def test_put_bad_endpoint(self):
endpoint = nonexistent_url
put_data = {"whatevs": "becausenobodycares"}
session = cloudpassage.HaloSession(key_id,
secret_key,
api_host=api_hostname,
api_port=api_port,
integration_string="SDK-Smoke")
session.authenticate_client()
req = cloudpassage.HttpHelper(session)
with pytest.raises(cloudpassage.CloudPassageResourceExistence) as e:
req.put(endpoint, put_data)
assert '404' in str(e)
def test_delete(self):
rejected = False
session = cloudpassage.HaloSession(key_id,
secret_key,
api_host=api_hostname,
api_port=api_port,
integration_string="SDK-Smoke")
policy = cloudpassage.SpecialEventsPolicy(session)
try:
policy.delete("DoesNotEvenMatter")
except NotImplementedError:
rejected = True
assert rejected
def test_post_bad_payload(self):
endpoint = "/v1/groups"
post_data = {"whatevs": "becausenobodycares"}
session = cloudpassage.HaloSession(key_id,
secret_key,
api_host=api_hostname,
api_port=api_port,
integration_string="SDK-Smoke")
session.authenticate_client()
req = cloudpassage.HttpHelper(session)
with pytest.raises(cloudpassage.CloudPassageValidation) as e:
req.post(endpoint, post_data)
assert '400' in str(e)
def test_get_paginated_404(self):
endpoint = nonexistent_url
key = "noexist"
pages = 5
session = cloudpassage.HaloSession(key_id,
secret_key,
api_host=api_hostname,
api_port=api_port,
integration_string="SDK-Smoke")
session.authenticate_client()
req = cloudpassage.HttpHelper(session)
with pytest.raises(cloudpassage.CloudPassageResourceExistence) as e:
req.get_paginated(endpoint, key, pages)
assert '404' in str(e)
def main():
halo_key = os.getenv('HALO_API_KEY')
halo_secret = os.getenv('HALO_API_SECRET_KEY')
halo_api_host = os.getenv('HALO_API_HOSTNAME')
target = os.getenv('TARGET')
session = cloudpassage.HaloSession(halo_key,
halo_secret,
api_host=halo_api_host)
try:
result = generate_group_firewall_report(session, target)
print(result)
except Exception as e:
print("Exception caught!\n %s" % e)
return
def test_sam_historical_is_unsupported(self):
rejected = False
session = cloudpassage.HaloSession(key_id, secret_key,
api_host=api_hostname,
api_port=api_port)
scanner = cloudpassage.Scan(session)
server = cloudpassage.Server(session)
scan_type = "sam"
server_id = server.list_all()[0]["id"]
try:
scanner.last_scan_results(server_id, scan_type)
except cloudpassage.CloudPassageValidation:
rejected = True
assert rejected
def test_get_paginated_toomany(self):
endpoint = "/v1/events"
key = "events"
pages = 301
session = cloudpassage.HaloSession(key_id,
secret_key,
api_host=api_hostname,
api_port=api_port,
integration_string="SDK-Smoke")
session.auth_token = "abc123"
req = cloudpassage.HttpHelper(session)
with pytest.raises(cloudpassage.CloudPassageValidation) as e:
req.get_paginated(endpoint, key, pages)
assert '300 max.' in str(e)
def __init__(self, key, secret, api_host):
"""Instantiate with key, secret, and API host.
Args:
config (ConfigHelper): Config Object
"""
self.logger = Logger()
integration = self.get_integration_string()
self.session = cloudpassage.HaloSession(key,
secret,
api_host=api_host,
integration_string=integration)
self.issue = cloudpassage.Issue(self.session, endpoint_version=3)
self.http_helper = cloudpassage.HttpHelper(self.session)
self.cve_detail = cloudpassage.CveDetails(self.session)
def __init__(self, config, health_string, tasks_obj):
"""Initialization only instantiates the session object."""
self.session = cloudpassage.HaloSession(config.halo_api_key,
config.halo_api_secret_key,
api_host=config.halo_api_host,
api_port=config.halo_api_port,
integration_string=config.ua)
self.product_version = config.product_version
self.monitor_events = config.monitor_events
self.slack_channel = config.slack_channel
self.health_string = health_string
self.tasks = tasks_obj
self.flower_host = config.flower_host
self.config = config
return
def get_last_timestamp(self):
"""Get latest object's timestamp from Halo API."""
if self.halo_module == "scans":
url = "/v1/scans?sort_by=created_at.desc&per_page=1"
elif self.halo_module == "events":
url = "/v1/events?sort_by=created_at.desc&per_page=1"
else:
print("Unrecognized module: %s" % self.halo_module)
session = cloudpassage.HaloSession(
self.halo_key,
self.halo_secret,
api_host=self.halo_api_hostname,
integration_string=self.integration_name)
http_helper = cloudpassage.HttpHelper(session)
timestamp = http_helper.get(url)[self.halo_module][0]["created_at"]
return timestamp
def test_instantiation(self):
session = cloudpassage.HaloSession(key_id, secret_key,
api_host=api_hostname,
api_port=api_port,
integration_string="SDK-Smoke")
assert cloudpassage.SystemAnnouncement(session)
def __init__(self):
self.halo_creds = cloudpassage.ApiKeyManager()
self.halo_session = cloudpassage.HaloSession(
self.halo_creds.key_id, self.halo_creds.secret_key)
return
def create_announcement(self):
session = cloudpassage.HaloSession(key_id, secret_key,
api_host=api_hostname,
api_port=api_port,
integration_string="SDK-Smoke")
return(cloudpassage.SystemAnnouncement(session))
def __init__(self, *kwargs):
# Groups and prod lists to be replace by yaml template
self.cwd = path.realpath(path.join(getcwd(), path.dirname(__file__)))
self.api_key = environ['CLOUDP_KEY']
self.api_secret = environ['CLOUDP_SECRET']
self.session = cloudpassage.HaloSession(self.api_key, self.api_secret)
self.server = cloudpassage.Server(self.session)
self.policies = cloudpassage.FirewallPolicy(self.session)
self.policy_init = cloudpassage.policy.Policy(self.session)
self.poldetails = cloudpassage.FirewallRule(self.session)
self.firewall_services = cloudpassage.FirewallService(self.session)
self.http_helper = cloudpassage.HttpHelper(self.session)
self.args = args
self.firewall_ports = {}
self.filtered_ports = {}
self.rules = []
self.myrules = {}
self.users = {}
self.user_id = {}
self.filtered_rules = {}
self.rule_ids = []
self.filtered_rule_ids = {}
self.log_positions = {}
self.pol_positions = {}
self.list_of_servers = self.server.list_all()
self.list_of_policies = self.policies.list_all()
self.list_of_services = self.firewall_services.list_all()
self.policy_names = []
self.filtered_groups = []
self.policy_ids = []
self.filtered_policy_ids = []
self.unfiltered_policy_ids = []
self.filtered_policies = {}
self.activerules = {}
self.myactiverules = {}
self.activecomments = {}
self.activeurls = {}
self.activepolicies = {}
self.user = {}
self.json = {}
self.group = kwargs[0]
self.chain = kwargs[1]
self.active = kwargs[2]
self.source = kwargs[3]
self.destination = kwargs[4]
self.states = kwargs[5]
self.action = kwargs[6]
self.username = kwargs[11]
self.all = kwargs[12]
# Split without spaces being added
self.service = kwargs[7]
self.filtered_service = {}
self.unfiltered_service = {}
self.log = kwargs[8]
self.log_prefix = kwargs[9]
self.comment = kwargs[10]
self.wildcard = kwargs[13]
self.setactive = kwargs[14]
self.setinactive = kwargs[15]
self.dryrun = kwargs[16]
self.subtractfromlastrule = kwargs[17]
self.deleteinactive = kwargs[18]
self.fullbackup = kwargs[19]
self.fullrestore = kwargs[20]
self.filename = kwargs[21]
def __init__(self):
super(ApiSession, self).__init__()
self.session = cloudpassage.HaloSession(self.halo_key,
self.halo_secret)
def test_instantiation(self):
session = cloudpassage.HaloSession(key_id, secret_key)
assert cloudpassage.FirewallPolicy(session)
def test_integration_string(self):
override_string = "Halo API SDK TEST SUITE"
session = cloudpassage.HaloSession("",
"",
integration_string=override_string)
assert override_string in session.user_agent
def test_instantiation(self):
session = cloudpassage.HaloSession(key_id,
secret_key,
api_host=api_hostname,
api_port=api_port)
assert cloudpassage.Issue(session)
def __new__(cls):
session = cloudpassage.HaloSession(CONFIG['key_id'],
CONFIG['secret_key'],
api_port=CONFIG["api_port"],
api_host=CONFIG["api_hostname"])
return cloudpassage.Server(session)
def __init__(self, config):
self.config = config
# authenticate to get a session object
self.session = cloudpassage.HaloSession(self.config.halo_key,
self.config.halo_secret)
def create_halo_session_object(self):
session = cloudpassage.HaloSession(key_id, secret_key)
return session
def test_instantiation(self):
session = cloudpassage.HaloSession(key_id, secret_key)
assert cloudpassage.ConfigurationPolicy(session)
def test_halosession_build_endpoint_prefix(self):
session = cloudpassage.HaloSession(key_id, secret_key)
default_good = "https://api.cloudpassage.com:443"
fn_out = session.build_endpoint_prefix()
assert fn_out == default_good
def test_instantiation(self):
session = cloudpassage.HaloSession(key_id, secret_key)
assert cloudpassage.FimBaseline(session)
def build_halo_session(self):
halo_session = cloudpassage.HaloSession(self.halo_key,
self.halo_secret,
integration_string=self.ua)
return halo_session
def build_session(self):
session = cloudpassage.HaloSession(self.api_key,
self.api_secret,
api_host=self.api_host,
api_port=self.api_port)
return (session)
import cloudpassage
from flask import Flask
from flask import render_template
app = Flask(__name__)
halo_creds = cloudpassage.ApiKeyManager()
halo_session = cloudpassage.HaloSession(halo_creds.key_id,
halo_creds.secret_key)
def get_servers(halo_session):
servers_object = cloudpassage.Server(halo_session)
all_servers = servers_object.list_all()
return all_servers
@app.route('/')
def home_page():
return render_template('mainpage.html')
@app.route('/servers')
def server_list():
return render_template('servers.html', servers=get_servers(halo_session))
def main():
# Suspect package names
suspect_packages = "kubectl,kubeadm,kubelet"
# Suspect processes URL
procs_url = "/v2/servers?process_name=kubelet,kubeadm,kubectl,kube-proxy"
# Minimum versions safe from API auth bug
kube_min_ver = {
"1.10": "1.10.11",
"1.11": "1.11.5",
"1.12": "1.12.3",
"1.13": "1.13.0-rc.1"
}
# Get Halo auth info
key = os.getenv("HALO_API_KEY")
secret = os.getenv("HALO_API_SECRET_KEY")
# Set up CloudPassage API abstractions
session = cloudpassage.HaloSession(key, secret)
servers = cloudpassage.Server(session)
scans = cloudpassage.Scan(session)
helper = cloudpassage.HttpHelper(session)
# Get servers with suspect packages installed
servers_installed_kube = [
x for x in servers.list_all(package_name=suspect_packages)
]
# Get servers with suspect processes
servers_running_kube = [
x for x in helper.get_paginated(procs_url, "servers", 99)
]
# Print preliminary metrics
print("Installation match: %s" % len(servers_installed_kube))
print("Running process match: %s" % len(servers_running_kube))
# Get a list of all servers with K8s-related procs or packages
kube_servers = merge_server_lists(servers_installed_kube,
servers_running_kube)
# Create a dictionary of packages, processes, and metadata for each server.
inventory = {
x["id"]: {
"packages":
get_package_listing_from_scan(
scans.last_scan_results(x["id"], "svm")), # NOQA
"processes":
servers.list_processes(x["id"]),
"server_metadata":
x
}
for x in kube_servers
}
# Print a report to stdout
print("{}{}{}{}{}{}{}".format(
"Halo ID".ljust(40), "CSP account".ljust(40), "CSP Instance".ljust(40),
"kubectl version".ljust(20), "kubeadm version".ljust(20),
"kubelet version".ljust(20), "kubectl vulnerable".ljust(25),
"kubeadm vulnerable".ljust(25), "kubelet vulnerable".ljust(25),
"k8s processes(below)"))
for x in inventory.items():
server_id = x[0]
server_csp_id = x[1]["server_metadata"][
"csp_account_id"] if "csp_account_id" in x[1][
"server_metadata"] else "" # NOQA
server_instance_id = x[1]["server_metadata"][
"csp_instance_id"] if "csp_instance_id" in x[1][
"server_metadata"] else "" # NOQA
kubectl_version = get_package_version(x[1]["packages"], "kubectl")
kubeadm_version = get_package_version(x[1]["packages"], "kubeadm")
kubelet_version = get_package_version(x[1]["packages"], "kubelet")
kube_procs = get_kube_procs(x[1]["processes"])
kubectl_vulnerable = is_kube_vulnerable(kube_min_ver, kubectl_version)
kubeadm_vulnerable = is_kube_vulnerable(kube_min_ver, kubeadm_version)
kubelet_vulnerable = is_kube_vulnerable(kube_min_ver, kubelet_version)
print("{}{}{}{}{}{}{}{}{}\n{}\n\n".format(server_id.ljust(40),
server_csp_id.ljust(40),
server_instance_id.ljust(40),
kubectl_version.ljust(16),
kubeadm_version.ljust(16),
kubelet_version.ljust(16),
kubectl_vulnerable.ljust(20),
kubeadm_vulnerable.ljust(20),
kubelet_vulnerable.ljust(20),
kube_procs))
dump_to_csv(inventory, kube_min_ver)
dump_to_json(inventory)
def create_api_session(session):
config_file_loc = "cloudpassage.yml"
config_info = cloudpassage.ApiKeyManager(config_file=config_file_loc)
session = cloudpassage.HaloSession(config_info.key_id,
config_info.secret_key)
return session
def __init__(self, config):
session = cloudpassage.HaloSession(config.halo_key,
config.halo_secret,
api_host=config.halo_url)
self.scan = cloudpassage.Scan(session)
