From 8fc30a727d1493dc967fa0979078cbeac9e91d69 Mon Sep 17 00:00:00 2001
From: "max.bed4d"
Date: Mon, 22 Jul 2024 17:08:15 +0100
Subject: [PATCH 1/4] add checksum to prevent re-encryption

---
 etc/kayobe/ansible/wazuh-secrets.yml | 32 ++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/etc/kayobe/ansible/wazuh-secrets.yml b/etc/kayobe/ansible/wazuh-secrets.yml
index a1b725aba..2a6801fdd 100644
--- a/etc/kayobe/ansible/wazuh-secrets.yml
+++ b/etc/kayobe/ansible/wazuh-secrets.yml
@@ -14,13 +14,45 @@
 path: "{{ wazuh_secrets_path | dirname }}"
 state: directory
+ - name: Check whether wazuh-secrets.yml exists
+ stat:
+ path: "{{ wazuh_secrets_path }}"
+ register: waz_exist_result
+
+ - name: Decrypt wazuh-secrets to checksum
+ no_log: True
+ copy:
+ content: "{{ lookup('ansible.builtin.file', wazuh_secrets_path) | ansible.builtin.vault(ansible_vault_password) }}"
+ dest: "{{ wazuh_secrets_path }}"
+ decrypt: true
+ vars:
+ ansible_vault_password: "{{ lookup('ansible.builtin.env', 'KAYOBE_VAULT_PASSWORD') }}"
+ when: waz_exist_result.stat.exists
+
+ - name: Template new secrets
+ no_log: True
+ template:
+ src: wazuh-secrets.yml.j2
+ dest: "/tmp/wazuh-secrets.yml"
+ when: waz_exist_result.stat.exists
+
+ - name: Copy for checksum
+ no_log: True
+ copy:
+ content: "{{ lookup('ansible.builtin.file', '/tmp/wazuh-secrets.yml') }}"
+ dest: "{{ wazuh_secrets_path }}"
+ checksum: yes
+ when: waz_exist_result.stat.exists
+
 - name: Template new secrets
 no_log: True
 template:
 src: wazuh-secrets.yml.j2
 dest: "{{ wazuh_secrets_path }}"
+ when: not waz_exist_result.stat.exists
 - name: In-place encrypt wazuh-secrets
+ no_log: True
 copy:
 content: "{{ lookup('ansible.builtin.file', wazuh_secrets_path) | ansible.builtin.vault(ansible_vault_password) }}"
 dest: "{{ wazuh_secrets_path }}"
From 8c6dccedee8b767548be6fe23e03a934286449ed Mon Sep 17 00:00:00 2001
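Review bot: The second `Template new secrets` task renders the plaintext secrets to `/tmp/wazuh-secrets.yml` with the template module's default mode and nothing in the hunk removes that file afterwards, so a readable copy of the Wazuh credentials outlives the play on the controller; at minimum set `mode: "0600"` on that task and add a removal step, or render to a path obtained from the `tempfile` module. `checksum: yes` on `Copy for checksum` is not an idempotency switch either: as far as I can tell `copy`'s `checksum` option expects the SHA-1 digest string used to validate the transfer, so a boolean is either ignored or fails that validation. PATCH 2/4 of this series removes all three tasks again, so the remaining question is whether "only re-encrypt when the rendered secrets actually differ" is still a requirement, because nothing later in the series implements it.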
From: Massimiliano Favaro-Bedford <78351765+MaxBed4d@users.noreply.github.com>
Date: Thu, 7 Nov 2024 16:47:04 +0000
Subject: [PATCH 2/4] Update wazuh-secrets.yml

---
 etc/kayobe/ansible/wazuh-secrets.yml | 26 +-------------------------
 1 file changed, 1 insertion(+), 25 deletions(-)

diff --git a/etc/kayobe/ansible/wazuh-secrets.yml b/etc/kayobe/ansible/wazuh-secrets.yml
index 2a6801fdd..0cbbd75c3 100644
--- a/etc/kayobe/ansible/wazuh-secrets.yml
+++ b/etc/kayobe/ansible/wazuh-secrets.yml
@@ -19,31 +19,6 @@ path: "{{ wazuh_secrets_path }}" register: waz_exist_result - - name: Decrypt wazuh-secrets to checksum - no_log: True - copy: - content: "{{ lookup('ansible.builtin.file', wazuh_secrets_path) | ansible.builtin.vault(ansible_vault_password) }}" - dest: "{{ wazuh_secrets_path }}" - decrypt: true - vars: - ansible_vault_password: "{{ lookup('ansible.builtin.env', 'KAYOBE_VAULT_PASSWORD') }}" - when: waz_exist_result.stat.exists - - name: Template new secrets - no_log: True - template: - src: wazuh-secrets.yml.j2 - dest: "/tmp/wazuh-secrets.yml" - when: waz_exist_result.stat.exists - - name: Copy for checksum - no_log: True - copy: - content: "{{ lookup('ansible.builtin.file', '/tmp/wazuh-secrets.yml') }}" - dest: "{{ wazuh_secrets_path }}" - checksum: yes - when: waz_exist_result.stat.exists - - name: Template new secrets no_log: True template:
@@ -59,3 +34,4 @@
 decrypt: false
 vars:
 ansible_vault_password: "{{ lookup('ansible.builtin.env', 'KAYOBE_VAULT_PASSWORD') }}"
+ when: not waz_exist_result.stat.exists
From 53027c66f40f786a79a1c5bad1d19896904c9bdb Mon Sep 17 00:00:00 2001
From: Max Bedford
Date: Tue, 19 Nov 2024 13:33:35 +0000
Subject: [PATCH 3/4] replace speech marks with quote marks to avoid character errors

---
 etc/kayobe/ansible/templates/wazuh-secrets.yml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/kayobe/ansible/templates/wazuh-secrets.yml.j2 b/etc/kayobe/ansible/templates/wazuh-secrets.yml.j2
index 887cc6b44..847c679bd 100644
--- a/etc/kayobe/ansible/templates/wazuh-secrets.yml.j2
+++ b/etc/kayobe/ansible/templates/wazuh-secrets.yml.j2
@@ -7,7 +7,7 @@ secrets_wazuh:
 # Strengthen default wazuh api user pass
 wazuh_api_users:
 - username: "wazuh"
- password: "{{ secrets_wazuh.wazuh_api_users[0].password | default(lookup('community.general.random_string', min_lower=1, min_upper=1, min_special=1, min_numeric=1, length=30)) }}"
+ password: '{{ secrets_wazuh.wazuh_api_users[0].password | default(lookup("community.general.random_string", min_lower=1, min_upper=1, min_special=1, min_numeric=1, length=30, override_special=override_special_characters)) }}'
 # OpenSearch 'admin' user pass
 opendistro_admin_password: "{{ secrets_wazuh.opendistro_admin_password | default(lookup('password', '/dev/null'), true) }}"
 # OpenSearch 'kibanaserver' user pass
From 74f582ab7e4eb03c5dbb2f67a3910ebf7cfc1a9a Mon Sep 17 00:00:00 2001
From: Max Bedford
Date: Tue, 19 Nov 2024 14:06:36 +0000
Subject: [PATCH 4/4] add existing file encryption check

---
 etc/kayobe/ansible/wazuh-secrets.yml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/etc/kayobe/ansible/wazuh-secrets.yml b/etc/kayobe/ansible/wazuh-secrets.yml
index 0cbbd75c3..67897ba4c 100644
--- a/etc/kayobe/ansible/wazuh-secrets.yml
+++ b/etc/kayobe/ansible/wazuh-secrets.yml
@@ -3,6 +3,7 @@
 gather_facts: false
 vars:
 wazuh_secrets_path: "{{ kayobe_env_config_path }}/wazuh-secrets.yml"
+ override_special_characters: '"#$%&()*+,-./:;<=>?@[\]^_{|}~'
 tasks:
 - name: install passlib[bcrypt]
 pip:
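Review bot: `override_special=override_special_characters` in the new `password:` line references a variable this commit does not define; it only appears in the playbook `vars` in PATCH 4/4 (`@@ -3,6 +3,7 @@`), so a checkout between the two commits fails to render the template with an undefined variable. Either move that `vars` line into this commit or give the argument a fallback, `override_special=override_special_characters | default(...)`, with the same character set. Because the lookup result is rendered inside a single-quoted YAML scalar, the template should also record the constraint the quoting change introduces, e.g. a line above the entry reading `# rendered single-quoted: the random_string charset must never contain a single quote`, otherwise a later edit to the character set can silently produce an unparseable secrets file. The `secrets_wazuh:` mapping begins before the hunk.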
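Review bot: `override_special_characters` is added without a comment explaining how the set was chosen, although the playbook's correctness now depends on it. Compared with the usual punctuation set it appears to drop `'`, `!` and the backtick; the single quote has to stay out because `wazuh-secrets.yml.j2` renders the generated password inside a single-quoted YAML scalar, but nothing says why the other two are excluded, and a future maintainer re-adding `'` would break the rendered file. Suggest `# Special characters allowed in generated passwords; "'" must stay out because the template renders them single-quoted` above the line, with the reason for `!` and the backtick filled in by the author. The value also flows into the Wazuh API user password, so it is worth confirming the set against that service's password policy; the play header this `vars` block belongs to starts before the hunk.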
@@ -19,6 +20,22 @@
 path: "{{ wazuh_secrets_path }}"
 register: waz_exist_result
+ - name: Check if secret is encrypted
+ block:
+ - name: Try to decrypt secret
+ no_log: True
+ copy:
+ content: "{{ lookup('ansible.builtin.file', wazuh_secrets_path) | ansible.builtin.vault(ansible_vault_password) }}"
+ dest: "{{ wazuh_secrets_path }}"
+ decrypt: True
+ vars:
+ ansible_vault_password: "{{ lookup('ansible.builtin.env', 'KAYOBE_VAULT_PASSWORD') }}"
+ rescue:
+ - name: Secrets already decrypted
+ ansible.builtin.debug:
+ msg: 'Secret was already decrypted'
+ when: waz_exist_result.stat.exists
+
 - name: Template new secrets
 no_log: True
 template:
@@ -34,4 +51,3 @@
 decrypt: false
 vars:
 ansible_vault_password: "{{ lookup('ansible.builtin.env', 'KAYOBE_VAULT_PASSWORD') }}"
- when: not waz_exist_result.stat.exists
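Review bot: The `Try to decrypt secret` task cannot tell an encrypted file from a plaintext one: `ansible.builtin.vault` is the encrypting filter (its inverse is `ansible.builtin.unvault`) and `copy`'s `decrypt:` option governs vaulted `src` files, not `content`, so with a working `KAYOBE_VAULT_PASSWORD` the task rewrites the file as freshly salted ciphertext instead of failing (as far as I can tell the `file` lookup already returns plaintext for a vaulted file when a vault password is configured), and the `rescue` branch is reached only when the lookup or filter itself errors, which the `Secret was already decrypted` message then misreports. Combined with the `@@ -34,4 +51,3 @@` hunk, which drops `when: not waz_exist_result.stat.exists` from `In-place encrypt wazuh-secrets`, an existing file gets a new ciphertext on every run, which is the re-encryption PATCH 1/4 set out to prevent. A read-only probe is cheaper and honest: `slurp` the file (the module returns the raw bytes, so no vault auto-decryption is involved), test for the `$ANSIBLE_VAULT;` header, and gate the encrypt task on that fact, as sketched below. Minor: `no_log: True` and `decrypt: True` should be lowercase like `decrypt: false` later in the same file, and `ansible.builtin.debug` is the only fully qualified module name in the play.
```yaml
# constructed sketch — replaces the "Check if secret is encrypted" block
  - name: Read wazuh-secrets.yml as raw bytes (no vault auto-decryption)
    ansible.builtin.slurp:
      src: "{{ wazuh_secrets_path }}"
    register: waz_secrets_raw
    no_log: true
    when: waz_exist_result.stat.exists

  - name: Record whether wazuh-secrets.yml is already vault-encrypted
    ansible.builtin.set_fact:
      wazuh_secrets_encrypted: "{{ (waz_exist_result.stat.exists and (waz_secrets_raw.content | b64decode).startswith('$ANSIBLE_VAULT;')) | bool }}"

  # … unchanged: Template new secrets …

  - name: In-place encrypt wazuh-secrets
    # … unchanged: no_log, copy, vars …
    when: not wazuh_secrets_encrypted
```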