diff --git a/monkey/tests/monkey_island/utils.py b/monkey/tests/monkey_island/utils.py
new file mode 100644
index 000000000..2ccd2c178
--- /dev/null
+++ b/monkey/tests/monkey_island/utils.py
@@ -0,0 +1,34 @@
+from monkey_island.cc.server_utils.file_utils import is_windows_os
+
+if is_windows_os():
+ import win32api
+ import win32security
+
+ FULL_CONTROL = 2032127
+ ACE_ACCESS_MODE_GRANT_ACCESS = win32security.GRANT_ACCESS
+ ACE_INHERIT_OBJECT_AND_CONTAINER = 3
+
+
+def _get_acl_and_sid_from_path(path: str):
+ sid, _, _ = win32security.LookupAccountName("", win32api.GetUserName())
+ security_descriptor = win32security.GetNamedSecurityInfo(
+ path, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION
+ )
+ acl = security_descriptor.GetSecurityDescriptorDacl()
+ return acl, sid
+
+def assert_windows_permissions(path: str):
+ acl, user_sid = _get_acl_and_sid_from_path(path)
+
+ assert acl.GetAceCount() == 1
+
+ ace = acl.GetExplicitEntriesFromAcl()[0]
+
+ ace_access_mode = ace["AccessMode"]
+ ace_permissions = ace["AccessPermissions"]
+ ace_inheritance = ace["Inheritance"]
+ ace_sid = ace["Trustee"]["Identifier"]
+
+ assert ace_sid == user_sid
+ assert ace_permissions == FULL_CONTROL and ace_access_mode == ACE_ACCESS_MODE_GRANT_ACCESS
+ assert ace_inheritance == ACE_INHERIT_OBJECT_AND_CONTAINER
diff --git a/monkey/tests/unit_tests/monkey_island/cc/server_utils/test_file_utils.py b/monkey/tests/unit_tests/monkey_island/cc/server_utils/test_file_utils.py
index 9a9ada29d..444e2ca17 100644
--- a/monkey/tests/unit_tests/monkey_island/cc/server_utils/test_file_utils.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/server_utils/test_file_utils.py
@@ -2,6 +2,7 @@ import os import stat import pytest +from tests.monkey_island.utils import assert_windows_permissions from monkey_island.cc.server_utils.file_utils import ( create_secure_directory, 
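Review bot: `assert_windows_permissions` has no docstring saying which ACL it accepts, and the values it compares against, `FULL_CONTROL = 2032127` and `ACE_INHERIT_OBJECT_AND_CONTAINER = 3`, are unexplained numbers. Since this helper is now the one place where the Windows expectation for a "secure" path is checked, I would add a docstring such as `"""Assert that path's DACL holds exactly one ACE: full control granted to the current user, inherited by child objects and containers."""`. The constants read better as `FULL_CONTROL = 0x1F01FF  # FILE_ALL_ACCESS` and `ACE_INHERIT_OBJECT_AND_CONTAINER = win32security.OBJECT_INHERIT_ACE | win32security.CONTAINER_INHERIT_ACE`, which are the same values. Both functions also use names bound only inside the `if is_windows_os():` branch, so a caller without a Windows skip marker fails with a NameError; a comment such as `# Windows-only: callers must be skipped on other platforms` above the helpers would make that explicit.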
@@ -10,14 +11,6 @@ from monkey_island.cc.server_utils.file_utils import ( open_new_securely_permissioned_file, ) -if is_windows_os(): - import win32api - import win32security - - FULL_CONTROL = 2032127 - ACE_ACCESS_MODE_GRANT_ACCESS = win32security.GRANT_ACCESS - ACE_INHERIT_OBJECT_AND_CONTAINER = 3 - def test_expand_user(patched_home_env): input_path = os.path.join("~", "test")
@@ -47,15 +40,6 @@ def test_path(tmpdir): return path -def _get_acl_and_sid_from_path(path: str): - sid, _, _ = win32security.LookupAccountName("", win32api.GetUserName()) - security_descriptor = win32security.GetNamedSecurityInfo( - path, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION - ) - acl = security_descriptor.GetSecurityDescriptorDacl() - return acl, sid - - def test_create_secure_directory__already_exists(test_path): os.mkdir(test_path) assert os.path.isdir(test_path)
@@ -82,20 +66,7 @@ def test_create_secure_directory__perm_linux(test_path): def test_create_secure_directory__perm_windows(test_path): create_secure_directory(test_path) - acl, user_sid = _get_acl_and_sid_from_path(test_path) - - assert acl.GetAceCount() == 1 - - ace = acl.GetExplicitEntriesFromAcl()[0] - - ace_access_mode = ace["AccessMode"] - ace_permissions = ace["AccessPermissions"] - ace_inheritance = ace["Inheritance"] - ace_sid = ace["Trustee"]["Identifier"] - - assert ace_sid == user_sid - assert ace_permissions == FULL_CONTROL and ace_access_mode == ACE_ACCESS_MODE_GRANT_ACCESS - assert ace_inheritance == ACE_INHERIT_OBJECT_AND_CONTAINER + assert_windows_permissions(test_path) def test_open_new_securely_permissioned_file__already_exists(test_path): 
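Review bot: With the ACL assertions moved into `tests/monkey_island/utils.py`, pytest no longer rewrites them, because by default assertion rewriting covers only test modules, `conftest.py` files and plugins. A failing `assert_windows_permissions(test_path)` in `test_create_secure_directory__perm_windows` would therefore surface as a bare `AssertionError`, without the ACE count, SID or access mask that was compared. Unless the project already registers the helper (not visible in this diff), I would add `pytest.register_assert_rewrite("tests.monkey_island.utils")` to a `conftest.py` that is loaded before the helper is imported. The same applies to the calls in `test_open_new_securely_permissioned_file__perm_windows` and `test_custom_pba_dir_permissions_windows`; the decorators of this test lie above the hunk.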
@@ -131,20 +102,7 @@ def test_open_new_securely_permissioned_file__perm_windows(test_path): with open_new_securely_permissioned_file(test_path): pass - acl, user_sid = _get_acl_and_sid_from_path(test_path) - - assert acl.GetAceCount() == 1 - - ace = acl.GetExplicitEntriesFromAcl()[0] - - ace_access_mode = ace["AccessMode"] - ace_permissions = ace["AccessPermissions"] - ace_inheritance = ace["Inheritance"] - ace_sid = ace["Trustee"]["Identifier"] - - assert ace_sid == user_sid - assert ace_permissions == FULL_CONTROL and ace_access_mode == ACE_ACCESS_MODE_GRANT_ACCESS - assert ace_inheritance == ACE_INHERIT_OBJECT_AND_CONTAINER + assert_windows_permissions(test_path) def test_open_new_securely_permissioned_file__write(test_path):
diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/test_post_breach_files.py b/monkey/tests/unit_tests/monkey_island/cc/services/test_post_breach_files.py
index cc21bd97a..5a2ddaa17 100644
--- a/monkey/tests/unit_tests/monkey_island/cc/services/test_post_breach_files.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/services/test_post_breach_files.py
@@ -1,18 +1,11 @@ import os import pytest +from tests.monkey_island.utils import assert_windows_permissions from monkey_island.cc.server_utils.file_utils import is_windows_os from monkey_island.cc.services.post_breach_files import PostBreachFilesService -if is_windows_os(): - import win32api - import win32security - - FULL_CONTROL = 2032127 - ACE_ACCESS_MODE_GRANT_ACCESS = win32security.GRANT_ACCESS - ACE_INHERIT_OBJECT_AND_CONTAINER = 3 - def raise_(ex): raise ex 
@@ -48,33 +41,11 @@ def test_custom_pba_dir_permissions_linux(): assert st.st_mode == 0o40700 -def _get_acl_and_sid_from_path(path: str): - sid, _, _ = win32security.LookupAccountName("", win32api.GetUserName()) - security_descriptor = win32security.GetNamedSecurityInfo( - path, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION - ) - acl = security_descriptor.GetSecurityDescriptorDacl() - return acl, sid - - @pytest.mark.skipif(not is_windows_os(), reason="Tests Windows (not Posix) permissions.") def test_custom_pba_dir_permissions_windows(): pba_dir = PostBreachFilesService.get_custom_pba_directory() - acl, user_sid = _get_acl_and_sid_from_path(pba_dir) - - assert acl.GetAceCount() == 1 - - ace = acl.GetExplicitEntriesFromAcl()[0] - - ace_access_mode = ace["AccessMode"] - ace_permissions = ace["AccessPermissions"] - ace_inheritance = ace["Inheritance"] - ace_sid = ace["Trustee"]["Identifier"] - - assert ace_sid == user_sid - assert ace_permissions == FULL_CONTROL and ace_access_mode == ACE_ACCESS_MODE_GRANT_ACCESS - assert ace_inheritance == ACE_INHERIT_OBJECT_AND_CONTAINER + assert_windows_permissions(pba_dir) def test_remove_failure(monkeypatch):