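def getConfigExtended(self):
    """Populate ``self.config`` and ``self.token``, reusing values cached in the environment.

    When ``FALCONPY_DEBUG_TOKEN`` is already set, the token, client ID and
    client secret are read back from the ``FALCONPY_DEBUG_*`` variables and
    no token request is made. Otherwise ``self.getConfig()`` is called, an
    OAuth2 object is built from ``self.config`` and a token is requested.

    Returns:
        The access token string, or ``False`` when no token could be obtained.
    """
    if "FALCONPY_DEBUG_TOKEN" in os.environ:
        self.token = os.environ["FALCONPY_DEBUG_TOKEN"]
        self.config = {
            "falcon_client_id": os.environ["FALCONPY_DEBUG_CLIENT_ID"],
            "falcon_client_secret": os.environ["FALCONPY_DEBUG_CLIENT_SECRET"],
            # Fall back to the default API host when no override is exported
            "falcon_base_url": os.environ.get("DEBUG_API_BASE_URL", "https://api.crowdstrike.com"),
        }
        return self.token

    if not self.getConfig():
        # Without a loaded configuration there is nothing to authenticate with;
        # report failure the same way a rejected token request does.
        self.token = False
        return self.token

    # NOTE(security): the client secret (and, below, the bearer token) are
    # written to os.environ, so every child process started afterwards
    # inherits them. Keep this to debug/test runs.
    os.environ["FALCONPY_DEBUG_CLIENT_ID"] = self.config["falcon_client_id"]
    os.environ["FALCONPY_DEBUG_CLIENT_SECRET"] = self.config["falcon_client_secret"]
    self.authorization = FalconAuth.OAuth2(
        creds={
            "client_id": self.config["falcon_client_id"],
            "client_secret": self.config["falcon_client_secret"],
        },
        base_url=self.config["falcon_base_url"],
    )
    try:
        self.token = self.authorization.token()['body']['access_token']
    except KeyError:
        # The response carried no access token
        self.token = False
    else:
        # Cache the token so later calls skip the token request
        os.environ["FALCONPY_DEBUG_TOKEN"] = self.token
    return self.token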
def serviceCCAWS_AuthWithObject(self):
    """Report whether a Cloud_Connect_AWS client built from an OAuth2 object is authenticated."""
    # ``auth`` is defined outside this method and supplies the loaded credentials
    oauth = FalconAuth.OAuth2(creds={
        "client_id": auth.config["falcon_client_id"],
        "client_secret": auth.config["falcon_client_secret"],
    })
    client = FalconAWS.Cloud_Connect_AWS(auth_object=oauth)
    return client.authenticated()
def serviceAny_TestBadCredRevoke(self):
    """Call revoke() on an OAuth2 object created without credentials and check the status code."""
    unauthenticated = FalconAuth.OAuth2()
    response = unauthenticated.revoke("Will generate a 403")
    # Passes only when the failure is reported with one of the allowed status codes
    return response["status_code"] in AllowedResponses
def serviceAny_TestBadObjectAuth(self):
    """Query through a client whose OAuth2 object was created without credentials."""
    # Should also test bad direct auth in the authentication class
    empty_auth = FalconAuth.OAuth2()
    client = FalconAWS(auth_object=empty_auth)
    response = client.QueryAWSAccounts()
    return response["status_code"] in AllowedResponses
def serviceCCAWS_AuthWithObject(self):
    """Report whether a CloudConnectAWS client built from an OAuth2 object is authenticated.

    The test is skipped when the token request is answered with HTTP 429.
    """
    oauth = FalconAuth.OAuth2(
        creds={
            "client_id": auth.config["falcon_client_id"],
            "client_secret": auth.config["falcon_client_secret"],
        },
        base_url=auth.config["falcon_base_url"],
    )
    client = CloudConnectAWS(auth_object=oauth)
    token_response = client.auth_object.token()
    if token_response["status_code"] == 429:
        # A rate-limited token request says nothing about the code under test
        pytest.skip("Rate limit hit")
    return client.authenticated()
def load_api_config():
    """Build an OAuth2 object from the JSON config file named by ``Config.config_file``.

    The file must provide ``falcon_client_id`` and ``falcon_client_secret``;
    a missing key raises ``KeyError``.
    """
    with open(Config.config_file, 'r') as handle:
        settings = json.load(handle)
    # NOTE(review): the file holds the API client secret in clear text - confirm
    # it is kept out of version control and readable only by its owner.
    credentials = {
        "client_id": settings["falcon_client_id"],
        "client_secret": settings["falcon_client_secret"],
    }
    return FalconAuth.OAuth2(creds=credentials)
def serviceAny_TestObjectAuth(self):
    """Query through a client whose OAuth2 object was built from keyword credentials."""
    # Should also test direct auth in the authentication class
    oauth = FalconAuth.OAuth2(
        client_id=auth.config["falcon_client_id"],
        client_secret=auth.config["falcon_client_secret"],
    )
    # Request a token up front, before the object is handed to the service class
    oauth.token()
    client = FalconAWS(auth_object=oauth)
    response = client.QueryAWSAccounts()
    return response["status_code"] in AllowedResponses
def serviceAny_TestBadObjectAuth(self):
    """Query through a client whose OAuth2 object carries placeholder credentials."""
    # Deliberately invalid values: the request is expected to be rejected
    bogus_auth = FalconAuth.OAuth2(creds={
        "client_id": "ThisAlso",
        "client_secret": "WontWork",
    })
    client = FalconAWS(auth_object=bogus_auth)
    response = client.QueryAWSAccounts()
    return response["status_code"] in AllowedResponses
def serviceAny_TestStaleObjectAuth(self):
    """Query through a client whose OAuth2 object never had token() called on it here."""
    # Configured credentials, but no explicit token request before the query
    oauth = FalconAuth.OAuth2(creds={
        "client_id": auth.config["falcon_client_id"],
        "client_secret": auth.config["falcon_client_secret"],
    })
    client = FalconAWS(auth_object=oauth)
    response = client.QueryAWSAccounts()
    return response["status_code"] in AllowedResponses
def serviceCCAWS_RefreshToken(self):
    """Expire the current token by hand, then check a query still returns an allowed status.

    Returns False when the token already reports as expired before the test starts.
    """
    oauth = FalconAuth.OAuth2(creds={
        "client_id": auth.config["falcon_client_id"],
        "client_secret": auth.config["falcon_client_secret"],
    })
    client = FalconAWS.Cloud_Connect_AWS(auth_object=oauth)
    if client.token_expired():
        return False
    # Forcibly expire the current token
    client.auth_object.token_expiration = 0
    # presumably the client requests a fresh token here - verify against the service class
    response = client.QueryAWSAccounts(parameters={"limit": 1})
    return response["status_code"] in AllowedResponses
def serviceCCAWS_InvalidPayloads(self):
    """Send three malformed requests and require a 500 status code for each."""
    oauth = FalconAuth.OAuth2(creds={
        "client_id": auth.config["falcon_client_id"],
        "client_secret": auth.config["falcon_client_secret"],
    })
    client = FalconAWS.Cloud_Connect_AWS(auth_object=oauth)
    # All three requests are always sent, in this order; none short-circuits the others
    status_codes = [
        # misspelled parameter name
        client.QueryAWSAccounts(parameters={"limite": 1})["status_code"],
        # limit given as a string instead of an integer
        client.QueryAWSAccounts(parameters={"limit": "1"})["status_code"],
        # "resources" is a plain string
        client.UpdateAWSAccounts(body={"resources": "I'm gonna go Boom!"})["status_code"],
    ]
    return not any(code != 500 for code in status_codes)
def serviceCCAWS_RefreshToken(self):
    """Expire the current token by hand, then check a query still returns an allowed status.

    Skips on HTTP 429 from the token request; returns False when the token
    already reports as expired before the test starts.
    """
    oauth = FalconAuth.OAuth2(
        creds={
            "client_id": auth.config["falcon_client_id"],
            "client_secret": auth.config["falcon_client_secret"],
        },
        base_url=auth.config["falcon_base_url"],
    )
    client = CloudConnectAWS(auth_object=oauth)
    token_response = client.auth_object.token()
    if token_response["status_code"] == 429:
        pytest.skip("Rate limit hit")
    if client.token_expired():
        return False
    # Forcibly expire the current token
    client.auth_object.token_expiration = 0
    response = client.QueryAWSAccounts(parameters={"limit": 1})
    return response["status_code"] in AllowedResponses
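def serviceAuth(self):
    """Request a token with the configured credentials and report whether one was issued.

    Stores the OAuth2 object on ``self.authorization`` and the token (or
    ``False``) on ``self.token``.

    Returns:
        True when a non-empty access token was obtained, otherwise False.
    """
    self.getConfig()
    self.authorization = FalconAuth.OAuth2(creds={
        'client_id': self.config["falcon_client_id"],
        'client_secret': self.config["falcon_client_secret"]
    })
    try:
        self.token = self.authorization.token()['body']['access_token']
    except Exception:
        # Any failed request or malformed response counts as "no token".
        # Unlike a bare ``except:``, KeyboardInterrupt and SystemExit still
        # propagate, so an interrupted run is not recorded as an auth failure.
        self.token = False
    return bool(self.token)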
def failServiceAuth(self):
    """Authenticate with placeholder credentials against an unusable base URL.

    Returns True when no token was issued, False if one unexpectedly was.
    """
    bad_creds = {
        'client_id': "BadClientID",
        'client_secret': "BadClientSecret",
    }
    self.authorization = FalconAuth.OAuth2(creds=bad_creds)
    # Point the object at a base URL that cannot resolve to the API
    self.authorization.base_url = "nowhere"
    try:
        self.token = self.authorization.token()['body']['access_token']
    except KeyError:
        self.token = False
    # revoke() is called with whatever token value resulted, including False
    self.authorization.revoke(self.token)
    return not self.token
def serviceMSSPAuth(self):
    """Request a token with a ``member_cid`` added to the configured credentials.

    Returns True when the token request answers 201 or 403, otherwise False
    (including when ``getConfig()`` reports failure).
    """
    if not self.getConfig():
        return False
    mssp_creds = {
        'client_id': self.config["falcon_client_id"],
        'client_secret': self.config["falcon_client_secret"],
        'member_cid': '1234567890ABCDEFG',
    }
    authorization = FalconAuth.OAuth2(creds=mssp_creds)
    try:
        response = authorization.token()
        # Prolly an invalid MSSP cred, 403 is correct
        return response["status_code"] in (201, 403)
    except KeyError:
        return False
def serviceCCAWS_InvalidPayloads(self):
    """Send four malformed requests and check each is answered with an expected status.

    The two bad queries must return a code in ``AllowedResponses``; the two
    bad update bodies must return 400. Skips on HTTP 429 from the token request.
    """
    oauth = FalconAuth.OAuth2(
        creds={
            "client_id": auth.config["falcon_client_id"],
            "client_secret": auth.config["falcon_client_secret"],
        },
        base_url=auth.config["falcon_base_url"],
    )
    client = CloudConnectAWS(auth_object=oauth)
    token_response = client.auth_object.token()
    if token_response["status_code"] == 429:
        pytest.skip("Rate limit hit")
    # The list is built eagerly so every request is sent, in this order
    outcomes = [
        # misspelled parameter name
        client.QueryAWSAccounts(parameters={"limite": 1})["status_code"] in AllowedResponses,
        # limit given as a string instead of an integer
        client.QueryAWSAccounts(parameters={"limit": "1"})["status_code"] in AllowedResponses,
        # wrong top-level key
        client.UpdateAWSAccounts(body={"resource": "I'm gonna go Boom!"})["status_code"] == 400,
        # "resources" is a dict
        client.UpdateAWSAccounts(body={"resources": {"id": "I'm gonna go Boom!"}})["status_code"] == 400,
    ]
    return all(outcomes)
else: parser.error("The {} command is not recognized.".format(command)) # These globals exist for all requests falcon_client_id = args.falcon_client_id falcon_client_secret = args.falcon_client_secret log_enabled = args.log_enabled if args.query_limit is None: query_limit = 100 else: query_limit = args.query_limit # =============== MAIN ROUTINE # Authenticate using our provided falcon client_id and client_secret try: authorized = FalconAuth.OAuth2(creds={ 'client_id': falcon_client_id, 'client_secret': falcon_client_secret }) except Exception: # We can't communicate with the endpoint, return a false token authorized.token = lambda: False # Try to retrieve a token from our authentication, returning false on failure try: token = authorized.token()["body"]["access_token"] except Exception: token = False # Confirm the token was successfully retrieved if token: # Connect using our token and return an instance of the API gateway object falcon_discover = FalconAWS.Cloud_Connect_AWS(access_token=token) try:
# Hostname of the machine to contain / release hostname = args.hostname # Default action is to quarantine if args.lift_containment: action = "lift_containment" else: action = "contain" # Use the credentials file provided creds_file = args.creds_file # Load the contents of the creds file into the creds dictionary with open(creds_file) as f: creds = json.load(f) # Create an instance of our OAuth2 authorization class using our ingested creds authorization = FalconAuth.OAuth2( creds={ "client_id": creds['falcon_client_id'], "client_secret": creds['falcon_client_secret'] }) # Try to generate a token try: token = authorization.token()['body']['access_token'] except Exception as e: # Exit out on authentication errors print("Failed to authenticate") print(e) exit(-1) # If we have a token, proceed to the next step if token: # Create an instance of the Hosts class falcon = FalconHosts.Hosts(access_token=token) # Create our parameter payload, using our ingested hostname as a filter