diff --git a/CHANGELOG.md b/CHANGELOG.md
index 584c1703d..1fd81aa7f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
- "Back door user" post-breach action. #1410
- Stale code in the Windows system info collector that collected installed
packages and WMI info. #1389
+- Remove insecure access feature in the Monkey Island. #1418
### Fixed
- Misaligned buttons and input fields on exploiter and network configuration
diff --git a/docs/content/FAQ/_index.md b/docs/content/FAQ/_index.md
index 32ae18617..e2ccc2d7e 100644
--- a/docs/content/FAQ/_index.md
+++ b/docs/content/FAQ/_index.md
@@ -52,12 +52,11 @@ Monkey in the newly created folder.
## Reset/enable the Monkey Island password
When you first access the Monkey Island server, you'll be prompted to create an account.
-To reset the credentials or enable/disable the authentication,
-edit the `server_config.json` file manually
+To reset the credentials, edit the `server_config.json` file manually
(located in the [data directory](/reference/data_directory)).
In order to reset the credentials, the following edits need to be made:
-1. Delete the `user` field if one exists. It will look like this:
+1. Delete the `user` field. It will look like this:
```json
{
...
@@ -65,7 +64,7 @@ In order to reset the credentials, the following edits need to be made:
...
}
```
-1. Delete the `password_hash` field if one exists. It will look like this:
+1. Delete the `password_hash` field. It will look like this:
```json
{
...
diff --git a/docs/content/setup/accounts-and-security.md b/docs/content/setup/accounts-and-security.md
index cd87c2f19..b5664bf95 100644
--- a/docs/content/setup/accounts-and-security.md
+++ b/docs/content/setup/accounts-and-security.md
@@ -11,8 +11,6 @@ tags: ["usage", "password"]
The first time you launch Monkey Island (the Infection Monkey C&C server), you'll be prompted to create an account and secure your island. After account creation, the server will only be accessible via the credentials you entered.
-If you want an island to be accessible without credentials, press *I want anyone to access the island*. Please note that this option is insecure, and you should only use it in development environments.
-
## Resetting your account credentials
This procedure is documented in [the FAQ]({{< ref "/faq/#how-do-i-reset-the-monkey-island-password" >}}).
diff --git a/monkey/monkey_island/cc/app.py b/monkey/monkey_island/cc/app.py
index b3254d7cb..0bc20852f 100644
--- a/monkey/monkey_island/cc/app.py
+++ b/monkey/monkey_island/cc/app.py
@@ -23,7 +23,6 @@ from monkey_island.cc.resources.client_run import ClientRun
from monkey_island.cc.resources.configuration_export import ConfigurationExport
from monkey_island.cc.resources.configuration_import import ConfigurationImport
from monkey_island.cc.resources.edge import Edge
-from monkey_island.cc.resources.environment import Environment
from monkey_island.cc.resources.exploitations.manual_exploitation import ManualExploitation
from monkey_island.cc.resources.exploitations.monkey_exploitation import MonkeyExploitation
from monkey_island.cc.resources.island_configuration import IslandConfiguration
@@ -125,7 +124,6 @@ def init_api_resources(api):
api.add_resource(Root, "/api")
api.add_resource(Registration, "/api/registration")
api.add_resource(Authenticate, "/api/auth")
- api.add_resource(Environment, "/api/environment")
api.add_resource(Monkey, "/api/monkey", "/api/monkey/", "/api/monkey/<string:guid>")
api.add_resource(Bootloader, "/api/bootloader/<string:os>")
api.add_resource(LocalRun, "/api/local-monkey", "/api/local-monkey/")
diff --git a/monkey/monkey_island/cc/environment/__init__.py b/monkey/monkey_island/cc/environment/__init__.py
index 1792ea99b..2c43eb9be 100644
--- a/monkey/monkey_island/cc/environment/__init__.py
+++ b/monkey/monkey_island/cc/environment/__init__.py
@@ -77,9 +77,6 @@ class Environment(object, metaclass=ABCMeta):
def testing(self, value):
self._testing = value
- def save_config(self):
- self._config.save_to_file()
-
def get_config(self) -> EnvironmentConfig:
return self._config
diff --git a/monkey/monkey_island/cc/environment/environment_singleton.py b/monkey/monkey_island/cc/environment/environment_singleton.py
index 82c6b90b0..4c5c6f744 100644
--- a/monkey/monkey_island/cc/environment/environment_singleton.py
+++ b/monkey/monkey_island/cc/environment/environment_singleton.py
@@ -1,16 +1,13 @@
import logging
-import monkey_island.cc.resources.auth.user_store as user_store
-from monkey_island.cc.environment import EnvironmentConfig, aws, password, standard
+from monkey_island.cc.environment import EnvironmentConfig, aws, password
logger = logging.getLogger(__name__)
AWS = "aws"
-STANDARD = "standard"
PASSWORD = "password"
ENV_DICT = {
- STANDARD: standard.StandardEnvironment,
AWS: aws.AwsEnvironment,
PASSWORD: password.PasswordEnvironment,
}
@@ -24,16 +21,6 @@ def set_env(env_type: str, env_config: EnvironmentConfig):
env = ENV_DICT[env_type](env_config)
-def set_to_standard():
- global env
- if env:
- env_config = env.get_config()
- env_config.server_config = "standard"
- set_env("standard", env_config)
- env.save_config()
- user_store.UserStore.set_users(env.get_auth_users())
-
-
def initialize_from_file(file_path):
try:
config = EnvironmentConfig(file_path)
diff --git a/monkey/monkey_island/cc/environment/standard.py b/monkey/monkey_island/cc/environment/standard.py
deleted file mode 100644
index 3bc823b9b..000000000
--- a/monkey/monkey_island/cc/environment/standard.py
+++ /dev/null
@@ -1,12 +0,0 @@
-from monkey_island.cc.environment import Environment
-from monkey_island.cc.resources.auth.auth_user import User
-
-
-class StandardEnvironment(Environment):
- _credentials_required = False
-
- NO_AUTH_USER = "1234567890!@#$%^&*()_nothing_up_my_sleeve_1234567890!@#$%^&*()"
- NO_AUTH_SECRET = "$2b$12$frH7uEwV3jkDNGgReW6j2udw8hy/Yw1SWAqytrcBYK48kn1V5lQIa"
-
- def get_auth_users(self):
- return [User(1, StandardEnvironment.NO_AUTH_USER, StandardEnvironment.NO_AUTH_SECRET)]
diff --git a/monkey/monkey_island/cc/resources/environment.py b/monkey/monkey_island/cc/resources/environment.py
deleted file mode 100644
index feb0c138c..000000000
--- a/monkey/monkey_island/cc/resources/environment.py
+++ /dev/null
@@ -1,22 +0,0 @@
-import json
-import logging
-
-import flask_restful
-from flask import request
-
-import monkey_island.cc.environment.environment_singleton as env_singleton
-
-logger = logging.getLogger(__name__)
-
-
-class Environment(flask_restful.Resource):
- def patch(self):
- env_data = json.loads(request.data)
- if env_data["server_config"] == "standard":
- if env_singleton.env.needs_registration():
- env_singleton.set_to_standard()
- logger.warning(
- "No user registered, Island on standard mode - no credentials required to "
- "access."
- )
- return {}
diff --git a/monkey/monkey_island/cc/ui/src/components/Main.tsx b/monkey/monkey_island/cc/ui/src/components/Main.tsx
index 65ecfc6be..cfd04b39d 100644
--- a/monkey/monkey_island/cc/ui/src/components/Main.tsx
+++ b/monkey/monkey_island/cc/ui/src/components/Main.tsx
@@ -67,7 +67,6 @@ class AppComponent extends AuthComponent {
loading: true,
completedSteps: completedSteps,
islandMode: undefined,
- noAuthLoginAttempted: undefined
};
this.interval = undefined;
this.setMode();
@@ -77,45 +76,44 @@ class AppComponent extends AuthComponent {
if (this.state.isLoggedIn === false) {
return
}
- this.auth.loggedIn()
- .then(res => {
- if (this.state.isLoggedIn !== res) {
- this.setState({
- isLoggedIn: res
- });
- }
- if (!res) {
- this.auth.needsRegistration()
- .then(result => {
- this.setState({
- needsRegistration: result
- });
- })
- }
+ let res = this.auth.loggedIn();
- if (res) {
- this.setMode()
- .then(() => {
- if (this.state.islandMode === null) {
- return
- }
- this.authFetch('/api')
- .then(res => res.json())
- .then(res => {
- let completedSteps = CompletedSteps.buildFromResponse(res.completed_steps);
- // This check is used to prevent unnecessary re-rendering
- if (_.isEqual(this.state.completedSteps, completedSteps)) {
- return;
- }
- this.setState({completedSteps: completedSteps});
- this.showInfectionDoneNotification();
- });
- }
- )
-
- }
+ if (this.state.isLoggedIn !== res) {
+ this.setState({
+ isLoggedIn: res
});
+ }
+
+ if (!res) {
+ this.auth.needsRegistration()
+ .then(result => {
+ this.setState({
+ needsRegistration: result
+ });
+ })
+ }
+
+ if (res) {
+ this.setMode()
+ .then(() => {
+ if (this.state.islandMode === null) {
+ return
+ }
+ this.authFetch('/api')
+ .then(res => res.json())
+ .then(res => {
+ let completedSteps = CompletedSteps.buildFromResponse(res.completed_steps);
+ // This check is used to prevent unnecessary re-rendering
+ if (_.isEqual(this.state.completedSteps, completedSteps)) {
+ return;
+ }
+ this.setState({completedSteps: completedSteps});
+ this.showInfectionDoneNotification();
+ });
+ }
+ )
+ }
};
setMode = () => {
diff --git a/monkey/monkey_island/cc/ui/src/components/pages/LoginPage.js b/monkey/monkey_island/cc/ui/src/components/pages/LoginPage.js
index 961c1899c..0a281157f 100644
--- a/monkey/monkey_island/cc/ui/src/components/pages/LoginPage.js
+++ b/monkey/monkey_island/cc/ui/src/components/pages/LoginPage.js
@@ -48,12 +48,11 @@ class LoginPageComponent extends React.Component {
this.redirectToRegistration()
}
})
- this.auth.loggedIn()
- .then(res => {
- if (res) {
- this.redirectToHome();
- }
- });
+
+ if (this.auth.loggedIn()) {
+ this.redirectToHome();
+ }
+
}
render() {
diff --git a/monkey/monkey_island/cc/ui/src/components/pages/RegisterPage.js b/monkey/monkey_island/cc/ui/src/components/pages/RegisterPage.js
index 7dfd51276..55a5fcebf 100644
--- a/monkey/monkey_island/cc/ui/src/components/pages/RegisterPage.js
+++ b/monkey/monkey_island/cc/ui/src/components/pages/RegisterPage.js
@@ -7,8 +7,6 @@ import ParticleBackground from '../ui-components/ParticleBackground';
class RegisterPageComponent extends React.Component {
- NO_AUTH_API_ENDPOINT = '/api/environment';
-
register = (event) => {
event.preventDefault();
this.auth.register(this.username, this.password).then(res => {
@@ -24,30 +22,6 @@ class RegisterPageComponent extends React.Component {
});
};
- setNoAuth = () => {
- let options = {};
- options['headers'] = {
- 'Accept': 'application/json',
- 'Content-Type': 'application/json'
- };
- options['method'] = 'PATCH';
- options['body'] = JSON.stringify({'server_config': 'standard'});
-
- return fetch(this.NO_AUTH_API_ENDPOINT, options)
- .then(res => {
- if (res.status === 200) {
- this.auth.attemptNoAuthLogin().then(() => {
- this.redirectToHome();
- });
- } else {
- this.setState({
- failed: true,
- error: res['error']
- });
- }
- })
- }
-
updateUsername = (evt) => {
this.username = evt.target.value;
};
@@ -96,13 +70,6 @@ class RegisterPageComponent extends React.Component {
<Button className={'monkey-submit-button'} type={'submit'} >
Let's go!
</Button>
- <Row>
- <Col>
- <a href='#' onClick={this.setNoAuth} className={'no-auth-link'}>
- I want anyone to access the island
- </a>
- </Col>
- </Row>
<Row>
<Col>
{
diff --git a/monkey/monkey_island/cc/ui/src/server_config/ServerConfig.js b/monkey/monkey_island/cc/ui/src/server_config/ServerConfig.js
index 14bd5c3ba..270c28710 100644
--- a/monkey/monkey_island/cc/ui/src/server_config/ServerConfig.js
+++ b/monkey/monkey_island/cc/ui/src/server_config/ServerConfig.js
@@ -1,4 +1,3 @@
-import StandardConfig from './StandardConfig';
import AwsConfig from './AwsConfig';
import PasswordConfig from './PasswordConfig';
@@ -6,7 +5,6 @@ import SERVER_CONFIG_JSON from '../../../server_config.json';
const CONFIG_DICT =
{
- 'standard': StandardConfig,
'aws': AwsConfig,
'password': PasswordConfig
};
diff --git a/monkey/monkey_island/cc/ui/src/server_config/StandardConfig.js b/monkey/monkey_island/cc/ui/src/server_config/StandardConfig.js
deleted file mode 100644
index c3ace9a97..000000000
--- a/monkey/monkey_island/cc/ui/src/server_config/StandardConfig.js
+++ /dev/null
@@ -1,10 +0,0 @@
-import BaseConfig from './BaseConfig';
-
-class StandardConfig extends BaseConfig {
-
- isAuthEnabled() {
- return false;
- }
-}
-
-export default StandardConfig;
diff --git a/monkey/monkey_island/cc/ui/src/services/AuthService.js b/monkey/monkey_island/cc/ui/src/services/AuthService.js
index d7d1b9c2f..11cf37044 100644
--- a/monkey/monkey_island/cc/ui/src/services/AuthService.js
+++ b/monkey/monkey_island/cc/ui/src/services/AuthService.js
@@ -1,8 +1,6 @@
import decode from 'jwt-decode';
export default class AuthService {
- NO_AUTH_CREDS = '1234567890!@#$%^&*()_nothing_up_my_sleeve_1234567890!@#$%^&*()';
-
SECONDS_BEFORE_JWT_EXPIRES = 20;
AUTHENTICATION_API_ENDPOINT = '/api/auth';
REGISTRATION_API_ENDPOINT = '/api/registration';
@@ -16,7 +14,7 @@ export default class AuthService {
};
jwtHeader = () => {
- if (this._loggedIn()) {
+ if (this.loggedIn()) {
return 'Bearer ' + this._getToken();
}
};
@@ -68,7 +66,7 @@ export default class AuthService {
'Content-Type': 'application/json'
};
- if (this._loggedIn()) {
+ if (this.loggedIn()) {
headers['Authorization'] = 'Bearer ' + this._getToken();
}
@@ -101,19 +99,7 @@ export default class AuthService {
})
};
- async loggedIn() {
- let token = this._getToken();
- if ((token === null) || (this._isTokenExpired(token))) {
- await this.attemptNoAuthLogin();
- }
- return this._loggedIn();
- }
-
- attemptNoAuthLogin() {
- return this._login(this.NO_AUTH_CREDS, this.NO_AUTH_CREDS);
- }
-
- _loggedIn() {
+ loggedIn() {
const token = this._getToken();
return ((token !== null) && !this._isTokenExpired(token));
}
diff --git a/monkey/monkey_island/cc/ui/src/styles/pages/AuthPage.scss b/monkey/monkey_island/cc/ui/src/styles/pages/AuthPage.scss
index e3ecbd0e6..80bd54507 100644
--- a/monkey/monkey_island/cc/ui/src/styles/pages/AuthPage.scss
+++ b/monkey/monkey_island/cc/ui/src/styles/pages/AuthPage.scss
@@ -35,15 +35,3 @@
margin-bottom: 20px;
text-align: center;
}
-
-.no-auth-link {
- margin-top: 10px;
- float: right;
- color: $monkey-black;
- text-decoration: underline;
-}
-
-.no-auth-link:hover {
- float: right;
- color: $monkey-yellow;
-}
diff --git a/monkey/tests/data_for_tests/server_configs/server_config_standard_env.json b/monkey/tests/data_for_tests/server_configs/server_config_standard_env.json
deleted file mode 100644
index 9c3a9899f..000000000
--- a/monkey/tests/data_for_tests/server_configs/server_config_standard_env.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "environment" : {
- "server_config": "standard",
- "deployment": "develop"
- },
- "mongodb": {
- "start_mongodb": true
- }
-}
diff --git a/monkey/tests/data_for_tests/server_configs/server_config_standard_with_credentials.json b/monkey/tests/data_for_tests/server_configs/server_config_standard_with_credentials.json
deleted file mode 100644
index 28d8653c8..000000000
--- a/monkey/tests/data_for_tests/server_configs/server_config_standard_with_credentials.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "log_level": "NOTICE",
- "environment" : {
- "server_config": "standard",
- "deployment": "develop",
- "user": "test",
- "password_hash": "abcdef"
- },
- "mongodb": {
- "start_mongodb": true
- }
-}
diff --git a/monkey/tests/data_for_tests/server_configs/server_config_with_credentials.json b/monkey/tests/data_for_tests/server_configs/server_config_with_credentials.json
index 2f75c48fb..8690ef1c7 100644
--- a/monkey/tests/data_for_tests/server_configs/server_config_with_credentials.json
+++ b/monkey/tests/data_for_tests/server_configs/server_config_with_credentials.json
@@ -1,4 +1,5 @@
{
+ "log_level": "NOTICE",
"environment" : {
"server_config": "password",
"deployment": "develop",
diff --git a/monkey/tests/unit_tests/monkey_island/cc/environment/conftest.py b/monkey/tests/unit_tests/monkey_island/cc/environment/conftest.py
index 767f765d9..c5d7b46b7 100644
--- a/monkey/tests/unit_tests/monkey_island/cc/environment/conftest.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/environment/conftest.py
@@ -16,8 +16,3 @@ def no_credentials(server_configs_dir):
@pytest.fixture(scope="module")
def partial_credentials(server_configs_dir):
return os.path.join(server_configs_dir, "server_config_partial_credentials.json")
-
-
-@pytest.fixture(scope="module")
-def standard_with_credentials(server_configs_dir):
- return os.path.join(server_configs_dir, "server_config_standard_with_credentials.json")
diff --git a/monkey/tests/unit_tests/monkey_island/cc/environment/test_environment.py b/monkey/tests/unit_tests/monkey_island/cc/environment/test_environment.py
index 030f99169..10adea8b7 100644
--- a/monkey/tests/unit_tests/monkey_island/cc/environment/test_environment.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/environment/test_environment.py
@@ -17,8 +17,6 @@ from monkey_island.cc.environment import Environment, EnvironmentConfig, UserCre
WITH_CREDENTIALS = None
NO_CREDENTIALS = None
PARTIAL_CREDENTIALS = None
-STANDARD_WITH_CREDENTIALS = None
-STANDARD_ENV = None
EMPTY_USER_CREDENTIALS = UserCreds("", "")
FULL_USER_CREDENTIALS = UserCreds(username="test", password_hash="1231234")
@@ -31,16 +29,10 @@ def configure_resources(server_configs_dir):
global WITH_CREDENTIALS
global NO_CREDENTIALS
global PARTIAL_CREDENTIALS
- global STANDARD_WITH_CREDENTIALS
- global STANDARD_ENV
WITH_CREDENTIALS = os.path.join(server_configs_dir, "server_config_with_credentials.json")
NO_CREDENTIALS = os.path.join(server_configs_dir, "server_config_no_credentials.json")
PARTIAL_CREDENTIALS = os.path.join(server_configs_dir, "server_config_partial_credentials.json")
- STANDARD_WITH_CREDENTIALS = os.path.join(
- server_configs_dir, "server_config_standard_with_credentials.json"
- )
- STANDARD_ENV = os.path.join(server_configs_dir, "server_config_standard_env.json")
def get_tmp_file():
@@ -123,29 +115,18 @@ class TestEnvironment(TestCase):
self._test_bool_env_method("needs_registration", env, NO_CREDENTIALS, True)
self._test_bool_env_method("needs_registration", env, PARTIAL_CREDENTIALS, True)
- env = TestEnvironment.EnvironmentCredentialsNotRequired()
- self._test_bool_env_method("needs_registration", env, STANDARD_ENV, False)
- self._test_bool_env_method("needs_registration", env, STANDARD_WITH_CREDENTIALS, False)
-
def test_is_registered(self):
env = TestEnvironment.EnvironmentCredentialsRequired()
self._test_bool_env_method("_is_registered", env, WITH_CREDENTIALS, True)
self._test_bool_env_method("_is_registered", env, NO_CREDENTIALS, False)
self._test_bool_env_method("_is_registered", env, PARTIAL_CREDENTIALS, False)
- env = TestEnvironment.EnvironmentCredentialsNotRequired()
- self._test_bool_env_method("_is_registered", env, STANDARD_ENV, False)
- self._test_bool_env_method("_is_registered", env, STANDARD_WITH_CREDENTIALS, False)
-
def test_is_credentials_set_up(self):
env = TestEnvironment.EnvironmentCredentialsRequired()
self._test_bool_env_method("_is_credentials_set_up", env, NO_CREDENTIALS, False)
self._test_bool_env_method("_is_credentials_set_up", env, WITH_CREDENTIALS, True)
self._test_bool_env_method("_is_credentials_set_up", env, PARTIAL_CREDENTIALS, False)
- env = TestEnvironment.EnvironmentCredentialsNotRequired()
- self._test_bool_env_method("_is_credentials_set_up", env, STANDARD_ENV, False)
-
def _test_bool_env_method(
self, method_name: str, env: Environment, config: Dict, expected_result: bool
):
diff --git a/monkey/tests/unit_tests/monkey_island/cc/environment/test_environment_config.py b/monkey/tests/unit_tests/monkey_island/cc/environment/test_environment_config.py
index 0e3efda04..52f0d96ca 100644
--- a/monkey/tests/unit_tests/monkey_island/cc/environment/test_environment_config.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/environment/test_environment_config.py
@@ -40,8 +40,8 @@ def test_get_with_partial_credentials(partial_credentials):
assert config_dict["user"] == "test"
-def test_save_to_file(config_file, standard_with_credentials):
- shutil.copyfile(standard_with_credentials, config_file)
+def test_save_to_file(config_file, with_credentials):
+ shutil.copyfile(with_credentials, config_file)
environment_config = EnvironmentConfig(config_file)
environment_config.aws = "test_aws"
@@ -53,8 +53,8 @@ def test_save_to_file(config_file, standard_with_credentials):
assert environment_config.to_dict() == from_file["environment"]
-def test_save_to_file_preserve_log_level(config_file, standard_with_credentials):
- shutil.copyfile(standard_with_credentials, config_file)
+def test_save_to_file_preserve_log_level(config_file, with_credentials):
+ shutil.copyfile(with_credentials, config_file)
environment_config = EnvironmentConfig(config_file)
environment_config.aws = "test_aws"
@@ -67,12 +67,12 @@ def test_save_to_file_preserve_log_level(config_file, standard_with_credentials)
assert from_file["log_level"] == "NOTICE"
-def test_add_user(config_file, standard_with_credentials):
+def test_add_user(config_file, with_credentials):
new_user = "new_user"
new_password_hash = "fedcba"
new_user_creds = UserCreds(new_user, new_password_hash)
- shutil.copyfile(standard_with_credentials, config_file)
+ shutil.copyfile(with_credentials, config_file)
environment_config = EnvironmentConfig(config_file)
environment_config.add_user(new_user_creds)
@@ -85,8 +85,8 @@ def test_add_user(config_file, standard_with_credentials):
assert from_file["environment"]["password_hash"] == new_password_hash
-def test_get_users(standard_with_credentials):
- environment_config = EnvironmentConfig(standard_with_credentials)
+def test_get_users(with_credentials):
+ environment_config = EnvironmentConfig(with_credentials)
users = environment_config.get_users()
assert len(users) == 1