From 10d513a6d599a4b36ff998466bc8b9647ead965b Mon Sep 17 00:00:00 2001
From: Itay Mizeretz
Date: Wed, 6 Feb 2019 14:28:27 +0200
Subject: [PATCH] Before performing AWS functions, verify credentials
---
 monkey/common/cloud/aws_service.py | 9 +++++++++
 monkey/monkey_island/cc/resources/remote_run.py | 16 +++++++++++-----
 .../monkey_island/cc/services/remote_run_aws.py | 11 +++++++++--
 3 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/monkey/common/cloud/aws_service.py b/monkey/common/cloud/aws_service.py
index 351c032f5..6479721c8 100644
--- a/monkey/common/cloud/aws_service.py
+++ b/monkey/common/cloud/aws_service.py
@@ -1,4 +1,5 @@
 import boto3
+from botocore.exceptions import ClientError
 __author__ = 'itay.mizeretz'
@@ -39,6 +40,14 @@ class AwsService(object):
 def get_regions():
 return AwsService.get_session().get_available_regions('ssm')
+ @staticmethod
+ def test_client():
+ try:
+ AwsService.get_client('ssm').describe_instance_information()
+ return True
+ except ClientError:
+ return False
+
 @staticmethod
 def get_instances():
 return \
diff --git a/monkey/monkey_island/cc/resources/remote_run.py b/monkey/monkey_island/cc/resources/remote_run.py
index 08a3cb157..5484d23d2 100644
--- a/monkey/monkey_island/cc/resources/remote_run.py
+++ b/monkey/monkey_island/cc/resources/remote_run.py
@@ -15,7 +15,6 @@ class RemoteRun(flask_restful.Resource):
 def run_aws_monkeys(self, request_body):
 instances = request_body.get('instances')
 island_ip = request_body.get('island_ip')
- RemoteRunAwsService.update_aws_auth_params()
 return RemoteRunAwsService.run_aws_monkeys(instances, island_ip)
 @jwt_required()
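Review bot: `test_client()` in aws_service.py treats only `ClientError` as a failed check, so botocore errors raised before any response arrives, such as `NoCredentialsError` or `EndpointConnectionError`, would propagate out of the probe instead of yielding False, because they derive from `BotoCoreError` rather than `ClientError`. Catching both, `except (ClientError, BotoCoreError):` with `BotoCoreError` added to the import in the first hunk, keeps the boolean contract the callers rely on. The probe also reports an IAM denial on the SSM call or a throttled request as "not authenticated", so a short docstring stating that True means the keys were accepted and the SSM listing was permitted would make the meaning explicit. Logging the error code on the False path (never the key material) would let an operator tell these cases apart.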
@@ -25,8 +24,10 @@ class RemoteRun(flask_restful.Resource):
 is_aws = RemoteRunAwsService.is_running_on_aws()
 resp = {'is_aws': is_aws}
 if is_aws:
- RemoteRunAwsService.update_aws_auth_params()
- resp['instances'] = AwsService.get_instances()
+ is_auth = RemoteRunAwsService.update_aws_auth_params()
+ resp['auth'] = is_auth
+ if is_auth:
+ resp['instances'] = AwsService.get_instances()
 return jsonify(resp)
 return {}
@@ -34,9 +35,14 @@ class RemoteRun(flask_restful.Resource):
 @jwt_required()
 def post(self):
 body = json.loads(request.data)
+ resp = {}
 if body.get('type') == 'aws':
- result = self.run_aws_monkeys(body)
- return jsonify({'result': result})
+ is_auth = RemoteRunAwsService.update_aws_auth_params()
+ resp['auth'] = is_auth
+ if is_auth:
+ result = self.run_aws_monkeys(body)
+ resp['result'] = result
+ return jsonify(resp)
 # default action
 return make_response({'error': 'Invalid action'}, 500)
diff --git a/monkey/monkey_island/cc/services/remote_run_aws.py b/monkey/monkey_island/cc/services/remote_run_aws.py
index 560245556..0310cd9f9 100644
--- a/monkey/monkey_island/cc/services/remote_run_aws.py
+++ b/monkey/monkey_island/cc/services/remote_run_aws.py
@@ -10,6 +10,7 @@ __author__ = "itay.mizeretz"
 class RemoteRunAwsService:
 aws_instance = None
+ is_auth = False
 def __init__(self):
 pass
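Review bot: Both handlers in remote_run.py handle a failed credential check silently: `get` omits `instances` and `post` omits `result` when `update_aws_auth_params()` returns False, and neither path writes a log entry. In `post` the reply then appears to be a default 200 carrying only `{'auth': false}` (the indentation is lost in this view, so the exact branch of `return jsonify(resp)` is inferred), which a client reading only `result` cannot distinguish from a run that did nothing. A comment on each handler such as `# 'result' is present only when 'auth' is True` documents the response contract, and a warning log on the False branch, without the key values, gives operators a trace of rejected credentials. Whether `post` should answer with a non-2xx status in that case is worth deciding explicitly rather than leaving to the default.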
@@ -48,13 +49,19 @@ class RemoteRunAwsService:
 def update_aws_auth_params():
 """
 Updates the AWS authentication parameters according to config
- :return: None
+ :return: True if new params allow successful authentication. False otherwise
 """
 access_key_id = ConfigService.get_config_value(['cnc', 'aws_config', 'aws_access_key_id'], False, True)
 secret_access_key = ConfigService.get_config_value(['cnc', 'aws_config', 'aws_secret_access_key'], False, True)
- AwsService.set_auth_params(access_key_id, secret_access_key)
+
+ if (access_key_id != AwsService.access_key_id) or (secret_access_key != AwsService.secret_access_key):
+ AwsService.set_auth_params(access_key_id, secret_access_key)
+ RemoteRunAwsService.is_auth = AwsService.test_client()
+
 AwsService.set_region(RemoteRunAwsService.aws_instance.region)
+ return RemoteRunAwsService.is_auth
+
 @staticmethod
 def get_bitness(instances):
 """
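Review bot: The cached `is_auth` in `update_aws_auth_params()` is refreshed only when the configured key pair differs from the one stored on `AwsService`, so the verdict can go stale in both directions. A key that is later revoked or de-scoped in IAM keeps returning True, and a first probe that failed for a transient reason keeps returning False until someone edits the keys. Adding `or not RemoteRunAwsService.is_auth` to the condition retries after a negative result; the revoked-key case needs a re-test before each run or on a timer. The probe also runs before `AwsService.set_region(...)`; if `get_client` takes its region from that setting, which this hunk does not show, the first check would run without a region, so moving the `set_region` call above the `if` is worth confirming.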