Merge branch '3078-secure-endpoints' into develop

Issue #3078
PR #3203

Author: mssalvatore

envs/monkey_zoo/blackbox/island_client/agent_requests.py

@@ -0,0 +1,83 @@
+from http import HTTPStatus
+from typing import Dict
+
+import requests
+
+from common.types import OTP, AgentID
+
+from .i_monkey_island_requests import IMonkeyIslandRequests
+
+
+class InvalidRequestError(Exception):
+    pass
+
+
+class AgentRequests(IMonkeyIslandRequests):
+    def __init__(self, server_address, agent_id: AgentID, otp: OTP):
+        self.addr = f"https://{server_address}/"
+        self.token = None
+        self.agent_id = agent_id
+        self.otp = otp
+
+    def login(self):
+        self.token = self._try_register_otp()
+
+    def _try_register_otp(self):
+        resp = requests.post(  # noqa: DUO123
+            self.addr + "api/agent-otp-login",
+            json={"agent_id": str(self.agent_id), "otp": self.otp.get_secret_value()},
+            verify=False,
+        )
+        if resp.status_code == HTTPStatus.CONFLICT:
+            # A user has already been registered
+            return self.get_token_from_server()
+
+        if resp.status_code == HTTPStatus.BAD_REQUEST:
+            raise InvalidRequestError()
+
+        token = resp.json()["response"]["user"]["authentication_token"]
+        return token
+
+    def get_token_from_server(self):
+        return self.token
+
+    def get(self, url, data=None):
+        return requests.get(  # noqa: DUO123
+            self.addr + url,
+            headers=self.get_auth_header(),
+            params=data,
+            verify=False,
+        )
+
+    def post(self, url, data):
+        return requests.post(  # noqa: DUO123
+            self.addr + url, data=data, headers=self.get_auth_header(), verify=False
+        )
+
+    def put(self, url, data):
+        return requests.put(  # noqa: DUO123
+            self.addr + url, data=data, headers=self.get_auth_header(), verify=False
+        )
+
+    def put_json(self, url, json: Dict):
+        return requests.put(  # noqa: DUO123
+            self.addr + url, json=json, headers=self.get_auth_header(), verify=False
+        )
+
+    def post_json(self, url, json: Dict):
+        return requests.post(  # noqa: DUO123
+            self.addr + url, json=json, headers=self.get_auth_header(), verify=False
+        )
+
+    def patch(self, url, data: Dict):
+        return requests.patch(  # noqa: DUO123
+            self.addr + url, data=data, headers=self.get_auth_header(), verify=False
+        )
+
+    def delete(self, url):
+        return requests.delete(  # noqa: DUO123
+            self.addr + url, headers=self.get_auth_header(), verify=False
+        )
+
+    def get_auth_header(self):
+        return {"Authentication-Token": self.token}

envs/monkey_zoo/blackbox/test_blackbox.py

@@ -7,10 +7,13 @@
 import pytest
 import requests
 
+from common.types import OTP
 from envs.monkey_zoo.blackbox.analyzers.communication_analyzer import CommunicationAnalyzer
 from envs.monkey_zoo.blackbox.analyzers.zerologon_analyzer import ZerologonAnalyzer
+from envs.monkey_zoo.blackbox.island_client.agent_requests import AgentRequests
 from envs.monkey_zoo.blackbox.island_client.i_monkey_island_requests import IMonkeyIslandRequests
 from envs.monkey_zoo.blackbox.island_client.monkey_island_client import (
+    GET_AGENT_EVENTS_ENDPOINT,
     GET_AGENTS_ENDPOINT,
     GET_MACHINES_ENDPOINT,
     ISLAND_LOG_ENDPOINT,
@@ -93,8 +96,8 @@ def monkey_island_requests(island) -> IMonkeyIslandRequests:
 def island_client(monkey_island_requests):
     client_established = False
     try:
-        requests = ReauthorizingMonkeyIslandRequests(monkey_island_requests)
-        island_client_object = MonkeyIslandClient(requests)
+        reauthorizing_island_requests = ReauthorizingMonkeyIslandRequests(monkey_island_requests)
+        island_client_object = MonkeyIslandClient(reauthorizing_island_requests)
         client_established = island_client_object.get_api_status()
     except Exception:
         logging.exception("Got an exception while trying to establish connection to the Island.")
@@ -186,6 +189,103 @@ def make_request():
     assert response_codes.count(HTTPStatus.TOO_MANY_REQUESTS) == 1
 
 
+UUID = "00000000-0000-0000-0000-000000000000"
+AGENT_BINARIES_ENDPOINT = "/api/agent-binaries/os"
+AGENT_EVENTS_ENDPOINT = "/api/agent-events"
+AGENT_HEARTBEAT_ENDPOINT = f"/api/agent/{UUID}/heartbeat"
+PUT_LOG_ENDPOINT = f"/api/agent-logs/{UUID}"
+GET_AGENT_PLUGINS_ENDPOINT = "/api/agent-plugins/host/type/name"
+GET_AGENT_SIGNALS_ENDPOINT = f"/api/agent-signals/{UUID}"
+
+
+def test_island__cannot_access_nonisland_endpoints(island):
+    island_requests = MonkeyIslandRequests(island)
+    island_requests.login()
+
+    assert island_requests.get(AGENT_BINARIES_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert (
+        island_requests.post(AGENT_EVENTS_ENDPOINT, data=None).status_code == HTTPStatus.FORBIDDEN
+    )
+    assert (
+        island_requests.post(AGENT_HEARTBEAT_ENDPOINT, data=None).status_code
+        == HTTPStatus.FORBIDDEN
+    )
+    assert island_requests.put(PUT_LOG_ENDPOINT, data=None).status_code == HTTPStatus.FORBIDDEN
+    assert island_requests.get(GET_AGENT_PLUGINS_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert (
+        island_requests.get("/api/agent-plugins/plugin-type/plugin-name/manifest").status_code
+        == HTTPStatus.FORBIDDEN
+    )
+    assert island_requests.get(GET_AGENT_SIGNALS_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert island_requests.post(GET_AGENTS_ENDPOINT, data=None).status_code == HTTPStatus.FORBIDDEN
+
+
+GET_AGENT_OTP_ENDPOINT = "/api/agent-otp"
+REQUESTS_AGENT_ID = "00000000-0000-0000-0000-000000000001"
+TERMINATE_AGENTS_ENDPOINT = "/api/agent-signals/terminate-all-agents"
+CLEAR_SIMULATION_DATA_ENDPOINT = "/api/clear-simulation-data"
+MONKEY_EXPLOITATION_ENDPOINT = "/api/exploitations/monkey"
+GET_ISLAND_LOG_ENDPOINT = "/api/island/log"
+ISLAND_MODE_ENDPOINT = "/api/island/mode"
+ISLAND_RUN_ENDPOINT = "/api/local-monkey"
+GET_NODES_ENDPOINT = "/api/nodes"
+PROPAGATION_CREDENTIALS_ENDPOINT = "/api/propagation-credentials"
+GET_RANSOMWARE_REPORT_ENDPOINT = "/api/report/ransomware"
+REMOTE_RUN_ENDPOINT = "/api/remote-monkey"
+GET_REPORT_STATUS_ENDPOINT = "/api/report-generation-status"
+RESET_AGENT_CONFIG_ENDPOINT = "/api/reset-agent-configuration"
+GET_SECURITY_REPORT_ENDPOINT = "/api/report/security"
+GET_ISLAND_VERSION_ENDPOINT = "/api/island/version"
+PUT_AGENT_CONFIG_ENDPOINT = "/api/agent-configuration"
+
+
+def test_agent__cannot_access_nonagent_endpoints(island):
+    island_requests = MonkeyIslandRequests(island)
+    island_requests.login()
+    response = island_requests.get(GET_AGENT_OTP_ENDPOINT)
+    print(f"response: {response.json()}")
+    otp = response.json()["otp"]
+
+    agent_requests = AgentRequests(island, REQUESTS_AGENT_ID, OTP(otp))
+    agent_requests.login()
+
+    assert agent_requests.get(GET_AGENT_EVENTS_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert agent_requests.get(PUT_LOG_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert (
+        agent_requests.post(TERMINATE_AGENTS_ENDPOINT, data=None).status_code
+        == HTTPStatus.FORBIDDEN
+    )
+    assert agent_requests.get(GET_AGENTS_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert (
+        agent_requests.post(CLEAR_SIMULATION_DATA_ENDPOINT, data=None).status_code
+        == HTTPStatus.FORBIDDEN
+    )
+    assert agent_requests.get(MONKEY_EXPLOITATION_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert agent_requests.get(GET_ISLAND_LOG_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert agent_requests.get(ISLAND_MODE_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert agent_requests.put(ISLAND_MODE_ENDPOINT, data=None).status_code == HTTPStatus.FORBIDDEN
+    assert agent_requests.post(ISLAND_RUN_ENDPOINT, data=None).status_code == HTTPStatus.FORBIDDEN
+    assert agent_requests.get(GET_MACHINES_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert agent_requests.get(GET_NODES_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert (
+        agent_requests.put(PROPAGATION_CREDENTIALS_ENDPOINT, data=None).status_code
+        == HTTPStatus.FORBIDDEN
+    )
+    assert agent_requests.get(GET_RANSOMWARE_REPORT_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert agent_requests.get(REMOTE_RUN_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert agent_requests.post(REMOTE_RUN_ENDPOINT, data=None).status_code == HTTPStatus.FORBIDDEN
+    assert agent_requests.get(GET_REPORT_STATUS_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert (
+        agent_requests.post(RESET_AGENT_CONFIG_ENDPOINT, data=None).status_code
+        == HTTPStatus.FORBIDDEN
+    )
+    assert agent_requests.get(GET_SECURITY_REPORT_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert agent_requests.get(GET_ISLAND_VERSION_ENDPOINT).status_code == HTTPStatus.FORBIDDEN
+    assert (
+        agent_requests.put(PUT_AGENT_CONFIG_ENDPOINT, data=None).status_code == HTTPStatus.FORBIDDEN
+    )
+
+
 # NOTE: These test methods are ordered to give time for the slower zoo machines
 # to boot up and finish starting services.
 # noinspection PyUnresolvedReferences

monkey/monkey_island/cc/resources/agent_binaries.py

@@ -15,7 +15,7 @@ class AgentBinaries(AbstractResource):
     def __init__(self, agent_binary_repository: IAgentBinaryRepository):
         self._agent_binary_repository = agent_binary_repository
 
-    # Used by monkey. can't secure.
+    # Can't be secured, used in manual run commands
     def get(self, os):
         """
         Gets the agent binary for the specified OS

monkey/monkey_island/cc/resources/agent_events.py

@@ -3,13 +3,15 @@
 from typing import Iterable, Optional, Sequence, Tuple, Type
 
 from flask import request
+from flask_security import auth_token_required, roles_accepted
 
 from common.agent_event_serializers import EVENT_TYPE_FIELD, AgentEventSerializerRegistry
 from common.agent_events import AbstractAgentEvent, AgentEventRegistry
 from common.event_queue import IAgentEventQueue
 from common.types import JSONSerializable
 from monkey_island.cc.flask_utils import AbstractResource
 from monkey_island.cc.repositories import IAgentEventRepository
+from monkey_island.cc.services.authentication_service import AccountRole
 
 logger = logging.getLogger(__name__)
 
@@ -29,7 +31,8 @@ def __init__(
         self._agent_event_repository = agent_event_repository
         self._agent_event_registry = agent_event_registry
 
-    # Agents need this. Can't secure.
+    @auth_token_required
+    @roles_accepted(AccountRole.AGENT.name)
     def post(self):
         events = request.json
 
@@ -45,6 +48,8 @@ def post(self):
 
         return {}, HTTPStatus.NO_CONTENT
 
+    @auth_token_required
+    @roles_accepted(AccountRole.ISLAND_INTERFACE.name)
     def get(self):
         try:
             type_, success = self._parse_event_filter_args()

monkey/monkey_island/cc/resources/agent_heartbeat.py

@@ -2,11 +2,13 @@
 from json import JSONDecodeError
 
 from flask import request
+from flask_security import auth_token_required, roles_accepted
 
 from common import AgentHeartbeat as AgentHeartbeatObject
 from common.types import AgentID
 from monkey_island.cc.event_queue import IIslandEventQueue, IslandEventTopic
 from monkey_island.cc.flask_utils import AbstractResource
+from monkey_island.cc.services.authentication_service import AccountRole
 
 
 class AgentHeartbeat(AbstractResource):
@@ -15,7 +17,8 @@ class AgentHeartbeat(AbstractResource):
     def __init__(self, island_event_queue: IIslandEventQueue):
         self._island_event_queue = island_event_queue
 
-    # Used by the agent. Can't secure.
+    @auth_token_required
+    @roles_accepted(AccountRole.AGENT.name)
     def post(self, agent_id: AgentID):
         try:
             heartbeat = AgentHeartbeatObject(**request.json)

monkey/monkey_island/cc/resources/agent_logs.py

@@ -2,7 +2,7 @@
 from http import HTTPStatus
 
 from flask import request
-from flask_security import auth_token_required, roles_required
+from flask_security import auth_token_required, roles_accepted
 
 from common.types import AgentID
 from monkey_island.cc.flask_utils import AbstractResource
@@ -19,7 +19,7 @@ def __init__(self, agent_log_repository: IAgentLogRepository):
         self._agent_log_repository = agent_log_repository
 
     @auth_token_required
-    @roles_required(AccountRole.ISLAND_INTERFACE.name)
+    @roles_accepted(AccountRole.ISLAND_INTERFACE.name)
     def get(self, agent_id: AgentID):
         try:
             log_contents = self._agent_log_repository.get_agent_log(agent_id)
@@ -29,6 +29,8 @@ def get(self, agent_id: AgentID):
 
         return log_contents, HTTPStatus.OK
 
+    @auth_token_required
+    @roles_accepted(AccountRole.AGENT.name)
     def put(self, agent_id: AgentID):
         log_contents = request.json
 

monkey/monkey_island/cc/resources/agent_plugins.py

@@ -2,11 +2,13 @@
 from http import HTTPStatus
 
 from flask import make_response
+from flask_security import auth_token_required, roles_accepted
 
 from common import OperatingSystem
 from common.agent_plugins import AgentPluginType
 from monkey_island.cc.flask_utils import AbstractResource
 from monkey_island.cc.repositories import IAgentPluginRepository, UnknownRecordError
+from monkey_island.cc.services.authentication_service import AccountRole
 
 logger = logging.getLogger(__name__)
 
@@ -17,7 +19,8 @@ class AgentPlugins(AbstractResource):
     def __init__(self, agent_plugin_repository: IAgentPluginRepository):
         self._agent_plugin_repository = agent_plugin_repository
 
-    # Used by monkey. can't secure.
+    @auth_token_required
+    @roles_accepted(AccountRole.AGENT.name)
     def get(self, host_os: str, plugin_type: str, name: str):
         """
         Get the plugin of the specified operating system, type and name.

monkey/monkey_island/cc/resources/agent_plugins_manifest.py

@@ -2,6 +2,7 @@
 from http import HTTPStatus
 
 from flask import make_response
+from flask_security import auth_token_required, roles_accepted
 
 from common import HARD_CODED_EXPLOITER_MANIFESTS
 from common.agent_plugins import AgentPluginManifest, AgentPluginType
@@ -13,6 +14,7 @@
 )
 from monkey_island.cc.flask_utils import AbstractResource
 from monkey_island.cc.repositories import IAgentPluginRepository
+from monkey_island.cc.services.authentication_service import AccountRole
 
 logger = logging.getLogger(__name__)
 
@@ -23,7 +25,8 @@ class AgentPluginsManifest(AbstractResource):
     def __init__(self, agent_plugin_repository: IAgentPluginRepository):
         self._agent_plugin_repository = agent_plugin_repository
 
-    # Used by monkey. can't secure.
+    @auth_token_required
+    @roles_accepted(AccountRole.AGENT.name)
     def get(self, plugin_type: str, name: str):
         """
         Get the plugin manifest of the specified type and name.

monkey/monkey_island/cc/resources/agent_signals/agent_signals.py

@@ -1,9 +1,12 @@
 import logging
 from http import HTTPStatus
 
+from flask_security import auth_token_required, roles_accepted
+
 from common.types import AgentID
 from monkey_island.cc.flask_utils import AbstractResource
 from monkey_island.cc.services import AgentSignalsService
+from monkey_island.cc.services.authentication_service import AccountRole
 
 logger = logging.getLogger(__name__)
 
@@ -17,7 +20,8 @@ def __init__(
     ):
         self._agent_signals_service = agent_signals_service
 
-    # Used by Agent. Can't secure.
+    @auth_token_required
+    @roles_accepted(AccountRole.AGENT.name)
     def get(self, agent_id: AgentID):
         agent_signals = self._agent_signals_service.get_signals(agent_id)
         return agent_signals.dict(simplify=True), HTTPStatus.OK

monkey/monkey_island/cc/resources/agent_signals/terminate_all_agents.py

@@ -3,7 +3,7 @@
 from json import JSONDecodeError
 
 from flask import request
-from flask_security import auth_token_required, roles_required
+from flask_security import auth_token_required, roles_accepted
 
 from monkey_island.cc.event_queue import IIslandEventQueue, IslandEventTopic
 from monkey_island.cc.flask_utils import AbstractResource
@@ -23,7 +23,7 @@ def __init__(
         self._island_event_queue = island_event_queue
 
     @auth_token_required
-    @roles_required(AccountRole.ISLAND_INTERFACE.name)
+    @roles_accepted(AccountRole.ISLAND_INTERFACE.name)
     def post(self):
         try:
             terminate_all_agents = TerminateAllAgentsObject(**request.json)