Use a script to extract the secrets

cisagov · Oct 4, 2024 · 0355f0b · 0355f0b
1 parent 67af23b
commit 0355f0b
Show file tree

Hide file tree

Showing 2 changed files with 114 additions and 6 deletions.
diff --git a/scripts/extract_secrets.sh b/scripts/extract_secrets.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+# Function to print usage
+print_usage() {
+    echo "Usage: source $0 [-p]"
+    echo "  -p    Print the secret values (use with caution)"
+}
+
+# Default behavior: don't print secrets
+PRINT_SECRETS=false
+
+# Parse command line options
+while getopts ":p" opt; do
+    case ${opt} in
+        p )
+            PRINT_SECRETS=true
+            ;;
+        \? )
+            print_usage
+            return 1
+            ;;
+    esac
+done
+
+# Source the profile to ensure podman is available in the current shell
+if [ -f ~/.profile ]; then
+    . ~/.profile
+else
+    echo "~/.profile not found. Make sure podman is in your PATH."
+    return 1
+fi
+
+# Find the full path to podman
+PODMAN_PATH=$(which podman)
+
+if [ -z "$PODMAN_PATH" ]; then
+    echo "podman command not found. Please ensure it's installed and in your PATH."
+    return 1
+fi
+
+echo "Found podman at: $PODMAN_PATH"
+
+# Run the podman secret ls command with sudo and capture the output
+output=$(sudo "$PODMAN_PATH" secret ls)
+
+# Check if the command was successful
+if [ $? -ne 0 ]; then
+    echo "Failed to run 'sudo $PODMAN_PATH secret ls'. Check your permissions and podman installation."
+    return 1
+fi
+
+# Process the output and create a string of export commands
+export_commands=""
+while IFS= read -r line; do
+    if [[ $line != ID* ]]; then  # Skip the header line
+        # Parse the line into variables
+        read -r id name driver created updated <<< "$line"
+
+        # Use the name as-is for the variable name
+        var_name=$name
+
+        # Set the value as the ID (since we can't access the actual secret)
+        secret_value=$id
+
+        # Add export command to the string
+        export_commands+="export $var_name='$secret_value'; "
+
+        if $PRINT_SECRETS; then
+            echo "Exported $var_name: $secret_value"
+        else
+            echo "Exported $var_name"
+        fi
+    fi
+done <<< "$output"
+
+# Execute the export commands
+eval "$export_commands"
+
+if $PRINT_SECRETS; then
+    echo "Exported variables with values:"
+    env | grep -E "^(wazuh|wazuh_api|kibana_system|elastic)="
+else
+    echo "Exported variables (values hidden):"
+    env | grep -E "^(wazuh|wazuh_api|kibana_system|elastic)=" | cut -d= -f1
+fi
+
+echo ""
+echo "To use these variables in your current shell, source this script instead of executing it:"
+echo "source $0        # to export variables without printing values"
+echo "source $0 -p     # to export variables and print values (use with caution)"
diff --git a/testing/v2/installers/install_v2/install.sh b/testing/v2/installers/install_v2/install.sh
@@ -51,14 +51,33 @@ max_attempts=30
 attempt=0
 while [ $attempt -lt $max_attempts ]; do
     if ssh -o StrictHostKeyChecking=no $user@$hostname bash << EOF
-        source /opt/lme/lme-environment.env
+        # Source the environment file as root to get necessary variables
+        sudo bash << SUDO_EOF
+            set -a
+            source /opt/lme/lme-environment.env
+            set +a
+            echo "IPVAR=\$IPVAR" > /tmp/lme_env
+            echo "LOCAL_KBN_URL=\$LOCAL_KBN_URL" >> /tmp/lme_env
+SUDO_EOF
+        
+        # Read the exported variables
+        set -a
+        source /tmp/lme_env
+        set +a
+        
+        # Remove the temporary file
+        rm /tmp/lme_env
+
+        # Source the secrets
+        . ~/LME/scripts/extract_secrets.sh
+
         check_service() {
             local url=\$1
             local auth=\$2
             curl -k -s -o /dev/null -w '%{http_code}' --insecure -u "\${auth}" "\${url}" | grep -q '200'
         }
-        check_service "https://\${IPVAR}:9200" "\${ELASTIC_USERNAME}:\${ELASTICSEARCH_PASSWORD}" && \
-        check_service "\${LOCAL_KBN_URL}" "\${ELASTIC_USERNAME}:\${ELASTICSEARCH_PASSWORD}"
+        check_service "https://\${IPVAR}:9200" "elastic:\${elastic}" && \
+        check_service "\${LOCAL_KBN_URL}" "elastic:\${elastic}"
 EOF
     then
         echo "Both Elasticsearch and Kibana are up!"
@@ -75,11 +94,10 @@ if [ $attempt -eq $max_attempts ]; then
 fi
 
 echo "Running check-fleet script"
-ssh -o StrictHostKeyChecking=no $user@$hostname ". ~/.bashrc && cd ~/LME && ./testing/v2/installers/lib/check_fleet.sh"
+ssh -o StrictHostKeyChecking=no $user@$hostname "sudo -E bash -c 'source /opt/lme/lme-environment.env && su $user -c \". ~/.bashrc && cd ~/LME && ./testing/v2/installers/lib/check_fleet.sh\"'"
 
 echo "Running set-fleet script"
-ssh -o StrictHostKeyChecking=no $user@$hostname ". ~/.bashrc && cd ~/LME && ./scripts/set-fleet.sh"
-
+ssh -o StrictHostKeyChecking=no $user@$hostname "sudo -E bash -c 'source /opt/lme/lme-environment.env && su $user -c \". ~/.bashrc && cd ~/LME && ./scripts/set-fleet.sh\"'"
 
 echo "Installation and configuration completed successfully."