Changed the character set of generated passwords

Passwords which may be passed via HTTP basic auth (as "<username>:<password>") shouldn't contain a colon. Although it should work according to corresponding RFC, a colon in password causes problems in some servers (Cortex at minimum). Therefore, we only allow letters and numbers in most of the automatically generated passwords.

Changed the character set of generated passwords
7fa298e7 · Václav Bartoš · 3fdab5f2 · 7fa298e7 · 7fa298e7 · 7fa298e7
Commit 7fa298e7 authored 2 years ago by Václav Bartoš
--- a/roles/ca/tasks/main.yml
+++ b/roles/ca/tasks/main.yml
@@ -138,7 +138,7 @@
  expect:
    command: roles/ca/files/easyrsa/easyrsa export-p12 "{{item.CN}}"
    responses:
-      Enter Export Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}"
+      Enter Export Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}} chars=ascii_letters,digits')}}"
  with_items:
    - "{{USER_MGMT_ADMIN_USER}}"
    - "{{soctools_users}}"
@@ -157,7 +157,7 @@
 #  expect:
 #    command: openssl pkcs12 -in "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.p12" -out "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.crt.pem" -clcerts -nokeys
 #    responses:
-#      Enter Import Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}"
+#      Enter Import Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}} chars=ascii_letters,digits')}}"
 #  with_items:
 #    - "{{USER_MGMT_ADMIN_USER}}"
@@ -165,6 +165,6 @@
 #  expect:
 #    command: openssl pkcs12 -in "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.p12" -out "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.key.pem" -nocerts -nodes
 #    responses:
-#      Enter Import Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}"
+#      Enter Import Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}} chars=ascii_letters,digits')}}"
 #  with_items:
 #    - "{{USER_MGMT_ADMIN_USER}}"
--- a/roles/cortex/tasks/configure.yml
+++ b/roles/cortex/tasks/configure.yml
@@ -36,7 +36,7 @@
 - name: generate api key for admin user
  remote_user: root
-  shell: "curl -XPOST -u 'admin:{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_adminpass')}}' 'http://127.0.0.1:9001/api/user/admin/key/renew'"
+  shell: "curl -XPOST -u 'admin:{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_adminpass chars=ascii_letters,digits')}}' 'http://127.0.0.1:9001/api/user/admin/key/renew'"
  run_once: True
  register: cortexadminuserkey
  args:

--- a/roles/cortex/templates/admin.json
+++ b/roles/cortex/templates/admin.json
-{"login":"admin","name":"Admin","password":"{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_adminpass')}}","roles":["superadmin"],"organization":"cortex"}
+{"login":"admin","name":"Admin","password":"{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_adminpass chars=ascii_letters,digits')}}","roles":["superadmin"],"organization":"cortex"}
--- a/roles/cortex/templates/application.conf.j2
+++ b/roles/cortex/templates/application.conf.j2
@@ -6,7 +6,7 @@
 #
 # IMPORTANT: If you deploy your application to several  instances,  make
 # sure to use the same key.
-play.http.secret.key="{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_secret_key')}}"
+play.http.secret.key="{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_secret_key chars=ascii_letters,digits')}}"
 ## ElasticSearch
 search {
@@ -34,7 +34,7 @@ search {
 ##   ## Authentication configuration
 ##   search.username = "cortex"
-##   search.password = "{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_odfe')}}"
+##   search.password = "{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_odfe chars=ascii_letters,digits')}}"
 ##
 ##   ## SSL configuration
 ##   search.keyStore {

--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -17,8 +17,8 @@ defaults
  timeout server  20s
 userlist mycredentials
-   user {{soctools_users[0].username}} insecure-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].username}}')}}
+   user {{soctools_users[0].username}} insecure-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].username}} chars=ascii_letters,digits')}}
-   user {{soctools_users[0].email}} insecure-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].username}}')}}
+   user {{soctools_users[0].email}} insecure-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].username}} chars=ascii_letters,digits')}}
 listen stats
        bind 0.0.0.0:8888 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
@@ -26,7 +26,7 @@ listen stats
        stats hide-version
        stats uri     /
        stats realm   HAProxy Statistics
-        stats auth    haproxy:{{lookup('password', '{{playbook_dir}}/secrets/passwords/haproxy_stats')}}
+        stats auth    haproxy:{{lookup('password', '{{playbook_dir}}/secrets/passwords/haproxy_stats chars=ascii_letters,digits')}}
 	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/stats_whitelist.lst }
 listen nifiserv

--- a/roles/keycloak/tasks/init.yml
+++ b/roles/keycloak/tasks/init.yml
@@ -28,7 +28,7 @@
 - name: Set admin password
  remote_user: jboss
-  command: /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "admin" --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keycloak_admin')}}"
+  command: /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "admin" --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keycloak_admin chars=ascii_letters,digits')}}"
  ignore_errors: True
 - name: Configure logging format

--- a/roles/keycloak/templates/initkeycloakrealm.sh.j2
+++ b/roles/keycloak/templates/initkeycloakrealm.sh.j2
@@ -6,7 +6,7 @@ exec > /opt/jboss/keycloak/initkeycloak.log 2>&1
 kcadm.sh config truststore --trustpass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} /opt/jboss/keycloak/cacerts.jks
-kcadm.sh config credentials --server https://{{groups['keycloakcontainers'][0]}}:8443/auth --realm master --user admin --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keycloak_admin')}}"
+kcadm.sh config credentials --server https://{{groups['keycloakcontainers'][0]}}:8443/auth --realm master --user admin --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keycloak_admin chars=ascii_letters,digits')}}"
 kcadm.sh create realms -b '{ "enabled": "true", "id": "{{openid_realm}}", "realm": "{{openid_realm}}"}'
 kcadm.sh create realms/{{openid_realm}}/authentication/flows/browser/copy -b '{ "id": "browser-x509", "newName": "X.509 Browser" }'
 BROWSERFORM=$(kcadm.sh create realms/{{openid_realm}}/authentication/flows/X.509%20Browser/executions/execution -i -b '{ "provider": "auth-x509-client-username-form" }')
@@ -19,7 +19,7 @@ kcadm.sh create realms/{{openid_realm}}/groups -b '{"name":"GN43WP8T31"}'
 kcadm.sh create realms/{{openid_realm}}/users -b '{"enabled":true,"attributes":{"DN": ["{{USER_MGMT_ADMIN_USER.DN}}"],"CN": ["{{USER_MGMT_ADMIN_USER.CN}}"]},"username":"{{USER_MGMT_ADMIN_USER.username}}","groups": ["/GN43WP8T31"] }'
 {% for user in soctools_users %}
 kcadm.sh create realms/{{openid_realm}}/users -b '{"enabled":true,"attributes":{"DN": ["{{user.DN}}"],"CN": ["{{user.CN}}"]},"username":"{{user.username}}","emailVerified":"","email":"{{user.email}}","firstName":"{{user.firstname}}","lastName":"{{user.lastname}}","groups": ["/GN43WP8T31"] }'
-kcadm.sh set-password -r {{openid_realm}} --username {{user.username}} --new-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/'+user.CN)}}
+kcadm.sh set-password -r {{openid_realm}} --username {{user.username}} --new-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/'+user.CN+' chars=ascii_letters,digits')}}
 {% endfor %}
 NIFICLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"soctools-nifi","protocol":"openid-connect","clientAuthenticatorType": "client-secret","redirectUris": ["https://{{soctoolsproxy}}:9443/*" ],"webOrigins": [], "publicClient": false }')

--- a/roles/misp/tasks/config.yml
+++ b/roles/misp/tasks/config.yml
 ---
 - name: Change password of default user
-  shell: "/var/www/MISP/app/Console/cake Password admin@admin.test {{ lookup('password', '{{playbook_dir}}/secrets/passwords/misp_admin') }}"
+  shell: "/var/www/MISP/app/Console/cake Password admin@admin.test {{ lookup('password', '{{playbook_dir}}/secrets/passwords/misp_admin chars=ascii_letters,digits') }}"
 - name: Configure MISP
  shell: '/var/www/MISP/app/Console/cake Admin setSetting {{item.var}} {{item.value}}'

--- a/roles/nifi/templates/flow.xml.j2
+++ b/roles/nifi/templates/flow.xml.j2
@@ -12619,7 +12619,7 @@
    <variable name="elastic_username" value="{{ elastic_username }}" />
    <variable name="misp_url" value="{{ misp_url }}" />
    <variable name="elastic_urls" value="https://soctools-opensearch-1:9200/,https://soctools-opensearch-2:9200/" />
-    <variable name="elastic_password" value="{{lookup('password', '{{playbook_dir}}/secrets/passwords/opensearches_adminpass')}}" />
+    <variable name="elastic_password" value="{{lookup('password', '{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits')}}" />
  </rootGroup>
  <controllerServices />
  <reportingTasks />

--- a/roles/opensearch-dashboards/files/env.js.j2
+++ b/roles/opensearch-dashboards/files/env.js.j2
 // Default plugin configuration
 export const THEHIVE_URL = 'https://{{soctoolsproxy}}:9000';
-export const THEHIVE_API_KEY = '{{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_kibana_secret_key')}}';
+export const THEHIVE_API_KEY = '{{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_kibana_secret_key chars=ascii_letters,digits')}}';
 export const THEHIVE_OWNER = '{{THEHIVE_KIBANA_USER.username}}'; // default owner account of the created cases
--- a/roles/opensearch-dashboards/tasks/init.yml
+++ b/roles/opensearch-dashboards/tasks/init.yml
@@ -78,7 +78,7 @@
 - name: Check Opensearch Dashboards health
  remote_user: dashboards
  shell: 'curl -k -b /tmp/cookie.txt -c /tmp/cookie.txt -X "GET" "https://{{soctoolsproxy}}:5601/api/status" \
-          --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass")}} \
+          --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits")}} \
              | egrep "status....overall....since...[0-9]{4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}.[0-9]{1,2}.[0-9]{3}Z...state...green"'
  register: result
  until: result.rc == 0
@@ -96,7 +96,7 @@
  remote_user: dashboards
  shell: 'curl -X "POST" "https://{{soctoolsproxy}}:5601/api/saved_objects/_import?overwrite=true" \
          -b /tmp/cookie.txt -c /tmp/cookie.txt \
-          -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass")}} \
+          -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits")}} \
          -H "osd-xsrf: reporting" -H "Content-Type: multipart/form-data" \
          -F "file=@/tmp/opensearch-dashboards_graphs.ndjson"'
  ignore_errors: True
@@ -111,7 +111,7 @@
  remote_user: dashboards
  shell: 'curl -X "POST" "https://{{soctoolsproxy}}:5601/api/v1/configuration/rolesmapping/all_access" \
          -b /tmp/cookie.txt -c /tmp/cookie.txt \
-          -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass")}} \
+          -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits")}} \
          -H "osd-xsrf: reporting" -H "Content-Type: application/json" \
          -d @/tmp/role.json'

--- a/roles/opensearch-dashboards/tasks/start.yml
+++ b/roles/opensearch-dashboards/tasks/start.yml
@@ -15,7 +15,7 @@
 - name: Check Opensearch Dashboards health
  remote_user: dashboards
  shell: 'curl -k -b /tmp/cookie.txt -c /tmp/cookie.txt -X "GET" "https://{{soctoolsproxy}}:5601/api/status" \
-          --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass")}} \
+          --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits")}} \
              | egrep "status....overall....since...[0-9]{4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}.[0-9]{1,2}.[0-9]{3}Z...state...green"'
  register: result
  until: result.rc == 0

--- a/roles/opensearch-dashboards/tasks/update-config.yml
+++ b/roles/opensearch-dashboards/tasks/update-config.yml
@@ -30,7 +30,7 @@
  remote_user: dashboards
  shell: 'curl -X "POST" "https://{{soctoolsproxy}}:5601/api/saved_objects/_import?overwrite=true" \
          -b /tmp/cookie.txt -c /tmp/cookie.txt \
-          -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass")}} \
+          -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits")}} \
          -H "osd-xsrf: reporting" -H "Content-Type: multipart/form-data" \
          -F "file=@/tmp/opensearch-dashboards_graphs.ndjson"'
  ignore_errors: True
--- a/roles/opensearches/tasks/init.yml
+++ b/roles/opensearches/tasks/init.yml
@@ -37,7 +37,7 @@
 - name: Change password for admin
  remote_user: opensearch
-  shell: export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk; bash plugins/opensearch-security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/opensearches_adminpass')}} | tail -n 1
+  shell: export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk; bash plugins/opensearch-security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits')}} | tail -n 1
  register: adminhash
 - set_fact:
@@ -46,7 +46,7 @@
 - name: Change password for cortex
  remote_user: opensearch
-  shell: export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk; bash plugins/opensearch-security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_opensearch')}} | tail -n 1
+  shell: export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk; bash plugins/opensearch-security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_opensearch chars=ascii_letters,digits')}} | tail -n 1
  register: cortexhash
 - set_fact:
@@ -77,7 +77,7 @@
 - name: Configure Opensearch security
  remote_user: opensearch
-  shell: "export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk; bash ./plugins/opensearch-security/tools/securityadmin.sh -h {{groups['opensearchescontainers'][0]}} -cd /opt/opensearch/config/opensearch-security/ -ks '/opt/opensearch/config/{{soctools_users[0].CN}}.p12' -kspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} {{lookup('password','{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} -ts /opt/opensearch/config/cacerts.jks -tspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} -cn soctools-cluster"
+  shell: "export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk; bash ./plugins/opensearch-security/tools/securityadmin.sh -h {{groups['opensearchescontainers'][0]}} -cd /opt/opensearch/config/opensearch-security/ -ks '/opt/opensearch/config/{{soctools_users[0].CN}}.p12' -kspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}} chars=ascii_letters,digits')}} {{lookup('password','{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}} chars=ascii_letters,digits')}} -ts /opt/opensearch/config/cacerts.jks -tspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} -cn soctools-cluster"
  when: "'{{groups['opensearchescontainers'][0]}}' in inventory_hostname"
 - name: Set Autostart for supervisord's services

--- a/roles/thehive/tasks/createusers.yml
+++ b/roles/thehive/tasks/createusers.yml
@@ -10,7 +10,7 @@
 - name: create users
  remote_user: root
-  shell: "curl -H 'Authorization: Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}' -H 'Content-Type: application/json' http://127.0.0.1:9000/api/user -d @/tmp/{{ item.username}}.json"
+  shell: "curl -H 'Authorization: Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key chars=ascii_letters,digits')}}' -H 'Content-Type: application/json' http://127.0.0.1:9000/api/user -d @/tmp/{{ item.username}}.json"
  args:
    warn: false
  with_items:

--- a/roles/thehive/tasks/kibanauser.yml
+++ b/roles/thehive/tasks/kibanauser.yml
@@ -8,7 +8,7 @@
 - name: create kibana user
  remote_user: root
-  shell: "curl -H 'Authorization: Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}' -H 'Content-Type: application/json' http://127.0.0.1:9000/api/user -d @/tmp/kibanauser.json | cut -d\\\" -f4"
+  shell: "curl -H 'Authorization: Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key chars=ascii_letters,digits')}}' -H 'Content-Type: application/json' http://127.0.0.1:9000/api/user -d @/tmp/kibanauser.json | cut -d\\\" -f4"
  register: kibanauser
  args:
    warn: false
@@ -18,7 +18,7 @@
 - name: create API key for kibana user
  remote_user: root
-  shell: "curl -XPOST -H 'Authorization: Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}' -H 'Content-Type: application/json' http://127.0.0.1:9000/api/v1/user/{{kibanauser.stdout}}/key/renew 2> /dev/null | tee /tmp/kibanaapikey"
+  shell: "curl -XPOST -H 'Authorization: Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key chars=ascii_letters,digits')}}' -H 'Content-Type: application/json' http://127.0.0.1:9000/api/v1/user/{{kibanauser.stdout}}/key/renew 2> /dev/null | tee /tmp/kibanaapikey"
  register: kibanaapikey
  args:
    warn: false

--- a/roles/thehive/tasks/organization.yml
+++ b/roles/thehive/tasks/organization.yml
@@ -5,7 +5,7 @@
    url: "http://127.0.0.1:9000/api/organisation"
    method: POST
    headers:
-      Authorization: "Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}"
+      Authorization: "Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key chars=ascii_letters,digits')}}"
    body_format: form-urlencoded
    body:
      name: "{{ org_name }}"

--- a/roles/thehive/templates/adminpass.json
+++ b/roles/thehive/templates/adminpass.json
-{"password":"{{lookup('password', '{{playbook_dir}}/secrets/passwords/thehive_adminpass')}}"}
+{"password":"{{lookup('password', '{{playbook_dir}}/secrets/passwords/thehive_adminpass chars=ascii_letters,digits')}}"}
--- a/roles/thehive/templates/application.conf.j2
+++ b/roles/thehive/templates/application.conf.j2
@@ -5,7 +5,7 @@
 ## Include Play secret key
 # More information on secret key at https://www.playframework.com/documentation/2.8.x/ApplicationSecret
 #include "/etc/thehive/secret.conf"
-play.http.secret.key="{{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}"
+play.http.secret.key="{{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key chars=ascii_letters,digits')}}"
 ## Database configuration
 db.janusgraph {

--- a/utils/flow2template.py
+++ b/utils/flow2template.py
@@ -23,7 +23,7 @@ for v in et.findall(".//variable"):
    elif a['name']=="elastic_username":
        a['value']="{{ elastic_username }}"
    elif a['name']=="elastic_password":
-        a['value']="{{lookup('password', '{{playbook_dir}}/secrets/passwords/opensearches_adminpass')}}"
+        a['value']="{{lookup('password', '{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits')}}"
 for v in et.findall(".//controllerService[name='Soctools CA']/property[name='Truststore Password']/value"):
    v.text="{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}"