Island: Use dict_encryptor to encrypt/decrypt ssh_key_pairs

Remove unneeded decrypt_ssh_keypairs
This commit is contained in:
Ilija Lazoroski 2022-04-07 11:14:22 +02:00
parent 12937f9880
commit 30ccb2aee3
1 changed files with 25 additions and 16 deletions

View File

@ -21,7 +21,13 @@ from common.config_value_paths import (
) )
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
from monkey_island.cc.server_utils.consts import ISLAND_PORT from monkey_island.cc.server_utils.consts import ISLAND_PORT
from monkey_island.cc.server_utils.encryption import get_datastore_encryptor from monkey_island.cc.server_utils.encryption import (
SensitiveField,
StringEncryptor,
decrypt_dict,
encrypt_dict,
get_datastore_encryptor,
)
from monkey_island.cc.services.config_manipulator import update_config_per_mode from monkey_island.cc.services.config_manipulator import update_config_per_mode
from monkey_island.cc.services.config_schema.config_schema import SCHEMA from monkey_island.cc.services.config_schema.config_schema import SCHEMA
from monkey_island.cc.services.mode.island_mode_service import ModeNotSetError, get_mode from monkey_island.cc.services.mode.island_mode_service import ModeNotSetError, get_mode
@ -41,6 +47,11 @@ ENCRYPTED_CONFIG_VALUES = [
AWS_KEYS_PATH + ["aws_session_token"], AWS_KEYS_PATH + ["aws_session_token"],
] ]
SENSITIVE_SSH_KEY_FIELDS = [
SensitiveField(path="private_key", field_encryptor=StringEncryptor),
SensitiveField(path="public_key", field_encryptor=StringEncryptor),
]
class ConfigService: class ConfigService:
default_config = None default_config = None
@ -94,7 +105,12 @@ class ConfigService:
if isinstance(config, str): if isinstance(config, str):
config = get_datastore_encryptor().decrypt(config) config = get_datastore_encryptor().decrypt(config)
elif isinstance(config, list): elif isinstance(config, list):
if config:
if isinstance(config[0], str):
config = [get_datastore_encryptor().decrypt(x) for x in config] config = [get_datastore_encryptor().decrypt(x) for x in config]
elif isinstance(config[0], dict) and "public_key" in config[0]:
config = [decrypt_dict(SENSITIVE_SSH_KEY_FIELDS, x) for x in config]
return config return config
@staticmethod @staticmethod
@ -132,6 +148,9 @@ class ConfigService:
if item_value in items_from_config: if item_value in items_from_config:
return return
if should_encrypt: if should_encrypt:
if isinstance(item_value, dict):
item_value = encrypt_dict(SENSITIVE_SSH_KEY_FIELDS, item_value)
else:
item_value = get_datastore_encryptor().encrypt(item_value) item_value = get_datastore_encryptor().encrypt(item_value)
mongo.db.config.update( mongo.db.config.update(
{"name": "newconfig"}, {"$addToSet": {item_key: item_value}}, upsert=False {"name": "newconfig"}, {"$addToSet": {item_key: item_value}}, upsert=False
@ -348,7 +367,7 @@ class ConfigService:
and "public_key" in flat_config[key][0] and "public_key" in flat_config[key][0]
): ):
flat_config[key] = [ flat_config[key] = [
ConfigService.decrypt_ssh_key_pair(item) for item in flat_config[key] decrypt_dict(SENSITIVE_SSH_KEY_FIELDS, item) for item in flat_config[key]
] ]
else: else:
flat_config[key] = [ flat_config[key] = [
@ -375,9 +394,9 @@ class ConfigService:
# Check if array of shh key pairs and then decrypt # Check if array of shh key pairs and then decrypt
if isinstance(config_arr[i], dict) and "public_key" in config_arr[i]: if isinstance(config_arr[i], dict) and "public_key" in config_arr[i]:
config_arr[i] = ( config_arr[i] = (
ConfigService.decrypt_ssh_key_pair(config_arr[i]) decrypt_dict(SENSITIVE_SSH_KEY_FIELDS, config_arr[i])
if is_decrypt if is_decrypt
else ConfigService.decrypt_ssh_key_pair(config_arr[i], True) else encrypt_dict(SENSITIVE_SSH_KEY_FIELDS, config_arr[i])
) )
else: else:
config_arr[i] = ( config_arr[i] = (
@ -392,16 +411,6 @@ class ConfigService:
else get_datastore_encryptor().encrypt(config_arr) else get_datastore_encryptor().encrypt(config_arr)
) )
@staticmethod
def decrypt_ssh_key_pair(pair, encrypt=False):
if encrypt:
pair["public_key"] = get_datastore_encryptor().encrypt(pair["public_key"])
pair["private_key"] = get_datastore_encryptor().encrypt(pair["private_key"])
else:
pair["public_key"] = get_datastore_encryptor().decrypt(pair["public_key"])
pair["private_key"] = get_datastore_encryptor().decrypt(pair["private_key"])
return pair
@staticmethod @staticmethod
def is_test_telem_export_enabled(): def is_test_telem_export_enabled():
return ConfigService.get_config_value(EXPORT_MONKEY_TELEMS_PATH) return ConfigService.get_config_value(EXPORT_MONKEY_TELEMS_PATH)