From fac6f970bb8d13da10c286072028e5c090adc7d5 Mon Sep 17 00:00:00 2001 From: Itay Mizeretz Date: Sun, 25 Nov 2018 18:38:44 +0200 Subject: [PATCH 1/2] Add support for strings to be encrypted --- monkey/monkey_island/cc/services/config.py | 39 ++++++++++++++++------ 1 file changed, 28 insertions(+), 11 deletions(-) diff --git a/monkey/monkey_island/cc/services/config.py b/monkey/monkey_island/cc/services/config.py index 64b359f61..9ebe7189c 100644 --- a/monkey/monkey_island/cc/services/config.py +++ b/monkey/monkey_island/cc/services/config.py @@ -869,6 +869,7 @@ SCHEMA = { } } +# This should be used for config values of array type (array of strings only) ENCRYPTED_CONFIG_ARRAYS = \ [ ['basic', 'credentials', 'exploit_password_list'], @@ -877,6 +878,12 @@ ENCRYPTED_CONFIG_ARRAYS = \ ['internal', 'exploits', 'exploit_ssh_keys'] ] +# This should be used for config values of string type +ENCRYPTED_CONFIG_STRINGS = \ + [ + + ] + class ConfigService: default_config = None @@ -913,8 +920,11 @@ class ConfigService: config = mongo.db.config.find_one({'name': 'initial' if is_initial_config else 'newconfig'}, {config_key: 1}) for config_key_part in config_key_as_arr: config = config[config_key_part] - if should_decrypt and (config_key_as_arr in ENCRYPTED_CONFIG_ARRAYS): - config = [encryptor.dec(x) for x in config] + if should_decrypt: + if config_key_as_arr in ENCRYPTED_CONFIG_ARRAYS: + config = [encryptor.dec(x) for x in config] + elif config_key_as_arr in ENCRYPTED_CONFIG_STRINGS: + config = encryptor.dec(config) return config @staticmethod 
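Review bot: The comment on the new `ENCRYPTED_CONFIG_STRINGS` list (hunk at -877) does not say that encryption is opt-in per key path, which is the fact a maintainer adding a secret-bearing option most needs. As far as this patch shows, only paths listed in one of the two lists are passed to `encryptor`, so a string option that is not listed would be stored as entered. I would expand the comment to something like `# Full key paths (same list-of-parts form as ENCRYPTED_CONFIG_ARRAYS) of string-typed options that hold secrets; anything not listed here is stored unencrypted`.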
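Review bot: In the hunk at -913 the decrypt branch is chosen by which list the key path is in, while `_encrypt_or_decrypt_config` later in this commit chooses by the runtime type of the value, so the two can disagree. If a path listed in `ENCRYPTED_CONFIG_ARRAYS` ever holds a single string, it is encrypted as one value on save but decrypted here element by element, that is, per character of the ciphertext. Checking the type here as well would keep read and write symmetric, for example `config = encryptor.dec(config) if isinstance(config, string_types) else [encryptor.dec(x) for x in config]` under a single membership test against both lists. The enclosing method starts outside the hunk, so confirm how `should_decrypt` callers use the result.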
@@ -1071,7 +1081,7 @@ class ConfigService: """ Same as decrypt_config but for a flat configuration """ - keys = [config_arr_as_array[2] for config_arr_as_array in ENCRYPTED_CONFIG_ARRAYS] + keys = [config_arr_as_array[2] for config_arr_as_array in (ENCRYPTED_CONFIG_ARRAYS + ENCRYPTED_CONFIG_STRINGS)] for key in keys: if isinstance(flat_config[key], collections.Sequence) and not isinstance(flat_config[key], string_types): # Check if we are decrypting ssh key pair @@ -1085,18 +1095,25 @@ class ConfigService: @staticmethod def _encrypt_or_decrypt_config(config, is_decrypt=False): - for config_arr_as_array in ENCRYPTED_CONFIG_ARRAYS: + for config_arr_as_array in (ENCRYPTED_CONFIG_ARRAYS + ENCRYPTED_CONFIG_STRINGS): config_arr = config + prev_config_arr = None + for config_key_part in config_arr_as_array: + prev_config_arr = config_arr config_arr = config_arr[config_key_part] - for i in range(len(config_arr)): - # Check if array of shh key pairs and then decrypt - if isinstance(config_arr[i], dict) and 'public_key' in config_arr[i]: - config_arr[i] = ConfigService.decrypt_ssh_key_pair(config_arr[i]) if is_decrypt else \ - ConfigService.decrypt_ssh_key_pair(config_arr[i], True) - else: - config_arr[i] = encryptor.dec(config_arr[i]) if is_decrypt else encryptor.enc(config_arr[i]) + if isinstance(config_arr, collections.Sequence) and not isinstance(config_arr, string_types): + for i in range(len(config_arr)): + # Check if array of shh key pairs and then decrypt + if isinstance(config_arr[i], dict) and 'public_key' in config_arr[i]: + config_arr[i] = ConfigService.decrypt_ssh_key_pair(config_arr[i]) if is_decrypt else \ + ConfigService.decrypt_ssh_key_pair(config_arr[i], True) + else: + config_arr[i] = encryptor.dec(config_arr[i]) if is_decrypt else encryptor.enc(config_arr[i]) + else: + prev_config_arr[config_arr_as_array[-1]] =\ + encryptor.dec(config_arr) if is_decrypt else encryptor.enc(config_arr) @staticmethod def decrypt_ssh_key_pair(pair, encrypt=False): 
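Review bot: The `keys` line in the hunk at -1071 still indexes each path with a hard-coded `[2]`, which only works while every entry has exactly three parts. A string option registered at another depth would raise `IndexError` or select a non-leaf key, and `_encrypt_or_decrypt_config` in this same commit already uses `config_arr_as_array[-1]` for the leaf. I would write `keys = [path[-1] for path in (ENCRYPTED_CONFIG_ARRAYS + ENCRYPTED_CONFIG_STRINGS)]`. The loop body continues past the hunk, so it is not visible here whether a key missing from `flat_config` is tolerated, and `flat_config[key]` as written would raise `KeyError`.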
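Review bot: The new `else:` branch in `_encrypt_or_decrypt_config` (hunk at -1085) sends every value that is not a non-string sequence to `encryptor`, not only strings. A `None`, a number or a dict at a listed path would reach `encryptor.enc` or `encryptor.dec`, and what they do with non-string input is not visible in this patch. I would make the branch explicit with `elif isinstance(config_arr, string_types):` and raise on any other type, so a malformed config fails loudly instead of storing a secret in an unexpected form. Separately, `collections.Sequence` on the added `isinstance` line is a deprecated alias of `collections.abc.Sequence` and was removed in Python 3.10. The same `else:` assignment is touched again by the rename in patch 2/2.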
From f6a0937b220290ff273ec05c6872990487586bff Mon Sep 17 00:00:00 2001 From: Itay Mizeretz Date: Sun, 25 Nov 2018 18:45:55 +0200 Subject: [PATCH 2/2] rename var + comment --- monkey/monkey_island/cc/services/config.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/monkey/monkey_island/cc/services/config.py b/monkey/monkey_island/cc/services/config.py index 9ebe7189c..1b2966026 100644 --- a/monkey/monkey_island/cc/services/config.py +++ b/monkey/monkey_island/cc/services/config.py @@ -1097,10 +1097,11 @@ class ConfigService: def _encrypt_or_decrypt_config(config, is_decrypt=False): for config_arr_as_array in (ENCRYPTED_CONFIG_ARRAYS + ENCRYPTED_CONFIG_STRINGS): config_arr = config - prev_config_arr = None + parent_config_arr = None + # Because the config isn't flat, this for-loop gets the actual config value out of the config for config_key_part in config_arr_as_array: - prev_config_arr = config_arr + parent_config_arr = config_arr config_arr = config_arr[config_key_part] if isinstance(config_arr, collections.Sequence) and not isinstance(config_arr, string_types): @@ -1112,7 +1113,7 @@ class ConfigService: else: config_arr[i] = encryptor.dec(config_arr[i]) if is_decrypt else encryptor.enc(config_arr[i]) else: - prev_config_arr[config_arr_as_array[-1]] =\ + parent_config_arr[config_arr_as_array[-1]] =\ encryptor.dec(config_arr) if is_decrypt else encryptor.enc(config_arr) @staticmethod