def test_bats_001_create_resource_group(sut_handle, config_file, datadir,
shieldx_logger):
# Initialize
cloud_mgmt = CloudMgmt(sut_handle)
# JSON Config Reader
config_reader = CCR()
# Selected Rule IDs
resolved_input_json_file = str((datadir / config_file).resolve())
rg_config = config_reader.read_json_config(resolved_input_json_file)
# Create resource Group
resource_group = rg_config["rg1"]
resource_group["name"] = "VP_ResourceGroup"
resource_group["description"] = "CIDR Based RG"
resource_group["purpose"] = "POLICY"
resource_group["resourceType"] = "CIDR"
resource_group["memberList"] = [{
"id": 0,
"cidr": "192.168.131.5/32"
}, {
"id": 0,
"cidr": "192.168.131.51/32"
}]
rg_id = cloud_mgmt.create_resource_group(resource_group)
shieldx_logger.info("Resource Group Created, ID: {}".format(rg_id))
def test_bats_000_get_resource_groups(sut_handle, shieldx_logger):
# Initialize
cloud_mgmt = CloudMgmt(sut_handle)
# Create resource Group
resource_groups = cloud_mgmt.get_resource_groups()
for resource_group in resource_groups:
shieldx_logger.info("Resource Group: {}".format(resource_group))
def test_bats_003_del_resource_group_by_name(sut_handle, shieldx_logger):
# Initialize
cloud_mgmt = CloudMgmt(sut_handle)
# Create resource Group
rg_name = "VP_ResourceGroup"
is_deleted = cloud_mgmt.remove_resource_group_by_name(rg_name)
shieldx_logger.info("Remove RG Status: {}".format(is_deleted))
def test_bats_002_get_resource_group_by_name(sut_handle, shieldx_logger):
# Initialize
cloud_mgmt = CloudMgmt(sut_handle)
# Create resource Group
rg_name = "VP_ResourceGroup"
rg = cloud_mgmt.get_resource_group_by_name(rg_name)
shieldx_logger.info("Resource Group: {}".format(rg))
def test_create_aws_connector(sut_handle, shieldx_logger, datadir,
input_json_file):
# Initialize
cloud_mgmt = CloudMgmt(sut_handle)
config_reader = CCR()
converter = DSC()
resolved_input_json_file = str((datadir / input_json_file).resolve())
cloud_payload = dict(
config_reader.read_json_config(resolved_input_json_file))
aws_cloud = cloud_payload["aws_cloud"]
# Fetch ACL Policy, Default ACL Policy = 3
acl_id = 3
aws_cloud["aclPolicyId"] = acl_id
# Inline Inspection: Active | Passive
pseudo_tap = "false"
aws_cloud["inlinePassiveInspection"] = pseudo_tap
# Create Infra Connector
cloud_id = cloud_mgmt.create_cloud(aws_cloud)
shieldx_logger.info("Cloud Type: {}".format("AWS"))
shieldx_logger.info("Cloud ID: {}".format(cloud_id))
shieldx_logger.info("---")
# Initialize
jobs_mgmt = JobsApis(sut_handle)
jobs = jobs_mgmt.get_jobs()
# Get Latest Job
shieldx_logger.info("Jobs count: {}".format(len(jobs)))
job = jobs[0]
job_id = job["id"]
# Monitor job progress
is_completed = False
retry = 0
max_retry = 10
time.sleep(60)
while retry < max_retry:
job = jobs_mgmt.get_job_by_id(job_id)
shieldx_logger.info("Job {} - {} - {}".format(job["id"], job["state"],
job["status"]))
if job["state"] == "COMPLETED":
break
retry += 1
time.sleep(60)
def test_get_clouds(sut_handle, shieldx_logger):
# Initialize
cloud_mgmt = CloudMgmt(sut_handle)
# List Infra Connectors
cloud_list = cloud_mgmt.get_cloud_infra()
# Enumerate Infra Connectors
for cloud_info in cloud_list:
shieldx_logger.info("Cloud Type: {}".format(cloud_info["type"]))
shieldx_logger.info("Cloud Name: {}".format(cloud_info["name"]))
shieldx_logger.info("Cloud ID: {}".format(cloud_info["id"]))
shieldx_logger.info("---")
def test_delete_aws_connector(sut_handle, shieldx_logger, datadir,
input_json_file):
# Initialize
cloud_mgmt = CloudMgmt(sut_handle)
config_reader = CCR()
resolved_input_json_file = str((datadir / input_json_file).resolve())
cloud_payload = dict(
config_reader.read_json_config(resolved_input_json_file))
aws_cloud = cloud_payload["aws_cloud"]
name = aws_cloud["name"]
cloud_infra = cloud_mgmt.get_cloud_infra_by_name(name)
cloud_id = cloud_infra["id"]
shieldx_logger.info("Cloud Name: {}".format(name))
shieldx_logger.info("Cloud ID: {}".format(cloud_id))
shieldx_logger.info("---")
# Delete
cloud_mgmt.delete_cloud(cloud_id)
# Initialize
jobs_mgmt = JobsApis(sut_handle)
jobs = jobs_mgmt.get_jobs()
# Get Latest Job
shieldx_logger.info("Jobs count: {}".format(len(jobs)))
job = jobs[0]
job_id = job["id"]
# Monitor job progress
is_completed = False
retry = 0
max_retry = 10
time.sleep(60)
while not is_completed and retry < max_retry:
job = jobs_mgmt.get_job_by_id(job_id)
if job["state"] == "COMPLETED":
is_completed = True
shieldx_logger.info("Job {} - {} - {}".format(job["id"], job["state"],
job["status"]))
retry += 1
time.sleep(60)
def test_bats_000_check_cloud(sut_handle, shieldx_logger):
# Initialize
cloud_mgmt = CloudMgmt(sut_handle)
# List Infra Connectors
cloud_list = cloud_mgmt.get_cloud_infra()
# Enumerate Infra Connectors
for cloud_info in cloud_list:
shieldx_logger.info("Cloud Type: {}".format(cloud_info["type"]))
shieldx_logger.info("Cloud ID: {}".format(cloud_info["id"]))
shieldx_logger.info("Pseudo TAP: {}".format(
cloud_info["inlinePassiveInspection"]))
shieldx_logger.info("Cloud Info: {}".format(cloud_info))
shieldx_logger.info("---")
def test_get_aws_cloud_objects(sut_handle, shieldx_logger, datadir,
input_json_file):
# Initialize
cloud_mgmt = CloudMgmt(sut_handle)
config_reader = CCR()
converter = DSC()
resolved_input_json_file = str((datadir / input_json_file).resolve())
cloud_payload = dict(
config_reader.read_json_config(resolved_input_json_file))
aws_cloud = cloud_payload["aws_cloud"]
name = aws_cloud["name"]
cloud_infra = cloud_mgmt.get_cloud_infra_by_name(name)
cloud_id = cloud_infra["id"]
shieldx_logger.info("Cloud Name: {}".format(name))
shieldx_logger.info("Cloud ID: {}".format(cloud_id))
shieldx_logger.info("---")
# Objects
cloud_objects = cloud_mgmt.get_cloud_objects(cloud_id)
#for key in cloud_objects:
# shieldx_logger.info("{}".format(key))
# #shieldx_logger.info("{} - {}".format(key, cloud_objects[key]))
networks = converter.list_of_dict_to_dict(cloud_objects["networks"],
"name")
shieldx_logger.info("Network: {} - {}".format(
networks["Juan-Management-Subnet"]["name"],
networks["Juan-Management-Subnet"]["id"]))
shieldx_logger.info("Network: {} - {}".format(
networks["Juan-Backplane-Subnet"]["name"],
networks["Juan-Management-Subnet"]["id"]))
shieldx_logger.info("Network: {} - {}".format(
networks["Juan-Workload-Subnet"]["name"],
networks["Juan-Management-Subnet"]["id"]))
tenants = converter.list_of_dict_to_dict(cloud_objects["tenants"], "name")
shieldx_logger.info("Tenant: {} - {} - {}".format(
tenants["Juan-Test-VPC"]["name"], tenants["Juan-Test-VPC"]["id"],
tenants["Juan-Test-VPC"]["regionId"]))
def test_bats_002_disable_pseudotap(sut_handle, shieldx_logger):
# Initialize
cloud_mgmt = CloudMgmt(sut_handle)
# List Infra Connectors
cloud_list = cloud_mgmt.get_cloud_infra()
name = "Juan-Azure-Cloud"
pseudotap = False
client_secret_key = "rwQBYeXhg5Isgyxlxa5cOW1wCdK7XdBE/vLYT4lA0I0="
# Before change
cloud = cloud_mgmt.get_cloud_infra_by_name(name)
if cloud is not None:
shieldx_logger.info("Before pseudotap change")
shieldx_logger.info("Cloud Info: {}".format(cloud))
else:
assert False, "Get cloud failed!"
# Set pseudotap
cloud["inlinePassiveInspection"] = pseudotap
cloud["clientSecretKey"] = client_secret_key
update_cloud = {key: value for key, value in cloud.items() if value}
shieldx_logger.info("Update Cloud: {}".format(update_cloud))
cloud_mgmt.update_cloud_infra(update_cloud)
# Check job
time.sleep(60)
# After change
cloud = cloud_mgmt.get_cloud_infra_by_name(name)
shieldx_logger.info("After pseudotap change")
shieldx_logger.info("Cloud Info: {}".format(cloud))
def __init__(self, rest_session, logger):
# Logger
self.logger = logger
# Session
self.rest_session = rest_session
# Policy Mgmt
self.tpp_mgmt = TPP(rest_session)
self.sps_mgmt = SPS(rest_session)
self.acl_mgmt = ACL(rest_session)
self.cloud_mgmt = CloudMgmt(rest_session)
# SX Info
self._source_policy = "All Threats"
self._default_acl_policy = "Default ACL Policy"
# Payloads
self._payload = PolicyPayload()
# Cache All Threats
self.all_threats_cache = {}
self._cache_all_threats()
class VirtualPatch(object):
def __init__(self, rest_session, logger):
# Logger
self.logger = logger
# Session
self.rest_session = rest_session
# Policy Mgmt
self.tpp_mgmt = TPP(rest_session)
self.sps_mgmt = SPS(rest_session)
self.acl_mgmt = ACL(rest_session)
self.cloud_mgmt = CloudMgmt(rest_session)
# SX Info
self._source_policy = "All Threats"
self._default_acl_policy = "Default ACL Policy"
# Payloads
self._payload = PolicyPayload()
# Cache All Threats
self.all_threats_cache = {}
self._cache_all_threats()
def _cache_all_threats(self):
tpp = self.tpp_mgmt.get_threat_prevention_policy_by_name(
self._source_policy)
all_threats = self.tpp_mgmt.get_threats_by_policy_id(tpp["id"])
for threat in all_threats:
key = "{}:{}".format(threat["protocolID"], threat["threatID"])
self.all_threats_cache[key] = threat
def _create_resource_group(self, rg_name, rg_components):
resource_group = self._payload.get_rg_payload()
resource_group["name"] = rg_name
resource_group["description"] = rg_components["description"]
resource_group["purpose"] = rg_components["purpose"]
resource_group["resourceType"] = rg_components["resource_type"]
resource_group["memberList"] = rg_components["member_list"]
rg_id = self.cloud_mgmt.create_resource_group(resource_group)
return rg_id
def _delete_resource_group(self, rg_name):
is_deleted = self.cloud_mgmt.remove_resource_group_by_name(rg_name)
return is_deleted
def _create_tpp(self, policy_name, tpp_components):
self.logger.info("Creating TPP.")
tpp_id = 0
specific_threats = list()
# Get specific threats
for threat in tpp_components["threats"]:
key = "{}:{}".format(threat["protocolID"], threat["threatID"])
if key in self.all_threats_cache:
specific_threats.append(self.all_threats_cache[key])
else:
# Rule not found, raise warning
pass
self.logger.info("Specific Threats: {}".format(specific_threats))
# TPP Payload
tpp_payload = self._payload.get_tpp_payload()
self.logger.info("TPP Payload - Template: {}".format(tpp_payload))
tpp_payload["name"] = policy_name
tpp_payload["rules"] = [{"specificThreats": specific_threats}]
self.logger.info("TPP Payload - Populated: {}".format(tpp_payload))
tpp_id = self.tpp_mgmt.create_threat_prevention_policy(tpp_payload)
self.logger.info("TPP Created, ID: {}".format(tpp_id))
return tpp_id
def _edit_response_actions(self, tpp_id, response_actions):
threat_responses = self.tpp_mgmt.get_threat_responses_by_policy_id(
tpp_id)
for threat_response in threat_responses:
threat_response["block"] = response_actions["block"]
threat_response["policyId"] = tpp_id
# Bulk Edit - Response Action Payload
response_payload = self._payload.get_tpp_response_payload()
response_payload["id"] = tpp_id
response_payload["responses"] = threat_responses
is_bulk_edit_ok = self.tpp_mgmt.bulk_update_threat_responses(
response_payload)
return is_bulk_edit_ok
def _delete_tpp(self, policy_name):
is_deleted = False
# Get TPP
tpp = self.tpp_mgmt.get_threat_prevention_policy_by_name(policy_name)
if tpp is not None:
# Delete
is_deleted = self.tpp_mgmt.delete_threat_prevention_policy_by_id(
tpp["id"])
else:
# TPP not found, NOOP
pass
return is_deleted
def _create_sps(self, policy_name, sps_components):
# Threat Prevention Policy
tpp = self.tpp_mgmt.get_threat_prevention_policy_by_name(
sps_components["threat_prevention"])
tpp_id = tpp["id"]
tpp_name = tpp["name"]
# Malware Policy
malware_policy_id = None
malware_policy_name = None
# URL Filtering Policy
url_filtering_policy_id = None
url_filtering_policy_name = None
# SPS Payload
sps_payload = self._payload.get_sps_payload()
sps_payload["name"] = policy_name
sps_payload["threatPreventionPolicyName"] = tpp_name
sps_payload["threatPreventionPolicyId"] = tpp_id
sps_id = self.sps_mgmt.create_security_policy_set(sps_payload)
self.logger.info("SPS Created, ID: {}".format(sps_id))
return sps_id
def _delete_sps(self, policy_name):
is_deleted = False
# Get SPS
sps = self.sps_mgmt.get_sps_by_name(policy_name)
if sps is not None:
# Delete
is_deleted = self.sps_mgmt.delete_security_policy_set_by_id(
sps["id"])
else:
# SPS not found, NOOP
pass
return is_deleted
def _create_acl_rule(self, acl_rule_name, acl_rule_components):
# Get Default Access Control Policy
default_access_control_policy = self.acl_mgmt.get_acl_policies()[0]
self.logger.info("Before Add - Default ACP: {}".format(
default_access_control_policy))
# Clone ACL Rule and modify relevant fields
new_acl_rule = default_access_control_policy["aclRules"][0].copy()
del (new_acl_rule["id"])
new_acl_rule["name"] = acl_rule_name
new_acl_rule["description"] = acl_rule_components["description"]
new_acl_rule["spsId"] = acl_rule_components["sps_id"]
new_acl_rule["destinationResourceGroupList"] = [
acl_rule_components["dst_rg"]
]
# TODO
# new_acl_rule["sourceResourceGroupList"] = (compute from RG or NS created based on WL IP from vuln scanner)
# new_acl_rule["destinationResourceGroupList"] = (compute from RG or NS created based on WL IP from vuln scanner)
# Append the new rule
default_access_control_policy["aclRules"].append(new_acl_rule)
# Fix order number, newly created rule is #1
acl_rules_count = len(default_access_control_policy["aclRules"])
for acl_rule in default_access_control_policy["aclRules"]:
acl_rule["orderNum"] = acl_rules_count
acl_rules_count -= 1
self.logger.info("After Add - Default ACP: {}".format(
default_access_control_policy))
is_updated = self.acl_mgmt.update_acl(default_access_control_policy)
self.logger.info("ACL Update status: {}".format(is_updated))
return is_updated
def _delete_acl_rule(self, acl_rule_name):
# Get Default Access Control Policy
default_access_control_policy = self.acl_mgmt.get_acl_policies()[0]
self.logger.info("Before Del - Default ACP: {}".format(
default_access_control_policy))
# Delete ACL Rule
index = 0
for acl_rule in default_access_control_policy["aclRules"]:
if acl_rule["name"] == acl_rule_name:
# Pop based on index
_ = default_access_control_policy["aclRules"].pop(index)
break
index += 1
self.logger.info("After Del - Default ACP: {}".format(
default_access_control_policy))
is_updated = self.acl_mgmt.update_acl(default_access_control_policy)
self.logger.info("ACL Update status: {}".format(is_updated))
return is_updated
def patch(self, artifact):
# Application Discovery
# 1. Analyze Vulnerability Scanner Output
# 1a. CVE IDs to ShieldX Rule IDs
# List of Rules [{"pm_id": 6, "rule_id": 10114}, ...]
threat_rules = [{"protocolID": 6, "threatID": 10114}]
# 1b. List of IP Address (workloads)
scanner_report_ip_set = [{
"id": 0,
"cidr": "192.168.131.5/32"
}, {
"id": 0,
"cidr": "192.168.131.51/32"
}]
# 2. Create/resuse a resource group for workloads, Insertion = MSN
rg_name = artifact["rg_name"]
rg_components = {
"description": "Virtual Patch - RG",
"purpose": "POLICY",
"resource_type": "CIDR",
"member_list": scanner_report_ip_set
}
rg_id = self._create_resource_group(rg_name, rg_components)
# 3. Locate/Create ACL Rule responsible for allowing relevant traffic
# 4. Change the threat policy of the ACL
# 4a. Create TPP
tpp_name = artifact["tpp_name"]
tpp_components = {"threats": threat_rules}
tpp_id = self._create_tpp(tpp_name, tpp_components)
# 4b. Edit Response action of each threat to block
response_actions = {"block": True}
is_buld_edit_ok = self._edit_response_actions(tpp_id, response_actions)
# 4c. Compute Malware Policy, URL Filtering Policy
mp_name = None # "WithSXCloud"
ufp_name = None # "Default URL Filtering Policy"
# 4d. Create SPS. Note: URL Filtering and Malware Policies are not defined
sps_name = artifact["sps_name"]
sps_components = {
"threat_prevention": tpp_name,
"malware": mp_name,
"url_filtering": ufp_name,
}
sps_id = self._create_sps(sps_name, sps_components)
# 4e. Create ACL Rule
acl_rule_name = artifact["acl_rule_name"]
acl_rule_components = {
"description": "Virtual Patch - ACL Rule",
"dst_rg": rg_id,
"sps_id": sps_id
}
is_updated = self._create_acl_rule(acl_rule_name, acl_rule_components)
def check(self, artifact):
# Check TPP, SPS and ACL Rule
self.logger.info("Check TPP, SPS and ACL Rule.")
def cleanup(self, artifact):
# Delete ACL Rule
self._delete_acl_rule(artifact["acl_rule_name"])
# Delete Resource Group
self._delete_resource_group(artifact["rg_name"])
# Delete SPS
self._delete_sps(artifact["sps_name"])
# Delete TPP
self._delete_tpp(artifact["tpp_name"])
def test_create_deployment(sut_handle, shieldx_logger, datadir,
input_json_file):
# Initialize
cloud_mgmt = CloudMgmt(sut_handle)
dp_mgmt = DPMgmt(sut_handle)
config_reader = CCR()
converter = DSC()
resolved_input_json_file = str((datadir / input_json_file).resolve())
aws_payload = dict(
config_reader.read_json_config(resolved_input_json_file))
aws_cloud = aws_payload["aws_cloud"]
aws_deployment = aws_payload["aws_deployment"]
cloud_name = aws_cloud["name"]
cloud_infra = cloud_mgmt.get_cloud_infra_by_name(cloud_name)
cloud_id = cloud_infra["id"]
# Objects
cloud_objects = cloud_mgmt.get_cloud_objects(cloud_id)
networks = converter.list_of_dict_to_dict(cloud_objects["networks"],
"name")
tenants = converter.list_of_dict_to_dict(cloud_objects["tenants"], "name")
#for key in cloud_objects:
# shieldx_logger.info("{}".format(key))
# #shieldx_logger.info("{} - {}".format(key, cloud_objects[key]))
# Fill in deployment payload
tenant_name = aws_deployment["deploymentSpecification"]["tenantNameStr"]
mgmt_network_name = aws_deployment["deploymentSpecification"][
"mgmtNetworkNameStr"]
bkpln_network_name = aws_deployment["deploymentSpecification"][
"backPlaneNetworkStr"]
aws_deployment["cloudId"] = cloud_id
aws_deployment["deploymentSpecification"]["cloudId"] = cloud_id
aws_deployment["deploymentSpecification"]["cloudid"] = cloud_id
aws_deployment["deploymentSpecification"]["regionId"] = tenants[
tenant_name]["regionId"]
aws_deployment["deploymentSpecification"]["tenantId"] = tenants[
tenant_name]["id"]
aws_deployment["deploymentSpecification"]["availabilityZoneId"] = networks[
mgmt_network_name]["availabilityZoneId"]
aws_deployment["deploymentSpecification"]["mgmtNetworkId"] = networks[
mgmt_network_name]["id"]
aws_deployment["deploymentSpecification"]["backPlaneNetworkId"] = networks[
bkpln_network_name]["id"]
shieldx_logger.info("DP - {}".format(aws_deployment))
dp_id = dp_mgmt.create_deployment(aws_deployment)
shieldx_logger.info("Deployment ID: {}".format(dp_id))
shieldx_logger.info("---")
# Initialize
jobs_mgmt = JobsApis(sut_handle)
jobs = jobs_mgmt.get_jobs()
# Get Latest Job
shieldx_logger.info("Jobs count: {}".format(len(jobs)))
job = jobs[0]
job_id = job["id"]
# Monitor job progress
is_completed = False
retry = 0
max_retry = 10
time.sleep(60)
while retry < max_retry:
job = jobs_mgmt.get_job_by_id(job_id)
shieldx_logger.info("Job {} - {} - {}".format(job["id"], job["state"],
job["status"]))
if job["state"] == "COMPLETED":
break
retry += 1
time.sleep(60)