Merge pull request #2050 from guardicore/2002-config-encryption-in-ui

2002 config encryption in UI
This commit is contained in:
VakarisZ 2022-06-30 15:03:52 +03:00 committed by GitHub
commit fe36f863b5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 120 additions and 89 deletions

View File

@ -20,6 +20,7 @@
"bootstrap": "^4.5.3", "bootstrap": "^4.5.3",
"classnames": "^2.3.1", "classnames": "^2.3.1",
"core-js": "^3.18.2", "core-js": "^3.18.2",
"crypto-js": "^4.1.1",
"d3": "^5.14.1", "d3": "^5.14.1",
"downloadjs": "^1.4.7", "downloadjs": "^1.4.7",
"fetch": "^1.1.0", "fetch": "^1.1.0",
@ -4191,6 +4192,11 @@
"semver": "bin/semver" "semver": "bin/semver"
} }
}, },
"node_modules/crypto-js": {
"version": "4.1.1",
"resolved": "https://registry.npmjs.org/crypto-js/-/crypto-js-4.1.1.tgz",
"integrity": "sha512-o2JlM7ydqd3Qk9CA0L4NL6mTzU2sdx96a+oOfPu8Mkl/PK51vSyoi8/rQ8NknZtk44vq15lmhAj9CIAGwgeWKw=="
},
"node_modules/css-loader": { "node_modules/css-loader": {
"version": "6.7.1", "version": "6.7.1",
"resolved": "https://registry.npmjs.org/css-loader/-/css-loader-6.7.1.tgz", "resolved": "https://registry.npmjs.org/css-loader/-/css-loader-6.7.1.tgz",
@ -19166,6 +19172,11 @@
} }
} }
}, },
"crypto-js": {
"version": "4.1.1",
"resolved": "https://registry.npmjs.org/crypto-js/-/crypto-js-4.1.1.tgz",
"integrity": "sha512-o2JlM7ydqd3Qk9CA0L4NL6mTzU2sdx96a+oOfPu8Mkl/PK51vSyoi8/rQ8NknZtk44vq15lmhAj9CIAGwgeWKw=="
},
"css-loader": { "css-loader": {
"version": "6.7.1", "version": "6.7.1",
"resolved": "https://registry.npmjs.org/css-loader/-/css-loader-6.7.1.tgz", "resolved": "https://registry.npmjs.org/css-loader/-/css-loader-6.7.1.tgz",

View File

@ -76,6 +76,7 @@
"bootstrap": "^4.5.3", "bootstrap": "^4.5.3",
"classnames": "^2.3.1", "classnames": "^2.3.1",
"core-js": "^3.18.2", "core-js": "^3.18.2",
"crypto-js": "^4.1.1",
"d3": "^5.14.1", "d3": "^5.14.1",
"downloadjs": "^1.4.7", "downloadjs": "^1.4.7",
"fetch": "^1.1.0", "fetch": "^1.1.0",

View File

@ -1,53 +1,44 @@
import {Button, Modal, Form} from 'react-bootstrap'; import {Button, Form, Modal} from 'react-bootstrap';
import React, {useState} from 'react'; import React, {useState} from 'react';
import FileSaver from 'file-saver'; import FileSaver from 'file-saver';
import AuthComponent from '../AuthComponent';
import '../../styles/components/configuration-components/ExportConfigModal.scss'; import '../../styles/components/configuration-components/ExportConfigModal.scss';
import {encryptText} from '../utils/PasswordBasedEncryptor';
type Props = { type Props = {
show: boolean, show: boolean,
configuration: object,
onHide: () => void onHide: () => void
} }
const ConfigExportModal = (props: Props) => { const ConfigExportModal = (props: Props) => {
// TODO: Change this endpoint to new agent-configuration endpoint
const configExportEndpoint = '/api/configuration/export';
const [pass, setPass] = useState(''); const [pass, setPass] = useState('');
const [radioValue, setRadioValue] = useState('password'); const [radioValue, setRadioValue] = useState('password');
const authComponent = new AuthComponent({});
function isExportBtnDisabled() { function isExportBtnDisabled() {
return pass === '' && radioValue === 'password'; return pass === '' && radioValue === 'password';
} }
function onSubmit() { function onSubmit() {
authComponent.authFetch(configExportEndpoint, let config = props.configuration;
{ let config_export = {'metadata': {}, 'contents': null};
method: 'POST',
headers: {'Content-Type': 'application/json'}, if (radioValue === 'password') {
body: JSON.stringify({ config_export.contents = encryptText(JSON.stringify(config), pass);
should_encrypt: (radioValue === 'password'), config_export.metadata = {'encrypted': true};
password: pass
})
}
)
.then(res => res.json())
.then(res => {
let configToExport = res['config_export'];
if (res['encrypted']) {
configToExport = new Blob([configToExport]);
} else { } else {
configToExport = new Blob( config_export.contents = config;
[JSON.stringify(configToExport, null, 2)], config_export.metadata = {'encrypted': false};
}
let export_json = JSON.stringify(config_export, null, 2);
let export_blob = new Blob(
[export_json],
{type: 'text/plain;charset=utf-8'} {type: 'text/plain;charset=utf-8'}
); );
} FileSaver.saveAs(export_blob, 'monkey.conf');
FileSaver.saveAs(configToExport, 'monkey.conf');
props.onHide(); props.onHide();
})
} }
return ( return (

View File

@ -9,10 +9,12 @@ import UnsafeConfigOptionsConfirmationModal
from './UnsafeConfigOptionsConfirmationModal.js'; from './UnsafeConfigOptionsConfirmationModal.js';
import UploadStatusIcon, {UploadStatuses} from '../ui-components/UploadStatusIcon'; import UploadStatusIcon, {UploadStatuses} from '../ui-components/UploadStatusIcon';
import isUnsafeOptionSelected from '../utils/SafeOptionValidator.js'; import isUnsafeOptionSelected from '../utils/SafeOptionValidator.js';
import {decryptText} from '../utils/PasswordBasedEncryptor';
type Props = { type Props = {
show: boolean, show: boolean,
schema: object,
onClose: (importSuccessful: boolean) => void onClose: (importSuccessful: boolean) => void
} }
@ -23,9 +25,9 @@ const ConfigImportModal = (props: Props) => {
const [uploadStatus, setUploadStatus] = useState(UploadStatuses.clean); const [uploadStatus, setUploadStatus] = useState(UploadStatuses.clean);
const [configContents, setConfigContents] = useState(null); const [configContents, setConfigContents] = useState(null);
const [candidateConfig, setCandidateConfig] = useState(null);
const [password, setPassword] = useState(''); const [password, setPassword] = useState('');
const [showPassword, setShowPassword] = useState(false); const [showPassword, setShowPassword] = useState(false);
const [configEncrypted, setConfigEncrypted] = useState(false);
const [errorMessage, setErrorMessage] = useState(''); const [errorMessage, setErrorMessage] = useState('');
const [unsafeOptionsVerified, setUnsafeOptionsVerified] = useState(false); const [unsafeOptionsVerified, setUnsafeOptionsVerified] = useState(false);
const [showUnsafeOptionsConfirmation, const [showUnsafeOptionsConfirmation,
@ -36,10 +38,33 @@ const ConfigImportModal = (props: Props) => {
useEffect(() => { useEffect(() => {
if (configContents !== null) { if (configContents !== null) {
sendConfigToServer(); tryImport();
} }
}, [configContents, unsafeOptionsVerified]) }, [configContents, unsafeOptionsVerified])
function tryImport() {
if (configEncrypted && !showPassword){
setShowPassword(true);
} else if (configEncrypted && showPassword) {
try {
let decryptedConfig = JSON.parse(decryptText(configContents, password));
setConfigEncrypted(false);
setConfigContents(decryptedConfig);
} catch (e) {
setUploadStatus(UploadStatuses.error);
setErrorMessage('Decryption failed: Password is wrong or the file is corrupted');
}
} else if(!unsafeOptionsVerified) {
if(isUnsafeOptionSelected(props.schema, configContents)){
setShowUnsafeOptionsConfirmation(true);
} else {
setUnsafeOptionsVerified(true);
}
} else {
sendConfigToServer();
setUploadStatus(UploadStatuses.success);
}
}
function sendConfigToServer() { function sendConfigToServer() {
authComponent.authFetch(configImportEndpoint, authComponent.authFetch(configImportEndpoint,
@ -48,34 +73,14 @@ const ConfigImportModal = (props: Props) => {
headers: {'Content-Type': 'application/json'}, headers: {'Content-Type': 'application/json'},
body: JSON.stringify({ body: JSON.stringify({
config: configContents, config: configContents,
password: password,
unsafeOptionsVerified: unsafeOptionsVerified
}) })
} }
).then(res => res.json()) ).then(res => res.json())
.then(res => { .then(res => {
if (res['import_status'] === 'invalid_credentials') { if (res['import_status'] === 'invalid_configuration') {
setUploadStatus(UploadStatuses.success);
if (showPassword){
setErrorMessage(res['message']);
} else {
setShowPassword(true);
setErrorMessage('');
}
} else if (res['import_status'] === 'invalid_configuration') {
setUploadStatus(UploadStatuses.error); setUploadStatus(UploadStatuses.error);
setErrorMessage(res['message']); setErrorMessage(res['message']);
} else if (res['import_status'] === 'unsafe_options_verification_required') { } else if (res['import_status'] === 'imported') {
setUploadStatus(UploadStatuses.success);
setErrorMessage('');
if (isUnsafeOptionSelected(res['config_schema'], JSON.parse(res['config']))) {
setShowUnsafeOptionsConfirmation(true);
setCandidateConfig(res['config']);
} else {
setUnsafeOptionsVerified(true);
}
} else if (res['import_status'] === 'imported'){
resetState(); resetState();
props.onClose(true); props.onClose(true);
} }
@ -83,7 +88,8 @@ const ConfigImportModal = (props: Props) => {
} }
function isImportDisabled(): boolean { function isImportDisabled(): boolean {
return uploadStatus !== UploadStatuses.success || (showPassword && password === '') // Don't allow import if password input is empty or there's an error
return (showPassword && password === '') || (errorMessage !== '');
} }
function resetState() { function resetState() {
@ -95,13 +101,22 @@ const ConfigImportModal = (props: Props) => {
setShowUnsafeOptionsConfirmation(false); setShowUnsafeOptionsConfirmation(false);
setUnsafeOptionsVerified(false); setUnsafeOptionsVerified(false);
setFileFieldKey(Date.now()); // Resets the file input setFileFieldKey(Date.now()); // Resets the file input
setConfigEncrypted(false);
} }
function uploadFile(event) { function uploadFile(event) {
setShowPassword(false); setShowPassword(false);
let reader = new FileReader(); let reader = new FileReader();
reader.onload = (event) => { reader.onload = (event) => {
setConfigContents(event.target.result); let importContents = null;
try {
importContents = JSON.parse(event.target.result);
} catch (e){
setErrorMessage('File is not in a valid json format');
return
}
setConfigEncrypted(importContents['metadata']['encrypted']);
setConfigContents(importContents['contents']);
}; };
reader.readAsText(event.target.files[0]); reader.readAsText(event.target.files[0]);
} }
@ -115,7 +130,6 @@ const ConfigImportModal = (props: Props) => {
}} }}
onContinueClick={() => { onContinueClick={() => {
setUnsafeOptionsVerified(true); setUnsafeOptionsVerified(true);
setConfigContents(candidateConfig);
}} }}
/> />
); );
@ -150,7 +164,8 @@ const ConfigImportModal = (props: Props) => {
key={fileFieldKey}/> key={fileFieldKey}/>
<UploadStatusIcon status={uploadStatus}/> <UploadStatusIcon status={uploadStatus}/>
{showPassword && <PasswordInput onChange={setPassword}/>} {showPassword && <PasswordInput onChange={(password) => {setPassword(password);
setErrorMessage('')}}/>}
{errorMessage && {errorMessage &&
<Alert variant={'danger'} className={'import-error'}> <Alert variant={'danger'} className={'import-error'}>
@ -163,7 +178,7 @@ const ConfigImportModal = (props: Props) => {
</Modal.Body> </Modal.Body>
<Modal.Footer> <Modal.Footer>
<Button variant={'info'} <Button variant={'info'}
onClick={sendConfigToServer} onClick={tryImport}
disabled={isImportDisabled()}> disabled={isImportDisabled()}>
Import Import
</Button> </Button>

View File

@ -23,6 +23,10 @@ const CONFIG_URL = '/api/configuration/island';
export const API_PBA_LINUX = '/api/file-upload/PBAlinux'; export const API_PBA_LINUX = '/api/file-upload/PBAlinux';
export const API_PBA_WINDOWS = '/api/file-upload/PBAwindows'; export const API_PBA_WINDOWS = '/api/file-upload/PBAwindows';
const configSubmitAction = 'config-submit';
const configExportAction = 'config-export';
const configSaveAction = 'config-saved';
class ConfigurePageComponent extends AuthComponent { class ConfigurePageComponent extends AuthComponent {
constructor(props) { constructor(props) {
@ -87,14 +91,16 @@ class ConfigurePageComponent extends AuthComponent {
}; };
onUnsafeConfirmationCancelClick = () => { onUnsafeConfirmationCancelClick = () => {
this.setState({showUnsafeOptionsConfirmation: false}); this.setState({showUnsafeOptionsConfirmation: false, lastAction: 'none'});
} }
onUnsafeConfirmationContinueClick = () => { onUnsafeConfirmationContinueClick = () => {
this.setState({showUnsafeOptionsConfirmation: false}); this.setState({showUnsafeOptionsConfirmation: false});
if (this.state.lastAction === configSubmitAction) {
if (this.state.lastAction === 'submit_attempt') {
this.configSubmit(); this.configSubmit();
} else if (this.state.lastAction === configExportAction) {
this.configSubmit();
this.setState({showConfigExportModal: true});
} }
} }
@ -113,37 +119,31 @@ class ConfigurePageComponent extends AuthComponent {
}; };
onSubmit = () => { onSubmit = () => {
this.attemptConfigSubmit(); this.setState({lastAction: configSubmitAction}, this.attemptConfigSubmit)
}; };
canSafelySubmitConfig(config) { canSafelySubmitConfig(config) {
return !isUnsafeOptionSelected(this.state.schema, config); return !isUnsafeOptionSelected(this.state.schema, config);
} }
checkAndShowUnsafeAttackWarning = () => { async attemptConfigSubmit() {
if (isUnsafeOptionSelected(this.state.schema, this.state.configuration)) { await this.updateConfigSection();
this.setState({showUnsafeAttackOptionsWarning: true});
}
}
attemptConfigSubmit() {
this.updateConfigSection();
this.setState({lastAction: 'submit_attempt'}, () => {
if (this.canSafelySubmitConfig(this.state.configuration)) { if (this.canSafelySubmitConfig(this.state.configuration)) {
this.configSubmit(); this.configSubmit();
if(this.state.lastAction === configExportAction){
this.setState({showConfigExportModal: true})
}
} else { } else {
this.setState({showUnsafeOptionsConfirmation: true}); this.setState({showUnsafeOptionsConfirmation: true});
} }
} }
);
}
configSubmit() { configSubmit() {
this.sendConfig() return this.sendConfig()
.then(res => res.json()) .then(res => res.json())
.then(res => { .then(res => {
this.setState({ this.setState({
lastAction: 'saved', lastAction: configSaveAction,
schema: res.schema, schema: res.schema,
configuration: res.configuration configuration: res.configuration
}); });
@ -167,11 +167,12 @@ class ConfigurePageComponent extends AuthComponent {
if (Object.keys(this.state.currentFormData).length > 0) { if (Object.keys(this.state.currentFormData).length > 0) {
newConfig[this.currentSection] = this.state.currentFormData; newConfig[this.currentSection] = this.state.currentFormData;
} }
this.setState({configuration: newConfig, lastAction: 'none'}); this.setState({configuration: newConfig});
}; };
renderConfigExportModal = () => { renderConfigExportModal = () => {
return (<ConfigExportModal show={this.state.showConfigExportModal} return (<ConfigExportModal show={this.state.showConfigExportModal}
configuration={this.state.configuration}
onHide={() => { onHide={() => {
this.setState({showConfigExportModal: false}); this.setState({showConfigExportModal: false});
}}/>); }}/>);
@ -179,6 +180,7 @@ class ConfigurePageComponent extends AuthComponent {
renderConfigImportModal = () => { renderConfigImportModal = () => {
return (<ConfigImportModal show={this.state.showConfigImportModal} return (<ConfigImportModal show={this.state.showConfigImportModal}
schema={this.state.schema}
onClose={this.onClose}/>); onClose={this.onClose}/>);
} }
@ -307,9 +309,9 @@ class ConfigurePageComponent extends AuthComponent {
this.authFetch(apiEndpoint, request_options); this.authFetch(apiEndpoint, request_options);
} }
exportConfig = () => { exportConfig = async () => {
this.updateConfigSection(); await this.setState({lastAction: configExportAction});
this.setState({showConfigExportModal: true}); await this.attemptConfigSubmit();
}; };
sendConfig() { sendConfig() {
@ -451,7 +453,7 @@ class ConfigurePageComponent extends AuthComponent {
Configuration reset successfully. Configuration reset successfully.
</div> </div>
: ''} : ''}
{this.state.lastAction === 'saved' ? {this.state.lastAction === configSaveAction ?
<div className='alert alert-success'> <div className='alert alert-success'>
<FontAwesomeIcon icon={faCheck} style={{'marginRight': '5px'}}/> <FontAwesomeIcon icon={faCheck} style={{'marginRight': '5px'}}/>
Configuration saved successfully. Configuration saved successfully.

View File

@ -0,0 +1,11 @@
import AES from 'crypto-js/aes';
import Utf8 from 'crypto-js/enc-utf8';
export function encryptText(content: string, password: string): string {
return AES.encrypt(content, password).toString();
}
export function decryptText(ciphertext: string, password: string): string {
let bytes = AES.decrypt(ciphertext, password);
return bytes.toString(Utf8);
}