From d2947796ff6df1587315e77944871c2bd447bac0 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Tue, 1 Feb 2022 14:55:27 -0500
Subject: [PATCH] Island: Remove ScoutSuiteRuleService
---
 .../scoutsuite/data_parsing/rule_parser.py | 40 -----
 .../scoutsuite/scoutsuite_rule_service.py | 29 ---
 .../services/zero_trust/raw_scoutsute_data.py | 169 ------------------
 .../data_parsing/test_rule_parser.py | 48 -----
 .../test_scoutsuite_rule_service.py | 66 -------
 5 files changed, 352 deletions(-)
 delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_parser.py
 delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/scoutsuite_rule_service.py
 delete mode 100644 monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/raw_scoutsute_data.py
 delete mode 100644 monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/test_rule_parser.py
 delete mode 100644 monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/scoutsuite/test_scoutsuite_rule_service.py
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_parser.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_parser.py
deleted file mode 100644
index 7db9a5988..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_parser.py
+++ /dev/null
@@ -1,40 +0,0 @@
-from enum import Enum
-
-from common.utils.code_utils import get_value_from_dict
-from common.utils.exceptions import RulePathCreatorNotFound
-from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators_list import ( # noqa: E501
- RULE_PATH_CREATORS_LIST,
-)
-
-
-def __build_rule_to_rule_path_creator_hashmap():
- hashmap = {}
- for rule_path_creator in RULE_PATH_CREATORS_LIST:
- for rule_name in rule_path_creator.supported_rules:
- hashmap[rule_name] = rule_path_creator
- return hashmap
-
-
-RULE_TO_RULE_PATH_CREATOR_HASHMAP = __build_rule_to_rule_path_creator_hashmap()
-
-
-class RuleParser:
- @staticmethod
- def get_rule_data(scoutsuite_data: dict, rule_name: Enum) -> dict:
- rule_path = RuleParser._get_rule_path(rule_name)
- return get_value_from_dict(scoutsuite_data, rule_path)
-
- @staticmethod
- def _get_rule_path(rule_name: Enum):
- creator = RuleParser._get_rule_path_creator(rule_name)
- return creator.build_rule_path(rule_name)
-
- @staticmethod
- def _get_rule_path_creator(rule_name: Enum):
- try:
- return RULE_TO_RULE_PATH_CREATOR_HASHMAP[rule_name]
- except KeyError:
- raise RulePathCreatorNotFound(
- f"Rule path creator not found for rule {rule_name.value}. Make sure to assign"
- f"this rule to any rule path creators."
- )
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/scoutsuite_rule_service.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/scoutsuite_rule_service.py
deleted file mode 100644
index a97a1a2c8..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/scoutsuite_rule_service.py
+++ /dev/null
@@ -1,29 +0,0 @@
-from monkey_island.cc.models.zero_trust.scoutsuite_rule import ScoutSuiteRule
-from monkey_island.cc.services.zero_trust.scoutsuite.consts import rule_consts
-
-
-class ScoutSuiteRuleService:
- @staticmethod
- def get_rule_from_rule_data(rule_data: dict) -> ScoutSuiteRule:
- rule = ScoutSuiteRule()
- rule.description = rule_data["description"]
- rule.path = rule_data["path"]
- rule.level = rule_data["level"]
- rule.items = rule_data["items"]
- rule.dashboard_name = rule_data["dashboard_name"]
- rule.checked_items = rule_data["checked_items"]
- rule.flagged_items = rule_data["flagged_items"]
- rule.service = rule_data["service"]
- rule.rationale = rule_data["rationale"]
- rule.remediation = rule_data["remediation"]
- rule.compliance = rule_data["compliance"]
- rule.references = rule_data["references"]
- return rule
-
- @staticmethod
- def is_rule_dangerous(rule: ScoutSuiteRule):
- return rule.level == rule_consts.RULE_LEVEL_DANGER and len(rule.items) != 0
-
- @staticmethod
- def is_rule_warning(rule: ScoutSuiteRule):
- return rule.level == rule_consts.RULE_LEVEL_WARNING and len(rule.items) != 0
diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/raw_scoutsute_data.py b/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/raw_scoutsute_data.py
deleted file mode 100644
index 9905868af..000000000
--- a/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/raw_scoutsute_data.py
+++ /dev/null
@@ -1,169 +0,0 @@
-# This is what our codebase receives after running ScoutSuite module.
-# Object '...': {'...': '...'} represents continuation of similar objects as above
-RAW_SCOUTSUITE_DATA = {
- "sg_map": {
- "sg-abc": {"region": "ap-northeast-1", "vpc_id": "vpc-abc"},
- "sg-abcd": {"region": "ap-northeast-2", "vpc_id": "vpc-abc"},
- "...": {"...": "..."},
- },
- "subnet_map": {
- "subnet-abc": {"region": "ap-northeast-1", "vpc_id": "vpc-abc"},
- "subnet-abcd": {"region": "ap-northeast-1", "vpc_id": "vpc-abc"},
- "...": {"...": "..."},
- },
- "provider_code": "aws",
- "provider_name": "Amazon Web Services",
- "environment": None,
- "result_format": "json",
- "partition": "aws",
- "account_id": "125686982355",
- "last_run": {
- "time": "2021-02-05 16:03:04+0200",
- "run_parameters": {
- "services": [],
- "skipped_services": [],
- "regions": [],
- "excluded_regions": [],
- },
- "version": "5.10.0",
- "ruleset_name": "default",
- "ruleset_about": "This ruleset",
- "summary": {
- "ec2": {
- "checked_items": 3747,
- "flagged_items": 262,
- "max_level": "warning",
- "rules_count": 28,
- "resources_count": 176,
- },
- "s3": {
- "checked_items": 88,
- "flagged_items": 25,
- "max_level": "danger",
- "rules_count": 18,
- "resources_count": 5,
- },
- "...": {"...": "..."},
- },
- },
- "metadata": {
- "compute": {
- "summaries": {
- "external attack surface": {
- "cols": 1,
- "path": "service_groups.compute.summaries.external_attack_surface",
- "callbacks": [["merge", {"attribute": "external_attack_surface"}]],
- }
- },
- "...": {"...": "..."},
- },
- "...": {"...": "..."},
- },
- # This is the important part, which we parse to get resources
- "services": {
- "ec2": {
- "regions": {
- "ap-northeast-1": {
- "vpcs": {
- "vpc-abc": {
- "id": "vpc-abc",
- "security_groups": {
- "sg-abc": {
- "name": "default",
- "rules": {
- "ingress": {
- "protocols": {
- "ALL": {
- "ports": {
- "1-65535": {
- "cidrs": [{"CIDR": "0.0.0.0/0"}]
- }
- }
- }
- },
- "count": 1,
- },
- "egress": {
- "protocols": {
- "ALL": {
- "ports": {
- "1-65535": {
- "cidrs": [{"CIDR": "0.0.0.0/0"}]
- }
- }
- }
- },
- "count": 1,
- },
- },
- }
- },
- }
- },
- "...": {"...": "..."},
- }
- },
- # Interesting info, maybe could be used somewhere in the report
- "external_attack_surface": {
- "52.52.52.52": {
- "protocols": {"TCP": {"ports": {"22": {"cidrs": [{"CIDR": "0.0.0.0/0"}]}}}},
- "InstanceName": "InstanceName",
- "PublicDnsName": "ec2-52-52-52-52.eu-central-1.compute.amazonaws.com",
- }
- },
- # We parse these into ScoutSuite security rules
- "findings": {
- "ec2-security-group-opens-all-ports-to-all": {
- "description": "Security Group Opens All Ports to All",
- "path": "ec2.regions.id.vpcs.id.security_groups"
- ".id.rules.id.protocols.id.ports.id.cidrs.id.CIDR",
- "level": "danger",
- "display_path": "ec2.regions.id.vpcs.id.security_groups.id",
- "items": [
- "ec2.regions.ap-northeast-1.vpcs.vpc-abc.security_groups"
- ".sg-abc.rules.ingress.protocols.ALL.ports.1-65535.cidrs.0.CIDR"
- ],
- "dashboard_name": "Rules",
- "checked_items": 179,
- "flagged_items": 2,
- "service": "EC2",
- "rationale": "It was detected that all ports in the security group are "
- "open <...>",
- "remediation": None,
- "compliance": None,
- "references": None,
- },
- "...": {"...": "..."},
- },
- },
- "...": {"...": "..."},
- },
- "service_list": [
- "acm",
- "awslambda",
- "cloudformation",
- "cloudtrail",
- "cloudwatch",
- "config",
- "directconnect",
- "dynamodb",
- "ec2",
- "efs",
- "elasticache",
- "elb",
- "elbv2",
- "emr",
- "iam",
- "kms",
- "rds",
- "redshift",
- "route53",
- "s3",
- "ses",
- "sns",
- "sqs",
- "vpc",
- "secretsmanager",
- ],
- "service_groups": {"...": {"...": "..."}},
-}
diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/test_rule_parser.py b/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/test_rule_parser.py
deleted file mode 100644
index 819d6fe76..000000000
--- a/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/test_rule_parser.py
+++ /dev/null
@@ -1,48 +0,0 @@
-from enum import Enum
-
-import pytest
-from tests.unit_tests.monkey_island.cc.services.zero_trust.raw_scoutsute_data import (
- RAW_SCOUTSUITE_DATA,
-)
-
-from common.utils.exceptions import RulePathCreatorNotFound
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ec2_rules import EC2Rules
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import SERVICES
-from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_parser import RuleParser
-
-
-class ExampleRules(Enum):
- NON_EXSISTENT_RULE = "bogus_rule"
-
-
-ALL_PORTS_OPEN = EC2Rules.SECURITY_GROUP_ALL_PORTS_TO_ALL
-
-EXPECTED_RESULT = {
- "description": "Security Group Opens All Ports to All",
- "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id"
- ".cidrs.id.CIDR",
- "level": "danger",
- "display_path": "ec2.regions.id.vpcs.id.security_groups.id",
- "items": [
- "ec2.regions.ap-northeast-1.vpcs.vpc-abc.security_groups."
- "sg-abc.rules.ingress.protocols.ALL.ports.1-65535.cidrs.0.CIDR"
- ],
- "dashboard_name": "Rules",
- "checked_items": 179,
- "flagged_items": 2,
- "service": "EC2",
- "rationale": "It was detected that all ports in the security group are open <...>",
- "remediation": None,
- "compliance": None,
- "references": None,
-}
-
-
-def test_get_rule_data():
- # Test proper parsing of the raw data to rule
- results = RuleParser.get_rule_data(RAW_SCOUTSUITE_DATA[SERVICES], ALL_PORTS_OPEN)
- assert results == EXPECTED_RESULT
-
- with pytest.raises(RulePathCreatorNotFound):
- RuleParser.get_rule_data(RAW_SCOUTSUITE_DATA[SERVICES], ExampleRules.NON_EXSISTENT_RULE)
- pass
diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/scoutsuite/test_scoutsuite_rule_service.py b/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/scoutsuite/test_scoutsuite_rule_service.py
deleted file mode 100644
index d389ce904..000000000
--- a/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/scoutsuite/test_scoutsuite_rule_service.py
+++ /dev/null
@@ -1,66 +0,0 @@
-from copy import deepcopy
-
-from tests.unit_tests.monkey_island.cc.services.zero_trust.test_common.scoutsuite_finding_data import ( # noqa: E501
- RULES,
-)
-
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_consts import (
- RULE_LEVEL_DANGER,
- RULE_LEVEL_WARNING,
-)
-from monkey_island.cc.services.zero_trust.scoutsuite.scoutsuite_rule_service import (
- ScoutSuiteRuleService,
-)
-
-example_scoutsuite_data = {
- "checked_items": 179,
- "compliance": None,
- "dashboard_name": "Rules",
- "description": "Security Group Opens All Ports to All",
- "flagged_items": 2,
- "items": [
- "ec2.regions.eu-central-1.vpcs.vpc-0ee259b1a13c50229.security_groups.sg-035779fe5c293fc72"
- ".rules.ingress.protocols.ALL.ports.1-65535.cidrs.2.CIDR",
- "ec2.regions.eu-central-1.vpcs.vpc-00015526b6695f9aa.security_groups.sg-019eb67135ec81e65"
- ".rules.ingress.protocols.ALL.ports.1-65535.cidrs.0.CIDR",
- ],
- "level": "danger",
- "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id"
- ".cidrs.id.CIDR",
- "rationale": "It was detected that all ports in the security group are open, "
- "and any source IP address"
- " could send traffic to these ports, which creates a wider attack surface "
- "for resources "
- "assigned to it. 
Open ports should be reduced to the minimum needed to "
- "correctly",
- "references": [],
- "remediation": None,
- "service": "EC2",
-}
-
-
-def test_get_rule_from_rule_data():
- assert ScoutSuiteRuleService.get_rule_from_rule_data(example_scoutsuite_data) == RULES[0]
-
-
-def test_is_rule_dangerous():
- test_rule = deepcopy(RULES[0])
- assert ScoutSuiteRuleService.is_rule_dangerous(test_rule)
-
- test_rule.level = RULE_LEVEL_WARNING
- assert not ScoutSuiteRuleService.is_rule_dangerous(test_rule)
-
- test_rule.level = RULE_LEVEL_DANGER
- test_rule.items = []
- assert not ScoutSuiteRuleService.is_rule_dangerous(test_rule)
-
-
-def test_is_rule_warning():
- test_rule = deepcopy(RULES[0])
- assert not ScoutSuiteRuleService.is_rule_warning(test_rule)
-
- test_rule.level = RULE_LEVEL_WARNING
- assert ScoutSuiteRuleService.is_rule_warning(test_rule)
-
- test_rule.items = []
- assert not ScoutSuiteRuleService.is_rule_warning(test_rule)