weixin_39636226 2020-11-29 17:46
Views: 0

New endpoint for user administration (CRUD)

Introduction

Hi team, in API 3.9 there is a script, configure_api.sh, that allows you to configure a single user. The purpose of this issue is to create the endpoints for the CRUD cycle of users.

Restrictions

  • The two users created by default (wazuh, wazuh-api) should not be allowed to be deleted.
  • Changes must be propagated between all nodes in the cluster; all nodes must have a copy of the users' information.

Design

In order to propagate the changes to all the nodes of the cluster, two options are considered:
  • A distributed call that executes the same sentence in all the nodes of the cluster. The main disadvantage of this solution is that if a node is down or has no connection at the time when users are modified, it will be left without a copy of the users; its advantage is that the implementation is simple.
  • As a result of the solution commented on before, to solve its inconvenience we can create a new task in the cluster that updates the information of the users database (like the agent info thread between nodes) every certain time, and this way each node has the updated information.
  • Use rqlite

Design of endpoints

User administration

  • Get the information of all users, the password must not appear.
    • GET security/users
  • Get the information of the specified user, the password must not appear.
    • GET security/users/{user_id}
  • Create a new user, the content of the body must be (username: "username", password: "password")
    • POST security/users
  • Modify a specified user, the content of the body must be (password: "password")
    • PUT security/users/{user_id}
  • Delete a specified user
    • DELETE security/users/{user_id}

Coding

To enable all these features we will have to create a new file called user_manager.py in the framework/wazuh folder. This file will have the following functions:

  • This function will provide as much information as possible about the users:

```python
def get_users(pretty=False, wait_for_complete=False, limit=None, search=None, sort=None)
```

And one example of its output:

```json
{
  "data": {
    "items": [
      {
        "username": "wazuh"
      },
      {
        "username": "wazuh-api"
      }
    ],
    "totalItems": 2
  }
}
```

  • This function will provide as much information as possible about one specified user:

```python
def get_user_id(user_id, pretty=False, wait_for_complete=False)
```

And one example of its output:

```json
{
  "data": {
    "items": [
      {
        "username": "wazuh"
      }
    ],
    "totalItems": 2
  }
}
```

  • This function will create a user with the data that we provide in the body of the request.

```python
def create_user(username, password, pretty=False, wait_for_complete=False)
```

The body of the request must be:

```json
{"username": "new", "password": "newpass"}
```

And one example of its output:

```json
{
  "data": {
    "message": "User created correctly"
  }
}
```

  • This function will update a specified user with the data that we provide in the body of the request.

```python
def update_user(password, pretty=False, wait_for_complete=False)
```

The body of the request must be:

```json
{"password": "newpassupdated"}
```

And one example of its output:

```json
{
  "data": {
    "message": "User updated correctly"
  }
}
```

  • This function will delete a specified user.

```python
def delete_user(username, pretty=False, wait_for_complete=False)
```

And one example of its output:

```json
{
  "data": {
    "message": "User deleted correctly"
  }
}
```

Script configure_api.sh

As for the functionality available in configure_api.sh to change the port, add a proxy to the API and enable or disable HTTPS, it will be updated so that the changes are applied in the new API. Changes should be made to uWSGI, so the script will be updated for the new components.

We have to update the paths and adapt the rules to the new format included in uwsgi.yaml.

ToDo

  • [x] Implement CRUD endpoints
  • [x] Update the configure_api.sh file

Best regards, Adri

This question comes from the open-source project: wazuh/wazuh
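As an added example (not wazuh's own code and not part of this issue), the following Python module shows one way to implement the user-manager functions listed above while enforcing the two restrictions: the default users cannot be deleted, and no response ever carries password material. The in-memory store, the `PROTECTED_USERS` constant, the `check_password` helper, PBKDF2 as the hashing scheme and the extra `user_id` parameter on `update_user` are assumptions of this example; propagation across cluster nodes is out of scope here.

```python
"""Added example, not wazuh code: a user manager enforcing the issue's restrictions."""
import hashlib
import hmac
import os

# Assumption: the two default users named in the issue; they must never be deleted.
PROTECTED_USERS = frozenset({"wazuh", "wazuh-api"})


class UserManager:
    """In-memory stand-in for the users database (constructed for this example).

    Method names mirror the function list in the issue; each returns the same
    {"data": ...} envelope the issue shows for its endpoints.
    """

    def __init__(self, initial_passwords):
        self._users = {}  # username -> {"salt": bytes, "hash": bytes}
        for name, password in initial_passwords.items():
            self._store(name, password)

    @staticmethod
    def _derive(password, salt):
        # PBKDF2-HMAC-SHA256 (assumed scheme): the clear-text password is never kept.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _store(self, username, password):
        salt = os.urandom(16)  # fresh salt on every create/update
        self._users[username] = {"salt": salt, "hash": self._derive(password, salt)}

    def get_users(self, limit=None, search=None):
        names = sorted(self._users)
        if search:
            names = [n for n in names if search in n]
        if limit is not None:
            names = names[:limit]
        # Only the username is exposed; salt and hash never leave this class.
        return {"data": {"items": [{"username": n} for n in names],
                         "totalItems": len(names)}}

    def get_user_id(self, user_id):
        if user_id not in self._users:
            raise KeyError(f"user {user_id!r} not found")
        return {"data": {"items": [{"username": user_id}], "totalItems": 1}}

    def create_user(self, username, password):
        if not username or not password:
            raise ValueError("username and password are required")
        if username in self._users:
            raise ValueError(f"user {username!r} already exists")
        self._store(username, password)
        return {"data": {"message": "User created correctly"}}

    def update_user(self, user_id, password):
        # user_id is an assumed parameter: the issue's signature only lists password.
        if user_id not in self._users:
            raise KeyError(f"user {user_id!r} not found")
        if not password:
            raise ValueError("password is required")
        self._store(user_id, password)
        return {"data": {"message": "User updated correctly"}}

    def delete_user(self, username):
        # Restriction from the issue: default users are not deletable.
        if username in PROTECTED_USERS:
            raise PermissionError(f"{username!r} is a default user and cannot be deleted")
        if username not in self._users:
            raise KeyError(f"user {username!r} not found")
        del self._users[username]
        return {"data": {"message": "User deleted correctly"}}

    def check_password(self, username, password):
        """Assumed helper: constant-time verification of a login attempt."""
        record = self._users.get(username)
        if record is None:
            return False
        return hmac.compare_digest(self._derive(password, record["salt"]), record["hash"])


if __name__ == "__main__":
    manager = UserManager({"wazuh": "wazuh", "wazuh-api": "wazuh-api"})
    manager.create_user("new", "newpass")
    print(manager.get_users())
    try:
        manager.delete_user("wazuh")
    except PermissionError as exc:
        print("refused:", exc)
```

The listing endpoints build their response from usernames only, so the "password must not appear" rule is enforced by construction rather than by filtering a record after the fact; the delete check runs before the existence check so the protected names are refused regardless of state.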


7 replies

  • weixin_39636226 2020-11-29 17:46

    Status update

    The endpoint has been implemented for user creation, with a distributed call:

    ```bash
    root:/# curl -u wazuh:wazuh -X POST -H "Content-Type":"application/json" -d '{"username":"new","password":"newpass"}' "http://localhost:55000/security/new_user?username=aaad&password=a"
    {
      "data": {
        "message": "User created correctly"
      }
    }
    ```

    It remains to be determined what solution we are going to implement.

