Secure endpoints #3203

shreyamalviya · 2023-04-06T12:08:26Z

What does this PR do?

Fixes a part of #3078

What's left:

Making sure BB tests work

PR Checklist

Have you added an explanation of what your changes do and why you'd like to include them?
Is the TravisCI build passing?
Was the CHANGELOG.md updated to reflect the changes?
~~Was the documentation framework updated to reflect the changes?~~
Have you checked that you haven't introduced any duplicate code?

Testing Checklist

~~Added relevant unit tests?~~
Do all unit tests pass?
Do all end-to-end tests pass?
Any other testing performed?

Tested manually by running the Agent and Island
~~If applicable, add screenshots or log transcripts of the feature working~~

codecov · 2023-04-06T12:19:28Z

Codecov Report

Patch coverage has no change and project coverage change: +0.11 🎉

Comparison is base (768a656) 73.02% compared to head (40f15b1) 73.14%.

❗ Current head 40f15b1 differs from pull request most recent head 4bd5e5c. Consider uploading reports for the commit 4bd5e5c to get more accurate results

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #3203      +/-   ##
===========================================
+ Coverage    73.02%   73.14%   +0.11%     
===========================================
  Files          469      469              
  Lines        13566    13616      +50     
===========================================
+ Hits          9907     9959      +52     
+ Misses        3659     3657       -2

see 21 files with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

mssalvatore

The roles assigned to the endpoints look good to me.

cakekoa · 2023-04-06T16:22:34Z

monkey/monkey_island/cc/resources/agent_binaries.py

Note: We currently use this endpoint in the manual run commands to fetch the agent binaries. Requiring authentication would cause the manual run commands to fail

Good catch, I'll remove it

cakekoa · 2023-04-06T16:51:04Z

monkey/monkey_island/cc/resources/propagation_credentials.py

@@ -29,7 +32,8 @@ def get(self, collection=None):

        return propagation_credentials, HTTPStatus.OK

-    # Used by Agent. Can't secure.
+    @auth_token_required
+    @roles_accepted(AccountRole.AGENT.name, AccountRole.ISLAND_INTERFACE.name)


Do agents actually need to put propagation credentials?

I suppose they don't, since they send them via events.

monkey/monkey_island/cc/resources/agent_binaries.py

- adds a comment where it can't be done - changes @roles_required (requires caller to have all the specified roles) to @roles_accepted (requires caller to have one of the specified roles) where applicable - adds @include_auth_token to AgentOTPLogin resource

envs/monkey_zoo/blackbox/test_blackbox.py

mssalvatore · 2023-04-07T12:15:37Z

monkey/infection_monkey/monkey.py

+        # if OTP_FLAG not in os.environ:
+        #     return OTP("PLACEHOLDER_OTP")


Either we can leave this or remove it. I'm not sure this PR is the right place to remove it.

Just a temporary commit for testing

mssalvatore · 2023-04-07T12:21:13Z

envs/monkey_zoo/blackbox/island_client/agent_requests.py

+    pass
+
+
+class AgentRequests(IMonkeyIslandRequests):


Should we just use infection_monkey.island_api_client.IIslandAPIClient?

Pros:

Less code in BB tests

Adds a quick, ETE test for HTTPIslandAPIClient

Cons:

Couples the tests to that component

I don't like it. These tests shouldn't know anything about the internals. We don't do anything like this anywhere else in the BB tests either.

There were too many things called 'requests'.

shreyamalviya force-pushed the 3078-secure-endpoints branch from e1445f5 to b841c28 Compare April 6, 2023 13:45

mssalvatore force-pushed the 3078-secure-endpoints branch from 5ad0924 to 395a714 Compare April 6, 2023 14:12

mssalvatore reviewed Apr 6, 2023

View reviewed changes

mssalvatore force-pushed the 3078-secure-endpoints branch 2 times, most recently from 9193972 to 40f15b1 Compare April 6, 2023 14:45

cakekoa reviewed Apr 6, 2023

View reviewed changes

cakekoa force-pushed the 3078-secure-endpoints branch from f64d0e5 to 168cbd7 Compare April 6, 2023 20:44

ilija-lazoroski reviewed Apr 7, 2023

View reviewed changes

monkey/monkey_island/cc/resources/agent_binaries.py Outdated Show resolved Hide resolved

ilija-lazoroski reviewed Apr 7, 2023

View reviewed changes

monkey/monkey_island/cc/resources/agent_binaries.py Show resolved Hide resolved

shreyamalviya and others added 9 commits April 7, 2023 14:16

Island: Remove unused code in Root resource

452e92f

UT: Add Agent role to user in auth system

f698b41

Island: Improve comment in AgentOTPLogin

20f3332

UT: Fix logout tests

2db8a88

BB: Test island role authentication

6bc70e9

BB: Test agent role authentication

2ae796c

Island: Remove Agent role from propagation_credentials PUT

f03680f

Island: Remove authentication requirement from AgentBinaries GET

2127563

shreyamalviya force-pushed the 3078-secure-endpoints branch from d93489d to 2127563 Compare April 7, 2023 08:46

mssalvatore reviewed Apr 7, 2023

View reviewed changes

envs/monkey_zoo/blackbox/test_blackbox.py Outdated Show resolved Hide resolved

mssalvatore reviewed Apr 7, 2023

View reviewed changes

envs/monkey_zoo/blackbox/test_blackbox.py Outdated Show resolved Hide resolved

mssalvatore reviewed Apr 7, 2023

View reviewed changes

shreyamalviya added 5 commits April 7, 2023 18:48

Island: Add create_user() to AuthenticationFacade

4e18a5c

Island: Change how Agent user is created in AgentOTPLogin POST

e10ac84

BB: Rename constant FAKE_UUID -> UUID

b6916b2

BB: Remove useless comments in test_blackbox.py

ebf3ba1

Island: Make some variable names specific in test_blackbox.py

43c6673

There were too many things called 'requests'.

UT: Fix AgentOTPLogin success test

4bd5e5c

shreyamalviya force-pushed the 3078-secure-endpoints branch 2 times, most recently from fcc5b60 to 4bd5e5c Compare April 7, 2023 13:31

mssalvatore marked this pull request as ready for review April 7, 2023 14:30

mssalvatore approved these changes Apr 7, 2023

View reviewed changes

mssalvatore merged commit 778ba92 into develop Apr 7, 2023

mssalvatore deleted the 3078-secure-endpoints branch April 7, 2023 14:31

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Secure endpoints #3203

Secure endpoints #3203

shreyamalviya commented Apr 6, 2023 •

edited

Loading

codecov bot commented Apr 6, 2023 •

edited

Loading

mssalvatore left a comment

cakekoa Apr 6, 2023

shreyamalviya Apr 7, 2023

cakekoa Apr 6, 2023

mssalvatore Apr 6, 2023

shreyamalviya Apr 7, 2023

mssalvatore Apr 7, 2023

shreyamalviya Apr 7, 2023

mssalvatore Apr 7, 2023

shreyamalviya Apr 7, 2023

		# if OTP_FLAG not in os.environ:
		# return OTP("PLACEHOLDER_OTP")

Secure endpoints #3203

Secure endpoints #3203

Conversation

shreyamalviya commented Apr 6, 2023 • edited Loading

What does this PR do?

PR Checklist

Testing Checklist

codecov bot commented Apr 6, 2023 • edited Loading

Codecov Report

mssalvatore left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

shreyamalviya commented Apr 6, 2023 •

edited

Loading

codecov bot commented Apr 6, 2023 •

edited

Loading