Reset elastic password cli tool

docs/reference/commands/index.asciidoc

@@ -12,6 +12,7 @@ tasks from the command line:
 * <<elasticsearch-croneval>>
 * <<elasticsearch-keystore>>
 * <<node-tool>>
+* <<reset-elastic-password>>
 * <<saml-metadata>>
 * <<setup-passwords>>
 * <<shard-tool>>
@@ -25,6 +26,7 @@ include::certutil.asciidoc[]
 include::croneval.asciidoc[]
 include::keystore.asciidoc[]
 include::node-tool.asciidoc[]
+include::reset-elastic-password.asciidoc[]
 include::saml-metadata.asciidoc[]
 include::service-tokens-command.asciidoc[]
 include::setup-passwords.asciidoc[]

docs/reference/commands/reset-elastic-password.asciidoc

@@ -0,0 +1,57 @@
+[roles="xpack"]
+[[reset-elastic-password]]
+== elasticsearch-reset-elastic-password
+
+The `elasticsearch-reset-elastic-password` command resets the password for the
+`elastic` <<built-in-users,built-in superuser>>.
+
+[discrete]
+=== Synopsis
+
+[source,shell]
+----
+bin/elasticsearch-reset-elastic-password
+[-a, --auto] [-b, --batch] [-h, --help]
+[-E <KeyValuePair] [-i, --interactive]
+----
+
+[discrete]
+=== Description
+
+This command resets the password of the `elastic` superuser. By default, a
+strong password is generated for you. If you wish to choose the password, you
+can run the tool in interactive mode with `-i`, where you will be prompted to
+enter the desired password. It uses a temporary superuser in the
+<<file-realm, file realm>> that is automatically generated and then removed,
+in order to submit the request to change the `elastic` user password.
+
+This command uses an HTTP connection to connect to the cluster and run the user
+management requests. The command automatically attempts to establish the connection
+over HTTPS by using the `xpack.security.http.ssl` settings in
+the `elasticsearch.yml` file. If you do not use the default config directory
+location, ensure that the *ES_PATH_CONF* environment variable returns the
+correct path before you run the `elasticsearch-create-enrollment-token` command. You can
+override settings in your `elasticsearch.yml` file by using the `-E` command
+option. For more information about debugging connection failures, see
+<<trb-security-setup>>.
+
+[discrete]
+[[reset-elastic-password-parameters]]
+=== Parameters
+
+`-a, --auto`:: Reset the password of `elastic` to an auto-generated strong password. (Default)
+
+`-b, --batch`:: If enabled, runs the reset password process without prompting the user for verification.
+
+`-i, --interactive`:: When specified, the tool prompts the user for the password of the `elastic` user.
+
+[discrete]
+=== Examples
+
+The following example resets the password of the `elastic` user to an auto-generated value and
+prints the new password in the console.
+
+[source,shell]
+----
+bin/elasticsearch-reset-elastic-password
+----

x-pack/plugin/security/src/main/bin/elasticsearch-create-enrollment-token

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+ES_MAIN_CLASS=org.elasticsearch.xpack.security.enrollment.tool.CreateEnrollmentTokenTool \
+  ES_ADDITIONAL_SOURCES="x-pack-env;x-pack-security-env" \
+  "`dirname "$0"`"/elasticsearch-cli \
+  "$@"

x-pack/plugin/security/src/main/bin/elasticsearch-reset-elastic-password

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+ES_MAIN_CLASS=org.elasticsearch.xpack.security.tool.ResetElasticPasswordTool \
+  ES_ADDITIONAL_SOURCES="x-pack-env;x-pack-security-env" \
+  "`dirname "$0"`"/elasticsearch-cli \
+  "$@"

x-pack/plugin/security/src/main/bin/elasticsearch-reset-elastic-password.bat

@@ -0,0 +1,21 @@
+@echo off
+
+rem Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+rem or more contributor license agreements. Licensed under the Elastic License
+rem 2.0; you may not use this file except in compliance with the Elastic License
+rem 2.0.
+
+setlocal enabledelayedexpansion
+setlocal enableextensions
+
+set ES_MAIN_CLASS=org.elasticsearch.xpack.security.tool.ResetElasticPasswordTool
+set ES_ADDITIONAL_SOURCES=x-pack-env;x-pack-security-env
+set ES_ADDITIONAL_CLASSPATH_DIRECTORIES=lib/tools/security-cli
+call "%~dp0elasticsearch-cli.bat" ^
+  %%* ^
+  || goto exit
+
+endlocal
+endlocal
+:exit
+exit /b %ERRORLEVEL%

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/enrollment/tool/CreateEnrollmentTokenTool.java

@@ -0,0 +1,89 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.enrollment.tool;
+
+import joptsimple.OptionSet;
+import joptsimple.OptionSpec;
+
+import org.elasticsearch.cli.ExitCodes;
+import org.elasticsearch.cli.Terminal;
+import org.elasticsearch.cli.UserException;
+import org.elasticsearch.common.settings.KeyStoreWrapper;
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.core.CheckedFunction;
+import org.elasticsearch.env.Environment;
+import org.elasticsearch.xpack.core.XPackSettings;
+import org.elasticsearch.xpack.security.enrollment.CreateEnrollmentToken;
+import org.elasticsearch.xpack.security.tool.BaseRunAsSuperuserCommand;
+import org.elasticsearch.xpack.security.tool.CommandLineHttpClient;
+
+import java.util.List;
+import java.util.function.Function;
+
+public class CreateEnrollmentTokenTool extends BaseRunAsSuperuserCommand {
+
+    private final OptionSpec<String> scope;
+    private final CheckedFunction<Environment, CreateEnrollmentToken, Exception> createEnrollmentTokenFunction;
+    static final List<String> ALLOWED_SCOPES = List.of("node", "kibana");
+
+    CreateEnrollmentTokenTool() {
+        this(
+            environment -> new CommandLineHttpClient(environment),
+            environment -> KeyStoreWrapper.load(environment.configFile()),
+            environment -> new CreateEnrollmentToken(environment)
+        );
+    }
+
+    CreateEnrollmentTokenTool(
+        Function<Environment, CommandLineHttpClient> clientFunction,
+        CheckedFunction<Environment, KeyStoreWrapper, Exception> keyStoreFunction,
+        CheckedFunction<Environment, CreateEnrollmentToken, Exception> createEnrollmentTokenFunction
+    ) {
+        super(clientFunction, keyStoreFunction, "Creates enrollment tokens for elasticsearch nodes and kibana instances");
+        this.createEnrollmentTokenFunction = createEnrollmentTokenFunction;
+        scope = parser.acceptsAll(List.of("scope", "s"), "The scope of this enrollment token, can be either \"node\" or \"kibana\"")
+            .withRequiredArg()
+            .required();
+    }
+
+    public static void main(String[] args) throws Exception {
+        exit(new CreateEnrollmentTokenTool().main(args, Terminal.DEFAULT));
+    }
+
+    @Override
+    protected void validate(Terminal terminal, OptionSet options, Environment env) throws Exception {
+        if (XPackSettings.ENROLLMENT_ENABLED.get(env.settings()) == false) {
+            throw new UserException(
+                ExitCodes.CONFIG,
+                "[xpack.security.enrollment.enabled] must be set to `true` to create an enrollment token"
+            );
+        }
+        final String tokenScope = scope.value(options);
+        if (ALLOWED_SCOPES.contains(tokenScope) == false) {
+            terminal.errorPrintln("The scope of this enrollment token, can only be one of " + ALLOWED_SCOPES);
+            throw new UserException(ExitCodes.USAGE, "Invalid scope");
+        }
+    }
+
+    @Override
+    protected void executeCommand(Terminal terminal, OptionSet options, Environment env) throws Exception {
+        final String username = getUsername();
+        final String tokenScope = scope.value(options);
+        try (SecureString password = getPassword()) {
+            CreateEnrollmentToken createEnrollmentTokenService = createEnrollmentTokenFunction.apply(env);
+            if (tokenScope.equals("node")) {
+                terminal.println(createEnrollmentTokenService.createNodeEnrollmentToken(username, password));
+            } else {
+                terminal.println(createEnrollmentTokenService.createKibanaEnrollmentToken(username, password));
+            }
+        } catch (Exception e) {
+            terminal.errorPrintln("Unable to create enrollment token for scope [" + tokenScope + "]");
+            throw new UserException(ExitCodes.CANT_CREATE, e.getMessage(), e.getCause());
+        }
+    }
+}