wazuh · AlexRuiz7 · Dec 18, 2024 · Dec 17, 2024 · Dec 17, 2024 · Dec 18, 2024
@@ -24,6 +24,11 @@ After installing Imposter, set up a new Imposter instance using the following co
 IMPOSTER_OPENAPI_REMOTE_FILE_CACHE=true IMPOSTER_JS_PLUGIN=js-graal-compat imposter up -p 55000 -t jvm
 ```
 
+Runing Imposter with SSL / TSL.
+```bash
+IMPOSTER_OPENAPI_REMOTE_FILE_CACHE=true IMPOSTER_JS_PLUGIN=js-graal-compat java -jar ~/.imposter/engines/imposter-4.2.4.jar --plugin openapi --tlsEnabled --configDir ~/wazuh/wazuh-indexer-plugins/imposter --listenPort 55000 --keystorePath ~/wazuh/wazuh-indexer-plugins/imposter/imposter.jks --keystorePassword password
+```
+
 - `IMPOSTER_OPENAPI_REMOTE_FILE_CACHE=true` enables caching the `specFile`.
 - `IMPOSTER_JS_PLUGIN=js-graal-compat` allows compatibility with JavaScript libraries for dynamic loading.
 

@@ -1,19 +1,52 @@
 plugin: openapi
 specFile: https://raw.githubusercontent.com/wazuh/wazuh/refs/heads/master/api/api/spec/spec.yaml
+
+# ===================================================== #
+#   SECURITY
+# ===================================================== #
+
+security:
+  # no requests permitted by default
+  default: Deny
+
+  # only requests meeting these conditions are permitted
+  conditions:
+    - effect: Permit
+      requestHeaders:
+        Authorization:
+          value: Bearer .*
+          operator: Matches
+
+
 resources:
-  # ===================================================== #
-  #   SECURITY
-  # ===================================================== #
+  - method: GET
+    path: /_spec/*
+    response:
+      statusCode: 200
+    security:
+      default: Permit
+
+  - method: GET
+    path: /
+    response:
+      statusCode: 200
+    security:
+      default: Permit
 
   # Login
   - method: POST
     path: /security/user/authenticate
     response:
       statusCode: 200
       scriptFile: security/login.js
-
+    security:
+      conditions:
+        - effect: Permit
+          requestHeaders:
+            Authorization:
+              value: Basic .*
+              operator: Matches
+
   # Orders
   - method: POST
-    path: /orders
-    response:
-      statusCode: 200
+    path: /orders
@@ -177,8 +177,8 @@ testClusters.integTest {
     }
 
     // add customized keystore
-    keystore 'm_api.auth.username', 'admin'
-    keystore 'm_api.auth.password', 'test'
+    keystore 'm_api.auth.username', 'wazuh'
+    keystore 'm_api.auth.password', 'wazuh'
     keystore 'm_api.uri', 'https://127.0.0.1:55000' // base URI of the M_API
 }
 

@@ -5,15 +5,6 @@ info:
 servers:
   - url: http://127.0.0.1:9200/_plugins/_command_manager
 paths:
-  /security/user/authenticate:
-    post:
-      tags:
-        - "authentication"
-      summary: Mock of the Wazuh Server M_API authentication endpoint.
-      description: Returns a JWT.
-      responses:
-        "200":
-          description: OK
   /commands:
     post:
       tags:

@@ -79,8 +79,8 @@ public class CommandManagerPlugin extends Plugin
         implements ActionPlugin, ReloadablePlugin, JobSchedulerExtension {
     public static final String COMMAND_MANAGER_BASE_URI = "/_plugins/_command_manager";
     public static final String COMMANDS_URI = COMMAND_MANAGER_BASE_URI + "/commands";
-    public static final String COMMAND_MANAGER_INDEX_NAME = ".commands";
-    public static final String COMMAND_MANAGER_INDEX_TEMPLATE_NAME = "index-template-commands";
+    public static final String INDEX_NAME = ".commands";
+    public static final String INDEX_TEMPLATE_NAME = "index-template-commands";
     public static final String COMMAND_DOCUMENT_PARENT_OBJECT_NAME = "command";
     public static final String JOB_INDEX_NAME = ".scheduled-commands";
     public static final String JOB_INDEX_TEMPLATE_NAME = "index-template-scheduled-commands";
@@ -108,17 +108,21 @@ public Collection<Object> createComponents(
             NamedWriteableRegistry namedWriteableRegistry,
             IndexNameExpressionResolver indexNameExpressionResolver,
             Supplier<RepositoriesService> repositoriesServiceSupplier) {
+        // Command index repository initialization.
         this.commandIndex = new CommandIndex(client, clusterService, threadPool);
+
+        // Plugin settings initialization.
         PluginSettings.getInstance(environment.settings());
 
-        // JobSchedulerExtension stuff
+        // Scheduled job initialization
+        // NOTE it's very likely that client and thread pool may not be required as the command
+        // index
+        // repository already use them. All queries to the index should be under this class.
         CommandManagerJobRunner.getInstance()
-                .setThreadPool(threadPool)
                 .setClient(client)
-                .setClusterService(clusterService)
-                .setEnvironment(environment);
-
-        scheduleCommandJob(client, clusterService, threadPool);
+                .setThreadPool(threadPool)
+                .setIndexRepository(this.commandIndex);
+        this.scheduleCommandJob(client, clusterService, threadPool);
 
         return Collections.emptyList();
     }
@@ -178,11 +182,7 @@ public List<Setting<?>> getSettings() {
 
     @Override
     public void reload(Settings settings) {
-        // secure settings should be readable
-        // final PluginSettings commandManagerSettings =
-        // PluginSettings.getClientSettings(secureSettingsPassword);
-        // I don't know what I have to do when we want to reload the settings already
-        // xxxService.refreshAndClearCache(commandManagerSettings);
+        // TODO
     }
 
     @Override

@@ -16,12 +16,16 @@
  */
 package com.wazuh.commandmanager.auth;
 
+import org.apache.hc.client5.http.utils.Base64;
 import org.apache.hc.core5.http.Header;
 import org.apache.hc.core5.http.HttpHeaders;
 import org.apache.hc.core5.http.message.BasicHeader;
 
+import java.nio.charset.StandardCharsets;
+
 import reactor.util.annotation.Nullable;
 
+/** Class that manages authorization for Wazuh's Management API. */
 public class AuthCredentials {
     /** Wazuh API username for basic authentication */
     private final String username;
@@ -32,6 +36,12 @@ public class AuthCredentials {
     /** Token for the Wazuh API as obtained from /security/user/authenticate */
     private String token;
 
+    /**
+     * Default constructor
+     *
+     * @param username username.
+     * @param password password.
+     */
     public AuthCredentials(String username, String password) {
         this.username = username;
         this.password = password;
@@ -43,10 +53,18 @@ private Header getTokenHeader() {
     }
 
     private Header getBasicAuthHeader() {
+        final String auth = this.username + ":" + this.password;
+        final byte[] encodedAuth = Base64.encodeBase64(auth.getBytes(StandardCharsets.ISO_8859_1));
         return new BasicHeader(
-                HttpHeaders.AUTHORIZATION, "Basic " + this.username + ":" + this.password);
+                HttpHeaders.AUTHORIZATION,
+                "Basic " + new String(encodedAuth, StandardCharsets.ISO_8859_1));
     }
 
+    /**
+     * Returns appropriate authorization headers depending on whether the token is set
+     *
+     * @return HTTP authorization hheader.
+     */
     public Header getAuthAsHeaders() {
         if (this.token != null) {
             return this.getTokenHeader();
@@ -55,7 +73,9 @@ public Header getAuthAsHeaders() {
     }
 
     /**
-     * @param token
+     * Sets the token.
+     *
+     * @param token Authorization Bearer token.
      */
     public void setToken(@Nullable String token) {
         this.token = token;
@@ -64,7 +84,7 @@ public void setToken(@Nullable String token) {
     /**
      * Checks if the token is different from null.
      *
-     * @return
+     * @return whether the token is set.
      */
     public boolean isTokenSet() {
         return this.token != null;

@@ -16,14 +16,9 @@
  */
 package com.wazuh.commandmanager.auth;
 
+/** HTTPAuthenticator interface. */
 public interface HTTPAuthenticator {
 
-    //    String getType();
-
-    AuthCredentials getCredentials();
-
+    /** Authentication logic for a HTTP service such as a Restful API. */
     void authenticate();
-
-    //    Optional<SimpleResponse> reAuthenticate(AuthCredentials credentials);
-
 }