Merge pull request #260 from guardicore/feature/add-island-password-auth

Add option for password authentication with island

monkey/infection_monkey/requirements_linux.txt

@@ -1,6 +1,6 @@
 enum34
 impacket
-PyCrypto
+pycryptodome
 pyasn1
 cffi
 twisted

monkey/infection_monkey/requirements_windows.txt

@@ -1,6 +1,6 @@
 enum34
 impacket
-PyCrypto
+pycryptodome
 pyasn1
 cffi
 twisted

monkey/monkey_island/cc/environment/__init__.py

@@ -1,6 +1,7 @@
 import abc
 from datetime import timedelta
 import os
+from Crypto.Hash import SHA3_512
 
 __author__ = 'itay.mizeretz'
 
@@ -13,6 +14,12 @@ class Environment(object):
     _DEBUG_SERVER = False
     _AUTH_EXPIRATION_TIME = timedelta(hours=1)
 
+    def __init__(self):
+        self.config = None
+
+    def set_config(self, config):
+        self.config = config
+
     def get_island_port(self):
         return self._ISLAND_PORT
 
@@ -25,6 +32,11 @@ class Environment(object):
     def get_auth_expiration_time(self):
         return self._AUTH_EXPIRATION_TIME
 
+    def hash_secret(self, secret):
+        h = SHA3_512.new()
+        h.update(secret)
+        return h.hexdigest()
+
     @abc.abstractmethod
     def is_auth_enabled(self):
         return

monkey/monkey_island/cc/environment/aws.py

@@ -1,7 +1,7 @@
 import cc.auth
 from cc.environment import Environment
 from common.cloud.aws import AWS
-
+from Crypto.Hash import SHA3_512
 __author__ = 'itay.mizeretz'
 
 
@@ -23,5 +23,5 @@ class AwsEnvironment(Environment):
 
     def get_auth_users(self):
         return [
-            cc.auth.User(1, 'monkey', self._instance_id)
+            cc.auth.User(1, 'monkey', self.hash_secret(self._instance_id))
         ]

monkey/monkey_island/cc/environment/environment.py

@@ -1,16 +1,22 @@
 import json
 import logging
-import standard
-import aws
+
+from cc.environment import standard
+from cc.environment import aws
+from cc.environment import password
+
+__author__ = 'itay.mizeretz'
 
 logger = logging.getLogger(__name__)
 
 AWS = 'aws'
 STANDARD = 'standard'
+PASSWORD = 'password'
 
 ENV_DICT = {
-    'standard': standard.StandardEnvironment,
-    'aws': aws.AwsEnvironment
+    STANDARD: standard.StandardEnvironment,
+    AWS: aws.AwsEnvironment,
+    PASSWORD: password.PasswordEnvironment,
 }
 
 
@@ -25,8 +31,10 @@ def load_env_from_file():
     return config_json['server_config']
 
 try:
-    __env_type = load_env_from_file()
+    config_json = load_server_configuration_from_file()
+    __env_type = config_json['server_config']
     env = ENV_DICT[__env_type]()
+    env.set_config(config_json)
     logger.info('Monkey\'s env is: {0}'.format(env.__class__.__name__))
 except Exception:
     logger.error('Failed initializing environment', exc_info=True)

monkey/monkey_island/cc/environment/password.py

@@ -0,0 +1,15 @@
+from cc.environment import Environment
+import cc.auth
+
+__author__ = 'itay.mizeretz'
+
+
+class PasswordEnvironment(Environment):
+
+    def is_auth_enabled(self):
+        return True
+
+    def get_auth_users(self):
+        return [
+            cc.auth.User(1, self.config['user'], self.config['hash'])
+        ]

monkey/monkey_island/cc/ui/package.json

@@ -90,6 +90,7 @@
     "react-router-dom": "^4.3.1",
     "react-table": "^6.8.6",
     "react-toggle": "^4.0.1",
-    "redux": "^4.0.0"
+    "redux": "^4.0.0",
+    "sha3": "^2.0.0"
   }
 }

monkey/monkey_island/cc/ui/src/server_config/PasswordConfig.js

@@ -0,0 +1,9 @@
+import BaseConfig from './BaseConfig';
+
+class PasswordConfig extends BaseConfig{
+  isAuthEnabled() {
+    return true;
+  }
+}
+
+export default PasswordConfig;

monkey/monkey_island/cc/ui/src/server_config/ServerConfig.js

@@ -1,12 +1,14 @@
 import StandardConfig from './StandardConfig';
 import AwsConfig from './AwsConfig';
+import PasswordConfig from "./PasswordConfig";
 
 const SERVER_CONFIG_JSON = require('../../../server_config.json');
 
 const CONFIG_DICT =
   {
     'standard': StandardConfig,
-    'aws': AwsConfig
+    'aws': AwsConfig,
+    'password': PasswordConfig
   };
 
 export const SERVER_CONFIG = new CONFIG_DICT[SERVER_CONFIG_JSON['server_config']]();

monkey/monkey_island/cc/ui/src/services/AuthService.js

@@ -1,3 +1,4 @@
+import { SHA3 } from 'sha3';
 import decode from 'jwt-decode';
 import {SERVER_CONFIG} from '../server_config/ServerConfig';
 
@@ -6,7 +7,7 @@ export default class AuthService {
 
   login = (username, password) => {
     if (this.AUTH_ENABLED) {
-      return this._login(username, password);
+      return this._login(username, this.hashSha3(password));
     } else {
       return {result: true};
     }
@@ -20,6 +21,12 @@ export default class AuthService {
     }
   };
 
+  hashSha3(text) {
+    let hash = new SHA3(512);
+    hash.update(text);
+    return this._toHexStr(hash.digest());
+  }
+
   _login = (username, password) => {
     return this._authFetch('/api/auth', {
       method: 'POST',
@@ -103,4 +110,9 @@ export default class AuthService {
     return localStorage.getItem('jwt')
   }
 
+  _toHexStr(byteArr) {
+    return byteArr.reduce((acc, x) => (acc + ('0' + x.toString(0x10)).slice(-2)), '');
+  }
+
+
 }

monkey/monkey_island/deb-package/monkey_island_pip_requirements.txt

@@ -13,7 +13,7 @@ jsonschema
 netifaces
 ipaddress
 enum34
-PyCrypto
+pycryptodome
 boto3
 awscli
 virtualenv

monkey/monkey_island/requirements.txt

@@ -13,6 +13,6 @@ jsonschema
 netifaces
 ipaddress
 enum34
-PyCrypto
+pycryptodome
 boto3
 awscli