From c19dc9dcad74f50f75c9d69bb13fe2bb4504b149 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Mon, 7 Jun 2021 14:33:04 -0400 Subject: [PATCH] island: Add config validation to IslandConfigOptions --- monkey/monkey_island/cc/server_setup.py | 29 +++++++++++++++---- .../cc/services/utils/file_handling.py | 16 ---------- .../cc/setup/certificate_setup.py | 18 ------------ .../cc/setup/island_config_options.py | 25 +++++++++++++++- 4 files changed, 47 insertions(+), 41 deletions(-) delete mode 100644 monkey/monkey_island/cc/services/utils/file_handling.py delete mode 100644 monkey/monkey_island/cc/setup/certificate_setup.py diff --git a/monkey/monkey_island/cc/server_setup.py b/monkey/monkey_island/cc/server_setup.py index 7e32ce26b..8adcbdaa5 100644 --- a/monkey/monkey_island/cc/server_setup.py +++ b/monkey/monkey_island/cc/server_setup.py @@ -26,7 +26,7 @@ from monkey_island.cc.server_utils.island_logger import reset_logger, setup_logg from monkey_island.cc.services.initialize import initialize_services # noqa: E402 from monkey_island.cc.services.reporting.exporter_init import populate_exporter_list # noqa: E402 from monkey_island.cc.services.utils.network_utils import local_ip_addresses # noqa: E402 -from monkey_island.cc.setup.certificate_setup import setup_certificate # noqa: E402 +from monkey_island.cc.setup import island_config_options # noqa: E402 from monkey_island.cc.setup.island_config_options import IslandConfigOptions # noqa: E402 from monkey_island.cc.setup.mongo.database_initializer import init_collections # noqa: E402 from monkey_island.cc.setup.mongo.mongo_setup import ( # noqa: E402 @@ -43,6 +43,8 @@ def run_monkey_island(): island_args = parse_cli_args() config_options, server_config_path = _setup_data_dir(island_args) + _exit_on_invalid_config_options(config_options) + _configure_logging(config_options) _initialize_globals(config_options, server_config_path) 
@@ -66,6 +68,14 @@ def _setup_data_dir(island_args: IslandCmdArgs) -> Tuple[IslandConfigOptions, st exit(1) +def _exit_on_invalid_config_options(config_options: IslandConfigOptions): + try: + island_config_options.raise_on_invalid_options(config_options) + except Exception as ex: + print(f"Configuration error: {ex}") + exit(1) + + def _configure_logging(config_options): reset_logger() setup_logging(config_options.data_dir, config_options.log_level) @@ -82,8 +92,6 @@ def _start_island_server(should_setup_only, config_options: IslandConfigOptions) populate_exporter_list() app = init_app(MONGO_URL) - crt_path, key_path = setup_certificate(config_options.crt_path, config_options.key_path) - init_collections() if should_setup_only: @@ -92,14 +100,23 @@ def _start_island_server(should_setup_only, config_options: IslandConfigOptions) bootloader_server_thread = _start_bootloader_server() + logger.info( + f"Using certificate path: {config_options.crt_path}, and key path: " + "{config_options.key_path}." + ) + if env_singleton.env.is_debug(): - app.run(host="0.0.0.0", debug=True, ssl_context=(crt_path, key_path)) + app.run( + host="0.0.0.0", + debug=True, + ssl_context=(config_options.crt_path, config_options.key_path), + ) else: http_server = WSGIServer( ("0.0.0.0", env_singleton.env.get_island_port()), app, - certfile=crt_path, - keyfile=key_path, + certfile=config_options.crt_path, + keyfile=config_options.key_path, ) _log_init_info() http_server.serve_forever() diff --git a/monkey/monkey_island/cc/services/utils/file_handling.py b/monkey/monkey_island/cc/services/utils/file_handling.py deleted file mode 100644 index e6c4839d2..000000000 --- a/monkey/monkey_island/cc/services/utils/file_handling.py +++ /dev/null 
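Review bot: The `except Exception` in `_exit_on_invalid_config_options` is wider than the two errors the validator is written to raise, so a programming error inside the check (for example a type error from the permissions helper) would be printed as "Configuration error" and read like an operator mistake. Narrowing it to `except (FileNotFoundError, InsecurePermissionsError) as ex:` keeps the message truthful and lets unexpected failures surface with a traceback; that needs `InsecurePermissionsError` imported from `common.utils.exceptions` in this module. Because the check runs before `_configure_logging`, the failure is only printed and never reaches the log file, which deserves a one-line comment such as `# Logging is not configured yet, so report on the console.`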
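Review bot: The second string literal in the new `logger.info` call has no `f` prefix, so the log will contain the literal text `{config_options.key_path}` instead of the key path. It should read `f"{config_options.key_path}."`. The body of `_start_island_server` starts outside this hunk. The debug branch still passes `host="0.0.0.0"` together with `debug=True`, unchanged by this commit apart from re-wrapping; since Flask's debug mode exposes an interactive debugger, a comment marking that branch as development-only would help the next reader.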
@@ -1,16 +0,0 @@ -import os - -from common.utils.exceptions import InsecurePermissionsError -from monkey_island.cc.server_utils.file_utils import has_expected_permissions - - -def ensure_file_existence(file: str) -> None: - if not os.path.exists(file): - raise FileNotFoundError(f"File not found at {file}. Exiting.") - - -def ensure_file_permissions(file: str) -> None: - if not has_expected_permissions(path=file, expected_permissions="0o400"): - raise InsecurePermissionsError( - f"{file} has insecure permissions. Required permissions: 400. Exiting." - ) diff --git a/monkey/monkey_island/cc/setup/certificate_setup.py b/monkey/monkey_island/cc/setup/certificate_setup.py deleted file mode 100644 index 273bbee1b..000000000 --- a/monkey/monkey_island/cc/setup/certificate_setup.py +++ /dev/null @@ -1,18 +0,0 @@ -import logging - -from monkey_island.cc.services.utils.file_handling import ( - ensure_file_existence, - ensure_file_permissions, -) - -logger = logging.getLogger(__name__) - - -def setup_certificate(crt_path: str, key_path: str) -> (str, str): - for file in [crt_path, key_path]: - ensure_file_existence(file) - ensure_file_permissions(file) - - logger.info(f"Using certificate path: {crt_path}, and key path: {key_path}.") - - return crt_path, key_path diff --git a/monkey/monkey_island/cc/setup/island_config_options.py b/monkey/monkey_island/cc/setup/island_config_options.py index 9704e5f45..78865acbe 100644 --- a/monkey/monkey_island/cc/setup/island_config_options.py +++ b/monkey/monkey_island/cc/setup/island_config_options.py @@ -1,5 +1,8 @@ from __future__ import annotations +import os + +from common.utils.exceptions import InsecurePermissionsError from monkey_island.cc.server_utils.consts import ( DEFAULT_CERTIFICATE_PATHS, DEFAULT_CRT_PATH, 
@@ -8,7 +11,7 @@ from monkey_island.cc.server_utils.consts import ( DEFAULT_LOG_LEVEL, DEFAULT_START_MONGO_DB, ) -from monkey_island.cc.server_utils.file_utils import expand_path +from monkey_island.cc.server_utils.file_utils import expand_path, has_expected_permissions class IslandConfigOptions: @@ -31,3 +34,23 @@ class IslandConfigOptions: "ssl_certificate_key_file", DEFAULT_KEY_PATH ) ) + + +def raise_on_invalid_options(options: IslandConfigOptions): + _raise_if_not_isfile(options.crt_path) + _raise_if_incorrect_permissions(options.crt_path, 0o400) + + _raise_if_not_isfile(options.key_path) + _raise_if_incorrect_permissions(options.key_path, 0o400) + + +def _raise_if_not_isfile(f: str): + if not os.path.isfile(f): + raise FileNotFoundError(f"{f} does not exist or is not a regular file.") + + +def _raise_if_incorrect_permissions(f: str, expected_permissions: int): + if not has_expected_permissions(f, expected_permissions): + raise InsecurePermissionsError( + f"The file {f} has incorrect permissions. Expected: {oct(expected_permissions)}" + )
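Review bot: `_raise_if_incorrect_permissions` passes the integer `0o400` to `has_expected_permissions`, whereas the deleted `ensure_file_permissions` passed the string `"0o400"`, and `file_utils.py` is not touched by this patch. Please confirm the helper compares against an int, otherwise validation may reject correctly protected files or fail with a type error. The three new functions have no docstrings; `raise_on_invalid_options` should state that both the certificate and the key must be regular files with mode 0o400 and that it raises `FileNotFoundError` or `InsecurePermissionsError`. The docstring could also note that `os.path.isfile` follows symlinks and that the check runs once at startup, so it does not cover the files as the server later opens them.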