Merge pull request #2081 from guardicore/1965-reset-repository-encryptor

1965 reset repository encryptor
2022-07-12 11:39:48 -04:00 · 2022-07-12 11:39:48 -04:00 · 9bee01917e
parent a20a7710aa eac318ada0
commit 9bee01917e
3 changed files with 84 additions and 42 deletions
--- a/monkey/monkey_island/cc/services/authentication_service.py
+++ b/monkey/monkey_island/cc/services/authentication_service.py
@ -10,6 +10,7 @@ from common.utils.exceptions import (
 from monkey_island.cc.models import UserCredentials
 from monkey_island.cc.repository import IUserRepository
 from monkey_island.cc.server_utils.encryption import (
+    ILockableEncryptor,
    reset_datastore_encryptor,
    unlock_datastore_encryptor,
 )
@ -17,39 +18,52 @@ from monkey_island.cc.setup.mongo.database_initializer import reset_database


 class AuthenticationService:
-    def __init__(self, data_dir: Path, user_datastore: IUserRepository):
+    def __init__(
+        self,
+        data_dir: Path,
+        user_repository: IUserRepository,
+        repository_encryptor: ILockableEncryptor,
+    ):
        self._data_dir = data_dir
-        self._user_datastore = user_datastore
+        self._user_repository = user_repository
+        self._repository_encryptor = repository_encryptor

    def needs_registration(self) -> bool:
-        return not self._user_datastore.has_registered_users()
+        return not self._user_repository.has_registered_users()

    def register_new_user(self, username: str, password: str):
        if not username or not password:
            raise InvalidRegistrationCredentialsError("Username or password can not be empty.")

        credentials = UserCredentials(username, _hash_password(password))
-        self._user_datastore.add_user(credentials)
-        self._reset_datastore_encryptor(username, password)
+        self._user_repository.add_user(credentials)
+        self._reset_repository_encryptor(username, password)
        reset_database()

    def authenticate(self, username: str, password: str):
        try:
-            registered_user = self._user_datastore.get_user_credentials(username)
+            registered_user = self._user_repository.get_user_credentials(username)
        except UnknownUserError:
            raise IncorrectCredentialsError()

        if not _credentials_match_registered_user(username, password, registered_user):
            raise IncorrectCredentialsError()

-        self._unlock_datastore_encryptor(username, password)
+        self._unlock_repository_encryptor(username, password)

-    def _unlock_datastore_encryptor(self, username: str, password: str):
+    def _unlock_repository_encryptor(self, username: str, password: str):
        secret = _get_secret_from_credentials(username, password)
+        self._repository_encryptor.unlock(secret.encode())
+
+        # Legacy datastore encryptor will be removed soon
        unlock_datastore_encryptor(self._data_dir, secret)

-    def _reset_datastore_encryptor(self, username: str, password: str):
+    def _reset_repository_encryptor(self, username: str, password: str):
        secret = _get_secret_from_credentials(username, password)
+        self._repository_encryptor.reset_key()
+        self._repository_encryptor.unlock(secret.encode())
+
+        # Legacy datastore encryptor will be removed soon
        reset_datastore_encryptor(self._data_dir, secret)


--- a/monkey/monkey_island/cc/services/initialize.py
+++ b/monkey/monkey_island/cc/services/initialize.py
@ -31,6 +31,7 @@ from monkey_island.cc.repository import (
    RetrievalError,
 )
 from monkey_island.cc.server_utils.consts import MONKEY_ISLAND_ABS_PATH
+from monkey_island.cc.server_utils.encryption import ILockableEncryptor, RepositoryEncryptor
 from monkey_island.cc.services import AWSService, IslandModeService
 from monkey_island.cc.services.post_breach_files import PostBreachFilesService
 from monkey_island.cc.services.run_local_monkey import LocalMonkeyRunService
@ -48,6 +49,7 @@ from .reporting.report import ReportService
 logger = logging.getLogger(__name__)

 AGENT_BINARIES_PATH = Path(MONKEY_ISLAND_ABS_PATH) / "cc" / "binaries"
+REPOSITORY_KEY_FILE_NAME = "repository_key.bin"


 def initialize_services(data_dir: Path) -> DIContainer:
@ -56,6 +58,9 @@ def initialize_services(data_dir: Path) -> DIContainer:

    container.register_instance(AWSInstance, AWSInstance())
    container.register_instance(MongoClient, MongoClient(MONGO_URL, serverSelectionTimeoutMS=100))
+    container.register_instance(
+        ILockableEncryptor, RepositoryEncryptor(data_dir / REPOSITORY_KEY_FILE_NAME)
+    )

    _register_repositories(container, data_dir)
    _register_services(container)
--- a/monkey/tests/unit_tests/monkey_island/cc/services/test_authentication_service.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/services/test_authentication_service.py
@ -10,6 +10,7 @@ from common.utils.exceptions import (
 )
 from monkey_island.cc.models import UserCredentials
 from monkey_island.cc.repository import IUserRepository
+from monkey_island.cc.server_utils.encryption import ILockableEncryptor
 from monkey_island.cc.services import AuthenticationService, authentication_service

 USERNAME = "user1"
@ -48,6 +49,11 @@ def mock_unlock_datastore_encryptor():
    return MagicMock()


+@pytest.fixture
+def mock_repository_encryptor():
+    return MagicMock(spec=ILockableEncryptor)
+
+
@pytest.fixture(autouse=True)
 def patch_datastore_utils(
    monkeypatch,
@ -64,20 +70,20 @@ def patch_datastore_utils(
    )


-def test_needs_registration__true(tmp_path):
+def test_needs_registration__true(tmp_path, mock_repository_encryptor):
    has_registered_users = False
    mock_user_datastore = MockUserDatastore(lambda: has_registered_users, None, None)

-    a_s = AuthenticationService(tmp_path, mock_user_datastore)
+    a_s = AuthenticationService(tmp_path, mock_user_datastore, mock_repository_encryptor)

    assert a_s.needs_registration()


-def test_needs_registration__false(tmp_path):
+def test_needs_registration__false(tmp_path, mock_repository_encryptor):
    has_registered_users = True
    mock_user_datastore = MockUserDatastore(lambda: has_registered_users, None, None)

-    a_s = AuthenticationService(tmp_path, mock_user_datastore)
+    a_s = AuthenticationService(tmp_path, mock_user_datastore, mock_repository_encryptor)

    assert not a_s.needs_registration()

@ -85,39 +91,45 @@ def test_needs_registration__false(tmp_path):
@pytest.mark.slow
@pytest.mark.parametrize("error", [InvalidRegistrationCredentialsError, AlreadyRegisteredError])
 def test_register_new_user__fails(
-    tmp_path, mock_reset_datastore_encryptor, mock_reset_database, error
+    tmp_path, mock_reset_datastore_encryptor, mock_reset_database, mock_repository_encryptor, error
 ):
    mock_user_datastore = MockUserDatastore(lambda: True, MagicMock(side_effect=error), None)

-    a_s = AuthenticationService(tmp_path, mock_user_datastore)
+    a_s = AuthenticationService(tmp_path, mock_user_datastore, mock_repository_encryptor)

    with pytest.raises(error):
        a_s.register_new_user(USERNAME, PASSWORD)

    mock_reset_datastore_encryptor.assert_not_called()
+    mock_repository_encryptor.reset_key().assert_not_called()
+    mock_repository_encryptor.unlock.assert_not_called()
    mock_reset_database.assert_not_called()


 def test_register_new_user__empty_password_fails(
-    tmp_path, mock_reset_datastore_encryptor, mock_reset_database
+    tmp_path, mock_reset_datastore_encryptor, mock_reset_database, mock_repository_encryptor
 ):
    mock_user_datastore = MockUserDatastore(lambda: False, None, None)

-    a_s = AuthenticationService(tmp_path, mock_user_datastore)
+    a_s = AuthenticationService(tmp_path, mock_user_datastore, mock_repository_encryptor)

    with pytest.raises(InvalidRegistrationCredentialsError):
        a_s.register_new_user(USERNAME, "")

    mock_reset_datastore_encryptor.assert_not_called()
+    mock_repository_encryptor.reset_key().assert_not_called()
+    mock_repository_encryptor.unlock.assert_not_called()
    mock_reset_database.assert_not_called()


@pytest.mark.slow
-def test_register_new_user(tmp_path, mock_reset_datastore_encryptor, mock_reset_database):
+def test_register_new_user(
+    tmp_path, mock_reset_datastore_encryptor, mock_reset_database, mock_repository_encryptor
+):
    mock_add_user = MagicMock()
    mock_user_datastore = MockUserDatastore(lambda: False, mock_add_user, None)

-    a_s = AuthenticationService(tmp_path, mock_user_datastore)
+    a_s = AuthenticationService(tmp_path, mock_user_datastore, mock_repository_encryptor)

    a_s.register_new_user(USERNAME, PASSWORD)

@ -127,30 +139,16 @@ def test_register_new_user(tmp_path, mock_reset_datastore_encryptor, mock_reset_
    mock_reset_datastore_encryptor.assert_called_once()
    assert mock_reset_datastore_encryptor.call_args[0][1] != USERNAME

+    mock_repository_encryptor.reset_key.assert_called_once()
+    mock_repository_encryptor.unlock.assert_called_once()
+    assert mock_repository_encryptor.unlock.call_args[0][0] != USERNAME
+
    mock_reset_database.assert_called_once()


@pytest.mark.slow
-def test_authenticate__success(tmp_path, mock_unlock_datastore_encryptor):
-    mock_user_datastore = MockUserDatastore(
-        lambda: True,
-        None,
-        lambda _: UserCredentials(USERNAME, PASSWORD_HASH),
-    )
-
-    a_s = AuthenticationService(tmp_path, mock_user_datastore)
-
-    # If authentication fails, this function will raise an exception and the test will fail.
-    a_s.authenticate(USERNAME, PASSWORD)
-    mock_unlock_datastore_encryptor.assert_called_once()
-
-
-@pytest.mark.slow
-@pytest.mark.parametrize(
-    ("username", "password"), [("wrong_username", PASSWORD), (USERNAME, "wrong_password")]
-)
-def test_authenticate__failed_wrong_credentials(
-    tmp_path, mock_unlock_datastore_encryptor, username, password
+def test_authenticate__success(
+    tmp_path, mock_unlock_datastore_encryptor, mock_repository_encryptor
 ):
    mock_user_datastore = MockUserDatastore(
        lambda: True,
@ -158,22 +156,47 @@ def test_authenticate__failed_wrong_credentials(
        lambda _: UserCredentials(USERNAME, PASSWORD_HASH),
    )

-    a_s = AuthenticationService(tmp_path, mock_user_datastore)
+    a_s = AuthenticationService(tmp_path, mock_user_datastore, mock_repository_encryptor)
+
+    # If authentication fails, this function will raise an exception and the test will fail.
+    a_s.authenticate(USERNAME, PASSWORD)
+    mock_unlock_datastore_encryptor.assert_called_once()
+    mock_repository_encryptor.unlock.assert_called_once()
+
+
+@pytest.mark.slow
+@pytest.mark.parametrize(
+    ("username", "password"), [("wrong_username", PASSWORD), (USERNAME, "wrong_password")]
+)
+def test_authenticate__failed_wrong_credentials(
+    tmp_path, mock_unlock_datastore_encryptor, username, password, mock_repository_encryptor
+):
+    mock_user_datastore = MockUserDatastore(
+        lambda: True,
+        None,
+        lambda _: UserCredentials(USERNAME, PASSWORD_HASH),
+    )
+
+    a_s = AuthenticationService(tmp_path, mock_user_datastore, mock_repository_encryptor)

    with pytest.raises(IncorrectCredentialsError):
        a_s.authenticate(username, password)

    mock_unlock_datastore_encryptor.assert_not_called()
+    mock_repository_encryptor.unlock.assert_not_called()


-def test_authenticate__failed_no_registered_user(tmp_path, mock_unlock_datastore_encryptor):
+def test_authenticate__failed_no_registered_user(
+    tmp_path, mock_unlock_datastore_encryptor, mock_repository_encryptor
+):
    mock_user_datastore = MockUserDatastore(
        lambda: True, None, MagicMock(side_effect=UnknownUserError)
    )

-    a_s = AuthenticationService(tmp_path, mock_user_datastore)
+    a_s = AuthenticationService(tmp_path, mock_user_datastore, mock_repository_encryptor)

    with pytest.raises(IncorrectCredentialsError):
        a_s.authenticate(USERNAME, PASSWORD)

    mock_unlock_datastore_encryptor.assert_not_called()
+    mock_repository_encryptor.unlock.assert_not_called()