From 91a65ee58c0f1609e17c62600ad2b6b6da07fc91 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 13 Jul 2022 13:00:29 -0400
Subject: [PATCH 01/13] Island: Use AgentConfiguration to get network scan
settings
---
.../monkey_island/cc/services/initialize.py | 4 ++-
.../cc/services/reporting/report.py | 29 ++++++++++---------
2 files changed, 18 insertions(+), 15 deletions(-)
diff --git a/monkey/monkey_island/cc/services/initialize.py b/monkey/monkey_island/cc/services/initialize.py
index 9cf019421..eb21617ee 100644
--- a/monkey/monkey_island/cc/services/initialize.py
+++ b/monkey/monkey_island/cc/services/initialize.py
@@ -69,7 +69,9 @@ def initialize_services(data_dir: Path) -> DIContainer:
_patch_credentials_parser(container)
# This is temporary until we get DI all worked out.
- ReportService.initialize(container.resolve(AWSService))
+ ReportService.initialize(
+ container.resolve(AWSService), container.resolve(IAgentConfigurationRepository)
+ )
return container
diff --git a/monkey/monkey_island/cc/services/reporting/report.py b/monkey/monkey_island/cc/services/reporting/report.py
index 60d2d33ed..27e76db85 100644
--- a/monkey/monkey_island/cc/services/reporting/report.py
+++ b/monkey/monkey_island/cc/services/reporting/report.py
@@ -4,18 +4,13 @@ import itertools
import logging
from typing import List
-from common.config_value_paths import (
- EXPLOITER_CLASSES_PATH,
- LOCAL_NETWORK_SCAN_PATH,
- PASSWORD_LIST_PATH,
- SUBNET_SCAN_LIST_PATH,
- USER_LIST_PATH,
-)
+from common.config_value_paths import EXPLOITER_CLASSES_PATH, PASSWORD_LIST_PATH, USER_LIST_PATH
from common.network.network_range import NetworkRange
from common.network.segmentation_utils import get_ip_in_src_and_not_in_dst
from monkey_island.cc.database import mongo
from monkey_island.cc.models import Monkey
from monkey_island.cc.models.report import get_report, save_report
+from monkey_island.cc.repository import IAgentConfigurationRepository
from monkey_island.cc.services.config import ConfigService
from monkey_island.cc.services.configuration.utils import (
get_config_network_segments_as_subnet_groups,
@@ -47,6 +42,7 @@ logger = logging.getLogger(__name__)
class ReportService:
_aws_service = None
+ _agent_configuration_repository = None
class DerivedIssueEnum:
WEAK_PASSWORD = "weak_password"
@@ -54,8 +50,11 @@ class ReportService:
ZEROLOGON_PASS_RESTORE_FAILED = "zerologon_pass_restore_failed"
@classmethod
- def initialize(cls, aws_service: AWSService):
+ def initialize(
+ cls, aws_service: AWSService, agent_configuration_repository: IAgentConfigurationRepository
+ ):
cls._aws_service = aws_service
+ cls._agent_configuration_repository = agent_configuration_repository
# This should pull from Simulation entity
@staticmethod
@@ -405,13 +404,15 @@ class ReportService:
ExploiterDescriptorEnum.get_by_class_name(exploit).display_name for exploit in exploits
]
- @staticmethod
- def get_config_ips():
- return ConfigService.get_config_value(SUBNET_SCAN_LIST_PATH, True)
+ @classmethod
+ def get_config_ips(cls):
+ agent_configuration = cls._agent_configuration_repository.get_configuration()
+ return agent_configuration.propagation.network_scan.targets.subnets
- @staticmethod
- def get_config_scan():
- return ConfigService.get_config_value(LOCAL_NETWORK_SCAN_PATH, True)
+ @classmethod
+ def get_config_scan(cls):
+ agent_configuration = cls._agent_configuration_repository.get_configuration()
+ return agent_configuration.propagation.network_scan.targets.local_network_scan
@staticmethod
def get_issue_set(issues, config_users, config_passwords):
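Review bot: `get_config_ips()` and `get_config_scan()` dereference `cls._agent_configuration_repository` without a guard, while the class attribute added in this patch defaults to `None`. Any call made before `ReportService.initialize()` therefore fails with an `AttributeError` on `NoneType` that does not name the cause. Each method also calls `get_configuration()` on its own, so the two values in one report can come from different configuration states if the configuration is edited in between. A short docstring on each, e.g. `"""Return the subnets currently configured as scan targets; requires initialize() to have been called."""`, would make that contract explicit.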
From db4520af508d05dfc04063f36efc59b83a455a45 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 13 Jul 2022 13:02:03 -0400
Subject: [PATCH 02/13] Common: Remove disused network scan paths from
config_value_paths.py
---
monkey/common/config_value_paths.py | 2 --
1 file changed, 2 deletions(-)
diff --git a/monkey/common/config_value_paths.py b/monkey/common/config_value_paths.py
index c6bcf0dc0..5234fb34c 100644
--- a/monkey/common/config_value_paths.py
+++ b/monkey/common/config_value_paths.py
@@ -3,8 +3,6 @@ INACCESSIBLE_SUBNETS_PATH = ["basic_network", "network_analysis", "inaccessible_
USER_LIST_PATH = ["basic", "credentials", "exploit_user_list"]
PASSWORD_LIST_PATH = ["basic", "credentials", "exploit_password_list"]
EXPLOITER_CLASSES_PATH = ["basic", "exploiters", "exploiter_classes"]
-SUBNET_SCAN_LIST_PATH = ["basic_network", "scope", "subnet_scan_list"]
-LOCAL_NETWORK_SCAN_PATH = ["basic_network", "scope", "local_network_scan"]
LM_HASH_LIST_PATH = ["internal", "exploits", "exploit_lm_hash_list"]
NTLM_HASH_LIST_PATH = ["internal", "exploits", "exploit_ntlm_hash_list"]
From 46a71ff8f198a4b33e089af1ca53c22d2c7f81ac Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 13 Jul 2022 13:07:31 -0400
Subject: [PATCH 03/13] Island: Remove "default" exploits display in report
I'm not sure why this decision was made. It seems to me you'd always
want to display which exploiters were enabled during the simulation.
Telling me it was "default" means I need to go look up what the defaults
are in order to understand the report.
---
.../cc/services/reporting/report.py | 7 -------
.../report-components/SecurityReport.js | 17 ++++++-----------
2 files changed, 6 insertions(+), 18 deletions(-)
diff --git a/monkey/monkey_island/cc/services/reporting/report.py b/monkey/monkey_island/cc/services/reporting/report.py
index 27e76db85..5a9a33721 100644
--- a/monkey/monkey_island/cc/services/reporting/report.py
+++ b/monkey/monkey_island/cc/services/reporting/report.py
@@ -391,15 +391,8 @@ class ReportService:
@staticmethod
def get_config_exploits():
exploits_config_value = EXPLOITER_CLASSES_PATH
- # TODO: Return default config here
- default_exploits = ConfigService.get_default_config(False)
- for namespace in exploits_config_value:
- default_exploits = default_exploits[namespace]
exploits = ConfigService.get_config_value(exploits_config_value, True)
- if exploits == default_exploits:
- return ["default"]
-
return [
ExploiterDescriptorEnum.get_by_class_name(exploit).display_name for exploit in exploits
]
diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js b/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
index c79e068df..d91d2d0fc 100644
--- a/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
+++ b/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
@@ -297,17 +297,12 @@ class ReportPageComponent extends AuthComponent {
}
{
this.state.report.overview.config_exploits.length > 0 ?
- (
- this.state.report.overview.config_exploits[0] === 'default' ?
- ''
- :
-
- The Monkey uses the following exploit methods:
-
- {this.state.report.overview.config_exploits.map(x => - {x}
)}
-
-
- )
+
+ The Monkey uses the following exploit methods:
+
+ {this.state.report.overview.config_exploits.map(x => - {x}
)}
+
+
:
No exploits are used by the Monkey.
From 65686190dd4c96cf14b81561f3f7cdf447b70783 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 13 Jul 2022 13:17:35 -0400
Subject: [PATCH 04/13] Island: Use AgentConfiguration to get configured
exploiters
---
.../cc/services/reporting/report.py | 24 ++++++++++++-------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/monkey/monkey_island/cc/services/reporting/report.py b/monkey/monkey_island/cc/services/reporting/report.py
index 5a9a33721..80574745a 100644
--- a/monkey/monkey_island/cc/services/reporting/report.py
+++ b/monkey/monkey_island/cc/services/reporting/report.py
@@ -1,10 +1,10 @@
import functools
import ipaddress
-import itertools
import logging
+from itertools import chain, product
from typing import List
-from common.config_value_paths import EXPLOITER_CLASSES_PATH, PASSWORD_LIST_PATH, USER_LIST_PATH
+from common.config_value_paths import PASSWORD_LIST_PATH, USER_LIST_PATH
from common.network.network_range import NetworkRange
from common.network.segmentation_utils import get_ip_in_src_and_not_in_dst
from monkey_island.cc.database import mongo
@@ -304,7 +304,7 @@ class ReportService:
"""
cross_segment_issues = []
- for subnet_pair in itertools.product(subnet_group, subnet_group):
+ for subnet_pair in product(subnet_group, subnet_group):
source_subnet = subnet_pair[0]
target_subnet = subnet_pair[1]
pair_issues = ReportService.get_cross_segment_issues_per_subnet_pair(
@@ -388,13 +388,21 @@ class ReportService:
def get_config_passwords():
return ConfigService.get_config_value(PASSWORD_LIST_PATH, True)
- @staticmethod
- def get_config_exploits():
- exploits_config_value = EXPLOITER_CLASSES_PATH
- exploits = ConfigService.get_config_value(exploits_config_value, True)
+ @classmethod
+ def get_config_exploits(cls):
+ agent_configuration = cls._agent_configuration_repository.get_configuration()
+ exploitation_configuration = agent_configuration.propagation.exploitation
+
+ enabled_exploiters = (
+ exploiter
+ for exploiter in chain(
+ exploitation_configuration.brute_force, exploitation_configuration.vulnerability
+ )
+ )
return [
- ExploiterDescriptorEnum.get_by_class_name(exploit).display_name for exploit in exploits
+ ExploiterDescriptorEnum.get_by_class_name(exploiter.name).display_name
+ for exploiter in enabled_exploiters
]
@classmethod
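Review bot: `ExploiterDescriptorEnum.get_by_class_name(exploiter.name).display_name` assumes every name in the agent configuration has a descriptor entry. How `get_by_class_name` handles an unknown name is not visible in this hunk; if it returns `None` or raises, one unrecognised exploiter name aborts report generation. The local name `enabled_exploiters` also claims more than the code shows, since it is every entry of `brute_force` and `vulnerability` chained together with no enabled check; `configured_exploiters` would match what is read. Consider a comment such as `# assumes each configured exploiter name has an ExploiterDescriptorEnum entry`, or a fallback to `exploiter.name` for display.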
From e1c5972ccca42293b5093d6b3e04a720cfd84b95 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 13 Jul 2022 14:02:30 -0400
Subject: [PATCH 05/13] Island: Use ICredentialsRepository to get configured
usernames
---
.../monkey_island/cc/services/initialize.py | 4 ++-
.../cc/services/reporting/report.py | 29 +++++++++++++++----
2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/monkey/monkey_island/cc/services/initialize.py b/monkey/monkey_island/cc/services/initialize.py
index eb21617ee..26209ce6c 100644
--- a/monkey/monkey_island/cc/services/initialize.py
+++ b/monkey/monkey_island/cc/services/initialize.py
@@ -70,7 +70,9 @@ def initialize_services(data_dir: Path) -> DIContainer:
# This is temporary until we get DI all worked out.
ReportService.initialize(
- container.resolve(AWSService), container.resolve(IAgentConfigurationRepository)
+ container.resolve(AWSService),
+ container.resolve(IAgentConfigurationRepository),
+ container.resolve(ICredentialsRepository),
)
return container
diff --git a/monkey/monkey_island/cc/services/reporting/report.py b/monkey/monkey_island/cc/services/reporting/report.py
index 80574745a..2c09a4285 100644
--- a/monkey/monkey_island/cc/services/reporting/report.py
+++ b/monkey/monkey_island/cc/services/reporting/report.py
@@ -4,13 +4,14 @@ import logging
from itertools import chain, product
from typing import List
-from common.config_value_paths import PASSWORD_LIST_PATH, USER_LIST_PATH
+from common.config_value_paths import PASSWORD_LIST_PATH
+from common.credentials import CredentialComponentType
from common.network.network_range import NetworkRange
from common.network.segmentation_utils import get_ip_in_src_and_not_in_dst
from monkey_island.cc.database import mongo
from monkey_island.cc.models import Monkey
from monkey_island.cc.models.report import get_report, save_report
-from monkey_island.cc.repository import IAgentConfigurationRepository
+from monkey_island.cc.repository import IAgentConfigurationRepository, ICredentialsRepository
from monkey_island.cc.services.config import ConfigService
from monkey_island.cc.services.configuration.utils import (
get_config_network_segments_as_subnet_groups,
@@ -43,6 +44,7 @@ class ReportService:
_aws_service = None
_agent_configuration_repository = None
+ _credentials_repository = None
class DerivedIssueEnum:
WEAK_PASSWORD = "weak_password"
@@ -51,10 +53,14 @@ class ReportService:
@classmethod
def initialize(
- cls, aws_service: AWSService, agent_configuration_repository: IAgentConfigurationRepository
+ cls,
+ aws_service: AWSService,
+ agent_configuration_repository: IAgentConfigurationRepository,
+ credentials_repository: ICredentialsRepository,
):
cls._aws_service = aws_service
cls._agent_configuration_repository = agent_configuration_repository
+ cls._credentials_repository = credentials_repository
# This should pull from Simulation entity
@staticmethod
@@ -380,9 +386,20 @@ class ReportService:
def get_manual_monkey_hostnames():
return [monkey["hostname"] for monkey in get_manual_monkeys()]
- @staticmethod
- def get_config_users():
- return ConfigService.get_config_value(USER_LIST_PATH, True)
+ @classmethod
+ def get_config_users(cls):
+ usernames = []
+ configured_credentials = cls._credentials_repository.get_configured_credentials()
+ for credentials in configured_credentials:
+ usernames = chain(
+ usernames,
+ (
+ identity
+ for identity in credentials.identities
+ if identity.credential_type == CredentialComponentType.USERNAME
+ ),
+ )
+ return [u.username for u in usernames]
@staticmethod
def get_config_passwords():
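Review bot: `get_config_users()` rebinds `usernames` from a list to an ever more deeply nested `chain` on each pass of the loop, which obscures a plain two-level filter and makes the nesting depth grow with the number of configured credentials. A single comprehension over `credentials.identities` reads more directly and builds no intermediate iterators. The same loop shape appears in `get_config_passwords()` in patch 07 and could be changed the same way over `credentials.secrets`. The `credential_type` filter is presumably what makes reading `.username` safe, which is worth a one-line comment.

```python
@classmethod
def get_config_users(cls):
    configured_credentials = cls._credentials_repository.get_configured_credentials()
    # Only USERNAME identities are kept; presumably these are the ones carrying .username.
    return [
        identity.username
        for credentials in configured_credentials
        for identity in credentials.identities
        if identity.credential_type == CredentialComponentType.USERNAME
    ]
```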
From e349a78334b42eaf42e9dd36f00e018da6fc7122 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 13 Jul 2022 14:59:27 -0400
Subject: [PATCH 06/13] Island: Fix string/bytes bug in StringListEncryptor
For some reason, bytes objects do not come out of mongo the same way
they go in. This class will be removed when reporting is reworked, so
rather than spend the time on figuring out exactly what's going on, just
use strings.
---
monkey/monkey_island/cc/models/report/report_dal.py | 3 ++-
.../encryption/field_encryptors/string_list_encryptor.py | 8 ++++----
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/monkey/monkey_island/cc/models/report/report_dal.py b/monkey/monkey_island/cc/models/report/report_dal.py
index 3b7ca65e9..76c43bae6 100644
--- a/monkey/monkey_island/cc/models/report/report_dal.py
+++ b/monkey/monkey_island/cc/models/report/report_dal.py
@@ -29,7 +29,8 @@ def save_report(report_dict: dict):
def get_report() -> dict:
report_dict = Report.objects.first().to_mongo()
- return _decode_dot_char_before_mongo_insert(decrypt_dict(sensitive_fields, report_dict))
+ decrypted = decrypt_dict(sensitive_fields, report_dict)
+ return _decode_dot_char_before_mongo_insert(decrypted)
# TODO remove this unnecessary encoding. I think these are legacy methods from back in the day
diff --git a/monkey/monkey_island/cc/server_utils/encryption/field_encryptors/string_list_encryptor.py b/monkey/monkey_island/cc/server_utils/encryption/field_encryptors/string_list_encryptor.py
index 9adf733a4..bf2555016 100644
--- a/monkey/monkey_island/cc/server_utils/encryption/field_encryptors/string_list_encryptor.py
+++ b/monkey/monkey_island/cc/server_utils/encryption/field_encryptors/string_list_encryptor.py
@@ -6,9 +6,9 @@ from . import IFieldEncryptor
class StringListEncryptor(IFieldEncryptor):
@staticmethod
- def encrypt(value: List[str]):
- return [get_datastore_encryptor().encrypt(string.encode()) for string in value]
+ def encrypt(value: List[str]) -> List[str]:
+ return [get_datastore_encryptor().encrypt(string.encode()).decode() for string in value]
@staticmethod
- def decrypt(value: List[bytes]):
- return [get_datastore_encryptor().decrypt(bytes_).decode() for bytes_ in value]
+ def decrypt(value: List[str]) -> List[str]:
+ return [get_datastore_encryptor().decrypt(string.encode()).decode() for string in value]
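Review bot: The new `.decode()` on the ciphertext in `encrypt()` only works if `get_datastore_encryptor().encrypt()` returns text-safe bytes (for example a base64 or token encoding). That is not visible in this hunk, and raw ciphertext bytes would raise `UnicodeDecodeError`. `decrypt()` now calls `string.encode()` on each element, so list values stored as bytes by the previous version would fail here unless reports are always regenerated before being read. A comment on `encrypt()` such as `# ciphertext is stored as str; assumes the datastore encryptor emits UTF-8-decodable output` would record the assumption.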
From 4fd5f0a8a52384d9a1d3c2d9ebb43aa219dcadf5 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 13 Jul 2022 15:04:49 -0400
Subject: [PATCH 07/13] Island: Use ICredentialsRepository to get configured
passwords
---
.../cc/services/reporting/report.py | 20 ++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/monkey/monkey_island/cc/services/reporting/report.py b/monkey/monkey_island/cc/services/reporting/report.py
index 2c09a4285..f57adc247 100644
--- a/monkey/monkey_island/cc/services/reporting/report.py
+++ b/monkey/monkey_island/cc/services/reporting/report.py
@@ -4,7 +4,6 @@ import logging
from itertools import chain, product
from typing import List
-from common.config_value_paths import PASSWORD_LIST_PATH
from common.credentials import CredentialComponentType
from common.network.network_range import NetworkRange
from common.network.segmentation_utils import get_ip_in_src_and_not_in_dst
@@ -12,7 +11,6 @@ from monkey_island.cc.database import mongo
from monkey_island.cc.models import Monkey
from monkey_island.cc.models.report import get_report, save_report
from monkey_island.cc.repository import IAgentConfigurationRepository, ICredentialsRepository
-from monkey_island.cc.services.config import ConfigService
from monkey_island.cc.services.configuration.utils import (
get_config_network_segments_as_subnet_groups,
)
@@ -401,9 +399,21 @@ class ReportService:
)
return [u.username for u in usernames]
- @staticmethod
- def get_config_passwords():
- return ConfigService.get_config_value(PASSWORD_LIST_PATH, True)
+ @classmethod
+ def get_config_passwords(cls):
+ passwords = []
+ configured_credentials = cls._credentials_repository.get_configured_credentials()
+ for credentials in configured_credentials:
+ passwords = chain(
+ passwords,
+ (
+ secret
+ for secret in credentials.secrets
+ if secret.credential_type == CredentialComponentType.PASSWORD
+ ),
+ )
+
+ return [p.password for p in passwords]
@classmethod
def get_config_exploits(cls):
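Review bot: `get_config_passwords()` returns the configured passwords in plaintext straight from the credentials repository, and nothing on the method says so. A docstring such as `"""Return the plaintext passwords from the configured credentials; do not log or persist the result unencrypted."""` would warn callers who pass the list on. Reading `.password` relies on the `credential_type == CredentialComponentType.PASSWORD` filter, so a comment on that filter would help the next editor keep the two in step.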
From 57b97d09f40671b8c455ab5d1d65d889548a481c Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 13 Jul 2022 15:05:47 -0400
Subject: [PATCH 08/13] Common: Remove disused EXPLOITER_CLASSES_PATH
---
monkey/common/config_value_paths.py | 1 -
1 file changed, 1 deletion(-)
diff --git a/monkey/common/config_value_paths.py b/monkey/common/config_value_paths.py
index 5234fb34c..77fc0fb60 100644
--- a/monkey/common/config_value_paths.py
+++ b/monkey/common/config_value_paths.py
@@ -2,7 +2,6 @@ SSH_KEYS_PATH = ["internal", "exploits", "exploit_ssh_keys"]
INACCESSIBLE_SUBNETS_PATH = ["basic_network", "network_analysis", "inaccessible_subnets"]
USER_LIST_PATH = ["basic", "credentials", "exploit_user_list"]
PASSWORD_LIST_PATH = ["basic", "credentials", "exploit_password_list"]
-EXPLOITER_CLASSES_PATH = ["basic", "exploiters", "exploiter_classes"]
LM_HASH_LIST_PATH = ["internal", "exploits", "exploit_lm_hash_list"]
NTLM_HASH_LIST_PATH = ["internal", "exploits", "exploit_ntlm_hash_list"]
From d7a2a35c46d6db15bf1f96fdd6bd91ffdc27c27c Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Thu, 14 Jul 2022 07:12:08 -0400
Subject: [PATCH 09/13] Island: Simplify a loop in get_config_exploits()
---
monkey/monkey_island/cc/services/reporting/report.py | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/monkey/monkey_island/cc/services/reporting/report.py b/monkey/monkey_island/cc/services/reporting/report.py
index f57adc247..8e312c723 100644
--- a/monkey/monkey_island/cc/services/reporting/report.py
+++ b/monkey/monkey_island/cc/services/reporting/report.py
@@ -420,11 +420,8 @@ class ReportService:
agent_configuration = cls._agent_configuration_repository.get_configuration()
exploitation_configuration = agent_configuration.propagation.exploitation
- enabled_exploiters = (
- exploiter
- for exploiter in chain(
- exploitation_configuration.brute_force, exploitation_configuration.vulnerability
- )
+ enabled_exploiters = chain(
+ exploitation_configuration.brute_force, exploitation_configuration.vulnerability
)
return [
From 521396ff81f79953dbb42c538c571dd85b495ffd Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Thu, 14 Jul 2022 07:22:24 -0400
Subject: [PATCH 10/13] Island: Remove config_users from report
Work being done in issue #1965 makes including config_users in the
report unnecessary.
---
monkey/monkey_island/cc/services/reporting/report.py | 1 -
1 file changed, 1 deletion(-)
diff --git a/monkey/monkey_island/cc/services/reporting/report.py b/monkey/monkey_island/cc/services/reporting/report.py
index 8e312c723..7da855f07 100644
--- a/monkey/monkey_island/cc/services/reporting/report.py
+++ b/monkey/monkey_island/cc/services/reporting/report.py
@@ -504,7 +504,6 @@ class ReportService:
report = {
"overview": {
"manual_monkeys": ReportService.get_manual_monkey_hostnames(),
- "config_users": config_users,
"config_passwords": config_passwords,
"config_exploits": ReportService.get_config_exploits(),
"config_ips": ReportService.get_config_ips(),
From 60a1e79179ed4fbd96f6a3d3dc2cc32cd2f6dc30 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Thu, 14 Jul 2022 07:24:29 -0400
Subject: [PATCH 11/13] Island: Remove config_passwords from report
Work being done in issue #1965 makes including config_passwords in the
report unnecessary.
---
monkey/monkey_island/cc/models/report/report_dal.py | 11 ++---------
monkey/monkey_island/cc/services/reporting/report.py | 1 -
2 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/monkey/monkey_island/cc/models/report/report_dal.py b/monkey/monkey_island/cc/models/report/report_dal.py
index 76c43bae6..1b24dfcc2 100644
--- a/monkey/monkey_island/cc/models/report/report_dal.py
+++ b/monkey/monkey_island/cc/models/report/report_dal.py
@@ -3,16 +3,9 @@ from __future__ import annotations
from bson import json_util
from monkey_island.cc.models.report.report import Report
-from monkey_island.cc.server_utils.encryption import (
- SensitiveField,
- StringListEncryptor,
- decrypt_dict,
- encrypt_dict,
-)
+from monkey_island.cc.server_utils.encryption import decrypt_dict, encrypt_dict
-sensitive_fields = [
- SensitiveField(path="overview.config_passwords", field_encryptor=StringListEncryptor)
-]
+sensitive_fields = []
def save_report(report_dict: dict):
diff --git a/monkey/monkey_island/cc/services/reporting/report.py b/monkey/monkey_island/cc/services/reporting/report.py
index 7da855f07..e044becea 100644
--- a/monkey/monkey_island/cc/services/reporting/report.py
+++ b/monkey/monkey_island/cc/services/reporting/report.py
@@ -504,7 +504,6 @@ class ReportService:
report = {
"overview": {
"manual_monkeys": ReportService.get_manual_monkey_hostnames(),
- "config_passwords": config_passwords,
"config_exploits": ReportService.get_config_exploits(),
"config_ips": ReportService.get_config_ips(),
"config_scan": ReportService.get_config_scan(),
From 7760520cc8d62cbda319bf79b75263a53ffa9568 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Thu, 14 Jul 2022 07:27:47 -0400
Subject: [PATCH 12/13] Island: Remove disused StringListEncryptor
---
.../cc/server_utils/encryption/__init__.py | 1 -
.../encryption/field_encryptors/__init__.py | 1 -
.../field_encryptors/string_list_encryptor.py | 14 -------
.../cc/models/test_report_dal.py | 41 +------------------
.../encryption/test_string_list_encryptor.py | 21 ----------
5 files changed, 1 insertion(+), 77 deletions(-)
delete mode 100644 monkey/monkey_island/cc/server_utils/encryption/field_encryptors/string_list_encryptor.py
delete mode 100644 monkey/tests/unit_tests/monkey_island/cc/server_utils/encryption/test_string_list_encryptor.py
diff --git a/monkey/monkey_island/cc/server_utils/encryption/__init__.py b/monkey/monkey_island/cc/server_utils/encryption/__init__.py
index 9443fa4ab..d790a71f6 100644
--- a/monkey/monkey_island/cc/server_utils/encryption/__init__.py
+++ b/monkey/monkey_island/cc/server_utils/encryption/__init__.py
@@ -21,5 +21,4 @@ from .dict_encryptor import (
FieldNotFoundError,
)
from .field_encryptors.i_field_encryptor import IFieldEncryptor
-from .field_encryptors.string_list_encryptor import StringListEncryptor
from .field_encryptors.string_encryptor import StringEncryptor
diff --git a/monkey/monkey_island/cc/server_utils/encryption/field_encryptors/__init__.py b/monkey/monkey_island/cc/server_utils/encryption/field_encryptors/__init__.py
index 84a635ece..ccbd75331 100644
--- a/monkey/monkey_island/cc/server_utils/encryption/field_encryptors/__init__.py
+++ b/monkey/monkey_island/cc/server_utils/encryption/field_encryptors/__init__.py
@@ -1,3 +1,2 @@
from .i_field_encryptor import IFieldEncryptor
-from .string_list_encryptor import StringListEncryptor
from .string_encryptor import StringEncryptor
diff --git a/monkey/monkey_island/cc/server_utils/encryption/field_encryptors/string_list_encryptor.py b/monkey/monkey_island/cc/server_utils/encryption/field_encryptors/string_list_encryptor.py
deleted file mode 100644
index bf2555016..000000000
--- a/monkey/monkey_island/cc/server_utils/encryption/field_encryptors/string_list_encryptor.py
+++ /dev/null
@@ -1,14 +0,0 @@
-from typing import List
-
-from ..data_store_encryptor import get_datastore_encryptor
-from . import IFieldEncryptor
-
-
-class StringListEncryptor(IFieldEncryptor):
- @staticmethod
- def encrypt(value: List[str]) -> List[str]:
- return [get_datastore_encryptor().encrypt(string.encode()).decode() for string in value]
-
- @staticmethod
- def decrypt(value: List[str]) -> List[str]:
- return [get_datastore_encryptor().decrypt(string.encode()).decode() for string in value]
diff --git a/monkey/tests/unit_tests/monkey_island/cc/models/test_report_dal.py b/monkey/tests/unit_tests/monkey_island/cc/models/test_report_dal.py
index 67ac8355e..00154e5fe 100644
--- a/monkey/tests/unit_tests/monkey_island/cc/models/test_report_dal.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/models/test_report_dal.py
@@ -1,16 +1,14 @@
import copy
-from typing import List
import pytest
from monkey_island.cc.models import Report
from monkey_island.cc.models.report import get_report, save_report
-from monkey_island.cc.server_utils.encryption import IFieldEncryptor, SensitiveField
MOCK_SENSITIVE_FIELD_CONTENTS = ["the_string", "the_string2"]
MOCK_REPORT_DICT = {
"overview": {
- "foo": {"the_key": MOCK_SENSITIVE_FIELD_CONTENTS, "other_key": "other_value"},
+ "foo": {"the_key": ["the_string", "the_string2"], "other_key": "other_value"},
"bar": {"the_key": []},
},
"glance": {"foo": "bar"},
@@ -19,43 +17,6 @@ MOCK_REPORT_DICT = {
}
-class MockStringListEncryptor(IFieldEncryptor):
- plaintext = []
-
- @staticmethod
- def encrypt(value: List[str]) -> List[str]:
- return [MockStringListEncryptor._encrypt(v) for v in value]
-
- @staticmethod
- def _encrypt(value: str) -> str:
- MockStringListEncryptor.plaintext.append(value)
- return f"ENCRYPTED_{str(len(MockStringListEncryptor.plaintext) - 1)}"
-
- @staticmethod
- def decrypt(value: List[str]) -> List[str]:
- return MockStringListEncryptor.plaintext
-
-
-@pytest.fixture(autouse=True)
-def patch_sensitive_fields(monkeypatch):
- mock_sensitive_fields = [
- SensitiveField("overview.foo.the_key", MockStringListEncryptor),
- SensitiveField("overview.bar.the_key", MockStringListEncryptor),
- ]
- monkeypatch.setattr(
- "monkey_island.cc.models.report.report_dal.sensitive_fields", mock_sensitive_fields
- )
-
-
-@pytest.mark.usefixtures("uses_database")
-def test_report_encryption():
- save_report(MOCK_REPORT_DICT)
-
- assert Report.objects.first()["overview"]["foo"]["the_key"] == ["ENCRYPTED_0", "ENCRYPTED_1"]
- assert Report.objects.first()["overview"]["bar"]["the_key"] == []
- assert get_report()["overview"]["foo"]["the_key"] == MOCK_SENSITIVE_FIELD_CONTENTS
-
-
@pytest.mark.usefixtures("uses_database")
def test_report_dot_encoding():
mrd = copy.deepcopy(MOCK_REPORT_DICT)
diff --git a/monkey/tests/unit_tests/monkey_island/cc/server_utils/encryption/test_string_list_encryptor.py b/monkey/tests/unit_tests/monkey_island/cc/server_utils/encryption/test_string_list_encryptor.py
deleted file mode 100644
index b78cd6ec0..000000000
--- a/monkey/tests/unit_tests/monkey_island/cc/server_utils/encryption/test_string_list_encryptor.py
+++ /dev/null
@@ -1,21 +0,0 @@
-import pytest
-
-from monkey_island.cc.server_utils.encryption import StringListEncryptor
-
-MOCK_STRING_LIST = ["test_1", "test_2"]
-EMPTY_LIST = []
-
-
-@pytest.mark.slow
-def test_encryption_and_decryption(uses_encryptor):
- encrypted_list = StringListEncryptor.encrypt(MOCK_STRING_LIST)
- assert not encrypted_list == MOCK_STRING_LIST
- decrypted_list = StringListEncryptor.decrypt(encrypted_list)
- assert decrypted_list == MOCK_STRING_LIST
-
-
-@pytest.mark.slow
-def test_empty_list(uses_encryptor):
- # Tests that no errors are raised
- encrypted_list = StringListEncryptor.encrypt(EMPTY_LIST)
- StringListEncryptor.decrypt(encrypted_list)
From ea1414d0b5b218c4ba2ad07cc98ef6da14d98f98 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Thu, 14 Jul 2022 07:28:53 -0400
Subject: [PATCH 13/13] Island: Remove encryption from report_dal.py
Since passwords were removed from the report in 60a1e791, there's no
need to encrypt any data in the report.
---
monkey/monkey_island/cc/models/report/report_dal.py | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/monkey/monkey_island/cc/models/report/report_dal.py b/monkey/monkey_island/cc/models/report/report_dal.py
index 1b24dfcc2..b70ca98b8 100644
--- a/monkey/monkey_island/cc/models/report/report_dal.py
+++ b/monkey/monkey_island/cc/models/report/report_dal.py
@@ -3,14 +3,10 @@ from __future__ import annotations
from bson import json_util
from monkey_island.cc.models.report.report import Report
-from monkey_island.cc.server_utils.encryption import decrypt_dict, encrypt_dict
-
-sensitive_fields = []
def save_report(report_dict: dict):
report_dict = _encode_dot_char_before_mongo_insert(report_dict)
- report_dict = encrypt_dict(sensitive_fields, report_dict)
Report.objects.delete()
Report(
overview=report_dict["overview"],
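Review bot: With `encrypt_dict` removed, `save_report()` writes the whole report dict to MongoDB as-is, and nothing in the file now marks that as a constraint. A later change that adds a secret to `overview` or another section would be stored in plaintext without any failing test. A comment above `save_report`, e.g. `# The report is persisted unencrypted; it must not contain credentials or other secrets.`, would keep the invariant visible. Reports saved by earlier versions may still hold an encrypted `overview.config_passwords` list, which `get_report()` would now return undecrypted unless the report is regenerated first (not visible here).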
@@ -22,8 +18,7 @@ def save_report(report_dict: dict):
def get_report() -> dict:
report_dict = Report.objects.first().to_mongo()
- decrypted = decrypt_dict(sensitive_fields, report_dict)
- return _decode_dot_char_before_mongo_insert(decrypted)
+ return _decode_dot_char_before_mongo_insert(report_dict)
# TODO remove this unnecessary encoding. I think these are legacy methods from back in the day