Change the way the Wazuh admin password is generated to always be valid

MaxBed4d · MaxBed4d · commit e3a6ef41600e · 2024-07-18T11:48:40.000+01:00
diff --git a/etc/kayobe/ansible/templates/wazuh-secrets.yml.j2 b/etc/kayobe/ansible/templates/wazuh-secrets.yml.j2
@@ -7,7 +7,7 @@ secrets_wazuh:
   # Strengthen default wazuh api user pass
   wazuh_api_users:
     - username: "wazuh"
-      password: "{{ secrets_wazuh.wazuh_api_users[0].password | default(lookup('password', '/dev/null length=30' ), true) }}"
+      password: "{{ secrets_wazuh.wazuh_api_users[0].password | wazuh_password }}"
   # OpenSearch 'admin' user pass
   opendistro_admin_password: "{{ secrets_wazuh.opendistro_admin_password | default(lookup('password', '/dev/null'), true) }}"
   # OpenSearch 'kibanaserver' user pass
diff --git a/etc/kayobe/ansible/wazuh-secrets.yml b/etc/kayobe/ansible/wazuh-secrets.yml
@@ -14,6 +14,54 @@
         path: "{{ wazuh_secrets_path | dirname }}"
         state: directory
 
+    - name: Generate a random password which meets the Wazuh password requirements
+      cmd: python3
+      stdin: |
+        import random
+        import string
+        import re
+
+        # The password requirements required by Wazuh (wazuh/framework/wazuh/security.py)
+        valid_password = re.compile(r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$')
+
+        # Generate a random password containg at least one of each: 
+        # special character, digit, lowercase letter, uppercase letter
+        def pw_gen(pw_len):
+            random_pass = ([random.choice("@$!%*?&-_"),
+                              random.choice(string.digits),
+                              random.choice(string.ascii_lowercase),
+                              random.choice(string.ascii_uppercase),
+                              ]
+                              + [random.choice(string.ascii_lowercase
+                                              + string.ascii_uppercase
+                                              + "@$!%*?&-_"
+                                              + string.digits) for i in range(pw_len)])
+
+            random.shuffle(random_pass)
+            random_pass = ''.join(random_pass)
+            return random_pass
+
+        # Check if the generated password meets the requirements
+        def check_user_password(password):
+          if valid_password.match(password):
+              return True
+          else:
+              return False
+        
+        # Generate a password
+        random_pass = pw_gen(30)
+
+        # Check if the generated password meets the requirements
+        # if not, keep generating a new password until it does
+        while not check_user_password(random_pass):
+            random_pass = pw_gen(30)
+          
+      register: random_pass
+
+    - name: Store the valid password
+      set_fact:
+        wazuh_password: "{{ random_pass }}"
+
     - name: Template new secrets
       template:
         src: wazuh-secrets.yml.j2
