJson" "so_logstash_user" "$usersFileTmp"
+ syncElasticSystemRole "$authPillarJson" "so_logstash_user" "logstash_system" "$rolesFileTmp"
+
+ syncElasticSystemUser "$authPillarJson" "so_beats_user" "$usersFileTmp"
+ syncElasticSystemRole "$authPillarJson" "so_beats_user" "beats_system" "$rolesFileTmp"
+
+ syncElasticSystemUser "$authPillarJson" "so_monitor_user" "$usersFileTmp"
+ syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_collector" "$rolesFileTmp"
+ syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_agent" "$rolesFileTmp"
 
 # Generate the new users file
- echo "${sysUser}:${sysHash}" >> "$usersFileTmp"
 echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \
 "from identity_credential_identifiers ici, identity_credentials ic " \
 "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \
@@ -159,7 +198,7 @@ function syncElastic() {
 [[ $? != 0 ]] && fail "Unable to create users file: $elasticUsersFile"
 
 # Generate the new users_roles file
- echo "superuser:${sysUser}" >> "$rolesFileTmp"
+ echo "select 'superuser:' || ici.identifier " \
 "from identity_credential_identifiers ici, identity_credentials ic " \
 "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \