Merge 9e3fa63 into 94eb032

Netflix · Feb 8, 2018 · 29efb7c · 29efb7c
2 parents 94eb032 + 9e3fa63
commit 29efb7c
Show file tree

Hide file tree

Showing 2 changed files with 86 additions and 1 deletion.
diff --git a/docs/misc.md b/docs/misc.md
@@ -30,6 +30,50 @@ Edit `security_monkey/scheduler.py` to change daily check schedule:
 Edit `security_monkey/watcher.py` to change check interval from every 15 minutes:
 
     self.interval = 15
+
+Synchronizing Network Whitelists
+--------------------------------
+
+Network whitelists can be imported from a JSON file in either an S3 bucket or local file. 
+
+```sh
+# add and update networks from an S3 bucket
+$ monkey sync_networks -b an-s3-bucket -f networks.json
+# in addition to the above, delete any networks not specified in networks.json
+$ monkey sync_networks -b an-s3-bucket -f networks.json -a
+# or just use a local file
+$ monkey sync_networks -f ~/networks.json
+```
+
+This JSON file should map between names and CIDRs like so:
+
+```json
+{
+    "net1": "2620:10D:C000::/40",
+    "net2": "199.201.64.0/22",
+    "net3": "2a03:2880:f10d:83:face:b00c:0:25de",
+}
+```
+
+If you're using S3 to store this file, make sure to give SecurityMonkeyInstanceProfile the appropriate policy permissions in IAM. For example, this will allow the example above to run:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AllowNetworkFileAccess",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+            ],
+            "Resource": [
+                "arn:aws:s3:::an-s3-bucket/networks.json",
+            ]
+        }
+    ]
+}
+```
 
 Overriding and Disabling Audit Checks
 -------------------------------------

diff --git a/security_monkey/manage.py b/security_monkey/manage.py
@@ -12,13 +12,14 @@
 #     See the License for the specific language governing permissions and
 #     limitations under the License.
 from datetime import datetime
+import json
 import sys
 
 from flask.ext.script import Manager, Command, Option, prompt_pass
 
 from security_monkey.account_manager import bulk_disable_accounts, bulk_enable_accounts
 from security_monkey.common.s3_canonical import get_canonical_ids
-from security_monkey.datastore import clear_old_exceptions, store_exception, AccountType, ItemAudit
+from security_monkey.datastore import clear_old_exceptions, store_exception, AccountType, ItemAudit, NetworkWhitelistEntry
 
 from security_monkey import app, db, jirasync
 from security_monkey.common.route53 import Route53Service
@@ -681,6 +682,46 @@ def sync_swag(owner, bucket_name, bucket_prefix, bucket_region, account_type, sp
     app.logger.info('SWAG sync successful.')
 
 
+@manager.option('-b', '--bucket-name', dest='bucket_name', type=unicode, help="S3 bucket where network whitelist data is stored.")
+@manager.option('-i', '--input-filename', dest='input_filename', type=unicode, default='networks.json', help="File path or bucket prefix to fetch account data from. Default: networks.json")
+@manager.option('-a', '--authoritative', dest='authoritative', default=False, action='store_true', help='Remove all networks not named in `input_filename`.')
+def sync_networks(bucket_name, input_filename, authoritative):
+    """Imports a JSON file of networks to the Security Monkey whitelist."""
+    if bucket_name:
+        import boto3
+        s3 = boto3.client('s3')
+        response = s3.get_object(
+            Bucket=bucket_name,
+            Key=input_filename,
+        )
+        handle = response['Body']
+    else:
+        handle = open(input_filename)
+    networks = json.load(handle)
+    handle.close()
+    existing = NetworkWhitelistEntry.query.filter(
+        NetworkWhitelistEntry.name in networks.keys()
+    )
+    new = set(networks.keys()) - set(entry.name for entry in existing)
+    for entry in existing:
+        existing.cidr = networks[entry.name]
+    for name in new:
+        app.logger.debug('Adding new network %s', name)
+        entry = NetworkWhitelistEntry(
+            name=name,
+            cidr=networks[name],
+        )
+        db.session.add(entry)
+    if authoritative:
+        old = NetworkWhitelistEntry.query.filter(
+            NetworkWhitelistEntry.name not in networks.keys()
+        )
+        for entry in old:
+            app.logger.debug('Removing stale network %s', entry.name)
+        old.delete()
+    db.session.commit()
+    db.session.close()
+
 class AddAccount(Command):
     def __init__(self, account_manager, *args, **kwargs):
         super(AddAccount, self).__init__(*args, **kwargs)