Esempio n. 1
0
 def serviceAny_forceGovCloudAutoSelectFailure(self):
     falcon = OAuth2(client_id=os.environ["CROSS_DEBUG_KEY"],
                     client_secret=os.environ["CROSS_DEBUG_SECRET"],
                     base_url="usgov1"
                     )
     result = falcon.token()
     if result["status_code"] == 201:
         falcon = APIHarness(client_id=os.environ["CROSS_DEBUG_KEY"],
                             client_secret=os.environ["CROSS_DEBUG_SECRET"],
                             base_url="usgov1"
                             )
         t_creds = {
             "client_id": os.environ["CROSS_DEBUG_KEY"],
             "client_secret": os.environ["CROSS_DEBUG_SECRET"],
         }
         result = falcon.command("oauth2AccessToken", data=t_creds, base_url="usgov1")
         if result["status_code"] == 201:
             falcon = CloudConnectAWS(client_id=os.environ["CROSS_DEBUG_KEY"],
                                      client_secret=os.environ["CROSS_DEBUG_SECRET"],
                                      base_url="usgov1"
                                      )
             result = falcon.auth_object.token()
             if result["status_code"] == 429:
                 pytest.skip("Rate limit hit")
             if result["status_code"] == 201:
                 return True
             else:
                 return False
         else:
             return False
     else:
         return False
Esempio n. 2
0
 def uberCCAWS_BadAuthentication(self):
     falcon = APIHarness()
     if falcon.command("QueryAWSAccounts",
                       parameters={"limit":
                                   1})["status_code"] in AllowedResponses:
         return True
     else:
         return False
Esempio n. 3
0
 def uberCCAWS_DisableSSLVerify(self):
     falcon = APIHarness(creds={
         "client_id": config["falcon_client_id"],
         "client_secret": config["falcon_client_secret"]
     },
                         ssl_verify=False,
                         base_url=config["falcon_base_url"])
     if falcon.command("QueryAWSAccounts",
                       parameters={"limit":
                                   1})["status_code"] in AllowedResponses:
         return True
     else:
         return False
Esempio n. 4
0
 def failUberMSSPAuth(self):
     status = self.getConfig()
     if status:
         self.falcon = APIHarness(
             client_id=self.config["falcon_client_id"],
             client_secret=self.config["falcon_client_secret"],
             member_cid="1234567890ABCDEFG")
         self.falcon.authenticate()
         if not self.falcon.authenticated:
             return True
         else:
             return False
     else:
         return False
Esempio n. 5
0
 def uberAuth(self):
     status = self.getConfig()
     if status:
         self.falcon = APIHarness(creds={
             "client_id":
             self.config["falcon_client_id"],
             "client_secret":
             self.config["falcon_client_secret"],
         },
                                  base_url=self.config["falcon_base_url"])
         self.falcon.authenticate()
         if self.falcon.authenticated:
             return True
         else:
             if self.falcon.base_url == "https://api.laggar.gcw.crowdstrike.com":
                 pytest.skip("GovCloud rate limit hit")
             else:
                 return False
     else:
         return False
Esempio n. 6
0
 def serviceAny_forceCrossCloudResponseFailure(self):
     falcon = OAuth2(client_id=os.environ["CROSS_DEBUG_KEY"],
                     client_secret="will_not_work",
                     base_url="us1"
                     )
     result = falcon.token()
     if result["status_code"] == 403:
         falcon = APIHarness(client_id=os.environ["CROSS_DEBUG_KEY"],
                             client_secret="will_not_work",
                             base_url="us1"
                             )
         t_creds = {
             "client_id": os.environ["CROSS_DEBUG_KEY"],
             "client_secret": "shouldn't work",
         }
         result = falcon.command("oauth2AccessToken", data=t_creds, base_url="us1")
         if result["status_code"] in [401, 403]:
             return True
         else:
             return False
     else:
         return False
Esempio n. 7
0
def connect_api(class_type: str = "service"):
    """Connect to the selected API service."""
    with open("../config.json", "r", encoding="utf-8") as cred_file:
        config = json.loads(cred_file.read())

    if class_type.lower() == "service":
        falcon_api = IOC(client_id=config["falcon_client_id"],
                         client_secret=config["falcon_client_secret"])
    elif class_type.lower() == "uber":
        falcon_api = APIHarness(client_id=config["falcon_client_id"],
                                client_secret=config["falcon_client_secret"])
    else:
        falcon_api = None

    return falcon_api
Esempio n. 8
0
    def parse(self, line):
        """Parse the received line."""
        # Return a false if this is a miss
        payload = False
        decoded_line = json.loads(line.decode("utf-8"))
        # Grab our current offset
        cur_offset = decoded_line["metadata"]["offset"]
        # Detections only
        if decoded_line["metadata"]["eventType"] == "DetectionSummaryEvent":
            # Only submit detections that meet our severity threshold
            if int(self.severity_threshold) <= int(
                    decoded_line["event"]["Severity"]):
                creds = {
                    "client_id": self.api_config["falcon_client_id"],
                    "client_secret": self.api_config["falcon_client_secret"]
                }
                # Is this a child detection?
                member_cid = self.current_cid.lower()
                if "customerIDString" in decoded_line["metadata"]:
                    member_cid = decoded_line["metadata"][
                        "customerIDString"].lower()
                if member_cid != self.current_cid.lower():
                    creds["member_cid"] = member_cid
                # Connect to the Hosts API and check all hosts that match this sensor
                falcon = APIHarness(creds=creds, base_url=self.base_url)
                sensor = decoded_line["event"]["SensorId"]
                # print(sensor)
                payload = self.check_records(decoded_line, sensor, falcon,
                                             payload)

            else:
                # Miss - below severity threshold
                self.discarded += 1
        else:
            # Miss - not a detection
            self.discarded += 1

        return payload, cur_offset
Esempio n. 9
0
class TestAuthorization():
    def getConfigObject(self):
        status = self.getConfig()
        if status:
            os.environ["FALCONPY_DEBUG_CLIENT_ID"] = self.config[
                "falcon_client_id"]
            os.environ["FALCONPY_DEBUG_CLIENT_SECRET"] = self.config[
                "falcon_client_secret"]
            self.authorization = OAuth2(
                creds={
                    "client_id": self.config["falcon_client_id"],
                    "client_secret": self.config["falcon_client_secret"]
                },
                base_url=self.config["falcon_base_url"])
        try:
            global shared_token
            if not shared_token:
                shared_token = self.authorization.token(
                )['body']['access_token']
        except KeyError:
            shared_token = False

        return self.authorization

    def getConfigExtended(self):
        if "FALCONPY_DEBUG_TOKEN" in os.environ:
            self.token = os.getenv("FALCONPY_DEBUG_TOKEN")
            self.config = {}
            self.config["falcon_client_id"] = os.environ[
                "FALCONPY_DEBUG_CLIENT_ID"]
            self.config["falcon_client_secret"] = os.environ[
                "FALCONPY_DEBUG_CLIENT_SECRET"]
            if "DEBUG_API_BASE_URL" in os.environ:
                self.config["falcon_base_url"] = os.getenv(
                    "DEBUG_API_BASE_URL")
            else:
                self.config["falcon_base_url"] = "https://api.crowdstrike.com"
        else:
            status = self.getConfig()
            if status:
                os.environ["FALCONPY_DEBUG_CLIENT_ID"] = self.config[
                    "falcon_client_id"]
                os.environ["FALCONPY_DEBUG_CLIENT_SECRET"] = self.config[
                    "falcon_client_secret"]
                self.authorization = OAuth2(
                    creds={
                        "client_id": self.config["falcon_client_id"],
                        "client_secret": self.config["falcon_client_secret"]
                    },
                    base_url=self.config["falcon_base_url"])
            try:
                self.token = self.authorization.token()['body']['access_token']
                os.environ["FALCONPY_DEBUG_TOKEN"] = self.token
            except KeyError:
                self.token = False

        return self.token

    def clear_env_token(self):
        if "FALCONPY_DEBUG_TOKEN" in os.environ:
            os.environ["FALCONPY_DEBUG_TOKEN"] = ""
            os.environ["FALCONPY_DEBUG_CLIENT_ID"] = ""
            os.environ["FALCONPY_DEBUG_CLIENT_SECRET"] = ""
        return True

    def getConfig(self):
        # Grab our config parameters
        if "DEBUG_API_ID" in os.environ and "DEBUG_API_SECRET" in os.environ:
            self.config = {}
            self.config["falcon_client_id"] = os.getenv("DEBUG_API_ID")
            self.config["falcon_client_secret"] = os.getenv("DEBUG_API_SECRET")
            if "DEBUG_API_BASE_URL" in os.environ:
                self.config["falcon_base_url"] = os.getenv(
                    "DEBUG_API_BASE_URL")
            else:
                self.config["falcon_base_url"] = "auto"
            return True
        else:
            cur_path = os.path.dirname(os.path.abspath(__file__))
            if os.path.exists('%s/test.config' % cur_path):
                with open('%s/test.config' % cur_path, 'r') as file_config:
                    self.config = json.loads(file_config.read())
                return True
            else:
                return False

    def uberAuth(self):
        status = self.getConfig()
        if status:
            self.falcon = APIHarness(creds={
                "client_id":
                self.config["falcon_client_id"],
                "client_secret":
                self.config["falcon_client_secret"],
            },
                                     base_url=self.config["falcon_base_url"])
            self.falcon.authenticate()
            if self.falcon.authenticated:
                return True
            else:
                if self.falcon.base_url == "https://api.laggar.gcw.crowdstrike.com":
                    pytest.skip("GovCloud rate limit hit")
                else:
                    return False
        else:
            return False

    def failUberMSSPAuth(self):
        status = self.getConfig()
        if status:
            self.falcon = APIHarness(
                client_id=self.config["falcon_client_id"],
                client_secret=self.config["falcon_client_secret"],
                member_cid="1234567890ABCDEFG")
            self.falcon.authenticate()
            if not self.falcon.authenticated:
                return True
            else:
                return False
        else:
            return False

    def uberRevoke(self):
        return self.falcon.deauthenticate()

    def serviceAuth(self):
        status = self.getConfig()
        if status:
            self.authorization = OAuth2(
                creds={
                    'client_id': self.config["falcon_client_id"],
                    'client_secret': self.config["falcon_client_secret"]
                },
                base_url=self.config["falcon_base_url"])

            try:
                check = self.authorization.token()
                if check["status_code"] == 429:
                    pytest.skip("Rate limit hit")
                self.token = check['body']['access_token']
                # Force a token authentication
                _ = Hosts(access_token=self.token)
            except KeyError:
                self.token = False

            if self.token:
                return True
            else:
                return False
        else:
            return False

    def serviceAuthNoSSL(self):
        status = self.getConfig()
        if status:
            self.authorization = Hosts(creds={
                'client_id':
                self.config["falcon_client_id"],
                'client_secret':
                self.config["falcon_client_secret"]
            },
                                       ssl_verify=False,
                                       base_url=self.config["falcon_base_url"])

            check = self.authorization.auth_object.token()
            if check["status_code"] == 429:
                pytest.skip("Rate limit hit")
            if check["body"]["access_token"]:
                self.authorization.auth_object.revoke(
                    check["body"]["access_token"])
                return True
            else:
                return False
        else:
            return False

    def serviceMSSPAuth(self):
        status = self.getConfig()
        result = False
        if status:
            authorization = OAuth2(
                client_id=self.config["falcon_client_id"],
                client_secret=self.config["falcon_client_secret"],
                member_cid='1234567890ABCDEFG')
            try:
                req = authorization.token()
                if req["status_code"] in [
                        201, 403
                ]:  # Prolly an invalid MSSP cred, 403 is correct
                    result = True
            except KeyError:
                pass

        return result

    def failServiceAuth(self):
        self.authorization = Hosts(client_id="BadClientID",
                                   client_secret="BadClientSecret",
                                   member_cid="123456789ABCDEFG",
                                   base_url="us3")
        # self.authorization.auth_object.base_url = "nowhere"
        try:
            self.token = self.authorization.auth_object.token(
            )['body']['access_token']
        except KeyError:
            self.token = False

        self.authorization.auth_object.revoke(self.token)

        if self.token:
            return False
        else:
            return True

    def serviceRevoke(self):
        try:
            result = self.authorization.revoke(token=self.token)["status_code"]
            if result > 0:
                return True
            else:
                return False
        except KeyError:
            return False

    def credential_logout(self, api: object = None):
        if api:
            return bool(
                api.auth_object.revoke(api.auth_object.token(
                )["body"]["access_token"])["status_code"] in [200, 201])
        else:
            return False

    def test_uberAuth(self):
        assert self.uberAuth() is True
        self.uberRevoke()

    def test_uberRevoke(self):
        self.uberAuth()
        assert self.uberRevoke() is True

    def test_serviceAuth(self):
        assert self.serviceAuth() is True
        self.serviceRevoke()

    # This test disables SSL and will generate a warning in pytest if we don't disable it
    @pytest.mark.filterwarnings(
        "ignore:Unverified HTTPS request is being made.*")
    def test_serviceAuthNoSSL(self):
        assert self.serviceAuthNoSSL() is True

    def test_serviceMSSPAuth(self):
        assert self.serviceMSSPAuth() is True

    def test_uberMSSPAuthFailure(self):
        assert self.failUberMSSPAuth() is True

    def test_serviceRevoke(self):
        self.serviceAuth()
        assert self.serviceRevoke() is True

    def test_failServiceAuth(self):
        assert self.failServiceAuth() is True

    @pytest.mark.skipif(os.getenv("DEBUG_API_BASE_URL", "us1").lower() in [
        "https://api.laggar.gcw.crowdstrike.com", "usgov1"
    ],
                        reason="Unit testing unavailable on US-GOV-1")
    def test_base_url_lookup(self):
        _ = self.getConfig()
        test_falcon = OAuth2(client_id=self.config["falcon_client_id"],
                             client_secret=self.config["falcon_client_secret"],
                             base_url="us1")
        assert bool(test_falcon.token()["status_code"] == 201)

    def test_fail_base_url_lookup(self):
        _ = self.getConfig()
        test_falcon = OAuth2(client_id=self.config["falcon_client_id"],
                             client_secret=self.config["falcon_client_secret"],
                             base_url="nowhere")
        assert bool(test_falcon.token()["status_code"] != 201)
Esempio n. 10
0
    for env in Environment:
        # User submitted name matches an accepted type
        if env.name == SANDBOX_ENV:
            MATCHED = True
    if not MATCHED:
        # We only accept the environments defined in our Enum above
        raise SystemExit("Invalid sandbox environment specified.")

if not os.path.isfile(args.file):
    # We were not provided a valid filename
    raise SystemExit("Invalid filename specified.")

# Announce progress
inform(f"[   Init   ] {running_time(start_time)}")
# Connec to the API and provide our credentials for authorization
falcon = APIHarness(client_id=args.key, client_secret=args.secret)
# Announce progress
inform(f"[  Upload  ] {running_time(start_time)}")

# Upload our test file
response = upload_file(args.file,
                       f"FalconX File Analysis: {time.strftime('%V %r %Z')}",
                       "Falcon X upload and scan example",
                       confidential=False)

# Retrieve the SHA of our upload file
sha = response["body"]["resources"][0]["sha256"]

# Announce progress
inform(f"[  Submit  ] {running_time(start_time)}")
Esempio n. 11
0
#     _       _
#    /  _ .__|_o _
#    \_(_)| || |(_|
#                _|
#
# Grab our config parameters from our config file.
# Review this README here for more detail regarding the sample config file.
# https://github.com/CrowdStrike/falconpy/tree/main/samples
with open('../config.json', 'r', encoding="utf-8") as file_config:
    config = json.loads(file_config.read())

# Provide our credentials to the Uber Class using Direct Authentication.
# Since we are using version 0.8.6+ we do not need to specify the base_url
# keyword unless we are on GovCloud.
falcon = APIHarness(client_id=config["falcon_client_id"],
                    client_secret=config["falcon_client_secret"]
                    # ,base_url="usgov1"     # GovCloud users only
                    )

# Define our upload and download file names
UP_FILENAME = "testfile.jpg"
DOWN_FILENAME = "uberclass.jpg"

# Remove our download file if it is present before we begin
if os.path.exists(DOWN_FILENAME):
    os.remove(DOWN_FILENAME)

#    | |._ | _  _. _|
#    |_||_)|(_)(_|(_|
#       |
#
# Open the file for binary read, this will be our payload
Esempio n. 12
0
    config["falcon_client_id"] = os.getenv("DEBUG_API_ID")
    config["falcon_client_secret"] = os.getenv("DEBUG_API_SECRET")
    if "DEBUG_API_BASE_URL" in os.environ:
        config["falcon_base_url"] = os.getenv("DEBUG_API_BASE_URL")
    else:
        config["falcon_base_url"] = "us1"
else:
    cur_path = os.path.dirname(os.path.abspath(__file__))
    if os.path.exists('%s/test.config' % cur_path):
        with open('%s/test.config' % cur_path, 'r') as file_config:
            config = json.loads(file_config.read())
    else:
        sys.exit(1)

falcon = APIHarness(client_id=config["falcon_client_id"],
                    client_secret=config["falcon_client_secret"],
                    base_url=config["falcon_base_url"])


class TestUber:
    def uberCCAWS_GetAWSSettings(self):
        if falcon.command("GetAWSSettings")["status_code"] in AllowedResponses:
            return True
        else:
            return False

    def uberCCAWS_QueryAWSAccounts(self):
        if falcon.command("QueryAWSAccounts",
                          parameters={"limit":
                                      1})["status_code"] in AllowedResponses:
            return True
Esempio n. 13
0
    if not args.crowdstrike_cloud:
        CLOUD_URL = "US1"
    else:
        CLOUD_URL = args.crowdstrike_cloud
    log_enabled = args.log_enabled
    if not args.query_limit:
        QUERY_LIMIT = 100
    else:
        QUERY_LIMIT = args.query_limit

    # ############## MAIN ROUTINE
    # Connect to the API using our provided falcon client_id and client_secret

    try:
        falcon = APIHarness(client_id=falcon_client_id,
                            client_secret=falcon_client_secret,
                            base_url=CLOUD_URL)
    except Exception as err:  # noqa: E722  pylint: disable=W0703
        # We can't communicate with the endpoint
        print(f'Unable to communicate with API {str(err)}')
    # Authenticate
    if falcon.authenticate():
        try:
            # Execute the command by calling the named function
            if command.lower() == "check":
                check_account()
            if command.lower() == "update":
                update_account()
            if command.lower() == "register":
                register_account()
            if command.lower() == "delete":
Esempio n. 14
0
    FILENAME = args.filename

FORMAT = "fancy_grid"
if args.format:
    FORMAT = args.format

SHOW_ALL = False
if args.all:
    SHOW_ALL = True

OSVER = ""
if args.osver:
    OSVER = args.osver

# Login to the Falcon API and retrieve our list of sensors
falcon = APIHarness(client_id=CLIENTID, client_secret=CLIENTSECRET)
sensors = falcon.command(action="GetCombinedSensorInstallersByQuery",
                         filter=OS_FILTER)
if CMD in "list":
    # List sensors
    data = []
    headers = {
        "name": "Name",
        "description": "Description",
        "platform": "Platform",
        "os": "OS",
        "os_version": "OS Version",
        "sha256": "File Hash",
        "release_date": "Release Date",
        "version": "Version",
        "file_size": "File Size",
Esempio n. 15
0
def connect_api(key: str, secret: str):
    """
    Connects and returns an instance of the Uber class.
    """
    return APIHarness(client_id=key, client_secret=secret)
Esempio n. 16
0
        BASE_URL = "us1"
except KeyError:
    # Any failure assume we're doing commercial / US-1
    BASE_URL = "us1"

try:
    VERIFY_SSL_CONNECTIONS = config["ssl_verify"]
    if VERIFY_SSL_CONNECTIONS == "":
        VERIFY_SSL_CONNECTIONS = True
except KeyError:
    VERIFY_SSL_CONNECTIONS = True
    config["ssl_verify"] = VERIFY_SSL_CONNECTIONS

# Connect to the API
falcon = APIHarness(client_id=config["falcon_client_id"],
                    client_secret=config["falcon_client_secret"],
                    base_url=BASE_URL,
                    ssl_verify=VERIFY_SSL_CONNECTIONS)
# Authenticate to the API
falcon.authenticate()
# Cry about our bad keys
if not falcon.authenticated:
    status.status_write(
        f"Failed to connect to the API on {BASE_URL}. Check base_url and ssl_verify configuration settings."
    )
    raise SystemExit(
        f"Failed to connect to the API on {BASE_URL}.  Check base_url and ssl_verify configuration settings."
    )

# Retrieve our current CID (MSSP functionality) or add it to config?
# This method requires Sensor Install API, our fallback option uses the Hosts API but a device must exist
try: