p15670423
/
monkey
1
0
Fork 5
Code Issues Pull Requests 3 Projects Releases Wiki Activity

Island: Make AuthenticationService explicitly stateful

This commit is contained in:
Mike Salvatore 2022-07-12 08:04:01 -04:00
parent fb1a3bcd74
commit 96a7968565
8 changed files with 59 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
monkey/monkey_island/cc/resources/auth/auth.py
View File

@ -29,6 +29,9 @@ class Authenticate(AbstractResource):
urls = ["/api/auth"] urls = ["/api/auth"]
def __init__(self, authentication_service: AuthenticationService):
self._authentication_service = authentication_service
def post(self): def post(self):
""" """
Example request: \ Example request: \
@ -41,7 +44,7 @@ class Authenticate(AbstractResource):
username, password = get_username_password_from_request(request) username, password = get_username_password_from_request(request)
try: try:
AuthenticationService.authenticate(username, password) self._authentication_service.authenticate(username, password)
access_token = create_access_token(username) access_token = create_access_token(username)
except IncorrectCredentialsError: except IncorrectCredentialsError:
return make_response({"error": "Invalid credentials"}, 401) return make_response({"error": "Invalid credentials"}, 401)

7
monkey/monkey_island/cc/resources/auth/registration.py
View File

@ -14,14 +14,17 @@ class Registration(AbstractResource):
urls = ["/api/registration"] urls = ["/api/registration"]
def __init__(self, authentication_service: AuthenticationService):
self._authentication_service = authentication_service
def get(self): def get(self):
return {"needs_registration": AuthenticationService.needs_registration()} return {"needs_registration": self._authentication_service.needs_registration()}
def post(self): def post(self):
username, password = get_username_password_from_request(request) username, password = get_username_password_from_request(request)
try: try:
AuthenticationService.register_new_user(username, password) self._authentication_service.register_new_user(username, password)
return make_response({"error": ""}, 200) return make_response({"error": ""}, 200)
# API Spec: HTTP status code for AlreadyRegisteredError should be 409 (CONFLICT) # API Spec: HTTP status code for AlreadyRegisteredError should be 409 (CONFLICT)
except (InvalidRegistrationCredentialsError, AlreadyRegisteredError) as e: except (InvalidRegistrationCredentialsError, AlreadyRegisteredError) as e:

42
monkey/monkey_island/cc/services/authentication/authentication_service.py
View File

@ -18,52 +18,40 @@ from .user_creds import UserCreds
class AuthenticationService: class AuthenticationService:
DATA_DIR = None def __init__(self, data_dir: Path, user_datastore: IUserDatastore):
user_datastore = None self._data_dir = data_dir
self._user_datastore = user_datastore
# TODO: A number of these services should be instance objects instead of def needs_registration(self) -> bool:
# static/singleton hybrids. At the moment, this requires invasive refactoring that's return not self._user_datastore.has_registered_users()
# not a priority.
@classmethod
def initialize(cls, data_dir: Path, user_datastore: IUserDatastore):
cls.DATA_DIR = data_dir
cls.user_datastore = user_datastore
@classmethod def register_new_user(self, username: str, password: str):
def needs_registration(cls) -> bool:
return not cls.user_datastore.has_registered_users()
@classmethod
def register_new_user(cls, username: str, password: str):
if not username or not password: if not username or not password:
raise InvalidRegistrationCredentialsError("Username or password can not be empty.") raise InvalidRegistrationCredentialsError("Username or password can not be empty.")
credentials = UserCreds(username, _hash_password(password)) credentials = UserCreds(username, _hash_password(password))
cls.user_datastore.add_user(credentials) self._user_datastore.add_user(credentials)
cls._reset_datastore_encryptor(username, password) self._reset_datastore_encryptor(username, password)
reset_database() reset_database()
@classmethod def authenticate(self, username: str, password: str):
def authenticate(cls, username: str, password: str):
try: try:
registered_user = cls.user_datastore.get_user_credentials(username) registered_user = self._user_datastore.get_user_credentials(username)
except UnknownUserError: except UnknownUserError:
raise IncorrectCredentialsError() raise IncorrectCredentialsError()
if not _credentials_match_registered_user(username, password, registered_user): if not _credentials_match_registered_user(username, password, registered_user):
raise IncorrectCredentialsError() raise IncorrectCredentialsError()
cls._unlock_datastore_encryptor(username, password) self._unlock_datastore_encryptor(username, password)
@classmethod def _unlock_datastore_encryptor(self, username: str, password: str):
def _unlock_datastore_encryptor(cls, username: str, password: str):
secret = _get_secret_from_credentials(username, password) secret = _get_secret_from_credentials(username, password)
unlock_datastore_encryptor(cls.DATA_DIR, secret) unlock_datastore_encryptor(self._data_dir, secret)
@classmethod def _reset_datastore_encryptor(self, username: str, password: str):
def _reset_datastore_encryptor(cls, username: str, password: str):
secret = _get_secret_from_credentials(username, password) secret = _get_secret_from_credentials(username, password)
reset_datastore_encryptor(cls.DATA_DIR, secret) reset_datastore_encryptor(self._data_dir, secret)
def _hash_password(plaintext_password: str) -> str: def _hash_password(plaintext_password: str) -> str:

4
monkey/monkey_island/cc/services/initialize.py
View File

@ -41,6 +41,7 @@ from monkey_island.cc.services.telemetry.processing.processing import (
from monkey_island.cc.setup.mongo.mongo_setup import MONGO_URL from monkey_island.cc.setup.mongo.mongo_setup import MONGO_URL
from . import AuthenticationService, JsonFileUserDatastore from . import AuthenticationService, JsonFileUserDatastore
from .authentication.i_user_datastore import IUserDatastore
from .reporting.report import ReportService from .reporting.report import ReportService
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -64,7 +65,6 @@ def initialize_services(data_dir: Path) -> DIContainer:
# This is temporary until we get DI all worked out. # This is temporary until we get DI all worked out.
PostBreachFilesService.initialize(container.resolve(IFileRepository)) PostBreachFilesService.initialize(container.resolve(IFileRepository))
AuthenticationService.initialize(data_dir, JsonFileUserDatastore(data_dir))
ReportService.initialize(container.resolve(AWSService)) ReportService.initialize(container.resolve(AWSService))
return container return container
@ -95,6 +95,7 @@ def _register_repositories(container: DIContainer, data_dir: Path):
container.register_instance( container.register_instance(
ICredentialsRepository, container.resolve(MongoCredentialsRepository) ICredentialsRepository, container.resolve(MongoCredentialsRepository)
) )
container.register_instance(IUserDatastore, container.resolve(JsonFileUserDatastore))
def _decorate_file_repository(file_repository: IFileRepository) -> IFileRepository: def _decorate_file_repository(file_repository: IFileRepository) -> IFileRepository:
@ -140,6 +141,7 @@ def _register_services(container: DIContainer):
container.register_instance(AWSService, container.resolve(AWSService)) container.register_instance(AWSService, container.resolve(AWSService))
container.register_instance(LocalMonkeyRunService, container.resolve(LocalMonkeyRunService)) container.register_instance(LocalMonkeyRunService, container.resolve(LocalMonkeyRunService))
container.register_instance(IslandModeService, container.resolve(IslandModeService)) container.register_instance(IslandModeService, container.resolve(IslandModeService))
container.register_instance(AuthenticationService, container.resolve(AuthenticationService))
def _patch_credentials_parser(container: DIContainer): def _patch_credentials_parser(container: DIContainer):

24
monkey/tests/unit_tests/monkey_island/cc/resources/auth/conftest.py Normal file
View File

@ -0,0 +1,24 @@
from unittest.mock import MagicMock
import pytest
from tests.common import StubDIContainer
from monkey_island.cc.services import AuthenticationService
@pytest.fixture
def mock_authentication_service():
mock_service = MagicMock(spec=AuthenticationService)
mock_service.authenticate = MagicMock()
return mock_service
@pytest.fixture
def flask_client(build_flask_client, mock_authentication_service):
container = StubDIContainer()
container.register_instance(AuthenticationService, mock_authentication_service)
with build_flask_client(container) as flask_client:
yield flask_client

10
monkey/tests/unit_tests/monkey_island/cc/resources/auth/test_auth.py
View File

@ -11,16 +11,6 @@ PASSWORD = "test_password"
TEST_REQUEST = f'{{"username": "{USERNAME}", "password": "{PASSWORD}"}}' TEST_REQUEST = f'{{"username": "{USERNAME}", "password": "{PASSWORD}"}}'
@pytest.fixture
def mock_authentication_service(monkeypatch):
mock_service = MagicMock()
mock_service.authenticate = MagicMock()
monkeypatch.setattr("monkey_island.cc.resources.auth.auth.AuthenticationService", mock_service)
return mock_service
@pytest.fixture @pytest.fixture
def make_auth_request(flask_client): def make_auth_request(flask_client):
url = Authenticate.urls[0] url = Authenticate.urls[0]

13
monkey/tests/unit_tests/monkey_island/cc/resources/auth/test_registration.py
View File

@ -12,19 +12,6 @@ USERNAME = "test_user"
PASSWORD = "test_password" PASSWORD = "test_password"
@pytest.fixture
def mock_authentication_service(monkeypatch):
mock_service = MagicMock()
mock_service.register_new_user = MagicMock()
mock_service.needs_registration = MagicMock()
monkeypatch.setattr(
"monkey_island.cc.resources.auth.registration.AuthenticationService", mock_service
)
return mock_service
@pytest.fixture @pytest.fixture
def make_registration_request(flask_client): def make_registration_request(flask_client):
def inner(request_body): def inner(request_body):

24
monkey/tests/unit_tests/monkey_island/cc/services/test_authentication_service.py
View File

@ -69,8 +69,7 @@ def test_needs_registration__true(tmp_path):
has_registered_users = False has_registered_users = False
mock_user_datastore = MockUserDatastore(lambda: has_registered_users, None, None) mock_user_datastore = MockUserDatastore(lambda: has_registered_users, None, None)
a_s = AuthenticationService() a_s = AuthenticationService(tmp_path, mock_user_datastore)
a_s.initialize(tmp_path, mock_user_datastore)
assert a_s.needs_registration() assert a_s.needs_registration()
@ -79,8 +78,7 @@ def test_needs_registration__false(tmp_path):
has_registered_users = True has_registered_users = True
mock_user_datastore = MockUserDatastore(lambda: has_registered_users, None, None) mock_user_datastore = MockUserDatastore(lambda: has_registered_users, None, None)
a_s = AuthenticationService() a_s = AuthenticationService(tmp_path, mock_user_datastore)
a_s.initialize(tmp_path, mock_user_datastore)
assert not a_s.needs_registration() assert not a_s.needs_registration()
@ -92,8 +90,7 @@ def test_register_new_user__fails(
): ):
mock_user_datastore = MockUserDatastore(lambda: True, MagicMock(side_effect=error), None) mock_user_datastore = MockUserDatastore(lambda: True, MagicMock(side_effect=error), None)
a_s = AuthenticationService() a_s = AuthenticationService(tmp_path, mock_user_datastore)
a_s.initialize(tmp_path, mock_user_datastore)
with pytest.raises(error): with pytest.raises(error):
a_s.register_new_user(USERNAME, PASSWORD) a_s.register_new_user(USERNAME, PASSWORD)
@ -107,8 +104,7 @@ def test_register_new_user__empty_password_fails(
): ):
mock_user_datastore = MockUserDatastore(lambda: False, None, None) mock_user_datastore = MockUserDatastore(lambda: False, None, None)
a_s = AuthenticationService() a_s = AuthenticationService(tmp_path, mock_user_datastore)
a_s.initialize(tmp_path, mock_user_datastore)
with pytest.raises(InvalidRegistrationCredentialsError): with pytest.raises(InvalidRegistrationCredentialsError):
a_s.register_new_user(USERNAME, "") a_s.register_new_user(USERNAME, "")
@ -122,8 +118,7 @@ def test_register_new_user(tmp_path, mock_reset_datastore_encryptor, mock_reset_
mock_add_user = MagicMock() mock_add_user = MagicMock()
mock_user_datastore = MockUserDatastore(lambda: False, mock_add_user, None) mock_user_datastore = MockUserDatastore(lambda: False, mock_add_user, None)
a_s = AuthenticationService() a_s = AuthenticationService(tmp_path, mock_user_datastore)
a_s.initialize(tmp_path, mock_user_datastore)
a_s.register_new_user(USERNAME, PASSWORD) a_s.register_new_user(USERNAME, PASSWORD)
@ -144,8 +139,7 @@ def test_authenticate__success(tmp_path, mock_unlock_datastore_encryptor):
lambda _: UserCreds(USERNAME, PASSWORD_HASH), lambda _: UserCreds(USERNAME, PASSWORD_HASH),
) )
a_s = AuthenticationService() a_s = AuthenticationService(tmp_path, mock_user_datastore)
a_s.initialize(tmp_path, mock_user_datastore)
# If authentication fails, this function will raise an exception and the test will fail. # If authentication fails, this function will raise an exception and the test will fail.
a_s.authenticate(USERNAME, PASSWORD) a_s.authenticate(USERNAME, PASSWORD)
@ -165,8 +159,7 @@ def test_authenticate__failed_wrong_credentials(
lambda _: UserCreds(USERNAME, PASSWORD_HASH), lambda _: UserCreds(USERNAME, PASSWORD_HASH),
) )
a_s = AuthenticationService() a_s = AuthenticationService(tmp_path, mock_user_datastore)
a_s.initialize(tmp_path, mock_user_datastore)
with pytest.raises(IncorrectCredentialsError): with pytest.raises(IncorrectCredentialsError):
a_s.authenticate(username, password) a_s.authenticate(username, password)
@ -179,8 +172,7 @@ def test_authenticate__failed_no_registered_user(tmp_path, mock_unlock_datastore
lambda: True, None, MagicMock(side_effect=UnknownUserError) lambda: True, None, MagicMock(side_effect=UnknownUserError)
) )
a_s = AuthenticationService() a_s = AuthenticationService(tmp_path, mock_user_datastore)
a_s.initialize(tmp_path, mock_user_datastore)
with pytest.raises(IncorrectCredentialsError): with pytest.raises(IncorrectCredentialsError):
a_s.authenticate(USERNAME, PASSWORD) a_s.authenticate(USERNAME, PASSWORD)