Before performing AWS functions, verify credentials

2019-02-06 14:28:27 +02:00 · 2019-02-06 14:28:27 +02:00 · 10d513a6d5
parent acc1c5207d
commit 10d513a6d5
3 changed files with 29 additions and 7 deletions
--- a/monkey/common/cloud/aws_service.py
+++ b/monkey/common/cloud/aws_service.py
@ -1,4 +1,5 @@
 import boto3
+from botocore.exceptions import ClientError

 __author__ = 'itay.mizeretz'

@ -39,6 +40,14 @@ class AwsService(object):
    def get_regions():
        return AwsService.get_session().get_available_regions('ssm')

+    @staticmethod
+    def test_client():
+        try:
+            AwsService.get_client('ssm').describe_instance_information()
+            return True
+        except ClientError:
+            return False
+
    @staticmethod
    def get_instances():
        return \
--- a/monkey/monkey_island/cc/resources/remote_run.py
+++ b/monkey/monkey_island/cc/resources/remote_run.py
@ -15,7 +15,6 @@ class RemoteRun(flask_restful.Resource):
    def run_aws_monkeys(self, request_body):
        instances = request_body.get('instances')
        island_ip = request_body.get('island_ip')
-        RemoteRunAwsService.update_aws_auth_params()
        return RemoteRunAwsService.run_aws_monkeys(instances, island_ip)

    @jwt_required()
@ -25,7 +24,9 @@ class RemoteRun(flask_restful.Resource):
            is_aws = RemoteRunAwsService.is_running_on_aws()
            resp = {'is_aws': is_aws}
            if is_aws:
-                RemoteRunAwsService.update_aws_auth_params()
+                is_auth = RemoteRunAwsService.update_aws_auth_params()
+                resp['auth'] = is_auth
+                if is_auth:
                    resp['instances'] = AwsService.get_instances()
            return jsonify(resp)

@ -34,9 +35,14 @@ class RemoteRun(flask_restful.Resource):
    @jwt_required()
    def post(self):
        body = json.loads(request.data)
+        resp = {}
        if body.get('type') == 'aws':
+            is_auth = RemoteRunAwsService.update_aws_auth_params()
+            resp['auth'] = is_auth
+            if is_auth:
                result = self.run_aws_monkeys(body)
-            return jsonify({'result': result})
+                resp['result'] = result
+            return jsonify(resp)

        # default action
        return make_response({'error': 'Invalid action'}, 500)
--- a/monkey/monkey_island/cc/services/remote_run_aws.py
+++ b/monkey/monkey_island/cc/services/remote_run_aws.py
@ -10,6 +10,7 @@ __author__ = "itay.mizeretz"

 class RemoteRunAwsService:
    aws_instance = None
+    is_auth = False

    def __init__(self):
        pass
@ -48,13 +49,19 @@ class RemoteRunAwsService:
    def update_aws_auth_params():
        """
        Updates the AWS authentication parameters according to config
-        :return: None
+        :return: True if new params allow successful authentication. False otherwise
        """
        access_key_id = ConfigService.get_config_value(['cnc', 'aws_config', 'aws_access_key_id'], False, True)
        secret_access_key = ConfigService.get_config_value(['cnc', 'aws_config', 'aws_secret_access_key'], False, True)
+
+        if (access_key_id != AwsService.access_key_id) or (secret_access_key != AwsService.secret_access_key):
            AwsService.set_auth_params(access_key_id, secret_access_key)
+            RemoteRunAwsService.is_auth = AwsService.test_client()
+
        AwsService.set_region(RemoteRunAwsService.aws_instance.region)

+        return RemoteRunAwsService.is_auth
+
    @staticmethod
    def get_bitness(instances):
        """