From 19a720898ec0cdefae6f3463921aa0ff22d27a8b Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Fri, 15 Jul 2022 11:33:31 -0400
Subject: [PATCH] Island: Handle encryption/decryption of None credential components
---
 .../mongo_credentials_repository.py | 22 ++++++++++++-------
 .../data_for_tests/propagation_credentials.py | 5 +++++
 .../test_mongo_credentials_repository.py | 12 +++++-----
 3 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/monkey/monkey_island/cc/repository/mongo_credentials_repository.py b/monkey/monkey_island/cc/repository/mongo_credentials_repository.py
index aeaa5b884..5d58d510a 100644
--- a/monkey/monkey_island/cc/repository/mongo_credentials_repository.py
+++ b/monkey/monkey_island/cc/repository/mongo_credentials_repository.py
@@ -77,10 +77,13 @@ class MongoCredentialsRepository(ICredentialsRepository):
 encrypted_mapping: Dict[str, Any] = {}
 for secret_or_identity, credentials_component in mapping.items():
- encrypted_component = {
- key: self._repository_encryptor.encrypt(value.encode())
- for key, value in credentials_component.items()
- }
+ if credentials_component is None:
+ encrypted_component = None
+ else:
+ encrypted_component = {
+ key: self._repository_encryptor.encrypt(value.encode())
+ for key, value in credentials_component.items()
+ }
 encrypted_mapping[secret_or_identity] = encrypted_component
@@ -90,10 +93,13 @@ class MongoCredentialsRepository(ICredentialsRepository):
 decrypted_mapping: Dict[str, Any] = {}
 for secret_or_identity, credentials_component in mapping.items():
- decrypted_component = {
- key: self._repository_encryptor.decrypt(value).decode()
- for key, value in credentials_component.items()
- }
+ if credentials_component is None:
+ decrypted_component = None
+ else:
+ decrypted_component = {
+ key: self._repository_encryptor.decrypt(value).decode()
+ for key, value in credentials_component.items()
+ }
 decrypted_mapping[secret_or_identity] = decrypted_component
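Review bot: The `is None` guard added to the encrypt loop covers only a whole component, so a `None` value inside a component dict would still reach `value.encode()` and raise; the decrypt hunk has the same shape with `.decode()`. Whether any component field can be optional is not visible here, so treat this as something to confirm rather than a known failure. A short comment above each branch, e.g. `# No identity/secret present: store null, there is nothing to encrypt`, would make clear that the plaintext null written to the collection is intentional and carries no secret material. Both method bodies start and end outside the hunks.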
diff --git a/monkey/tests/data_for_tests/propagation_credentials.py b/monkey/tests/data_for_tests/propagation_credentials.py
index 5c869e8c0..6efe9b7af 100644
--- a/monkey/tests/data_for_tests/propagation_credentials.py
+++ b/monkey/tests/data_for_tests/propagation_credentials.py
@@ -6,6 +6,7 @@ NT_HASH = "C1C58F96CDF212B50837BC11A00BE47C"
 LM_HASH = "299BD128C1101FD6299BD128C1101FD6"
 PASSWORD_1 = "trytostealthis"
 PASSWORD_2 = "password!"
+PASSWORD_3 = "rubberbabybuggybumpers"
 PUBLIC_KEY = "MY_PUBLIC_KEY"
 PRIVATE_KEY = "MY_PRIVATE_KEY"
@@ -16,6 +17,8 @@ NT_HASH_CREDENTIALS = Credentials(identity=Username(USERNAME), secret=NTHash(NT_
 SSH_KEY_CREDENTIALS = Credentials(
 identity=Username(USERNAME), secret=SSHKeypair(PRIVATE_KEY, PUBLIC_KEY)
 )
+EMPTY_SECRET_CREDENTIALS = Credentials(identity=Username(USERNAME), secret=None)
+EMPTY_IDENTITY_CREDENTIALS = Credentials(identity=None, secret=Password(PASSWORD_3))
 PROPAGATION_CREDENTIALS = [
 PASSWORD_CREDENTIALS_1,
@@ -23,4 +26,6 @@ PROPAGATION_CREDENTIALS = [
 NT_HASH_CREDENTIALS,
 PASSWORD_CREDENTIALS_2,
 SSH_KEY_CREDENTIALS,
+ EMPTY_SECRET_CREDENTIALS,
+ EMPTY_IDENTITY_CREDENTIALS,
 ]
diff --git a/monkey/tests/unit_tests/monkey_island/cc/repository/test_mongo_credentials_repository.py b/monkey/tests/unit_tests/monkey_island/cc/repository/test_mongo_credentials_repository.py
index 460f20da9..010f26b8f 100644
--- a/monkey/tests/unit_tests/monkey_island/cc/repository/test_mongo_credentials_repository.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/repository/test_mongo_credentials_repository.py
@@ -13,7 +13,7 @@ from monkey_island.cc.repository import MongoCredentialsRepository
 from monkey_island.cc.server_utils.encryption import ILockableEncryptor
 CONFIGURED_CREDENTIALS = PROPAGATION_CREDENTIALS[0:3]
-STOLEN_CREDENTIALS = PROPAGATION_CREDENTIALS[3:6]
+STOLEN_CREDENTIALS = PROPAGATION_CREDENTIALS[3:]
 def reverse(data: bytes) -> bytes:
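Review bot: `STOLEN_CREDENTIALS = PROPAGATION_CREDENTIALS[3:]` in the test module now absorbs every fixture appended to the shared list, so both None-component cases land only in the stolen set while `CONFIGURED_CREDENTIALS` (`[0:3]`) still holds none. Tests that use these two constants therefore never exercise a configured credential with a missing identity or secret, unless a parametrized test outside this hunk does. At minimum I would add a comment such as `# Slices depend on the order of PROPAGATION_CREDENTIALS; [3:] includes the None-component fixtures`, or list the fixtures by name instead of slicing by position.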
@@ -91,9 +91,6 @@ def test_mongo_repository_all(mongo_repository):
 assert mongo_repository.get_configured_credentials() == []
-# NOTE: The following tests are complicated, but they work. Rather than spend the effort to improve
-# them now, we can revisit them when we resolve #2072. Resolving #2072 will make it easier to
-# simplify these tests.
 @pytest.mark.parametrize("credentials", PROPAGATION_CREDENTIALS)
 def test_configured_secrets_encrypted(
 mongo_repository: MongoCredentialsRepository,
@@ -116,8 +113,11 @@ def check_if_stored_credentials_encrypted(mongo_client: MongoClient, original_cr
 for rc in raw_credentials:
 for identity_or_secret, credentials_component in rc.items():
- for key, value in credentials_component.items():
- assert original_credentials_mapping[identity_or_secret][key] != value.decode()
+ if original_credentials_mapping[identity_or_secret] is None:
+ assert credentials_component is None
+ else:
+ for key, value in credentials_component.items():
+ assert original_credentials_mapping[identity_or_secret][key] != value.decode()
 def get_all_credentials_in_mongo(
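Review bot: The loop in `check_if_stored_credentials_encrypted` visits only the keys present in each stored document, so a component that was never written, or a field missing from a stored component, passes without any assertion running. Since this helper is the guard against plaintext secrets reaching Mongo, it is worth pinning the shape first, for example `assert rc.keys() == original_credentials_mapping.keys()` ahead of the inner loop, assuming the two mappings are meant to share the same keys (the mapping is built outside this hunk). The function body starts above the hunk.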