Island: Use new Credentials object in MongoCredentialsRepository

This commit is contained in:
Mike Salvatore 2022-07-14 13:32:16 -04:00
parent 04d72c0d36
commit add6ca3941
3 changed files with 45 additions and 35 deletions

View File

@ -80,30 +80,27 @@ class MongoCredentialsRepository(ICredentialsRepository):
def _encrypt_credentials_mapping(self, mapping: Mapping[str, Any]) -> Mapping[str, Any]:
encrypted_mapping: Dict[str, Any] = {}
for secret_or_identity, credentials_components in mapping.items():
encrypted_mapping[secret_or_identity] = []
for component in credentials_components:
for secret_or_identity, credentials_component in mapping.items():
encrypted_component = {}
for key, value in component.items():
for key, value in credentials_component.items():
encrypted_component[key] = self._repository_encryptor.encrypt(value.encode())
encrypted_mapping[secret_or_identity].append(encrypted_component)
encrypted_mapping[secret_or_identity] = encrypted_component
return encrypted_mapping
def _decrypt_credentials_mapping(self, mapping: Mapping[str, Any]) -> Mapping[str, Any]:
encrypted_mapping: Dict[str, Any] = {}
decrypted_mapping: Dict[str, Any] = {}
for secret_or_identity, credentials_components in mapping.items():
encrypted_mapping[secret_or_identity] = []
for component in credentials_components:
encrypted_component = {}
for key, value in component.items():
encrypted_component[key] = self._repository_encryptor.decrypt(value).decode()
for secret_or_identity, credentials_component in mapping.items():
decrypted_mapping[secret_or_identity] = []
decrypted_component = {}
for key, value in credentials_component.items():
decrypted_component[key] = self._repository_encryptor.decrypt(value).decode()
encrypted_mapping[secret_or_identity].append(encrypted_component)
decrypted_mapping[secret_or_identity] = decrypted_component
return encrypted_mapping
return decrypted_mapping
@staticmethod
def _remove_credentials_fom_collection(collection):

View File

@ -1,4 +1,4 @@
from common.credentials import Credentials, LMHash, NTHash, Password, Username
from common.credentials import Credentials, LMHash, NTHash, Password, SSHKeypair, Username
username = "m0nk3y_user"
special_username = "m0nk3y.user"
@ -6,8 +6,21 @@ nt_hash = "C1C58F96CDF212B50837BC11A00BE47C"
lm_hash = "299BD128C1101FD6299BD128C1101FD6"
password_1 = "trytostealthis"
password_2 = "password"
PUBLIC_KEY = "MY_PUBLIC_KEY"
PRIVATE_KEY = "MY_PRIVATE_KEY"
PROPAGATION_CREDENTIALS_1 = Credentials(identity=Username(username), secret=Password(password_1))
PROPAGATION_CREDENTIALS_2 = Credentials(identity=Username(special_username), secret=LMHash(lm_hash))
PROPAGATION_CREDENTIALS_3 = Credentials(identity=Username(username), secret=NTHash(nt_hash))
PROPAGATION_CREDENTIALS_4 = Credentials(identity=Username(username), secret=Password(password_2))
PROPAGATION_CREDENTIALS_5 = Credentials(
identity=Username(username), secret=SSHKeypair(PRIVATE_KEY, PUBLIC_KEY)
)
PROPAGATION_CREDENTIALS = [
PROPAGATION_CREDENTIALS_1,
PROPAGATION_CREDENTIALS_2,
PROPAGATION_CREDENTIALS_3,
PROPAGATION_CREDENTIALS_4,
PROPAGATION_CREDENTIALS_5,
]

View File

@ -2,6 +2,7 @@ from unittest.mock import MagicMock
import mongomock
import pytest
from tests.data_for_tests.propagation_credentials import PROPAGATION_CREDENTIALS
from common.credentials import Credentials, LMHash, NTHash, Password, SSHKeypair, Username
from monkey_island.cc.repository import MongoCredentialsRepository
@ -32,9 +33,9 @@ SECRETS_2 = (Password(PASSWORD2), Password(PASSWORD3))
CREDENTIALS_OBJECT_2 = Credentials(IDENTITIES_2, SECRETS_2)
CONFIGURED_CREDENTIALS = [CREDENTIALS_OBJECT_1]
CONFIGURED_CREDENTIALS = PROPAGATION_CREDENTIALS[0:3]
STOLEN_CREDENTIALS = [CREDENTIALS_OBJECT_2]
STOLEN_CREDENTIALS = PROPAGATION_CREDENTIALS[3:6]
CREDENTIALS_LIST = [CREDENTIALS_OBJECT_1, CREDENTIALS_OBJECT_2]
@ -81,9 +82,9 @@ def test_mongo_repository_get_all(mongo_repository):
def test_mongo_repository_configured(mongo_repository):
mongo_repository.save_configured_credentials(CREDENTIALS_LIST)
mongo_repository.save_configured_credentials(PROPAGATION_CREDENTIALS)
actual_configured_credentials = mongo_repository.get_configured_credentials()
assert actual_configured_credentials == CREDENTIALS_LIST
assert actual_configured_credentials == PROPAGATION_CREDENTIALS
mongo_repository.remove_configured_credentials()
actual_configured_credentials = mongo_repository.get_configured_credentials()
@ -93,7 +94,7 @@ def test_mongo_repository_configured(mongo_repository):
def test_mongo_repository_stolen(mongo_repository):
mongo_repository.save_stolen_credentials(STOLEN_CREDENTIALS)
actual_stolen_credentials = mongo_repository.get_stolen_credentials()
assert sorted(actual_stolen_credentials) == sorted(STOLEN_CREDENTIALS)
assert actual_stolen_credentials == STOLEN_CREDENTIALS
mongo_repository.remove_stolen_credentials()
actual_stolen_credentials = mongo_repository.get_stolen_credentials()
@ -104,7 +105,7 @@ def test_mongo_repository_all(mongo_repository):
mongo_repository.save_configured_credentials(CONFIGURED_CREDENTIALS)
mongo_repository.save_stolen_credentials(STOLEN_CREDENTIALS)
actual_credentials = mongo_repository.get_all_credentials()
assert actual_credentials == CREDENTIALS_LIST
assert actual_credentials == PROPAGATION_CREDENTIALS
mongo_repository.remove_all_credentials()
@ -116,26 +117,25 @@ def test_mongo_repository_all(mongo_repository):
# NOTE: The following tests are complicated, but they work. Rather than spend the effort to improve
# them now, we can revisit them when we resolve #2072. Resolving #2072 will make it easier to
# simplify these tests.
def test_configured_secrets_encrypted(mongo_repository, mongo_client):
mongo_repository.save_configured_credentials([CREDENTIALS_OBJECT_2])
check_if_stored_credentials_encrypted(mongo_client, CREDENTIALS_OBJECT_2)
@pytest.mark.parametrize("credentials", PROPAGATION_CREDENTIALS)
def test_configured_secrets_encrypted(mongo_repository, mongo_client, credentials):
mongo_repository.save_configured_credentials([credentials])
check_if_stored_credentials_encrypted(mongo_client, credentials)
def test_stolen_secrets_encrypted(mongo_repository, mongo_client):
mongo_repository.save_stolen_credentials([CREDENTIALS_OBJECT_2])
check_if_stored_credentials_encrypted(mongo_client, CREDENTIALS_OBJECT_2)
@pytest.mark.parametrize("credentials", PROPAGATION_CREDENTIALS)
def test_stolen_secrets_encrypted(mongo_repository, mongo_client, credentials):
mongo_repository.save_stolen_credentials([credentials])
check_if_stored_credentials_encrypted(mongo_client, credentials)
def check_if_stored_credentials_encrypted(mongo_client, original_credentials):
raw_credentials = get_all_credentials_in_mongo(mongo_client)
original_credentials_mapping = Credentials.to_mapping(original_credentials)
for rc in raw_credentials:
for identity_or_secret, credentials_components in rc.items():
for component in credentials_components:
for key, value in component.items():
assert (
original_credentials_mapping[identity_or_secret][0].get(key, None) != value
)
for identity_or_secret, credentials_component in rc.items():
for key, value in credentials_component.items():
assert original_credentials_mapping[identity_or_secret][key] != value
def get_all_credentials_in_mongo(mongo_client):