Support the usage of special character in passwords

molecule/elasticsearch_default/converge.yml

@@ -13,6 +13,10 @@
     elasticstack_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}"
     elasticsearch_heap: "1"
     elasticstack_no_log: false
+    # Passwords with arbitrary special characters (space, single quote, $, backtick) to test
+    # that they reach the keystore (stdin) and certutil/openssl (argv) without mangling.
+    elasticsearch_bootstrap_pw: "Bp'$pa ss`5"
+    elasticsearch_tls_key_passphrase: "Es'$ke y`6"
   tasks:
     - name: Include Elastics repos role
       ansible.builtin.include_role:

molecule/elasticstack_default/converge.yml

@@ -17,6 +17,14 @@
     elasticsearch_heap: "1"
     elasticstack_full_stack: true
     elasticstack_no_log: false
+    # Passphrases with arbitrary special characters (space, single quote, $, backtick) to test
+    # that they reach certutil/openssl/keystore without shell or shlex mangling. ca_pass and
+    # cert_pass are global (cert_pass feeds elasticsearch + kibana); logstash and beats have
+    # their own passphrase variables.
+    elasticstack_ca_pass: "Ca'$pa ss`1"
+    elasticstack_cert_pass: "Es'$ce rt`2"
+    logstash_tls_key_passphrase: "Ls'$pa ss`3"
+    beats_tls_key_passphrase: "Be'$pa ss`4"
     logstash_pipeline_unsafe_shutdown: true
     logstash_redis_password: "{{ lookup('ansible.builtin.password', '/tmp/redispassword', chars=['ascii_letters'], length=15) }}"
     redis_requirepass: "{{ logstash_redis_password }}"

roles/beats/tasks/beats-security.yml

@@ -121,21 +121,32 @@
     - renew_ca
     - renew_beats_cert
 
+# argv (a list) instead of a folded string: avoids shlex.split() so passphrases with
+# arbitrary special characters (spaces, quotes, $, `, ...) are passed literally.
 - name: Create individual certificates for Beats
-  ansible.builtin.command: >
-    /usr/share/elasticsearch/bin/elasticsearch-certutil cert
-    --days {{ beats_cert_validity_period }}
-    --ca {{ elasticstack_ca_dir }}/elastic-stack-ca.p12
-    --ca-pass {{ elasticstack_ca_pass }}
-    --name {{ ansible_hostname }}
-    --ip {{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}
-    --dns {{ ansible_hostname }},{{ ansible_fqdn }},{{ inventory_hostname }}
-    --pass {{ beats_tls_key_passphrase }}
-    --pem
-    --out {{ elasticstack_ca_dir }}/{{ ansible_hostname }}-beats.zip
-  delegate_to: "{{ elasticstack_ca_host }}"
-  args:
+  ansible.builtin.command:
+    argv:
+      - /usr/share/elasticsearch/bin/elasticsearch-certutil
+      - cert
+      - --days
+      - "{{ beats_cert_validity_period }}"
+      - --ca
+      - "{{ elasticstack_ca_dir }}/elastic-stack-ca.p12"
+      - --ca-pass
+      - "{{ elasticstack_ca_pass }}"
+      - --name
+      - "{{ ansible_hostname }}"
+      - --ip
+      - "{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
+      - --dns
+      - "{{ ansible_hostname }},{{ ansible_fqdn }},{{ inventory_hostname }}"
+      - --pass
+      - "{{ beats_tls_key_passphrase }}"
+      - --pem
+      - --out
+      - "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-beats.zip"
     creates: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-beats.zip"
+  delegate_to: "{{ elasticstack_ca_host }}"
   tags:
     - certificates
     - renew_ca

roles/elasticsearch/tasks/elasticsearch-keystore.yml

@@ -10,24 +10,27 @@
   changed_when: false
   register: elasticsearch_keystore
 
-- name: Set bootstrap password # noqa: risky-shell-pipe
-  ansible.builtin.shell: >
-    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
-    echo "{{ elasticsearch_bootstrap_pw }}" |
-    /usr/share/elasticsearch/bin/elasticsearch-keystore
-    add -x 'bootstrap.password'
+- name: Set bootstrap password
+  ansible.builtin.command:
+    argv:
+      - /usr/share/elasticsearch/bin/elasticsearch-keystore
+      - add
+      - -x
+      - bootstrap.password
+    stdin: "{{ elasticsearch_bootstrap_pw }}"
   when: "'bootstrap.password' not in elasticsearch_keystore.stdout_lines"
   changed_when: false
   no_log: true
   notify:
     - Restart Elasticsearch
   ignore_errors: "{{ ansible_check_mode }}"
 
-- name: Get xpack.security.http.ssl.keystore.secure_password # noqa: risky-shell-pipe
-  ansible.builtin.shell: >
-    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
-    /usr/share/elasticsearch/bin/elasticsearch-keystore
-    show 'xpack.security.http.ssl.keystore.secure_password'
+- name: Get xpack.security.http.ssl.keystore.secure_password
+  ansible.builtin.command:
+    argv:
+      - /usr/share/elasticsearch/bin/elasticsearch-keystore
+      - show
+      - xpack.security.http.ssl.keystore.secure_password
   when:
     - "'xpack.security.http.ssl.keystore.secure_password' in elasticsearch_keystore.stdout_lines"
     - elasticsearch_http_security
@@ -36,12 +39,15 @@
   no_log: true
   changed_when: false
 
-- name: Set xpack.security.http.ssl.keystore.secure_password # noqa: risky-shell-pipe
-  ansible.builtin.shell: >
-    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
-    echo "{{ elasticsearch_tls_key_passphrase }}" |
-    /usr/share/elasticsearch/bin/elasticsearch-keystore
-    add -f -x 'xpack.security.http.ssl.keystore.secure_password'
+- name: Set xpack.security.http.ssl.keystore.secure_password
+  ansible.builtin.command:
+    argv:
+      - /usr/share/elasticsearch/bin/elasticsearch-keystore
+      - add
+      - -f
+      - -x
+      - xpack.security.http.ssl.keystore.secure_password
+    stdin: "{{ elasticsearch_tls_key_passphrase }}"
   changed_when: false
   no_log: true
   when:
@@ -50,11 +56,12 @@
   notify:
     - Restart Elasticsearch
 
-- name: Remove xpack.security.http.ssl.keystore.secure_password # noqa: risky-shell-pipe
-  ansible.builtin.shell: >
-    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
-    /usr/share/elasticsearch/bin/elasticsearch-keystore
-    remove 'xpack.security.http.ssl.keystore.secure_password'
+- name: Remove xpack.security.http.ssl.keystore.secure_password
+  ansible.builtin.command:
+    argv:
+      - /usr/share/elasticsearch/bin/elasticsearch-keystore
+      - remove
+      - xpack.security.http.ssl.keystore.secure_password
   changed_when: false
   no_log: true
   when:
@@ -63,11 +70,12 @@
   notify:
     - Restart Elasticsearch
 
-- name: Get xpack.security.http.ssl.truststore.secure_password # noqa: risky-shell-pipe
-  ansible.builtin.shell: >
-    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
-    /usr/share/elasticsearch/bin/elasticsearch-keystore
-    show 'xpack.security.http.ssl.truststore.secure_password'
+- name: Get xpack.security.http.ssl.truststore.secure_password
+  ansible.builtin.command:
+    argv:
+      - /usr/share/elasticsearch/bin/elasticsearch-keystore
+      - show
+      - xpack.security.http.ssl.truststore.secure_password
   when:
     - "'xpack.security.http.ssl.truststore.secure_password' in elasticsearch_keystore.stdout_lines"
     - elasticsearch_http_security
@@ -76,12 +84,15 @@
   no_log: true
   changed_when: false
 
-- name: Set xpack.security.http.ssl.truststore.secure_password # noqa: risky-shell-pipe
-  ansible.builtin.shell: >
-    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
-    echo "{{ elasticsearch_tls_key_passphrase }}" |
-    /usr/share/elasticsearch/bin/elasticsearch-keystore
-    add -f -x 'xpack.security.http.ssl.truststore.secure_password'
+- name: Set xpack.security.http.ssl.truststore.secure_password
+  ansible.builtin.command:
+    argv:
+      - /usr/share/elasticsearch/bin/elasticsearch-keystore
+      - add
+      - -f
+      - -x
+      - xpack.security.http.ssl.truststore.secure_password
+    stdin: "{{ elasticsearch_tls_key_passphrase }}"
   changed_when: false
   no_log: true
   when:
@@ -90,11 +101,12 @@
   notify:
     - Restart Elasticsearch
 
-- name: Remove xpack.security.http.ssl.truststore.secure_password # noqa: risky-shell-pipe
-  ansible.builtin.shell: >
-    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
-    /usr/share/elasticsearch/bin/elasticsearch-keystore
-    remove 'xpack.security.http.ssl.truststore.secure_password'
+- name: Remove xpack.security.http.ssl.truststore.secure_password
+  ansible.builtin.command:
+    argv:
+      - /usr/share/elasticsearch/bin/elasticsearch-keystore
+      - remove
+      - xpack.security.http.ssl.truststore.secure_password
   changed_when: false
   no_log: true
   when:
@@ -103,11 +115,12 @@
   notify:
     - Restart Elasticsearch
 
-- name: Get xpack.security.transport.ssl.keystore.secure_password # noqa: risky-shell-pipe
-  ansible.builtin.shell: >
-    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
-    /usr/share/elasticsearch/bin/elasticsearch-keystore
-    show 'xpack.security.transport.ssl.keystore.secure_password'
+- name: Get xpack.security.transport.ssl.keystore.secure_password
+  ansible.builtin.command:
+    argv:
+      - /usr/share/elasticsearch/bin/elasticsearch-keystore
+      - show
+      - xpack.security.transport.ssl.keystore.secure_password
   when:
     - "'xpack.security.transport.ssl.keystore.secure_password' in elasticsearch_keystore.stdout_lines"
     - elasticsearch_security
@@ -116,12 +129,15 @@
   no_log: true
   changed_when: false
 
-- name: Set xpack.security.transport.ssl.keystore.secure_password # noqa: risky-shell-pipe
-  ansible.builtin.shell: >
-    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
-    echo "{{ elasticsearch_tls_key_passphrase }}" |
-    /usr/share/elasticsearch/bin/elasticsearch-keystore
-    add -f -x 'xpack.security.transport.ssl.keystore.secure_password'
+- name: Set xpack.security.transport.ssl.keystore.secure_password
+  ansible.builtin.command:
+    argv:
+      - /usr/share/elasticsearch/bin/elasticsearch-keystore
+      - add
+      - -f
+      - -x
+      - xpack.security.transport.ssl.keystore.secure_password
+    stdin: "{{ elasticsearch_tls_key_passphrase }}"
   changed_when: false
   no_log: true
   when:
@@ -130,11 +146,12 @@
   notify:
     - Restart Elasticsearch
 
-- name: Remove xpack.security.transport.ssl.keystore.secure_password # noqa: risky-shell-pipe
-  ansible.builtin.shell: >
-    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
-    /usr/share/elasticsearch/bin/elasticsearch-keystore
-    remove 'xpack.security.transport.ssl.keystore.secure_password'
+- name: Remove xpack.security.transport.ssl.keystore.secure_password
+  ansible.builtin.command:
+    argv:
+      - /usr/share/elasticsearch/bin/elasticsearch-keystore
+      - remove
+      - xpack.security.transport.ssl.keystore.secure_password
   changed_when: false
   no_log: true
   when:
@@ -143,11 +160,12 @@
   notify:
     - Restart Elasticsearch
 
-- name: Get xpack.security.transport.ssl.truststore.secure_password # noqa: risky-shell-pipe
-  ansible.builtin.shell: >
-    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
-    /usr/share/elasticsearch/bin/elasticsearch-keystore
-    show 'xpack.security.transport.ssl.truststore.secure_password'
+- name: Get xpack.security.transport.ssl.truststore.secure_password
+  ansible.builtin.command:
+    argv:
+      - /usr/share/elasticsearch/bin/elasticsearch-keystore
+      - show
+      - xpack.security.transport.ssl.truststore.secure_password
   when:
     - "'xpack.security.transport.ssl.truststore.secure_password' in elasticsearch_keystore.stdout_lines"
     - elasticsearch_security
@@ -156,12 +174,15 @@
   no_log: true
   changed_when: false
 
-- name: Set xpack.security.transport.ssl.truststore.secure_password # noqa: risky-shell-pipe
-  ansible.builtin.shell: >
-    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
-    echo "{{ elasticsearch_tls_key_passphrase }}" |
-    /usr/share/elasticsearch/bin/elasticsearch-keystore
-    add -f -x 'xpack.security.transport.ssl.truststore.secure_password'
+- name: Set xpack.security.transport.ssl.truststore.secure_password
+  ansible.builtin.command:
+    argv:
+      - /usr/share/elasticsearch/bin/elasticsearch-keystore
+      - add
+      - -f
+      - -x
+      - xpack.security.transport.ssl.truststore.secure_password
+    stdin: "{{ elasticsearch_tls_key_passphrase }}"
   changed_when: false
   no_log: true
   when:
@@ -170,11 +191,12 @@
   notify:
     - Restart Elasticsearch
 
-- name: Remove xpack.security.transport.ssl.truststore.secure_password # noqa: risky-shell-pipe
-  ansible.builtin.shell: >
-    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
-    /usr/share/elasticsearch/bin/elasticsearch-keystore
-    remove 'xpack.security.transport.ssl.truststore.secure_password'
+- name: Remove xpack.security.transport.ssl.truststore.secure_password
+  ansible.builtin.command:
+    argv:
+      - /usr/share/elasticsearch/bin/elasticsearch-keystore
+      - remove
+      - xpack.security.transport.ssl.truststore.secure_password
   changed_when: false
   no_log: true
   when: