From 6e821c5bbcfa10b691eca4c41cf01c4dd22516c5 Mon Sep 17 00:00:00 2001 From: vakarisz Date: Thu, 28 Jul 2022 13:06:20 +0300 Subject: [PATCH 1/3] Island: Remove POST in propagation credentials endpoint Post is not used, because configuration credentials are put all at once and stolen credentials are added via telemetry --- .../cc/resources/propagation_credentials.py | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) diff --git a/monkey/monkey_island/cc/resources/propagation_credentials.py b/monkey/monkey_island/cc/resources/propagation_credentials.py index f3cd05132..f1ae01c81 100644 --- a/monkey/monkey_island/cc/resources/propagation_credentials.py +++ b/monkey/monkey_island/cc/resources/propagation_credentials.py @@ -28,30 +28,13 @@ class PropagationCredentials(AbstractResource): return propagation_credentials, HTTPStatus.OK - def post(self, collection=None): - credentials = [Credentials.from_mapping(c) for c in request.json] - - if collection == _configured_collection: - self._credentials_repository.save_configured_credentials(credentials) - elif collection == _stolen_collection: - self._credentials_repository.save_stolen_credentials(credentials) - elif collection is None: - return {}, HTTPStatus.METHOD_NOT_ALLOWED - else: - return {}, HTTPStatus.NOT_FOUND - - return {}, HTTPStatus.NO_CONTENT - def put(self, collection=None): credentials = [Credentials.from_mapping(c) for c in request.json] if collection == _configured_collection: self._credentials_repository.remove_configured_credentials() self._credentials_repository.save_configured_credentials(credentials) - elif collection == _stolen_collection: - self._credentials_repository.remove_stolen_credentials() - self._credentials_repository.save_stolen_credentials(credentials) - elif collection is None: + elif collection is None or collection == _stolen_collection: return {}, HTTPStatus.METHOD_NOT_ALLOWED else: return {}, HTTPStatus.NOT_FOUND From 6d146dae94e5beae8389d8c11cba9498e4f1b84d Mon Sep 17 00:00:00 2001 From: vakarisz Date: Thu, 28 Jul 2022 13:24:41 +0300 Subject: [PATCH 2/3] Island, UI: Remove delete method from propagation credentials Instead of delete, put should be used with an empty list of credentials --- .../cc/resources/propagation_credentials.py | 13 ------------- .../cc/ui/src/components/pages/ConfigurePage.js | 2 +- .../components/ui-components/IslandResetModal.tsx | 2 +- 3 files changed, 2 insertions(+), 15 deletions(-) diff --git a/monkey/monkey_island/cc/resources/propagation_credentials.py b/monkey/monkey_island/cc/resources/propagation_credentials.py index f1ae01c81..a017d2625 100644 --- a/monkey/monkey_island/cc/resources/propagation_credentials.py +++ b/monkey/monkey_island/cc/resources/propagation_credentials.py @@ -30,7 +30,6 @@ class PropagationCredentials(AbstractResource): def put(self, collection=None): credentials = [Credentials.from_mapping(c) for c in request.json] - if collection == _configured_collection: self._credentials_repository.remove_configured_credentials() self._credentials_repository.save_configured_credentials(credentials) @@ -40,15 +39,3 @@ class PropagationCredentials(AbstractResource): return {}, HTTPStatus.NOT_FOUND return {}, HTTPStatus.NO_CONTENT - - def delete(self, collection=None): - if collection == _configured_collection: - self._credentials_repository.remove_configured_credentials() - elif collection == _stolen_collection: - self._credentials_repository.remove_stolen_credentials() - elif collection is None: - self._credentials_repository.remove_all_credentials() - else: - return {}, HTTPStatus.NOT_FOUND - - return {}, HTTPStatus.NO_CONTENT diff --git a/monkey/monkey_island/cc/ui/src/components/pages/ConfigurePage.js b/monkey/monkey_island/cc/ui/src/components/pages/ConfigurePage.js index bb1d1a281..c7561eb4b 100644 --- a/monkey/monkey_island/cc/ui/src/components/pages/ConfigurePage.js +++ b/monkey/monkey_island/cc/ui/src/components/pages/ConfigurePage.js @@ -252,7 +252,7 @@ class ConfigurePageComponent extends AuthComponent { this.props.onStatusChange(); } ) - .then(this.authFetch(CONFIGURED_PROPAGATION_CREDENTIALS_URL, {method: 'DELETE'})) ; + .then(this.authFetch(CONFIGURED_PROPAGATION_CREDENTIALS_URL, {method: 'PUT', body: '[]'})) ; }; sendPbaRemoveRequest(apiEndpoint) { diff --git a/monkey/monkey_island/cc/ui/src/components/ui-components/IslandResetModal.tsx b/monkey/monkey_island/cc/ui/src/components/ui-components/IslandResetModal.tsx index c744c869a..639ee2c19 100644 --- a/monkey/monkey_island/cc/ui/src/components/ui-components/IslandResetModal.tsx +++ b/monkey/monkey_island/cc/ui/src/components/ui-components/IslandResetModal.tsx @@ -109,7 +109,7 @@ const IslandResetModal = (props: Props) => { }}) .then(res => { if (res.status === 200) { - return auth.authFetch('/api/propagation-credentials/configured-credentials', {method: 'DELETE'}) + return auth.authFetch('/api/propagation-credentials/configured-credentials', {method: 'PUT', body:'[]'}) }}) .then(res => { if (res.status === 200) { From 6eda7cb4f11a93d3fd2ba069ede016756f588d57 Mon Sep 17 00:00:00 2001 From: vakarisz Date: Thu, 28 Jul 2022 13:51:05 +0300 Subject: [PATCH 3/3] UT: Change UTs in propagation credentials Changes address the changes for PUT, POST and DELETE methods --- .../resources/test_propagation_credentials.py | 58 +++++-------------- 1 file changed, 15 insertions(+), 43 deletions(-) diff --git a/monkey/tests/unit_tests/monkey_island/cc/resources/test_propagation_credentials.py b/monkey/tests/unit_tests/monkey_island/cc/resources/test_propagation_credentials.py index 37fdb131b..5991abec5 100644 --- a/monkey/tests/unit_tests/monkey_island/cc/resources/test_propagation_credentials.py +++ b/monkey/tests/unit_tests/monkey_island/cc/resources/test_propagation_credentials.py @@ -82,43 +82,26 @@ def test_propagation_credentials_endpoint__get_stolen(flask_client, credentials_ assert actual_propagation_credentials[1] == LM_HASH_CREDENTIALS -@pytest.mark.parametrize("url", [CONFIGURED_CREDENTIALS_URL, STOLEN_CREDENTIALS_URL]) -def test_propagation_credentials_endpoint__post_stolen(flask_client, credentials_repository, url): - pre_populate_repository(url, credentials_repository, [PASSWORD_CREDENTIALS_1]) - - resp = flask_client.post( - url, - json=[ - Credentials.to_mapping(LM_HASH_CREDENTIALS), - Credentials.to_mapping(NT_HASH_CREDENTIALS), - ], - ) - assert resp.status_code == HTTPStatus.NO_CONTENT - - resp = flask_client.get(url) - retrieved_propagation_credentials = [Credentials.from_mapping(creds) for creds in resp.json] - - assert resp.status_code == HTTPStatus.OK - assert len(retrieved_propagation_credentials) == 3 - assert PASSWORD_CREDENTIALS_1 in retrieved_propagation_credentials - assert LM_HASH_CREDENTIALS in retrieved_propagation_credentials - assert NT_HASH_CREDENTIALS in retrieved_propagation_credentials - - -@pytest.mark.parametrize("url", [CONFIGURED_CREDENTIALS_URL, STOLEN_CREDENTIALS_URL]) -def test_stolen_propagation_credentials_endpoint_delete(flask_client, credentials_repository, url): +def test_configured_propagation_credentials_endpoint_put(flask_client, credentials_repository): pre_populate_repository( - url, credentials_repository, [PASSWORD_CREDENTIALS_1, LM_HASH_CREDENTIALS] + CONFIGURED_CREDENTIALS_URL, + credentials_repository, + [PASSWORD_CREDENTIALS_1, LM_HASH_CREDENTIALS], ) - resp = flask_client.delete(url) + resp = flask_client.put(CONFIGURED_CREDENTIALS_URL, json=[]) assert resp.status_code == HTTPStatus.NO_CONTENT - resp = flask_client.get(url) + resp = flask_client.get(CONFIGURED_CREDENTIALS_URL) assert len(json.loads(resp.text)) == 0 -def test_propagation_credentials_endpoint__propagation_credentials_post_not_allowed(flask_client): - resp = flask_client.post(ALL_CREDENTIALS_URL, json=[]) +def test_stolen_propagation_credentials_endpoint__put_not_allowed(flask_client): + resp = flask_client.put(STOLEN_CREDENTIALS_URL, json=[]) + assert resp.status_code == HTTPStatus.METHOD_NOT_ALLOWED + + +def test_all_propagation_credentials_endpoint__put_not_allowed(flask_client): + resp = flask_client.put(ALL_CREDENTIALS_URL, json=[]) assert resp.status_code == HTTPStatus.METHOD_NOT_ALLOWED @@ -130,17 +113,6 @@ def test_propagation_credentials_endpoint__get_not_found(flask_client): assert resp.status_code == HTTPStatus.NOT_FOUND -def test_propagation_credentials_endpoint__post_not_found(flask_client): - resp = flask_client.post( - NON_EXISTENT_COLLECTION_URL, - json=[ - Credentials.to_mapping(LM_HASH_CREDENTIALS), - Credentials.to_mapping(NT_HASH_CREDENTIALS), - ], - ) - assert resp.status_code == HTTPStatus.NOT_FOUND - - -def test_propagation_credentials_endpoint__delete_not_found(flask_client): - resp = flask_client.delete(NON_EXISTENT_COLLECTION_URL) +def test_propagation_credentials_endpoint__put_not_found(flask_client): + resp = flask_client.put(NON_EXISTENT_COLLECTION_URL, json=[]) assert resp.status_code == HTTPStatus.NOT_FOUND