+
+
The Infection Monkey is comprised of two parts:
* Monkey - A tool which infects other machines and propagates to them
diff --git a/monkey_island/cc/app.py b/monkey_island/cc/app.py
index 9c85f6230..4733d5089 100644
--- a/monkey_island/cc/app.py
+++ b/monkey_island/cc/app.py
@@ -1,22 +1,26 @@
+import os
from datetime import datetime
+
import bson
-from bson.json_util import dumps
-from flask import Flask, send_from_directory, redirect, make_response
import flask_restful
+from bson.json_util import dumps
+from flask import Flask, send_from_directory, make_response
from werkzeug.exceptions import NotFound
+from cc.auth import init_jwt
from cc.database import mongo
+from cc.environment.environment import env
from cc.resources.client_run import ClientRun
-from cc.resources.monkey import Monkey
+from cc.resources.edge import Edge
from cc.resources.local_run import LocalRun
-from cc.resources.telemetry import Telemetry
+from cc.resources.monkey import Monkey
from cc.resources.monkey_configuration import MonkeyConfiguration
from cc.resources.monkey_download import MonkeyDownload
from cc.resources.netmap import NetMap
-from cc.resources.edge import Edge
from cc.resources.node import Node
from cc.resources.report import Report
from cc.resources.root import Root
+from cc.resources.telemetry import Telemetry
from cc.resources.telemetry_feed import TelemetryFeed
from cc.services.config import ConfigService
@@ -70,6 +74,12 @@ def init_app(mongo_url):
api.representations = {'application/json': output_json}
app.config['MONGO_URI'] = mongo_url
+
+ app.config['SECRET_KEY'] = os.urandom(32)
+ app.config['JWT_AUTH_URL_RULE'] = '/api/auth'
+ app.config['JWT_EXPIRATION_DELTA'] = env.get_auth_expiration_time()
+
+ init_jwt(app)
mongo.init_app(app)
with app.app_context():
diff --git a/monkey_island/cc/auth.py b/monkey_island/cc/auth.py
new file mode 100644
index 000000000..a32d6ec9d
--- /dev/null
+++ b/monkey_island/cc/auth.py
@@ -0,0 +1,53 @@
+from functools import wraps
+
+from flask import current_app, abort
+from flask_jwt import JWT, _jwt_required, JWTError
+from werkzeug.security import safe_str_cmp
+
+from cc.environment.environment import env
+
+__author__ = 'itay.mizeretz'
+
+
+class User(object):
+ def __init__(self, id, username, secret):
+ self.id = id
+ self.username = username
+ self.secret = secret
+
+ def __str__(self):
+ return "User(id='%s')" % self.id
+
+
+def init_jwt(app):
+ users = env.get_auth_users()
+ username_table = {u.username: u for u in users}
+ userid_table = {u.id: u for u in users}
+
+ def authenticate(username, secret):
+ user = username_table.get(username, None)
+ if user and safe_str_cmp(user.secret.encode('utf-8'), secret.encode('utf-8')):
+ return user
+
+ def identity(payload):
+ user_id = payload['identity']
+ return userid_table.get(user_id, None)
+
+ if env.is_auth_enabled():
+ JWT(app, authenticate, identity)
+
+
+def jwt_required(realm=None):
+ def wrapper(fn):
+ @wraps(fn)
+ def decorator(*args, **kwargs):
+ if env.is_auth_enabled():
+ try:
+ _jwt_required(realm or current_app.config['JWT_DEFAULT_REALM'])
+ except JWTError:
+ abort(401)
+ return fn(*args, **kwargs)
+
+ return decorator
+
+ return wrapper
diff --git a/monkey_island/cc/environment/__init__.py b/monkey_island/cc/environment/__init__.py
new file mode 100644
index 000000000..712ba232a
--- /dev/null
+++ b/monkey_island/cc/environment/__init__.py
@@ -0,0 +1,33 @@
+import abc
+from datetime import timedelta
+
+__author__ = 'itay.mizeretz'
+
+
+class Environment(object):
+ __metaclass__ = abc.ABCMeta
+
+ _ISLAND_PORT = 5000
+ _MONGO_URL = "mongodb://localhost:27017/monkeyisland"
+ _DEBUG_SERVER = False
+ _AUTH_EXPIRATION_TIME = timedelta(hours=1)
+
+ def get_island_port(self):
+ return self._ISLAND_PORT
+
+ def get_mongo_url(self):
+ return self._MONGO_URL
+
+ def is_debug(self):
+ return self._DEBUG_SERVER
+
+ def get_auth_expiration_time(self):
+ return self._AUTH_EXPIRATION_TIME
+
+ @abc.abstractmethod
+ def is_auth_enabled(self):
+ return
+
+ @abc.abstractmethod
+ def get_auth_users(self):
+ return
diff --git a/monkey_island/cc/environment/aws.py b/monkey_island/cc/environment/aws.py
new file mode 100644
index 000000000..b85a7d2e4
--- /dev/null
+++ b/monkey_island/cc/environment/aws.py
@@ -0,0 +1,24 @@
+import urllib2
+
+import cc.auth
+from cc.environment import Environment
+
+__author__ = 'itay.mizeretz'
+
+
+class AwsEnvironment(Environment):
+ def __init__(self):
+ super(AwsEnvironment, self).__init__()
+ self._instance_id = AwsEnvironment._get_instance_id()
+
+ @staticmethod
+ def _get_instance_id():
+ return urllib2.urlopen('http://169.254.169.254/latest/meta-data/instance-id').read()
+
+ def is_auth_enabled(self):
+ return True
+
+ def get_auth_users(self):
+ return [
+ cc.auth.User(1, 'monkey', self._instance_id)
+ ]
diff --git a/monkey_island/cc/environment/environment.py b/monkey_island/cc/environment/environment.py
new file mode 100644
index 000000000..8eb97a999
--- /dev/null
+++ b/monkey_island/cc/environment/environment.py
@@ -0,0 +1,23 @@
+import json
+import standard
+import aws
+
+ENV_DICT = {
+ 'standard': standard.StandardEnvironment,
+ 'aws': aws.AwsEnvironment
+}
+
+
+def load_env_from_file():
+ with open('server_config.json', 'r') as f:
+ config_content = f.read()
+ config_json = json.loads(config_content)
+ return config_json['server_config']
+
+
+try:
+ __env_type = load_env_from_file()
+ env = ENV_DICT[__env_type]()
+except Exception:
+ print('Failed initializing environment: %s' % __env_type)
+ raise
diff --git a/monkey_island/cc/environment/standard.py b/monkey_island/cc/environment/standard.py
new file mode 100644
index 000000000..8df00a2c3
--- /dev/null
+++ b/monkey_island/cc/environment/standard.py
@@ -0,0 +1,12 @@
+from cc.environment import Environment
+
+__author__ = 'itay.mizeretz'
+
+
+class StandardEnvironment(Environment):
+
+ def is_auth_enabled(self):
+ return False
+
+ def get_auth_users(self):
+ return []
diff --git a/monkey_island/cc/island_config.py b/monkey_island/cc/island_config.py
deleted file mode 100644
index 0a8f33bac..000000000
--- a/monkey_island/cc/island_config.py
+++ /dev/null
@@ -1,5 +0,0 @@
-__author__ = 'itay.mizeretz'
-
-ISLAND_PORT = 5000
-DEFAULT_MONGO_URL = "mongodb://localhost:27017/monkeyisland"
-DEBUG_SERVER = False
diff --git a/monkey_island/cc/main.py b/monkey_island/cc/main.py
index e2f97cde5..e0f6ab079 100644
--- a/monkey_island/cc/main.py
+++ b/monkey_island/cc/main.py
@@ -11,7 +11,7 @@ if BASE_PATH not in sys.path:
from cc.app import init_app
from cc.utils import local_ip_addresses
-from cc.island_config import DEFAULT_MONGO_URL, ISLAND_PORT, DEBUG_SERVER
+from cc.environment.environment import env
from cc.database import is_db_server_up
if __name__ == '__main__':
@@ -19,20 +19,20 @@ if __name__ == '__main__':
from tornado.httpserver import HTTPServer
from tornado.ioloop import IOLoop
- mongo_url = os.environ.get('MONGO_URL', DEFAULT_MONGO_URL)
+ mongo_url = os.environ.get('MONGO_URL', env.get_mongo_url())
while not is_db_server_up(mongo_url):
print('Waiting for MongoDB server')
time.sleep(1)
app = init_app(mongo_url)
- if DEBUG_SERVER:
+ if env.is_debug():
app.run(host='0.0.0.0', debug=True, ssl_context=('server.crt', 'server.key'))
else:
http_server = HTTPServer(WSGIContainer(app),
ssl_options={'certfile': os.environ.get('SERVER_CRT', 'server.crt'),
'keyfile': os.environ.get('SERVER_KEY', 'server.key')})
- http_server.listen(ISLAND_PORT)
- print('Monkey Island Server is running on https://{}:{}'.format(local_ip_addresses()[0], ISLAND_PORT))
+ http_server.listen(env.get_island_port())
+ print('Monkey Island Server is running on https://{}:{}'.format(local_ip_addresses()[0], env.get_island_port()))
IOLoop.instance().start()
diff --git a/monkey_island/cc/resources/local_run.py b/monkey_island/cc/resources/local_run.py
index 3d18b49e6..c588eaf80 100644
--- a/monkey_island/cc/resources/local_run.py
+++ b/monkey_island/cc/resources/local_run.py
@@ -6,8 +6,8 @@ import sys
from flask import request, jsonify, make_response
import flask_restful
+from cc.environment.environment import env
from cc.resources.monkey_download import get_monkey_executable
-from cc.island_config import ISLAND_PORT
from cc.services.node import NodeService
from cc.utils import local_ip_addresses
@@ -36,7 +36,7 @@ def run_local_monkey():
# run the monkey
try:
- args = ['"%s" m0nk3y -s %s:%s' % (target_path, local_ip_addresses()[0], ISLAND_PORT)]
+ args = ['"%s" m0nk3y -s %s:%s' % (target_path, local_ip_addresses()[0], env.get_island_port())]
if sys.platform == "win32":
args = "".join(args)
pid = subprocess.Popen(args, shell=True).pid
diff --git a/monkey_island/cc/resources/monkey.py b/monkey_island/cc/resources/monkey.py
index 37722262c..d344949bc 100644
--- a/monkey_island/cc/resources/monkey.py
+++ b/monkey_island/cc/resources/monkey.py
@@ -15,23 +15,20 @@ __author__ = 'Barak'
class Monkey(flask_restful.Resource):
+
+ # Used by monkey. can't secure.
def get(self, guid=None, **kw):
NodeService.update_dead_monkeys() # refresh monkeys status
if not guid:
guid = request.args.get('guid')
- timestamp = request.args.get('timestamp')
if guid:
monkey_json = mongo.db.monkey.find_one_or_404({"guid": guid})
return monkey_json
- else:
- result = {'timestamp': datetime.now().isoformat()}
- find_filter = {}
- if timestamp is not None:
- find_filter['modifytime'] = {'$gt': dateutil.parser.parse(timestamp)}
- result['objects'] = [x for x in mongo.db.monkey.find(find_filter)]
- return result
+ return {}
+
+ # Used by monkey. can't secure.
def patch(self, guid):
monkey_json = json.loads(request.data)
update = {"$set": {'modifytime': datetime.now()}}
@@ -51,6 +48,7 @@ class Monkey(flask_restful.Resource):
return mongo.db.monkey.update({"_id": monkey["_id"]}, update, upsert=False)
+ # Used by monkey. can't secure.
def post(self, **kw):
monkey_json = json.loads(request.data)
monkey_json['creds'] = []
diff --git a/monkey_island/cc/resources/monkey_configuration.py b/monkey_island/cc/resources/monkey_configuration.py
index 6d622b1cd..0bd30db3f 100644
--- a/monkey_island/cc/resources/monkey_configuration.py
+++ b/monkey_island/cc/resources/monkey_configuration.py
@@ -1,18 +1,20 @@
import json
-from flask import request, jsonify
import flask_restful
+from flask import request, jsonify
-from cc.database import mongo
+from cc.auth import jwt_required
from cc.services.config import ConfigService
__author__ = 'Barak'
class MonkeyConfiguration(flask_restful.Resource):
+ @jwt_required()
def get(self):
return jsonify(schema=ConfigService.get_config_schema(), configuration=ConfigService.get_config())
+ @jwt_required()
def post(self):
config_json = json.loads(request.data)
if config_json.has_key('reset'):
@@ -20,4 +22,3 @@ class MonkeyConfiguration(flask_restful.Resource):
else:
ConfigService.update_config(config_json)
return self.get()
-
diff --git a/monkey_island/cc/resources/monkey_download.py b/monkey_island/cc/resources/monkey_download.py
index b311c4472..ac1f9de2d 100644
--- a/monkey_island/cc/resources/monkey_download.py
+++ b/monkey_island/cc/resources/monkey_download.py
@@ -47,9 +47,12 @@ def get_monkey_executable(host_os, machine):
class MonkeyDownload(flask_restful.Resource):
+
+ # Used by monkey. can't secure.
def get(self, path):
return send_from_directory('binaries', path)
+ # Used by monkey. can't secure.
def post(self):
host_json = json.loads(request.data)
host_os = host_json.get('os')
diff --git a/monkey_island/cc/resources/netmap.py b/monkey_island/cc/resources/netmap.py
index 12418ef6b..3ba7fafa8 100644
--- a/monkey_island/cc/resources/netmap.py
+++ b/monkey_island/cc/resources/netmap.py
@@ -1,5 +1,6 @@
import flask_restful
+from cc.auth import jwt_required
from cc.services.edge import EdgeService
from cc.services.node import NodeService
from cc.database import mongo
@@ -8,6 +9,7 @@ __author__ = 'Barak'
class NetMap(flask_restful.Resource):
+ @jwt_required()
def get(self, **kw):
monkeys = [NodeService.monkey_to_net_node(x) for x in mongo.db.monkey.find({})]
nodes = [NodeService.node_to_net_node(x) for x in mongo.db.node.find({})]
diff --git a/monkey_island/cc/resources/node.py b/monkey_island/cc/resources/node.py
index 5a6c52e1b..bc00c40cf 100644
--- a/monkey_island/cc/resources/node.py
+++ b/monkey_island/cc/resources/node.py
@@ -1,12 +1,14 @@
from flask import request
import flask_restful
+from cc.auth import jwt_required
from cc.services.node import NodeService
__author__ = 'Barak'
class Node(flask_restful.Resource):
+ @jwt_required()
def get(self):
node_id = request.args.get('id')
if node_id:
diff --git a/monkey_island/cc/resources/report.py b/monkey_island/cc/resources/report.py
index e967b207f..1a00fa609 100644
--- a/monkey_island/cc/resources/report.py
+++ b/monkey_island/cc/resources/report.py
@@ -1,10 +1,13 @@
import flask_restful
+from cc.auth import jwt_required
from cc.services.report import ReportService
__author__ = "itay.mizeretz"
class Report(flask_restful.Resource):
+
+ @jwt_required()
def get(self):
return ReportService.get_report()
diff --git a/monkey_island/cc/resources/root.py b/monkey_island/cc/resources/root.py
index 25d7dfed7..04129f257 100644
--- a/monkey_island/cc/resources/root.py
+++ b/monkey_island/cc/resources/root.py
@@ -3,6 +3,7 @@ from datetime import datetime
import flask_restful
from flask import request, make_response, jsonify
+from cc.auth import jwt_required
from cc.database import mongo
from cc.services.config import ConfigService
from cc.services.node import NodeService
@@ -13,6 +14,8 @@ __author__ = 'Barak'
class Root(flask_restful.Resource):
+
+ @jwt_required()
def get(self, action=None):
if not action:
action = request.args.get('action')
diff --git a/monkey_island/cc/resources/telemetry.py b/monkey_island/cc/resources/telemetry.py
index 94c4046b5..e1b17ac9a 100644
--- a/monkey_island/cc/resources/telemetry.py
+++ b/monkey_island/cc/resources/telemetry.py
@@ -7,6 +7,7 @@ import dateutil
import flask_restful
from flask import request
+from cc.auth import jwt_required
from cc.database import mongo
from cc.services.config import ConfigService
from cc.services.edge import EdgeService
@@ -16,6 +17,7 @@ __author__ = 'Barak'
class Telemetry(flask_restful.Resource):
+ @jwt_required()
def get(self, **kw):
monkey_guid = request.args.get('monkey_guid')
telem_type = request.args.get('telem_type')
@@ -36,6 +38,7 @@ class Telemetry(flask_restful.Resource):
result['objects'] = self.telemetry_to_displayed_telemetry(mongo.db.telemetry.find(find_filter))
return result
+ # Used by monkey. can't secure.
def post(self):
telemetry_json = json.loads(request.data)
telemetry_json['timestamp'] = datetime.now()
diff --git a/monkey_island/cc/resources/telemetry_feed.py b/monkey_island/cc/resources/telemetry_feed.py
index 9a7e507ef..f14c5d29f 100644
--- a/monkey_island/cc/resources/telemetry_feed.py
+++ b/monkey_island/cc/resources/telemetry_feed.py
@@ -5,6 +5,7 @@ import flask_restful
from flask import request
import flask_pymongo
+from cc.auth import jwt_required
from cc.database import mongo
from cc.services.node import NodeService
@@ -12,6 +13,7 @@ __author__ = 'itay.mizeretz'
class TelemetryFeed(flask_restful.Resource):
+ @jwt_required()
def get(self, **kw):
timestamp = request.args.get('timestamp')
if "null" == timestamp or timestamp is None: # special case to avoid ugly JS code...
diff --git a/monkey_island/cc/server_config.json b/monkey_island/cc/server_config.json
new file mode 100644
index 000000000..2d1a5995b
--- /dev/null
+++ b/monkey_island/cc/server_config.json
@@ -0,0 +1,3 @@
+{
+ "server_config": "standard"
+}
\ No newline at end of file
diff --git a/monkey_island/cc/services/config.py b/monkey_island/cc/services/config.py
index 1e7420648..f9a7d80d2 100644
--- a/monkey_island/cc/services/config.py
+++ b/monkey_island/cc/services/config.py
@@ -1,7 +1,7 @@
from cc.database import mongo
from jsonschema import Draft4Validator, validators
-from cc.island_config import ISLAND_PORT
+from cc.environment.environment import env
from cc.utils import local_ip_addresses
__author__ = "itay.mizeretz"
@@ -885,8 +885,8 @@ class ConfigService:
@staticmethod
def set_server_ips_in_config(config):
ips = local_ip_addresses()
- config["cnc"]["servers"]["command_servers"] = ["%s:%d" % (ip, ISLAND_PORT) for ip in ips]
- config["cnc"]["servers"]["current_server"] = "%s:%d" % (ips[0], ISLAND_PORT)
+ config["cnc"]["servers"]["command_servers"] = ["%s:%d" % (ip, env.get_island_port()) for ip in ips]
+ config["cnc"]["servers"]["current_server"] = "%s:%d" % (ips[0], env.get_island_port())
@staticmethod
def save_initial_config_if_needed():
diff --git a/monkey_island/cc/ui/package.json b/monkey_island/cc/ui/package.json
index 5ee2e5389..6759c4530 100644
--- a/monkey_island/cc/ui/package.json
+++ b/monkey_island/cc/ui/package.json
@@ -65,6 +65,8 @@
"core-js": "^2.5.1",
"fetch": "^1.1.0",
"js-file-download": "^0.4.1",
+ "json-loader": "^0.5.7",
+ "jwt-decode": "^2.2.0",
"normalize.css": "^4.0.0",
"prop-types": "^15.5.10",
"rc-progress": "^2.2.5",
diff --git a/monkey_island/cc/ui/src/components/AuthComponent.js b/monkey_island/cc/ui/src/components/AuthComponent.js
new file mode 100644
index 000000000..428c3272a
--- /dev/null
+++ b/monkey_island/cc/ui/src/components/AuthComponent.js
@@ -0,0 +1,12 @@
+import React from 'react';
+import AuthService from '../services/AuthService';
+
+class AuthComponent extends React.Component {
+ constructor(props) {
+ super(props);
+ this.auth = new AuthService();
+ this.authFetch = this.auth.authFetch;
+ }
+}
+
+export default AuthComponent;
diff --git a/monkey_island/cc/ui/src/components/Main.js b/monkey_island/cc/ui/src/components/Main.js
index ffd318527..771e2257a 100644
--- a/monkey_island/cc/ui/src/components/Main.js
+++ b/monkey_island/cc/ui/src/components/Main.js
@@ -1,5 +1,5 @@
import React from 'react';
-import {NavLink, Route, BrowserRouter as Router} from 'react-router-dom';
+import {BrowserRouter as Router, NavLink, Redirect, Route} from 'react-router-dom';
import {Col, Grid, Row} from 'react-bootstrap';
import {Icon} from 'react-fa';
@@ -11,6 +11,8 @@ import TelemetryPage from 'components/pages/TelemetryPage';
import StartOverPage from 'components/pages/StartOverPage';
import ReportPage from 'components/pages/ReportPage';
import LicensePage from 'components/pages/LicensePage';
+import AuthComponent from 'components/AuthComponent';
+import LoginPageComponent from 'components/pages/LoginPage';
require('normalize.css/normalize.css');
require('react-data-components/css/table-twbs.css');
@@ -22,7 +24,43 @@ let logoImage = require('../images/monkey-icon.svg');
let infectionMonkeyImage = require('../images/infection-monkey.svg');
let guardicoreLogoImage = require('../images/guardicore-logo.png');
-class AppComponent extends React.Component {
+class AppComponent extends AuthComponent {
+ updateStatus = () => {
+ if (this.auth.loggedIn()){
+ this.authFetch('/api')
+ .then(res => res.json())
+ .then(res => {
+ // This check is used to prevent unnecessary re-rendering
+ let isChanged = false;
+ for (let step in this.state.completedSteps) {
+ if (this.state.completedSteps[step] !== res['completed_steps'][step]) {
+ isChanged = true;
+ break;
+ }
+ }
+ if (isChanged) {
+ this.setState({completedSteps: res['completed_steps']});
+ }
+ });
+ }
+ };
+
+ renderRoute = (route_path, page_component, is_exact_path = false) => {
+ let render_func = (props) => {
+ if (this.auth.loggedIn()) {
+ return page_component;
+ } else {
+ return Congrats! You have successfully set up the Monkey Island server. 👏 👏
+Congrats! You have successfully set up the Monkey Island + server. 👏 👏
The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infections. @@ -20,7 +21,8 @@ class RunServerPageComponent extends React.Component { center and reports to this Monkey Island Command and Control server.
- To read more about the Monkey, visit infectionmonkey.com + To read more about the Monkey, visit infectionmonkey.com
Go ahead and run the monkey.
diff --git a/monkey_island/cc/ui/src/components/pages/StartOverPage.js b/monkey_island/cc/ui/src/components/pages/StartOverPage.js
index 2889a7067..87716659f 100644
--- a/monkey_island/cc/ui/src/components/pages/StartOverPage.js
+++ b/monkey_island/cc/ui/src/components/pages/StartOverPage.js
@@ -2,8 +2,9 @@ import React from 'react';
import {Col} from 'react-bootstrap';
import {Link} from 'react-router-dom';
import {ModalContainer, ModalDialog} from 'react-modal-dialog';
+import AuthComponent from '../AuthComponent';
-class StartOverPageComponent extends React.Component {
+class StartOverPageComponent extends AuthComponent {
constructor(props) {
super(props);
@@ -15,7 +16,7 @@ class StartOverPageComponent extends React.Component {
}
updateMonkeysRunning = () => {
- fetch('/api')
+ this.authFetch('/api')
.then(res => res.json())
.then(res => {
// This check is used to prevent unnecessary re-rendering
@@ -104,7 +105,7 @@ class StartOverPageComponent extends React.Component {
this.setState({
cleaned: false
});
- fetch('/api?action=reset')
+ this.authFetch('/api?action=reset')
.then(res => res.json())
.then(res => {
if (res['status'] === 'OK') {
diff --git a/monkey_island/cc/ui/src/components/pages/TelemetryPage.js b/monkey_island/cc/ui/src/components/pages/TelemetryPage.js
index 03c57807e..099c20a43 100644
--- a/monkey_island/cc/ui/src/components/pages/TelemetryPage.js
+++ b/monkey_island/cc/ui/src/components/pages/TelemetryPage.js
@@ -2,6 +2,7 @@ import React from 'react';
import {Col} from 'react-bootstrap';
import JSONTree from 'react-json-tree'
import {DataTable} from 'react-data-components';
+import AuthComponent from '../AuthComponent';
const renderJson = (val) =>