コード例 #1
 def getConfigExtended(self):
     """Populate ``self.config`` and ``self.token``, preferring values cached in the environment.

     When ``FALCONPY_DEBUG_TOKEN`` is set, the token, client ID and client
     secret are read back from the ``FALCONPY_DEBUG_*`` variables and no
     request is made. Otherwise ``self.getConfig()`` is called, a
     ``FalconAuth.OAuth2`` object is built from the loaded credentials, and a
     token is requested from it.

     Returns:
         The access token, or ``False`` when the token response has no
         ``body`` / ``access_token`` key.
     """
     env = os.environ
     if "FALCONPY_DEBUG_TOKEN" in env:
         # Cached path: everything comes from the environment.
         self.token = env["FALCONPY_DEBUG_TOKEN"]
         self.config = {}
         self.config["falcon_client_id"] = env["FALCONPY_DEBUG_CLIENT_ID"]
         self.config["falcon_client_secret"] = env["FALCONPY_DEBUG_CLIENT_SECRET"]
         self.config["falcon_base_url"] = env.get("DEBUG_API_BASE_URL", "https://api.crowdstrike.com")
         return self.token

     if self.getConfig():
         loaded = self.config
         # NOTE(review): the client secret (and, below, the bearer token) are
         # written into the process environment, which child processes inherit.
         # Presumably this is a test-only cache -- confirm it never runs where
         # real credentials are in use.
         env["FALCONPY_DEBUG_CLIENT_ID"] = loaded["falcon_client_id"]
         env["FALCONPY_DEBUG_CLIENT_SECRET"] = loaded["falcon_client_secret"]
         self.authorization = FalconAuth.OAuth2(
             creds={
                 "client_id": loaded["falcon_client_id"],
                 "client_secret": loaded["falcon_client_secret"],
             },
             base_url=loaded["falcon_base_url"],
         )
     # NOTE(review): when getConfig() is falsy, self.authorization is only
     # defined if something else assigned it earlier; an AttributeError here is
     # not caught by the KeyError handler.
     try:
         self.token = self.authorization.token()['body']['access_token']
         env["FALCONPY_DEBUG_TOKEN"] = self.token
     except KeyError:
         self.token = False
     return self.token
コード例 #2
    def serviceCCAWS_AuthWithObject(self):
        """Build a Cloud_Connect_AWS client from an OAuth2 object and return its ``authenticated()`` result.

        Credentials are taken from the ``auth.config`` mapping defined outside
        this method.
        """
        oauth = FalconAuth.OAuth2(creds={
            'client_id': auth.config["falcon_client_id"],
            'client_secret': auth.config["falcon_client_secret"],
        })
        client = FalconAWS.Cloud_Connect_AWS(auth_object=oauth)
        return client.authenticated()
コード例 #3
 def serviceAny_TestBadCredRevoke(self):
     """Call ``revoke`` on an OAuth2 object built without credentials.

     Returns:
         True when the response status code is in ``AllowedResponses``,
         otherwise False.
     """
     credless_auth = FalconAuth.OAuth2()
     # The argument is a placeholder string, not a real token.
     response = credless_auth.revoke("Will generate a 403")
     return response["status_code"] in AllowedResponses
コード例 #4
 def serviceAny_TestBadObjectAuth(self):
     """Query AWS accounts through a client whose OAuth2 object has no credentials.

     Returns:
         True when the response status code is in ``AllowedResponses``,
         otherwise False.
     """
     # Should also test bad direct auth in the authentication class
     credless_auth = FalconAuth.OAuth2()
     client = FalconAWS(auth_object=credless_auth)
     response = client.QueryAWSAccounts()
     return response["status_code"] in AllowedResponses
コード例 #5
 def serviceCCAWS_AuthWithObject(self):
     """Authenticate a CloudConnectAWS client via an OAuth2 object and report the outcome.

     A token is requested first; a 429 status on that request skips the test
     instead of failing it. Returns the client's ``authenticated()`` result.
     """
     oauth = FalconAuth.OAuth2(
         creds={
             'client_id': auth.config["falcon_client_id"],
             'client_secret': auth.config["falcon_client_secret"],
         },
         base_url=auth.config["falcon_base_url"],
     )
     client = CloudConnectAWS(auth_object=oauth)
     token_response = client.auth_object.token()
     if token_response["status_code"] == 429:
         pytest.skip("Rate limit hit")
     return client.authenticated()
コード例 #6
def load_api_config():
    """Read API credentials from the JSON config file and return an OAuth2 object.

    The file path comes from ``Config.config_file``; the file must contain the
    keys ``falcon_client_id`` and ``falcon_client_secret``.
    """
    # NOTE(review): the client secret is stored in this file in plaintext, so
    # the file's permissions and its exclusion from version control are what
    # protect it.
    with open(Config.config_file, 'r') as handle:
        settings = json.load(handle)

    credentials = {
        "client_id": settings["falcon_client_id"],
        "client_secret": settings["falcon_client_secret"],
    }
    return FalconAuth.OAuth2(creds=credentials)
コード例 #7
 def serviceAny_TestObjectAuth(self):
     """Query AWS accounts through a client backed by a pre-tokenised OAuth2 object.

     The OAuth2 object is built with ``client_id`` / ``client_secret`` keyword
     arguments (not a ``creds`` dict) and ``token()`` is called on it before it
     is handed to the service class.

     Returns:
         True when the response status code is in ``AllowedResponses``,
         otherwise False.
     """
     # Should also test direct auth in the authentication class
     oauth = FalconAuth.OAuth2(
         client_id=auth.config["falcon_client_id"],
         client_secret=auth.config["falcon_client_secret"],
     )
     oauth.token()
     client = FalconAWS(auth_object=oauth)
     response = client.QueryAWSAccounts()
     return response["status_code"] in AllowedResponses
コード例 #8
    def serviceAny_TestBadObjectAuth(self):
        """Query AWS accounts through a client built with deliberately invalid credentials.

        Returns:
            True when the response status code is in ``AllowedResponses``,
            otherwise False.
        """
        # Placeholder values that are not expected to authenticate.
        invalid_creds = {
            "client_id": "ThisAlso",
            "client_secret": "WontWork",
        }
        client = FalconAWS(auth_object=FalconAuth.OAuth2(creds=invalid_creds))
        response = client.QueryAWSAccounts()
        return response["status_code"] in AllowedResponses
コード例 #9
    def serviceAny_TestStaleObjectAuth(self):
        """Query AWS accounts through a client whose OAuth2 object has not requested a token here.

        NOTE(review): nothing in this method expires or invalidates a token;
        "stale" presumably refers to the auth object never having called
        ``token()`` before use -- confirm against the test suite.

        Returns:
            True when the response status code is in ``AllowedResponses``,
            otherwise False.
        """
        configured_creds = {
            "client_id": auth.config["falcon_client_id"],
            "client_secret": auth.config["falcon_client_secret"],
        }
        client = FalconAWS(auth_object=FalconAuth.OAuth2(creds=configured_creds))
        response = client.QueryAWSAccounts()
        return response["status_code"] in AllowedResponses
コード例 #10
    def serviceCCAWS_RefreshToken(self):
        """Force the auth object's token to look expired, then issue a query.

        Returns:
            False when ``token_expired()`` is already true on the new client;
            otherwise True or False depending on whether the follow-up query's
            status code is in ``AllowedResponses``.
        """
        oauth = FalconAuth.OAuth2(creds={
            'client_id': auth.config["falcon_client_id"],
            'client_secret': auth.config["falcon_client_secret"],
        })
        client = FalconAWS.Cloud_Connect_AWS(auth_object=oauth)

        if client.token_expired():
            return False

        client.auth_object.token_expiration = 0  # Forcibly expire the current token
        status = client.QueryAWSAccounts(parameters={"limit": 1})["status_code"]
        return status in AllowedResponses
コード例 #11
    def serviceCCAWS_InvalidPayloads(self):
        """Send three malformed requests and require a 500 status code from each.

        All three requests are always issued, in order, regardless of earlier
        results.

        Returns:
            True only when every response carries status code 500.
        """
        oauth = FalconAuth.OAuth2(creds={
            'client_id': auth.config["falcon_client_id"],
            'client_secret': auth.config["falcon_client_secret"],
        })
        client = FalconAWS.Cloud_Connect_AWS(auth_object=oauth)

        # Misspelled parameter name.
        misspelled_status = client.QueryAWSAccounts(parameters={"limite": 1})["status_code"]
        # String where the other calls on this page pass an integer.
        string_limit_status = client.QueryAWSAccounts(parameters={"limit": "1"})["status_code"]
        # String where a later version of this test sends a nested mapping.
        bad_body_status = client.UpdateAWSAccounts(body={"resources": "I'm gonna go Boom!"})["status_code"]

        return all(
            status == 500
            for status in (misspelled_status, string_limit_status, bad_body_status)
        )
コード例 #12
    def serviceCCAWS_RefreshToken(self):
        """Force the auth object's token to look expired, then issue a query.

        A token is requested up front; a 429 status on that request skips the
        test rather than failing it.

        Returns:
            False when ``token_expired()`` is already true after the initial
            token request; otherwise True or False depending on whether the
            follow-up query's status code is in ``AllowedResponses``.
        """
        oauth = FalconAuth.OAuth2(
            creds={
                'client_id': auth.config["falcon_client_id"],
                'client_secret': auth.config["falcon_client_secret"],
            },
            base_url=auth.config["falcon_base_url"],
        )
        client = CloudConnectAWS(auth_object=oauth)
        token_response = client.auth_object.token()
        if token_response["status_code"] == 429:
            pytest.skip("Rate limit hit")

        if client.token_expired():
            return False

        client.auth_object.token_expiration = 0  # Forcibly expire the current token
        status = client.QueryAWSAccounts(parameters={"limit": 1})["status_code"]
        return status in AllowedResponses
コード例 #13
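    def serviceAuth(self):
        """Load the configuration, request an access token, and report success.

        Side effects: sets ``self.authorization`` to the OAuth2 object and
        ``self.token`` to the access token (or ``False`` on failure).

        Returns:
            True when a truthy token was obtained, otherwise False.
        """
        self.getConfig()
        self.authorization = FalconAuth.OAuth2(creds={
            'client_id': self.config["falcon_client_id"],
            'client_secret': self.config["falcon_client_secret"]
        })

        try:
            self.token = self.authorization.token()['body']['access_token']
        except Exception:
            # Narrowed from a bare ``except:`` so that KeyboardInterrupt and
            # SystemExit are no longer swallowed and misreported as a failed
            # authentication.
            self.token = False

        return bool(self.token)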
コード例 #14
    def failServiceAuth(self):
        """Confirm that authentication fails with bad credentials and a bad base URL.

        Side effects: sets ``self.authorization`` and ``self.token``.

        Returns:
            True when no token was obtained (the expected outcome), False when
            a truthy token came back.
        """
        bad_auth = FalconAuth.OAuth2(creds={
            'client_id': "BadClientID",
            'client_secret': "BadClientSecret",
        })
        self.authorization = bad_auth
        bad_auth.base_url = "nowhere"
        try:
            self.token = bad_auth.token()['body']['access_token']
        except KeyError:
            self.token = False

        # NOTE(review): on the expected failure path this passes ``False`` to
        # revoke(); its return value is not inspected.
        bad_auth.revoke(self.token)

        return not self.token
コード例 #15
    def serviceMSSPAuth(self):
        """Request a token with a ``member_cid`` included in the credentials.

        Returns:
            True when the configuration loaded and the token request returned
            status 201 or 403; False otherwise, including when the response
            has no ``status_code`` key.
        """
        if not self.getConfig():
            return False

        authorization = FalconAuth.OAuth2(creds={
            'client_id': self.config["falcon_client_id"],
            'client_secret': self.config["falcon_client_secret"],
            'member_cid': '1234567890ABCDEFG',
        })
        try:
            response = authorization.token()
            # 403 is accepted as well: the hard-coded member CID is probably
            # not valid for these credentials.
            return response["status_code"] in (201, 403)
        except KeyError:
            return False
コード例 #16
    def serviceCCAWS_InvalidPayloads(self):
        """Send four malformed requests and check each response's status code.

        A token is requested up front; a 429 status on that request skips the
        test. All four requests are then issued in order regardless of earlier
        results. The two queries must return a status in ``AllowedResponses``;
        the two updates must return 400.

        Returns:
            True only when all four expectations hold.
        """
        oauth = FalconAuth.OAuth2(
            creds={
                'client_id': auth.config["falcon_client_id"],
                'client_secret': auth.config["falcon_client_secret"],
            },
            base_url=auth.config["falcon_base_url"],
        )
        client = CloudConnectAWS(auth_object=oauth)
        if client.auth_object.token()["status_code"] == 429:
            pytest.skip("Rate limit hit")

        # Misspelled parameter name.
        misspelled_status = client.QueryAWSAccounts(parameters={"limite": 1})["status_code"]
        # String where the other calls on this page pass an integer.
        string_limit_status = client.QueryAWSAccounts(parameters={"limit": "1"})["status_code"]
        # "resource" key instead of "resources".
        wrong_key_status = client.UpdateAWSAccounts(body={"resource": "I'm gonna go Boom!"})["status_code"]
        # "resources" key present but holding a placeholder id.
        bad_id_status = client.UpdateAWSAccounts(body={"resources": {"id": "I'm gonna go Boom!"}})["status_code"]

        return (
            misspelled_status in AllowedResponses
            and string_limit_status in AllowedResponses
            and wrong_key_status == 400
            and bad_id_status == 400
        )
コード例 #17
else:
    parser.error("The {} command is not recognized.".format(command))
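# These globals exist for all requests
# NOTE(review): the client secret is taken from ``args``. If that is populated
# from command-line flags (the parser.error call above suggests a CLI), the
# secret is visible in the process list and shell history -- confirm, and
# prefer a protected file or prompt for real credentials.
falcon_client_id = args.falcon_client_id
falcon_client_secret = args.falcon_client_secret
log_enabled = args.log_enabled
# Fall back to 100 when no query limit was supplied
query_limit = 100 if args.query_limit is None else args.query_limit

# =============== MAIN ROUTINE
# Authenticate using our provided falcon client_id and client_secret
try:
    authorized = FalconAuth.OAuth2(creds={
        'client_id': falcon_client_id,
        'client_secret': falcon_client_secret
    })
except Exception:
    # Construction failed, so ``authorized`` was never bound. The original
    # handler assigned to ``authorized.token`` here, which would itself raise
    # NameError; record the failure explicitly instead.
    authorized = None
# Try to retrieve a token from our authentication, returning false on failure
token = False
if authorized is not None:
    try:
        token = authorized.token()["body"]["access_token"]
    except Exception:
        token = False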

# Confirm the token was successfully retrieved
if token:
    # Connect using our token and return an instance of the API gateway object
    falcon_discover = FalconAWS.Cloud_Connect_AWS(access_token=token)
    try:
コード例 #18
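# Hostname of the machine to contain / release
hostname = args.hostname
# Default action is to contain; lift containment only when explicitly requested
action = "lift_containment" if args.lift_containment else "contain"
# Use the credentials file provided
# NOTE(review): this file holds the API client secret in plaintext, so the
# file's permissions are what protect it.
creds_file = args.creds_file
# Load the contents of the creds file into the creds dictionary
with open(creds_file) as f:
    creds = json.load(f)
# Create an instance of our OAuth2 authorization class using our ingested creds
authorization = FalconAuth.OAuth2(
    creds={
        "client_id": creds['falcon_client_id'],
        "client_secret": creds['falcon_client_secret']
    })
# Try to generate a token
try:
    token = authorization.token()['body']['access_token']
except Exception as e:
    # Exit out on authentication errors
    print("Failed to authenticate")
    print(e)
    # ``exit`` is injected by the ``site`` module and is not guaranteed to
    # exist (e.g. under ``python -S``); raising SystemExit exits with the same
    # status without that dependency.
    raise SystemExit(-1)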
# If we have a token, proceed to the next step
if token:
    # Create an instance of the Hosts class
    falcon = FalconHosts.Hosts(access_token=token)
    # Create our parameter payload, using our ingested hostname as a filter