Island: Rename get_encryptor and initialize_encryptor

Renamed to get_datastore_encryptor and
initialize_datastore_encryptor
Ilija Lazoroski 2021-09-23 19:04:22 +02:00
parent e0779347b2
commit e2ede28967
12 changed files with 53 additions and 45 deletions


@ -1,14 +1,14 @@
from typing import List from typing import List
from monkey_island.cc.models.utils.field_encryptors.i_field_encryptor import IFieldEncryptor from monkey_island.cc.models.utils.field_encryptors.i_field_encryptor import IFieldEncryptor
from monkey_island.cc.server_utils.encryption import get_encryptor from monkey_island.cc.server_utils.encryption import get_datastore_encryptor
class StringListEncryptor(IFieldEncryptor): class StringListEncryptor(IFieldEncryptor):
@staticmethod @staticmethod
def encrypt(value: List[str]): def encrypt(value: List[str]):
return [get_encryptor().enc(string) for string in value] return [get_datastore_encryptor().enc(string) for string in value]
@staticmethod @staticmethod
def decrypt(value: List[str]): def decrypt(value: List[str]):
return [get_encryptor().dec(string) for string in value] return [get_datastore_encryptor().dec(string) for string in value]


@ -27,7 +27,7 @@ from monkey_island.cc.server_utils.consts import ( # noqa: E402
GEVENT_EXCEPTION_LOG, GEVENT_EXCEPTION_LOG,
MONGO_CONNECTION_TIMEOUT, MONGO_CONNECTION_TIMEOUT,
) )
from monkey_island.cc.server_utils.encryption import initialize_encryptor # noqa: E402 from monkey_island.cc.server_utils.encryption import initialize_datastore_encryptor # noqa: E402
from monkey_island.cc.server_utils.island_logger import reset_logger, setup_logging # noqa: E402 from monkey_island.cc.server_utils.island_logger import reset_logger, setup_logging # noqa: E402
from monkey_island.cc.services.initialize import initialize_services # noqa: E402 from monkey_island.cc.services.initialize import initialize_services # noqa: E402
from monkey_island.cc.services.reporting.exporter_init import populate_exporter_list # noqa: E402 from monkey_island.cc.services.reporting.exporter_init import populate_exporter_list # noqa: E402
@ -88,7 +88,7 @@ def _configure_logging(config_options):
def _initialize_globals(config_options: IslandConfigOptions, server_config_path: str): def _initialize_globals(config_options: IslandConfigOptions, server_config_path: str):
env_singleton.initialize_from_file(server_config_path) env_singleton.initialize_from_file(server_config_path)
initialize_encryptor(config_options.data_dir) initialize_datastore_encryptor(config_options.data_dir)
initialize_services(config_options.data_dir) initialize_services(config_options.data_dir)


@ -8,6 +8,6 @@ from monkey_island.cc.server_utils.encryption.password_based_encryption import (
) )
from monkey_island.cc.server_utils.encryption.data_store_encryptor import ( from monkey_island.cc.server_utils.encryption.data_store_encryptor import (
DataStoreEncryptor, DataStoreEncryptor,
get_encryptor, get_datastore_encryptor,
initialize_encryptor, initialize_datastore_encryptor,
) )


@ -40,11 +40,11 @@ class DataStoreEncryptor:
return self._key_base_encryptor.decrypt(enc_message) return self._key_base_encryptor.decrypt(enc_message)
def initialize_encryptor(key_file_dir): def initialize_datastore_encryptor(key_file_dir):
global _encryptor global _encryptor
_encryptor = DataStoreEncryptor(key_file_dir) _encryptor = DataStoreEncryptor(key_file_dir)
def get_encryptor(): def get_datastore_encryptor():
return _encryptor return _encryptor


@ -1,4 +1,4 @@
from monkey_island.cc.server_utils.encryption import get_encryptor from monkey_island.cc.server_utils.encryption import get_datastore_encryptor
def parse_creds(attempt): def parse_creds(attempt):
@ -29,7 +29,7 @@ def censor_password(password, plain_chars=3, secret_chars=5):
""" """
if not password: if not password:
return "" return ""
password = get_encryptor().dec(password) password = get_datastore_encryptor().dec(password)
return password[0:plain_chars] + "*" * secret_chars return password[0:plain_chars] + "*" * secret_chars
@ -42,5 +42,5 @@ def censor_hash(hash_, plain_chars=5):
""" """
if not hash_: if not hash_:
return "" return ""
hash_ = get_encryptor().dec(hash_) hash_ = get_datastore_encryptor().dec(hash_)
return hash_[0:plain_chars] + " ..." return hash_[0:plain_chars] + " ..."


@ -19,7 +19,7 @@ from common.config_value_paths import (
USER_LIST_PATH, USER_LIST_PATH,
) )
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
from monkey_island.cc.server_utils.encryption import get_encryptor from monkey_island.cc.server_utils.encryption import get_datastore_encryptor
from monkey_island.cc.services.config_manipulator import update_config_per_mode from monkey_island.cc.services.config_manipulator import update_config_per_mode
from monkey_island.cc.services.config_schema.config_schema import SCHEMA from monkey_island.cc.services.config_schema.config_schema import SCHEMA
from monkey_island.cc.services.mode.island_mode_service import ModeNotSetError, get_mode from monkey_island.cc.services.mode.island_mode_service import ModeNotSetError, get_mode
@ -90,9 +90,9 @@ class ConfigService:
if should_decrypt: if should_decrypt:
if config_key_as_arr in ENCRYPTED_CONFIG_VALUES: if config_key_as_arr in ENCRYPTED_CONFIG_VALUES:
if isinstance(config, str): if isinstance(config, str):
config = get_encryptor().dec(config) config = get_datastore_encryptor().dec(config)
elif isinstance(config, list): elif isinstance(config, list):
config = [get_encryptor().dec(x) for x in config] config = [get_datastore_encryptor().dec(x) for x in config]
return config return config
@staticmethod @staticmethod
@ -130,7 +130,7 @@ class ConfigService:
if item_value in items_from_config: if item_value in items_from_config:
return return
if should_encrypt: if should_encrypt:
item_value = get_encryptor().enc(item_value) item_value = get_datastore_encryptor().enc(item_value)
mongo.db.config.update( mongo.db.config.update(
{"name": "newconfig"}, {"$addToSet": {item_key: item_value}}, upsert=False {"name": "newconfig"}, {"$addToSet": {item_key: item_value}}, upsert=False
) )
@ -349,9 +349,11 @@ class ConfigService:
ConfigService.decrypt_ssh_key_pair(item) for item in flat_config[key] ConfigService.decrypt_ssh_key_pair(item) for item in flat_config[key]
] ]
else: else:
flat_config[key] = [get_encryptor().dec(item) for item in flat_config[key]] flat_config[key] = [
get_datastore_encryptor().dec(item) for item in flat_config[key]
]
else: else:
flat_config[key] = get_encryptor().dec(flat_config[key]) flat_config[key] = get_datastore_encryptor().dec(flat_config[key])
return flat_config return flat_config
@staticmethod @staticmethod
@ -377,25 +379,25 @@ class ConfigService:
) )
else: else:
config_arr[i] = ( config_arr[i] = (
get_encryptor().dec(config_arr[i]) get_datastore_encryptor().dec(config_arr[i])
if is_decrypt if is_decrypt
else get_encryptor().enc(config_arr[i]) else get_datastore_encryptor().enc(config_arr[i])
) )
else: else:
parent_config_arr[config_arr_as_array[-1]] = ( parent_config_arr[config_arr_as_array[-1]] = (
get_encryptor().dec(config_arr) get_datastore_encryptor().dec(config_arr)
if is_decrypt if is_decrypt
else get_encryptor().enc(config_arr) else get_datastore_encryptor().enc(config_arr)
) )
@staticmethod @staticmethod
def decrypt_ssh_key_pair(pair, encrypt=False): def decrypt_ssh_key_pair(pair, encrypt=False):
if encrypt: if encrypt:
pair["public_key"] = get_encryptor().enc(pair["public_key"]) pair["public_key"] = get_datastore_encryptor().enc(pair["public_key"])
pair["private_key"] = get_encryptor().enc(pair["private_key"]) pair["private_key"] = get_datastore_encryptor().enc(pair["private_key"])
else: else:
pair["public_key"] = get_encryptor().dec(pair["public_key"]) pair["public_key"] = get_datastore_encryptor().dec(pair["public_key"])
pair["private_key"] = get_encryptor().dec(pair["private_key"]) pair["private_key"] = get_datastore_encryptor().dec(pair["private_key"])
return pair return pair
@staticmethod @staticmethod


@ -3,7 +3,7 @@ import copy
import dateutil import dateutil
from monkey_island.cc.models import Monkey from monkey_island.cc.models import Monkey
from monkey_island.cc.server_utils.encryption import get_encryptor from monkey_island.cc.server_utils.encryption import get_datastore_encryptor
from monkey_island.cc.services.config import ConfigService from monkey_island.cc.services.config import ConfigService
from monkey_island.cc.services.edge.displayed_edge import EdgeService from monkey_island.cc.services.edge.displayed_edge import EdgeService
from monkey_island.cc.services.node import NodeService from monkey_island.cc.services.node import NodeService
@ -76,4 +76,4 @@ def encrypt_exploit_creds(telemetry_json):
credential = attempts[i][field] credential = attempts[i][field]
if credential: # PowerShell exploiter's telem may have `None` here if credential: # PowerShell exploiter's telem may have `None` here
if len(credential) > 0: if len(credential) > 0:
attempts[i][field] = get_encryptor().enc(credential) attempts[i][field] = get_datastore_encryptor().enc(credential)


@ -1,6 +1,6 @@
import logging import logging
from monkey_island.cc.server_utils.encryption import get_encryptor from monkey_island.cc.server_utils.encryption import get_datastore_encryptor
from monkey_island.cc.services.config import ConfigService from monkey_island.cc.services.config import ConfigService
from monkey_island.cc.services.node import NodeService from monkey_island.cc.services.node import NodeService
from monkey_island.cc.services.telemetry.processing.system_info_collectors.system_info_telemetry_dispatcher import ( # noqa: E501 from monkey_island.cc.services.telemetry.processing.system_info_collectors.system_info_telemetry_dispatcher import ( # noqa: E501
@ -70,7 +70,7 @@ def encrypt_system_info_ssh_keys(ssh_info):
for idx, user in enumerate(ssh_info): for idx, user in enumerate(ssh_info):
for field in ["public_key", "private_key", "known_hosts"]: for field in ["public_key", "private_key", "known_hosts"]:
if ssh_info[idx][field]: if ssh_info[idx][field]:
ssh_info[idx][field] = get_encryptor().enc(ssh_info[idx][field]) ssh_info[idx][field] = get_datastore_encryptor().enc(ssh_info[idx][field])
def process_credential_info(telemetry_json): def process_credential_info(telemetry_json):


@ -5,7 +5,7 @@ from ScoutSuite.providers.base.authentication_strategy import AuthenticationExce
from common.cloud.scoutsuite_consts import CloudProviders from common.cloud.scoutsuite_consts import CloudProviders
from common.config_value_paths import AWS_KEYS_PATH from common.config_value_paths import AWS_KEYS_PATH
from common.utils.exceptions import InvalidAWSKeys from common.utils.exceptions import InvalidAWSKeys
from monkey_island.cc.server_utils.encryption import get_encryptor from monkey_island.cc.server_utils.encryption import get_datastore_encryptor
from monkey_island.cc.services.config import ConfigService from monkey_island.cc.services.config import ConfigService
@ -41,7 +41,7 @@ def set_aws_keys(access_key_id: str, secret_access_key: str, session_token: str)
def _set_aws_key(key_type: str, key_value: str): def _set_aws_key(key_type: str, key_value: str):
path_to_keys = AWS_KEYS_PATH path_to_keys = AWS_KEYS_PATH
encrypted_key = get_encryptor().enc(key_value) encrypted_key = get_datastore_encryptor().enc(key_value)
ConfigService.set_config_value(path_to_keys + [key_type], encrypted_key) ConfigService.set_config_value(path_to_keys + [key_type], encrypted_key)


@ -1,7 +1,7 @@
import pytest import pytest
from monkey_island.cc.models.utils.field_encryptors.string_list_encryptor import StringListEncryptor from monkey_island.cc.models.utils.field_encryptors.string_list_encryptor import StringListEncryptor
from monkey_island.cc.server_utils.encryption import initialize_encryptor from monkey_island.cc.server_utils.encryption import initialize_datastore_encryptor
MOCK_STRING_LIST = ["test_1", "test_2"] MOCK_STRING_LIST = ["test_1", "test_2"]
EMPTY_LIST = [] EMPTY_LIST = []
@ -9,7 +9,7 @@ EMPTY_LIST = []
@pytest.fixture @pytest.fixture
def uses_encryptor(data_for_tests_dir): def uses_encryptor(data_for_tests_dir):
initialize_encryptor(data_for_tests_dir) initialize_datastore_encryptor(data_for_tests_dir)
def test_encryption_and_decryption(uses_encryptor): def test_encryption_and_decryption(uses_encryptor):


@ -1,6 +1,9 @@
import os import os
from monkey_island.cc.server_utils.encryption import get_encryptor, initialize_encryptor from monkey_island.cc.server_utils.encryption import (
get_datastore_encryptor,
initialize_datastore_encryptor,
)
PASSWORD_FILENAME = "mongo_key.bin" PASSWORD_FILENAME = "mongo_key.bin"
@ -9,24 +12,24 @@ CYPHERTEXT = "vKgvD6SjRyIh1dh2AM/rnTa0NI/vjfwnbZLbMocWtE4e42WJmSUz2ordtbQrH1Fq"
def test_aes_cbc_encryption(data_for_tests_dir): def test_aes_cbc_encryption(data_for_tests_dir):
initialize_encryptor(data_for_tests_dir) initialize_datastore_encryptor(data_for_tests_dir)
assert get_encryptor().enc(PLAINTEXT) != PLAINTEXT assert get_datastore_encryptor().enc(PLAINTEXT) != PLAINTEXT
def test_aes_cbc_decryption(data_for_tests_dir): def test_aes_cbc_decryption(data_for_tests_dir):
initialize_encryptor(data_for_tests_dir) initialize_datastore_encryptor(data_for_tests_dir)
assert get_encryptor().dec(CYPHERTEXT) == PLAINTEXT assert get_datastore_encryptor().dec(CYPHERTEXT) == PLAINTEXT
def test_aes_cbc_enc_dec(data_for_tests_dir): def test_aes_cbc_enc_dec(data_for_tests_dir):
initialize_encryptor(data_for_tests_dir) initialize_datastore_encryptor(data_for_tests_dir)
assert get_encryptor().dec(get_encryptor().enc(PLAINTEXT)) == PLAINTEXT assert get_datastore_encryptor().dec(get_datastore_encryptor().enc(PLAINTEXT)) == PLAINTEXT
def test_create_new_password_file(tmpdir): def test_create_new_password_file(tmpdir):
initialize_encryptor(tmpdir) initialize_datastore_encryptor(tmpdir)
assert os.path.isfile(os.path.join(tmpdir, PASSWORD_FILENAME)) assert os.path.isfile(os.path.join(tmpdir, PASSWORD_FILENAME))


@ -5,7 +5,10 @@ import pytest
from common.config_value_paths import AWS_KEYS_PATH from common.config_value_paths import AWS_KEYS_PATH
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
from monkey_island.cc.server_utils.encryption import get_encryptor, initialize_encryptor from monkey_island.cc.server_utils.encryption import (
get_datastore_encryptor,
initialize_datastore_encryptor,
)
from monkey_island.cc.services.config import ConfigService from monkey_island.cc.services.config import ConfigService
from monkey_island.cc.services.zero_trust.scoutsuite.scoutsuite_auth_service import ( from monkey_island.cc.services.zero_trust.scoutsuite.scoutsuite_auth_service import (
is_aws_keys_setup, is_aws_keys_setup,
@ -27,8 +30,8 @@ def test_is_aws_keys_setup(tmp_path):
assert not is_aws_keys_setup() assert not is_aws_keys_setup()
# Make sure noone changed config path and broke this function # Make sure noone changed config path and broke this function
initialize_encryptor(tmp_path) initialize_datastore_encryptor(tmp_path)
bogus_key_value = get_encryptor().enc("bogus_aws_key") bogus_key_value = get_datastore_encryptor().enc("bogus_aws_key")
dpath.util.set( dpath.util.set(
ConfigService.default_config, AWS_KEYS_PATH + ["aws_secret_access_key"], bogus_key_value ConfigService.default_config, AWS_KEYS_PATH + ["aws_secret_access_key"], bogus_key_value
) )