From 9bb7148f50af24ad42d303e6dec408d0ea57b6a2 Mon Sep 17 00:00:00 2001
From: Itay Mizeretz
Date: Thu, 22 Feb 2018 16:21:03 +0200
Subject: [PATCH] Secure all endpoints

---
 monkey_island/cc/resources/monkey.py | 14 ++++++--------
 monkey_island/cc/resources/monkey_configuration.py | 7 ++++---
 monkey_island/cc/resources/monkey_download.py | 3 +++
 monkey_island/cc/resources/netmap.py | 2 ++
 monkey_island/cc/resources/node.py | 2 ++
 monkey_island/cc/resources/report.py | 3 +++
 monkey_island/cc/resources/root.py | 3 +++
 monkey_island/cc/resources/telemetry.py | 3 +++
 monkey_island/cc/resources/telemetry_feed.py | 2 ++
 9 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/monkey_island/cc/resources/monkey.py b/monkey_island/cc/resources/monkey.py
index 37722262c..d344949bc 100644
--- a/monkey_island/cc/resources/monkey.py
+++ b/monkey_island/cc/resources/monkey.py
@@ -15,23 +15,20 @@ __author__ = 'Barak'
 
 
 class Monkey(flask_restful.Resource):
+
+    # Used by monkey. can't secure.
     def get(self, guid=None, **kw):
         NodeService.update_dead_monkeys()  # refresh monkeys status
         if not guid:
             guid = request.args.get('guid')
-        timestamp = request.args.get('timestamp')
 
         if guid:
             monkey_json = mongo.db.monkey.find_one_or_404({"guid": guid})
             return monkey_json
-        else:
-            result = {'timestamp': datetime.now().isoformat()}
-            find_filter = {}
-            if timestamp is not None:
-                find_filter['modifytime'] = {'$gt': dateutil.parser.parse(timestamp)}
-            result['objects'] = [x for x in mongo.db.monkey.find(find_filter)]
-            return result
 
+        return {}
+
+    # Used by monkey. can't secure.
     def patch(self, guid):
         monkey_json = json.loads(request.data)
         update = {"$set": {'modifytime': datetime.now()}}
@@ -51,6 +48,7 @@ class Monkey(flask_restful.Resource):
 
         return mongo.db.monkey.update({"_id": monkey["_id"]}, update, upsert=False)
 
+    # Used by monkey. can't secure.
     def post(self, **kw):
         monkey_json = json.loads(request.data)
         monkey_json['creds'] = []
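Review bot: The unauthenticated `get` still hands the whole monkey document to any caller who supplies a guid, because `find_one_or_404({"guid": guid})` is returned as-is and only the guid-less listing was replaced by `return {}`; if the agent needs just a few fields, pass a projection to `find_one_or_404` so the open endpoint exposes no more than required. The removed `timestamp` branch was the only code in this hunk that used `dateutil.parser`, so the `dateutil` import at the top of the file (outside the hunk) is probably unused now. The same `# Used by monkey. can't secure.` comment marks `patch` here and `post` in the next hunk; stating in that comment why the agent cannot present a token would let a later reviewer judge whether the exemption still holds.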
diff --git a/monkey_island/cc/resources/monkey_configuration.py b/monkey_island/cc/resources/monkey_configuration.py
index 6d622b1cd..0bd30db3f 100644
--- a/monkey_island/cc/resources/monkey_configuration.py
+++ b/monkey_island/cc/resources/monkey_configuration.py
@@ -1,18 +1,20 @@
 import json
 
-from flask import request, jsonify
 import flask_restful
+from flask import request, jsonify
 
-from cc.database import mongo
+from cc.auth import jwt_required
 from cc.services.config import ConfigService
 
 __author__ = 'Barak'
 
 
 class MonkeyConfiguration(flask_restful.Resource):
+    @jwt_required()
     def get(self):
         return jsonify(schema=ConfigService.get_config_schema(), configuration=ConfigService.get_config())
 
+    @jwt_required()
     def post(self):
         config_json = json.loads(request.data)
         if config_json.has_key('reset'):
@@ -20,4 +22,3 @@ class MonkeyConfiguration(flask_restful.Resource):
         else:
             ConfigService.update_config(config_json)
         return self.get()
-
diff --git a/monkey_island/cc/resources/monkey_download.py b/monkey_island/cc/resources/monkey_download.py
index b311c4472..ac1f9de2d 100644
--- a/monkey_island/cc/resources/monkey_download.py
+++ b/monkey_island/cc/resources/monkey_download.py
@@ -47,9 +47,12 @@ def get_monkey_executable(host_os, machine):
 
 
 class MonkeyDownload(flask_restful.Resource):
+
+    # Used by monkey. can't secure.
     def get(self, path):
         return send_from_directory('binaries', path)
 
+    # Used by monkey. can't secure.
     def post(self):
         host_json = json.loads(request.data)
         host_os = host_json.get('os')
diff --git a/monkey_island/cc/resources/netmap.py b/monkey_island/cc/resources/netmap.py
index 12418ef6b..3ba7fafa8 100644
--- a/monkey_island/cc/resources/netmap.py
+++ b/monkey_island/cc/resources/netmap.py
@@ -1,5 +1,6 @@
 import flask_restful
 
+from cc.auth import jwt_required
 from cc.services.edge import EdgeService
 from cc.services.node import NodeService
 from cc.database import mongo
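Review bot: `post` in MonkeyConfiguration checks the body with `config_json.has_key('reset')`, a Python 2-only dict method, so the newly token-protected handler raises `AttributeError` on Python 3; `if 'reset' in config_json:` behaves the same on both. The `@jwt_required()` decorators sit directly on the methods, which is where flask_restful needs them for per-method dispatch, so the guard itself looks right. `json.loads(request.data)` on a malformed body still surfaces as a 500 rather than a 400, but that predates this change.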
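Review bot: `MonkeyDownload.get` serves `send_from_directory('binaries', path)` with no authentication, so the only thing between the caller-controlled `path` and the filesystem is the path sanitisation inside `send_from_directory`; a comment should pin that down so nobody later swaps it for `send_file` or a hand-built join, e.g. `# Unauthenticated: path is caller-controlled, rely on send_from_directory's sanitisation, never join it by hand.`. `'binaries'` is a relative directory; confirm which base the pinned Flask version resolves it against (app root_path versus the working directory) so the open endpoint cannot be pointed elsewhere by a different launch directory. `post` is likewise unauthenticated and its body continues outside the hunk.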
@@ -8,6 +9,7 @@ __author__ = 'Barak'
 
 
 class NetMap(flask_restful.Resource):
+    @jwt_required()
     def get(self, **kw):
         monkeys = [NodeService.monkey_to_net_node(x) for x in mongo.db.monkey.find({})]
         nodes = [NodeService.node_to_net_node(x) for x in mongo.db.node.find({})]
diff --git a/monkey_island/cc/resources/node.py b/monkey_island/cc/resources/node.py
index 5a6c52e1b..bc00c40cf 100644
--- a/monkey_island/cc/resources/node.py
+++ b/monkey_island/cc/resources/node.py
@@ -1,12 +1,14 @@
 from flask import request
 import flask_restful
 
+from cc.auth import jwt_required
 from cc.services.node import NodeService
 
 __author__ = 'Barak'
 
 
 class Node(flask_restful.Resource):
+    @jwt_required()
     def get(self):
         node_id = request.args.get('id')
         if node_id:
diff --git a/monkey_island/cc/resources/report.py b/monkey_island/cc/resources/report.py
index e967b207f..1a00fa609 100644
--- a/monkey_island/cc/resources/report.py
+++ b/monkey_island/cc/resources/report.py
@@ -1,10 +1,13 @@
 import flask_restful
 
+from cc.auth import jwt_required
 from cc.services.report import ReportService
 
 __author__ = "itay.mizeretz"
 
 
 class Report(flask_restful.Resource):
+
+    @jwt_required()
     def get(self):
         return ReportService.get_report()
diff --git a/monkey_island/cc/resources/root.py b/monkey_island/cc/resources/root.py
index 25d7dfed7..04129f257 100644
--- a/monkey_island/cc/resources/root.py
+++ b/monkey_island/cc/resources/root.py
@@ -3,6 +3,7 @@ from datetime import datetime
 import flask_restful
 from flask import request, make_response, jsonify
 
+from cc.auth import jwt_required
 from cc.database import mongo
 from cc.services.config import ConfigService
 from cc.services.node import NodeService
@@ -13,6 +14,8 @@ __author__ = 'Barak'
 
 
 class Root(flask_restful.Resource):
+
+    @jwt_required()
     def get(self, action=None):
         if not action:
             action = request.args.get('action')
diff --git a/monkey_island/cc/resources/telemetry.py b/monkey_island/cc/resources/telemetry.py
index 94c4046b5..e1b17ac9a 100644
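Review bot: The new `@jwt_required()` on `Report.get` is separated from the `class Report(...)` line by an added blank line, whereas the same decorator in netmap.py, node.py, telemetry.py and telemetry_feed.py is placed directly under the class line; root.py, monkey.py and monkey_download.py follow the blank-line variant for their decorator or `# Used by monkey. can't secure.` comment. PEP 8 needs no blank line after the class line, so dropping the added blank lines in report.py, root.py, monkey.py and monkey_download.py would give one consistent layout across the commit. Nothing else changes in these hunks beyond the guard.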
--- a/monkey_island/cc/resources/telemetry.py
+++ b/monkey_island/cc/resources/telemetry.py
@@ -7,6 +7,7 @@ import dateutil
 import flask_restful
 from flask import request
 
+from cc.auth import jwt_required
 from cc.database import mongo
 from cc.services.config import ConfigService
 from cc.services.edge import EdgeService
@@ -16,6 +17,7 @@ __author__ = 'Barak'
 
 
 class Telemetry(flask_restful.Resource):
+    @jwt_required()
     def get(self, **kw):
         monkey_guid = request.args.get('monkey_guid')
         telem_type = request.args.get('telem_type')
@@ -36,6 +38,7 @@ class Telemetry(flask_restful.Resource):
         result['objects'] = self.telemetry_to_displayed_telemetry(mongo.db.telemetry.find(find_filter))
         return result
 
+    # Used by monkey. can't secure.
     def post(self):
         telemetry_json = json.loads(request.data)
         telemetry_json['timestamp'] = datetime.now()
diff --git a/monkey_island/cc/resources/telemetry_feed.py b/monkey_island/cc/resources/telemetry_feed.py
index 9a7e507ef..f14c5d29f 100644
--- a/monkey_island/cc/resources/telemetry_feed.py
+++ b/monkey_island/cc/resources/telemetry_feed.py
@@ -5,6 +5,7 @@ import flask_restful
 from flask import request
 import flask_pymongo
 
+from cc.auth import jwt_required
 from cc.database import mongo
 from cc.services.node import NodeService
 
@@ -12,6 +13,7 @@ __author__ = 'itay.mizeretz'
 
 
 class TelemetryFeed(flask_restful.Resource):
+    @jwt_required()
     def get(self, **kw):
         timestamp = request.args.get('timestamp')
         if "null" == timestamp or timestamp is None:  # special case to avoid ugly JS code...
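Review bot: `Telemetry.post` stays open while `get` is now behind `@jwt_required()`, so every field of `telemetry_json` other than the server-set `timestamp` is caller-controlled and is later handed back through `get`'s `telemetry_to_displayed_telemetry` to an authenticated reader, presumably the UI; the comment at the open endpoint should record that trust boundary, e.g. `# Used by monkey. can't secure: body is untrusted input, stored as-is and later served to authenticated clients.`. The rest of `post`, including any check on the submitted `monkey_guid` or telemetry shape, is outside the hunk, so I cannot tell whether such validation exists.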