Merge branch '3078-test-unauthenticated-requests-rejected' into develop

mssalvatore · mssalvatore · commit 69e326b187f0 · 2023-04-10T13:21:02.000-04:00
Issue #3078 PR #3217
diff --git a/envs/monkey_zoo/blackbox/island_client/monkey_island_requests.py b/envs/monkey_zoo/blackbox/island_client/monkey_island_requests.py
@@ -1,9 +1,10 @@
 import logging
 from http import HTTPStatus
-from typing import Dict
 
 import requests
 
+from common.types import JSONSerializable
+
 from .i_monkey_island_requests import IMonkeyIslandRequests
 
 ISLAND_USERNAME = "test"
@@ -89,17 +90,17 @@ def put(self, url, data):
             self.addr + url, data=data, headers=self.get_auth_header(), verify=False
         )
 
-    def put_json(self, url, json: Dict):
+    def put_json(self, url, json: JSONSerializable):
         return requests.put(  # noqa: DUO123
             self.addr + url, json=json, headers=self.get_auth_header(), verify=False
         )
 
-    def post_json(self, url, json: Dict):
+    def post_json(self, url, json: JSONSerializable):
         return requests.post(  # noqa: DUO123
             self.addr + url, json=json, headers=self.get_auth_header(), verify=False
         )
 
-    def patch(self, url, data: Dict):
+    def patch(self, url, data: JSONSerializable):
         return requests.patch(  # noqa: DUO123
             self.addr + url, data=data, headers=self.get_auth_header(), verify=False
         )
diff --git a/envs/monkey_zoo/blackbox/test_blackbox.py b/envs/monkey_zoo/blackbox/test_blackbox.py
@@ -316,6 +316,76 @@ def test_agent__cannot_access_nonagent_endpoints(island):
     )
 
 
+def test_unauthenticated_user_cannot_access_API(island):
+    island_requests = MonkeyIslandRequests(island)
+
+    assert (
+        island_requests.post(AGENT_EVENTS_ENDPOINT, data=None).status_code
+        == HTTPStatus.UNAUTHORIZED
+    )
+    assert (
+        island_requests.post(AGENT_HEARTBEAT_ENDPOINT, data=None).status_code
+        == HTTPStatus.UNAUTHORIZED
+    )
+    assert island_requests.put(PUT_LOG_ENDPOINT, data=None).status_code == HTTPStatus.UNAUTHORIZED
+    assert island_requests.get(GET_AGENT_PLUGINS_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    assert (
+        island_requests.get("/api/agent-plugins/plugin-type/plugin-name/manifest").status_code
+        == HTTPStatus.UNAUTHORIZED
+    )
+    assert island_requests.get(GET_AGENT_SIGNALS_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    assert (
+        island_requests.post(GET_AGENTS_ENDPOINT, data=None).status_code == HTTPStatus.UNAUTHORIZED
+    )
+    assert island_requests.get(GET_AGENT_EVENTS_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    assert island_requests.get(PUT_LOG_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    assert (
+        island_requests.post(TERMINATE_AGENTS_ENDPOINT, data=None).status_code
+        == HTTPStatus.UNAUTHORIZED
+    )
+    assert island_requests.get(GET_AGENTS_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    assert (
+        island_requests.post(CLEAR_SIMULATION_DATA_ENDPOINT, data=None).status_code
+        == HTTPStatus.UNAUTHORIZED
+    )
+    assert island_requests.get(MONKEY_EXPLOITATION_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    assert island_requests.get(GET_ISLAND_LOG_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    assert island_requests.get(ISLAND_MODE_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    assert (
+        island_requests.put(ISLAND_MODE_ENDPOINT, data=None).status_code == HTTPStatus.UNAUTHORIZED
+    )
+    assert (
+        island_requests.post(ISLAND_RUN_ENDPOINT, data=None).status_code == HTTPStatus.UNAUTHORIZED
+    )
+    assert island_requests.get(GET_MACHINES_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    assert island_requests.get(GET_NODES_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    assert (
+        island_requests.put(PROPAGATION_CREDENTIALS_ENDPOINT, data=None).status_code
+        == HTTPStatus.UNAUTHORIZED
+    )
+    assert (
+        island_requests.get(PROPAGATION_CREDENTIALS_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    )
+    assert (
+        island_requests.get(GET_RANSOMWARE_REPORT_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    )
+    assert island_requests.get(REMOTE_RUN_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    assert (
+        island_requests.post(REMOTE_RUN_ENDPOINT, data=None).status_code == HTTPStatus.UNAUTHORIZED
+    )
+    assert island_requests.get(GET_REPORT_STATUS_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    assert (
+        island_requests.post(RESET_AGENT_CONFIG_ENDPOINT, data=None).status_code
+        == HTTPStatus.UNAUTHORIZED
+    )
+    assert island_requests.get(GET_SECURITY_REPORT_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    assert island_requests.get(GET_ISLAND_VERSION_ENDPOINT).status_code == HTTPStatus.UNAUTHORIZED
+    assert (
+        island_requests.put(PUT_AGENT_CONFIG_ENDPOINT, data=None).status_code
+        == HTTPStatus.UNAUTHORIZED
+    )
+
+
 LOGOUT_AGENT_ID = uuid4()
 
 
