Merge branch 'next-js-prototype' into develop

Issue #3793
PR #3896

.travis.yml

@@ -83,6 +83,14 @@ jobs:
         - JS_WARNINGS_AMOUNT_UPPER_LIMIT=0
         - eslint ./src --max-warnings $JS_WARNINGS_AMOUNT_UPPER_LIMIT  # test for max warnings
 
+        # check NextJS code.
+        - cd ../next_ui
+        - npm ci  # see https://docs.npmjs.com/cli/ci.html
+        - eslint ./src --quiet  # test for errors
+        - JS_WARNINGS_AMOUNT_UPPER_LIMIT=0
+        - eslint ./src --max-warnings $JS_WARNINGS_AMOUNT_UPPER_LIMIT  # test for max warnings
+
+
         # build documentation
         - cd $TRAVIS_BUILD_DIR/docs
         - ../hugo --verbose --environment staging

CHANGELOG.md

@@ -6,8 +6,8 @@ The format is based on [Keep a
 Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
-
 ### Added
+- Configurable Island port through node proxy server. #3827
 - Ability to change wallpaper as part of the ransomware simulation on Windows.
   #1247
 

build_scripts/appimage/AppRun

@@ -4,17 +4,23 @@
 self="$(readlink -f -- $0)"
 here="${self%/*}"
 APPDIR="${APPDIR:-${here}}"
+FEATURE_FLAGS="${FEATURE_FLAGS}"
 
 # Export SSL certificate
 export SSL_CERT_FILE="${APPDIR}/opt/_internal/certs.pem"
 
-if [ "$1" == "service" ] ; then
+if [ "$1" == "service" ]; then
     exec /bin/bash "${APPDIR}/install-infection-monkey-service.sh" ${@:2}
 fi
 
+# Check if running as root
+if [ "$EUID" -eq 0 ]; then
+    echo "AppImage: Warning: running as root is not recommended. You should instead run the AppImage as a regular user."
+    echo "AppImage: If you want to run the Agent as root, do so by choosing manual run mode."
+fi
+
 # Call the entry point
-for opt in "$@"
-do
+for opt in "$@"; do
     [ "${opt:0:1}" != "-" ] && break
     if [[ "${opt}" =~ "I" ]] || [[ "${opt}" =~ "E" ]]; then
         # Environment variables are disabled ($PYTHONHOME). Let's run in a safe
@@ -24,7 +30,19 @@ do
     fi
 done
 
+
 export PYTHONNOUSERSITE=1
-(PYTHONHOME="${APPDIR}/opt/python3.11" exec "${APPDIR}/opt/python3.11/bin/python3.11" "${APPDIR}/usr/src/monkey_island.py" $@)
+
+run_island="${APPDIR}/opt/python3.11/bin/python3.11 ${APPDIR}/usr/src/monkey_island.py"
+
+if [[ -z ${MONKEY_APPIMAGE_SERVICE_RUN+x} ]]; then
+    # Save HOME and USER because capsh changes them. Until ubuntu adds --noenv option we have to rely on a workaround
+    home_original=$HOME
+    user_original=$USER
+
+    (PYTHONHOME="${APPDIR}/opt/python3.11" sudo capsh --keep=1 --user=${user_original} --inh=cap_net_bind_service --addamb=cap_net_bind_service -- -c "env HOME=${home_original} USER=${user_original} FEATURE_FLAGS=${FEATURE_FLAGS} ${run_island}" "$@")
+else
+    (PYTHONHOME="${APPDIR}/opt/python3.11" ${run_island})
+fi
 
 exit "$?"

build_scripts/appimage/appimage.sh

@@ -42,12 +42,19 @@ setup_build_dir() {
   copy_infection_monkey_service_to_build_dir
   modify_deployment "$deployment_type" "$BUILD_DIR"
   add_agent_binaries_to_build_dir "$agent_binary_dir" "$BUILD_DIR"
+  add_node_to_build_dir "$BUILD_DIR" || handle_error
 
   install_monkey_island_python_dependencies
   install_mongodb
 
   generate_ssl_cert "$BUILD_DIR"
-  build_frontend "$BUILD_DIR" "$is_release_build"
+  if [[ $FEATURE_FLAGS == *"NEXT_JS_UI"* ]]; then
+    log_message "Building Next.js frontend"
+    build_nextjs_frontend "$BUILD_DIR" "$is_release_build"
+  else
+    log_message "Building legacy frontend"
+    build_frontend "$BUILD_DIR" "$is_release_build"
+  fi
 
   remove_python_appdir_artifacts
 
@@ -62,7 +69,8 @@ setup_python_appdir() {
 
   chmod u+x "$PYTHON_APPIMAGE"
 
-  "./$PYTHON_APPIMAGE" --appimage-extract
+  log_message "extracting Python Appimage"
+  "./$PYTHON_APPIMAGE" --appimage-extract 1>/dev/null
   rm "$PYTHON_APPIMAGE"
 }
 

build_scripts/appimage/install-infection-monkey-service.sh

@@ -37,7 +37,7 @@ install_service() {
   install_systemd_unit "$1"
 
   echo "The Infection Monkey service has been installed and will start on boot."
-  echo "Run 'systemctl start infection-monkey' to start the service now."
+  echo "Run 'sudo systemctl start infection-monkey' to start the service now."
 }
 
 exit_if_service_installed() {
@@ -68,7 +68,9 @@ After=network.target
 [Service]
 User=$1
 Type=simple
+Environment="MONKEY_APPIMAGE_SERVICE_RUN=1"
 ExecStart="${MONKEY_BIN}/${APPIMAGE_NAME}"
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 
 [Install]
 WantedBy=multi-user.target

build_scripts/common.sh

@@ -4,14 +4,10 @@ copy_monkey_island_to_build_dir() {
   local src=$1
   local build_dir=$2
 
-  cp "$src"/__init__.py "$build_dir"
   cp "$src"/monkey_island.py "$build_dir"
   cp -r "$src"/common "$build_dir/"
 
-  rsync \
-      -ar \
-      --exclude=monkey_island/cc/ui/node_modules \
-      --exclude=monkey_island/cc/ui/.npm \
+  rsync -ar \
       "$src"/monkey_island "$build_dir/"
 }
 
@@ -22,6 +18,12 @@ modify_deployment() {
   fi
 }
 
+add_node_to_build_dir() {
+  local build_dir="$1"
+  local node_dir="$build_dir/monkey_island/bin/node"
+  "$build_dir/monkey_island/linux/install_node.sh" "${node_dir}"
+}
+
 add_agent_binaries_to_build_dir() {
   local agent_binary_dir=$1
   local island_binaries_path="$2/monkey_island/cc/binaries/"
@@ -72,6 +74,27 @@ generate_ssl_cert() {
   "$island_path"/linux/create_certificate.sh "$island_path"/cc
 }
 
+build_nextjs_frontend() {
+  local ui_dir="$1/monkey_island/cc/next_ui"
+  local is_release_build=$2
+  mkdir -p "$ui_dir"
+  pushd "$ui_dir" || handle_error
+
+  log_message "Generating front end"
+  npm ci
+  log_message "Running production front end build"
+  npm run build
+
+  log_message "Removing development artifacts"
+  mv "${ui_dir}/.next/standalone" "${ui_dir}/standalone"
+  rm -rf "${ui_dir}/.next"
+  mkdir "${ui_dir}/.next"
+  mv "${ui_dir}/standalone" "${ui_dir}/.next"
+  log_message "Next.js standalone deployment built successfully"
+
+  popd || handle_error
+}
+
 build_frontend() {
   local ui_dir="$1/monkey_island/cc/ui"
   local is_release_build=$2
@@ -89,12 +112,6 @@ build_frontend() {
 
   popd || handle_error
 
-  remove_node_modules "$ui_dir"
-}
-
-remove_node_modules() {
-  # Node has served its purpose. We don't need to deliver the node modules with
-  # the package.
   rm -rf "$1/node_modules"
   rm -rf "$1/.npm"
 }

build_scripts/docker/Dockerfile

@@ -18,6 +18,8 @@ FROM python:$PYTHON_VERSION-slim
 COPY --from=builder /monkey /monkey
 WORKDIR /monkey
 EXPOSE 5000
+# Javascript runtime server is running on port 443 by default
+EXPOSE 443
 ENV MONKEY_DOCKER_CONTAINER=true
 RUN apt-get update \
     && apt-get install -y iputils-ping \
@@ -29,6 +31,8 @@ RUN apt-get update \
     && chmod 444 /monkey/monkey_island/cc/server.crt \
     && mkdir /monkey_island_data \
     && chmod 700 /monkey_island_data \
-    && chown -R monkey-island:monkey-island /monkey_island_data
+    && chown -R monkey-island:monkey-island /monkey_island_data \
+    && setcap 'cap_net_bind_service=+ep' /monkey/monkey_island/bin/node/node
+
 USER monkey-island
 ENTRYPOINT ["/monkey/entrypoint.sh"]

build_scripts/docker/docker.sh

@@ -21,10 +21,15 @@ setup_build_dir() {
   copy_server_config_to_build_dir "$build_dir"
   modify_deployment "$deployment_type" "$build_dir"
   add_agent_binaries_to_build_dir "$agent_binary_dir" "$build_dir"
+  add_node_to_build_dir "$build_dir" || handle_error
 
   generate_ssl_cert "$build_dir"
 
-  build_frontend "$build_dir" "$is_release_build"
+  if [[ $FEATURE_FLAGS == *"NEXT_JS_UI"* ]]; then
+    build_nextjs_frontend "$build_dir" "$is_release_build"
+  else
+    build_frontend "$build_dir" "$is_release_build"
+  fi
 }
 
 copy_entrypoint_to_build_dir() {

deployment_scripts/deploy_linux.sh

@@ -70,6 +70,7 @@ fi
 # We can set main paths after we know the home dir
 ISLAND_PATH="$monkey_home/monkey/monkey_island"
 MONGO_PATH="$ISLAND_PATH/bin/mongodb"
+NODE_SERVER_PATH="$ISLAND_PATH/bin/node"
 ISLAND_BINARIES_PATH="$ISLAND_PATH/cc/binaries"
 INFECTION_MONKEY_DIR="$monkey_home/monkey/infection_monkey"
 MONKEY_BIN_DIR="$INFECTION_MONKEY_DIR/bin"
@@ -191,6 +192,9 @@ log_message "Generating certificate"
 chmod u+x "${ISLAND_PATH}"/linux/create_certificate.sh
 "${ISLAND_PATH}"/linux/create_certificate.sh ${ISLAND_PATH}/cc
 
+# Install node server
+"${ISLAND_PATH}"/linux/install_node.sh "${NODE_SERVER_PATH}" || handle_error
+
 # Update node
 if ! exists npm; then
   log_message "Installing nodejs"
@@ -235,7 +239,7 @@ pushd "$ISLAND_PATH/cc/ui" || handle_error
 npm ci
 
 log_message "Generating front end"
-npm run dev
+npm run build
 popd || handle_error
 
 # Making dir for binaries

deployment_scripts/deploy_windows.ps1

@@ -201,6 +201,10 @@ function Deploy-Windows([String] $monkey_home = (Get-Item -Path ".\").FullName,
     $install_mongo_script = (Join-Path -Path $monkey_home -ChildPath "$MONKEY_ISLAND_DIR\windows\install_mongo.ps1")
     Invoke-Expression "$install_mongo_script -binDir $binDir"
 
+    $install_node_script = (Join-Path -Path $monkey_home -ChildPath "$MONKEY_ISLAND_DIR\windows\install_node.ps1")
+    $node_server_dir = (Join-Path -Path $binDir -ChildPath "node")
+    Invoke-Expression "$install_node_script -destinationDir $node_server_dir"
+
     # Download OpenSSL
     Print-Status "Downloading OpenSSL ..."
     $webClient.DownloadFile($OPEN_SSL_URL, $TEMP_OPEN_SSL_ZIP)
@@ -238,7 +242,7 @@ function Deploy-Windows([String] $monkey_home = (Get-Item -Path ".\").FullName,
     Print-Status "Updating npm"
     Push-Location -Path (Join-Path -Path $monkey_home -ChildPath $MONKEY_ISLAND_DIR | Join-Path -ChildPath "\cc\ui")
     & npm update
-    & npm run dev
+    & npm run build
     Pop-Location
 
     # Create infection_monkey/bin directory if not already present

docs/content/FAQ/_index.md

@@ -20,6 +20,7 @@ Below are some of the most common questions we receive about the Infection Monke
   - [Downloading logs](#downloading-logs)
   - [Log locations](#log-locations)
   - [Monkey Island Server logs](#monkey-island-server-logs)
+  - [Monkey Island UI logs](#monkey-island-ui-logs)
   - [Infection Monkey Agent logs](#infection-monkey-agent-logs)
 - [Running the Infection Monkey in a production environment](#running-the-infection-monkey-in-a-production-environment)
   - [How much of a footprint does the Infection Monkey leave?](#how-much-of-a-footprint-does-the-infection-monkey-leave)
@@ -198,6 +199,14 @@ It's also possible to change the default log level by editing `log_level` value
 `log_level` can be set to `info`(default, less verbose) or `debug`(more verbose).
 
 
+#### Monkey Island UI logs
+
+The Monkey Island's UI log file (`nextjs.log`) is located in the
+[data directory]({{< ref "/reference/data_directory" >}}).
+
+This log contains the output of the server process hosting the web interface.
+
+
 #### Infection Monkey Agent logs
 
 The Infection Monkey Agent log file can be found in directories specified for

docs/content/_index.md

@@ -24,7 +24,7 @@ Hub Logo")
 
 ## How it works
 
-Architecturally, Infection Monkey is comprised of two components:
+Architecturally, Infection Monkey comprises two components:
 
 * Monkey Agent (Monkey for short) - a safe, worm-like binary program which
   scans, propagates and simulates attack techniques on the **local network**.
@@ -34,7 +34,7 @@ Architecturally, Infection Monkey is comprised of two components:
 The user can run the Monkey Agent on the Island Server machine or distribute
 Monkey Agent binaries on the network manually. Based on the configuration
 parameters, Monkey Agents scan, propagate and simulate an attacker's behavior
-on the local network. All of the information gathered about the network is
+on the local network. All the information gathered about the network is
 aggregated in the Island Server and displayed once all Monkey Agents are
 finished.
 

docs/content/reference/server_configuration.md

@@ -8,13 +8,19 @@ weight: 1
 
 ## Configuring the Monkey Island
 
-The Monkey Island Server is configured by creating a `server_config.json` file.
+The Monkey Island Server is configured through the `server_config.json` file.
+
+{{% notice info %}}
+Refer to the [setup guides](../../setup/) to learn how to use
+the `server_config.json` file for each deployment.
+{{% /notice %}}
 
 ### Creating a configuration file
 
 Here's an example `server_config.json` with all options specified:
 ```json
 {
+  "island_port": 443,
   "log_level": "DEBUG",
   "ssl_certificate": {
     "ssl_certificate_file": "<PATH_TO_CRT_FILE>",
@@ -41,6 +47,7 @@ Only relevant options can be specified, for example:
 
 See setup instructions for your operating system to understand how to apply these.
 
+ - `island_port` - Port used by the Island C&C server. Default is `443`.
  - `log_level` - can be set to `"DEBUG"`(verbose), `"INFO"`(less verbose) or `"ERROR"`(silent, except errors).
  - `ssl_certificate` - contains paths for files, required to run the Island Server with custom certificate.
  - `data_dir` - path to a writeable directory where the Island will store the database and other files.

docs/content/setup/aws.md

@@ -22,12 +22,17 @@ At this point, AWS will instance and deploy the new machine.
 
 When ready, you can browse to the Infection Monkey running on the fresh deployment at:
 
-`https://{public-ip}:5000`
+`https://{public-ip}`
 
 To login to the machine, use *ubuntu* username.
 
 Once you have access to the Monkey Island server, check out the [getting started page]({{< ref "/usage/getting-started" >}}).
 
+## Configuration
+
+AWS EC2 instance is running the AppImage deployment of the Infection Monkey. To configure the VM, shell
+into it and follow configuration instructions in the [Linux setup section]({{< ref "/setup/linux#configuring-the-server" >}}).
+
 ## Integration with AWS services
 
 The Infection Monkey has built-in integrations with AWS that allows running Agents on EC2 instances.

docs/content/setup/azure.md

@@ -26,10 +26,15 @@ Select the [Infection Monkey from the Azure Marketplace](https://azuremarketplac
 At this point, Azure will provision and deploy your new machine. When ready,
 you can browse to the Infection Monkey running on your fresh deployment at:
 
-`https://{public-ip-address}:5000`
+`https://{public-ip-address}`
 
 Once you have access to the Monkey Island server, check out the [getting started page]({{< ref "/usage/getting-started" >}}).
 
+## Configuration
+
+Azure VM is running the AppImage deployment of the Infection Monkey. To configure the VM, shell
+into it and follow configuration instructions in the [Linux setup section]({{< ref "/setup/linux#configuring-the-server" >}}).
+
 ## Upgrading
 
 Currently, there's no "upgrade-in-place" option when a new version is released.