feature: 'so-user add' using hashed password

[petiepooo]

Using the Linux CLI's chpasswd command as a model, it would be very useful to have the ability to add users using an existing hashed password. For example:

Usage: /usr/sbin/so-user <operation> [supporting parameters]

  where <operation> is one of the following

       add: Adds a new user to the identity system
            Required parameters:
              --email <email>
            Optional parameters:
              --role <role>             (defaults to analyst)
              --firstName <firstName>   (defaults to blank)
              --lastName <lastName>     (defaults to blank)
              --note <note>             (defaults to blank)
              --skip-sync               (defers the Elastic sync until the next scheduled time)
              --encryptedPW <pw>        (defaults to interactive prompt)

and used something like:

so-user add --email [email protected] --role superuser --encryptedPW '$2a$12$SKtbf2YedMUlr3Hp.futbfBO7L0KPrGAxkfg2YedMU'

[petiepooo]

I see the problem. With the addition of influxdb, not having the unhashed password means we can't create that user with the same password using so-influxdb-manage. That said, for users that only access SOC or Kibana, the following patch allows creating the user using the existing password hash as recovered from the /opt/so/saltstack/local/salt/elasticsearch/files/users file:

+++ ./so-user   2024-05-07 15:03:00.150787246 +0000
@@ -30,6 +30,7 @@
               --firstName <firstName>   (defaults to blank)
               --lastName <lastName>     (defaults to blank)
               --note <note>             (defaults to blank)
+              --encryptedPW <pwhash>    (defaults to blank)
               --skip-sync               (defers the Elastic sync until the next scheduled time)

    addrole: Grants a role to an existing user
@@ -119,6 +120,10 @@
       note=$1
       shift
       ;;
+    --encryptedPW)
+      encryptedPW=$1
+      shift
+      ;;
     --skip-sync)
       SKIP_SYNC=1
       ;;
@@ -218,7 +223,11 @@
 function updatePassword() {
   identityId=$1

-  if [ -z "$password" ]; then
+  if [ "$encryptedPW" ]; then
+    [[ "${encryptedPW:0:7}" == "\$2a\$12\$" ]] || fail "invalid ecrypted password type $hashType"
+    passwordHash=${encryptedPW}
+    password=${encryptedPW:8:8} # set to portion of hash just to have something to send to influxdb
+  elif [ -z "$password" ]; then
     # Read password from stdin (show prompt only if no stdin was piped in)
     test -t 0
     if [[ $? == 0 ]]; then
@@ -231,7 +240,9 @@

   if [[ -n "$identityId" ]]; then
     # Generate password hash
-    passwordHash=$(hashPassword "$password")
+    if [ -z "$passwordHash" ]; then
+      passwordHash=$(hashPassword "$password")
+    fi
     # Update DB with new hash
     echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
     # Deactivate MFA

Also, it's worth noting that once a user is created in SOC, they can reset their own password there, and that would also sync their influxdb credential, giving them the access that this method does not.