From ca98168da1f8b08ee0d3eb16d8909ef50ff0454b Mon Sep 17 00:00:00 2001
From: Antoine Cotten <hello@acotten.com>
Date: Fri, 11 Feb 2022 19:06:13 +0100
Subject: [PATCH] Quote passwords to prevent interpreting leading special chars

Closes #667
---
 .github/workflows/ci.yml                           | 14 ++++++--------
 docker-compose.yml                                 |  6 +++---
 extensions/apm-server/config/apm-server.yml        |  2 +-
 extensions/curator/config/curator.yml              |  2 +-
 .../enterprise-search/config/enterprise-search.yml |  2 +-
 .../enterprise-search-compose.yml                  |  2 +-
 extensions/filebeat/config/filebeat.yml            |  2 +-
 extensions/metricbeat/config/metricbeat.yml        |  2 +-
 kibana/config/kibana.yml                           |  2 +-
 9 files changed, 16 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8c42731..8c5d5d0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -65,13 +65,12 @@ jobs:
 
           # Change password of 'elastic' user from 'changeme' to 'testpasswd' in config files
 
-          sed -i -e 's/\(xpack.monitoring.elasticsearch.username:\) elastic/\1 logstash_system/g' -e 's/\(xpack.monitoring.elasticsearch.password:\) changeme/\1 testpasswd/g' logstash/config/logstash.yml
           sed -i 's/\(password =>\) "changeme"/\1 "testpasswd"/g' logstash/pipeline/logstash.conf
-          sed -i 's/\(elasticsearch.password:\) changeme/\1 testpasswd/g' kibana/config/kibana.yml
-          sed -i -e 's/\(elasticsearch.password:\) changeme/\1 testpasswd/g' -e 's/\(secret_management.encryption_keys:\)/\1 [test-encrypt]/g' extensions/enterprise-search/config/enterprise-search.yml
-          sed -i 's/\(password:\) changeme/\1 testpasswd/g' extensions/apm-server/config/apm-server.yml
-          sed -i 's/\(password:\) changeme/\1 testpasswd/g' extensions/metricbeat/config/metricbeat.yml
-          sed -i 's/\(password:\) changeme/\1 testpasswd/g' extensions/filebeat/config/filebeat.yml
+          sed -i 's/\(elasticsearch.password:\) '\''changeme'\''/\1 testpasswd/g' kibana/config/kibana.yml
+          sed -i -e 's/\(elasticsearch.password:\) '\''changeme'\''/\1 testpasswd/g' -e 's/\(secret_management.encryption_keys:\)/\1 [test-encrypt]/g' extensions/enterprise-search/config/enterprise-search.yml
+          sed -i 's/\(password:\) '\''changeme'\''/\1 testpasswd/g' extensions/apm-server/config/apm-server.yml
+          sed -i 's/\(password:\) '\''changeme'\''/\1 testpasswd/g' extensions/metricbeat/config/metricbeat.yml
+          sed -i 's/\(password:\) '\''changeme'\''/\1 testpasswd/g' extensions/filebeat/config/filebeat.yml
 
           # Run Elasticsearch and wait for its availability
 
@@ -286,9 +285,8 @@ jobs:
 
           # Change password of 'elastic' user from 'changeme' to 'testpasswd' in config files
 
-          sed -i -e 's/\(xpack.monitoring.elasticsearch.username:\) elastic/\1 logstash_system/g' -e 's/\(xpack.monitoring.elasticsearch.password:\) changeme/\1 testpasswd/g' logstash/config/logstash.yml
           sed -i 's/\(password =>\) "changeme"/\1 "testpasswd"/g' logstash/pipeline/logstash.conf
-          sed -i 's/\(elasticsearch.password:\) changeme/\1 testpasswd/g' kibana/config/kibana.yml
+          sed -i 's/\(elasticsearch.password:\) '\''changeme'\''/\1 testpasswd/g' kibana/config/kibana.yml
 
           # Run Elasticsearch and wait for its availability
 
diff --git a/docker-compose.yml b/docker-compose.yml
index c7429e5..91dc17d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,8 +13,8 @@ services:
       - "9200:9200"
       - "9300:9300"
     environment:
-      ES_JAVA_OPTS: "-Xmx256m -Xms256m"
-      ELASTIC_PASSWORD: changeme
+      ES_JAVA_OPTS: -Xmx256m -Xms256m
+      ELASTIC_PASSWORD: 'changeme'
       # Use single node discovery in order to disable production mode and avoid bootstrap checks.
       # see: https://www.elastic.co/guide/en/elasticsearch/reference/current/bootstrap-checks.html
       discovery.type: single-node
@@ -35,7 +35,7 @@ services:
       - "5000:5000/udp"
       - "9600:9600"
     environment:
-      LS_JAVA_OPTS: "-Xmx256m -Xms256m"
+      LS_JAVA_OPTS: -Xmx256m -Xms256m
     networks:
       - elk
     depends_on:
diff --git a/extensions/apm-server/config/apm-server.yml b/extensions/apm-server/config/apm-server.yml
index 493a49e..e78ea7d 100644
--- a/extensions/apm-server/config/apm-server.yml
+++ b/extensions/apm-server/config/apm-server.yml
@@ -5,4 +5,4 @@ output:
   elasticsearch:
     hosts: ['http://elasticsearch:9200']
     username: elastic
-    password: changeme
+    password: 'changeme'
diff --git a/extensions/curator/config/curator.yml b/extensions/curator/config/curator.yml
index 8b06971..f4cf8de 100644
--- a/extensions/curator/config/curator.yml
+++ b/extensions/curator/config/curator.yml
@@ -5,7 +5,7 @@ client:
   hosts:
     - elasticsearch
   port: 9200
-  http_auth: elastic:changeme
+  http_auth: 'elastic:changeme'
 
 logging:
   loglevel: INFO
diff --git a/extensions/enterprise-search/config/enterprise-search.yml b/extensions/enterprise-search/config/enterprise-search.yml
index eb94457..49947c4 100644
--- a/extensions/enterprise-search/config/enterprise-search.yml
+++ b/extensions/enterprise-search/config/enterprise-search.yml
@@ -22,7 +22,7 @@ kibana.host: http://localhost:5601
 # Elasticsearch URL and credentials
 elasticsearch.host: http://elasticsearch:9200
 elasticsearch.username: elastic
-elasticsearch.password: changeme
+elasticsearch.password: 'changeme'
 
 # Allow Enterprise Search to modify Elasticsearch settings. Used to enable auto-creation of Elasticsearch indexes.
 allow_es_settings_modification: true
diff --git a/extensions/enterprise-search/enterprise-search-compose.yml b/extensions/enterprise-search/enterprise-search-compose.yml
index cd58caa..dd57424 100644
--- a/extensions/enterprise-search/enterprise-search-compose.yml
+++ b/extensions/enterprise-search/enterprise-search-compose.yml
@@ -13,7 +13,7 @@ services:
         read_only: true
     environment:
       JAVA_OPTS: -Xmx2g -Xms2g
-      ENT_SEARCH_DEFAULT_PASSWORD: changeme
+      ENT_SEARCH_DEFAULT_PASSWORD: 'changeme'
     ports:
       - '3002:3002'
     networks:
diff --git a/extensions/filebeat/config/filebeat.yml b/extensions/filebeat/config/filebeat.yml
index 347d070..18cf5f6 100644
--- a/extensions/filebeat/config/filebeat.yml
+++ b/extensions/filebeat/config/filebeat.yml
@@ -20,7 +20,7 @@ processors:
 output.elasticsearch:
   hosts: ['http://elasticsearch:9200']
   username: elastic
-  password: changeme
+  password: 'changeme'
 
 ## HTTP endpoint for health checking
 ## https://www.elastic.co/guide/en/beats/filebeat/current/http-endpoint.html
diff --git a/extensions/metricbeat/config/metricbeat.yml b/extensions/metricbeat/config/metricbeat.yml
index eac94d6..3294035 100644
--- a/extensions/metricbeat/config/metricbeat.yml
+++ b/extensions/metricbeat/config/metricbeat.yml
@@ -34,7 +34,7 @@ processors:
 output.elasticsearch:
   hosts: ['http://elasticsearch:9200']
   username: elastic
-  password: changeme
+  password: 'changeme'
 
 ## HTTP endpoint for health checking
 ## https://www.elastic.co/guide/en/beats/metricbeat/current/http-endpoint.html
diff --git a/kibana/config/kibana.yml b/kibana/config/kibana.yml
index 456b3f7..9025104 100644
--- a/kibana/config/kibana.yml
+++ b/kibana/config/kibana.yml
@@ -10,4 +10,4 @@ monitoring.ui.container.elasticsearch.enabled: true
 ## X-Pack security credentials
 #
 elasticsearch.username: kibana_system
-elasticsearch.password: changeme
+elasticsearch.password: 'changeme'