Merge pull request #644 from Netflix/develop

Release v0.9.0 "13 Reasons"

.gitignore

@@ -51,10 +51,13 @@ security_monkey/static
 dart/lib/util/constants.dart
 devlog/
 venv/
+venv
 .idea/
-
+dart/.idea
+dart/.packages
+dart/web/ico/packages
 boto.cfg
 secmonkey.env
 *.crt
 *.key
-
+postgres-data/

.travis.yml

@@ -16,30 +16,40 @@ cache:
 env:
   global:
     - PIP_DOWNLOAD_CACHE=".pip_download_cache"
-    - SECURITY_MONKEY_SETTINGS=`pwd`/env-config/config-local.py
+    - SECURITY_MONKEY_SETTINGS=`pwd`/env-config/config.py
 
 install:
+  - sed -i '/WTF_CSRF_ENABLED = True/c\WTF_CSRF_ENABLED = False' `pwd`/env-config/config.py
 
 before_install:
   # - sudo apt-get -qq update
   # - sudo apt-get install -y libxml2-dev libxmlsec1-dev
+  - sudo mkdir -p /var/log/security_monkey/
+  - sudo touch /var/log/security_monkey/securitymonkey.log
+  - sudo chown travis /var/log/security_monkey/securitymonkey.log
 
 before_script:
-  - psql -c "CREATE DATABASE securitymonkeydb;" -U postgres
-  - psql -c "CREATE ROLE securitymonkeyuser LOGIN PASSWORD 'securitymonkeypass';" -U postgres
-  - psql -c "CREATE SCHEMA securitymonkeydb GRANT Usage, Create ON SCHEMA securitymonkeydb TO securitymonkeyuser;" -U postgres
+  - psql -c "CREATE DATABASE secmonkey;" -U postgres
+  - psql -c "CREATE ROLE securitymonkeyuser LOGIN PASSWORD 'securitymonkeypassword';" -U postgres
+  - psql -c "CREATE SCHEMA secmonkey GRANT Usage, Create ON SCHEMA secmonkey TO securitymonkeyuser;" -U postgres
   - psql -c "set timezone TO 'GMT';" -U postgres
   - python setup.py develop
   - pip install .[tests]
   - pip install coveralls
-  - python manage.py db upgrade
+  - monkey db upgrade
 
 script:
   - sh env_tests/test_dart.sh
-  - coverage run -m py.test security_monkey/tests || exit 1
+  - coverage run -a -m py.test security_monkey/tests/auditors || exit 1
+  - coverage run -a -m py.test security_monkey/tests/watchers || exit 1
+  - coverage run -a -m py.test security_monkey/tests/core || exit 1
+  - coverage run -a -m py.test security_monkey/tests/views || exit 1
+  - coverage run -a -m py.test security_monkey/tests/interface || exit 1
+  - coverage run -a -m py.test security_monkey/tests/utilities || exit 1
 
 after_success:
   - coveralls
+  - coverage report
 
 notifications:
   email:

AUTHORS

@@ -1,3 +1,4 @@
 - Patrick Kelley <pkelley@netflix.com>
 - Kevin Glisson <kglisson@netflix.com>
 - Roy Rapoport <rrapoport@netflix.com>
+- Travis McPeak <tmcpeak@netflix.com>

Dockerfile

@@ -16,7 +16,7 @@
 FROM ubuntu:14.04
 MAINTAINER Netflix Open Source Development <talent@netflix.com>
 
-ENV SECURITY_MONKEY_VERSION=v0.8.0 \
+ENV SECURITY_MONKEY_VERSION=v0.9.0 \
     SECURITY_MONKEY_SETTINGS=/usr/local/src/security_monkey/env-config/config-docker.py
 
 RUN apt-get update &&\
@@ -42,5 +42,3 @@ RUN chmod +x /usr/local/src/security_monkey/docker/*.sh &&\
 
 WORKDIR /usr/local/src/security_monkey
 EXPOSE 5000
-
-ENTRYPOINT ["/usr/local/src/security_monkey/docker/api-start.sh"]

README.md

@@ -0,0 +1,27 @@
+Security Monkey
+===============
+
+<img align="right" alt="Security Monkey Logo 2017" src="docs/images/Security_Monkey.png" width="50%">
+
+Security Monkey monitors your [AWS and GCP accounts](https://medium.com/@Netflix_Techblog/netflix-security-monkey-on-google-cloud-platform-gcp-f221604c0cc7) for policy changes and alerts on insecure configurations.  It provides a single UI to browse and search through all of your accounts, regions, and cloud services.  The monkey remembers previous states and can show you exactly what changed, and when.
+
+Security Monkey can be extended with [custom account types](docs/plugins.md), [custom watchers](docs/development.md#adding-a-watcher), [custom auditors](docs/development.md#adding-an-auditor), and [custom alerters](docs/misc.md#custom-alerters).
+
+It works on CPython 2.7. It is known to work on Ubuntu Linux and OS X.
+
+[![Stories in Ready](https://badge.waffle.io/Netflix/security_monkey.svg?label=ready&title=Ready)](http://waffle.io/Netflix/security_monkey) [![Gitter chat](https://badges.gitter.im/gitterHQ/gitter.png)](https://gitter.im/Netflix/security_monkey)
+
+| Develop Branch  | Master Branch |
+| ------------- | ------------- |
+| [![Build Status](https://travis-ci.org/Netflix/security_monkey.svg?branch=develop)](https://travis-ci.org/Netflix/security_monkey)  | [![Build Status](https://travis-ci.org/Netflix/security_monkey.svg?branch=master)](https://travis-ci.org/Netflix/security_monkey)  |
+| [![Coverage Status](https://coveralls.io/repos/github/Netflix/security_monkey/badge.svg?branch=develop)](https://coveralls.io/github/Netflix/security_monkey?branch=develop)  | [![Coverage Status](https://coveralls.io/repos/github/Netflix/security_monkey/badge.svg?branch=master)](https://coveralls.io/github/Netflix/security_monkey?branch=master) |
+
+
+Project resources
+-----------------
+
+- [Quickstart](docs/quickstart.md)
+- [Source code](https://github.com/netflix/security_monkey)
+- [Issue tracker](https://github.com/netflix/security_monkey/issues)
+- [Gitter.im Chat Room](https://gitter.im/Netflix/security_monkey)
+- [CloudAux](https://github.com/Netflix-Skunkworks/cloudaux)

dart/lib/component/account_pattern_audit_score_view_component/account_pattern_audit_score_view_component.dart

@@ -0,0 +1,96 @@
+part of security_monkey;
+
+@Component(
+    selector: 'accountpatternauditscoreview',
+    templateUrl: 'packages/security_monkey/component/account_pattern_audit_score_view_component/account_pattern_audit_score_view_component.html',
+    useShadowDom: false
+)
+class AccountPatternAuditScoreComponent implements ScopeAware {
+    RouteProvider routeProvider;
+    Router router;
+    AccountPatternAuditScore accountpatternauditscore;
+    bool create = false;
+    bool _as_loaded = false;
+    bool _is_error = false;
+    bool _cfg_loaded = false;
+    String err_message = "";
+    ObjectStore store;
+    UsernameService us;
+    AccountConfig config;
+
+    AccountPatternAuditScoreComponent(this.routeProvider, this.router, this.store, this.us) {
+        this.store = store;
+        // If the URL has an ID, then let's view/edit
+        if (routeProvider.parameters.containsKey("accountpatternauditscoreid")) {
+            store.one(AccountPatternAuditScore, routeProvider.parameters['accountpatternauditscoreid']).then((accountpatternauditscore) {
+                this.accountpatternauditscore = accountpatternauditscore;
+                _as_loaded = true;
+            });
+            create = false;
+        } else {
+            // If the URL does not have an ID, then let's create
+            this.accountpatternauditscore = new AccountPatternAuditScore();
+            this.accountpatternauditscore.itemauditscores_id = routeProvider.parameters['auditscoreid'];
+            create = true;
+        }
+        store.one(AccountConfig, "all").then((account_config) {
+            this.config = account_config;
+
+            _cfg_loaded = true;
+        });
+    }
+
+    void set scope(Scope scope) {
+        scope.on("globalAlert").listen(this._showMessage);
+    }
+
+    get isLoaded => (create || _as_loaded) && _cfg_loaded;
+    get isError => _is_error;
+
+    void _showMessage(ScopeEvent event) {
+        this._is_error = true;
+        this.err_message = event.data;
+    }
+
+    void saveEntry() {
+        if (create) {
+            this.store.create(this.accountpatternauditscore).then((CommandResponse r) {
+                int id = r.content['id'];
+                router.go('viewaccountpatternauditscore', {
+                    'accountpatternauditscoreid': id
+                });
+            });
+        } else {
+            this.store.update(this.accountpatternauditscore).then( (_) {
+                // let the page flicker so people know the update happened.
+                // (poor man's UX)
+                _as_loaded = false;
+                store.one(AccountPatternAuditScore, routeProvider.parameters['accountpatternauditscoreid']).then((accountpatternauditscore) {
+                    this.accountpatternauditscore = accountpatternauditscore;
+                    _as_loaded = true;
+                });
+            });
+        }
+    }
+
+    void deleteEntry() {
+        this.store.delete(this.accountpatternauditscore).then((_) {
+            router.go('viewauditscore', {
+                'auditscoreid': routeProvider.parameters['auditscoreid']
+            });
+        });
+    }
+
+    int getAllowedValues() {
+        if (accountpatternauditscore.account_type != null && accountpatternauditscore.account_field != null) {
+            List<CustomFieldConfig> field_configs = this.config.fields[accountpatternauditscore.account_type];
+            for (var field_config in field_configs) {
+                if (field_config.name == accountpatternauditscore.account_field) {
+                    return field_config.allowed_values;
+                }
+            }
+        }
+
+        return null;
+    }
+}

dart/lib/component/account_pattern_audit_score_view_component/account_pattern_audit_score_view_component.html

@@ -0,0 +1,81 @@
+<div class="container-fluid">
+  <div ng-if="isError">
+    <div class="alert alert-danger">
+      {{err_message}}
+    </div>
+  </div>
+
+  <div ng-switch="isLoaded">
+    <div ng-switch-when="false">
+      <p>Loading. . .</p>
+    </div>
+    <div class="row" ng-switch-when="true">
+      <div class="col-sm-12 col-md-12 main">
+        <h1 ng-if="!create" class="page-header">Edit Account Pattern Override Audit Score</h1>
+        <h1 ng-if="create" class="page-header">Create Account Pattern Overide Audit Score</h1>
+        <form class="form-horizontal" role="form">
+          <div class="form-group">
+            <label class="col-sm-2 control-label" tooltip-placement="right" tooltip="The custom account type containing the field(s) to match for this score">
+               Account Type
+            </label>
+            <div class="col-sm-10">
+              <select id="AccountType" ng-model="accountpatternauditscore.account_type" class="form-control">
+                  <option ng-repeat="option in config.account_types" value="{{ option }}">{{ option }}</option>
+              </select>
+            </div>
+          </div>
+          <div class="form-group">
+            <label class="col-sm-2 control-label" tooltip-placement="right" tooltip="The account field to match for this score">
+               Account Field
+            </label>
+            <div class="col-sm-10">
+              <select id="AccountField" ng-model="accountpatternauditscore.account_field" class="form-control">
+                <option ng-repeat="option in config.fields[accountpatternauditscore.account_type]" value="{{ option.name }}">{{ option.name }}</option>
+              </select>
+            </div>
+          </div>
+          <div class="form-group">
+            <label id="FieldValue" class="col-sm-2 control-label" tooltip-placement="right" tooltip="The value of the account field to match to trigger the score">
+              Field Value
+            </label>
+            <div class="col-sm-10">
+              <input ng-if="getAllowedValues()==null" type="text" class="form-control" ng-model="accountpatternauditscore.account_pattern" maxlength="256">
+              <select ng-if="getAllowedValues()!=null" ng-model="accountpatternauditscore.account_pattern" class="form-control">
+                  <option ng-repeat="option in getAllowedValues()" value="{{ option }}">{{ option }}</option>
+              </select>
+            </div>
+          </div>
+
+          <div class="form-group">
+            <label for="score" class="col-sm-2 control-label" tooltip-placement="right" tooltip="Override score">Score</label>
+            <div class="col-sm-10">
+              <select id="score" ng-model="accountpatternauditscore.score" class="form-control">
+                <option value="0">0</option>
+                <option value="1">1</option>
+                <option value="2">2</option>
+                <option value="3">3</option>
+                <option value="4">4</option>
+                <option value="5">5</option>
+                <option value="6">6</option>
+                <option value="7">7</option>
+                <option value="8">8</option>
+                <option value="9">9</option>
+                <option value="10">10</option>
+              </select>
+            </div>
+          </div>
+          <div class="form-group">
+            <div class="col-sm-offset-2 col-sm-10">
+              <button ng-if="us.hasRole('Admin')" type="submit" class="btn btn-primary" ng-click="saveEntry()">
+                Save
+              </button>
+              <button ng-if="us.hasRole('Admin') &amp;&amp; !create" type="submit" class="btn btn-danger" ng-click="deleteEntry()">
+                Delete
+              </button>
+            </div>
+          </div>
+        </form>
+        </div>
+      </div>
+    </div>
+  </div>

dart/lib/component/account_view_component/account_view_component.dart

@@ -26,15 +26,15 @@ class AccountViewComponent implements ScopeAware {
                 this.account = account;
                 this._as_loaded = true;
             });
-            store.one(AccountConfig, "all").then((account_config) {
+            store.one(AccountConfig, "custom").then((account_config) {
                 this.config = account_config;
                 _cfg_loaded = true;
             });
             create = false;
         } else {
             // If the URL does not have an ID, then let's create
             this.account = new Account();
-            store.one(AccountConfig, "all").then((account_config) {
+            store.one(AccountConfig, "custom").then((account_config) {
                 this.config = account_config;
                 _cfg_loaded = true;
             });

dart/lib/component/account_view_component/account_view_component.html

@@ -42,13 +42,17 @@ <h1 ng-if="create" class="page-header">Create Account</h1>
               tooltip-placement="left" tooltip="{{ config.identifier_tool_tips[account.account_type]}}">
             </div>
           </div>
-          <div ng-repeat="custom_field in config.custom_fields[account.account_type]" class="form-group">
+          <div ng-repeat="custom_field in config.fields[account.account_type]" class="form-group">
             <label for="{{ custom_field.name }}" class="col-sm-2 control-label" tooltip-placement="right" tooltip="{{ custom_field.tool_tip }}">{{ custom_field.label }}</label>
             <div class="col-sm-10">
-              <input ng-if="!custom_field.password" type="text" class="form-control" id="{{ custom_field.name }}" ng-model="account.custom_field_values[custom_field.name]" ng-disabled="!custom_field.editable", maxlength="256"
+              <input ng-if="!custom_field.password &amp;&amp; custom_field.allowed_values==null" type="text" class="form-control" id="{{ custom_field.name }}" ng-model="account.custom_field_values[custom_field.name]" ng-disabled="!custom_field.editable", maxlength="256"
               tooltip-placement="left" tooltip="{{ custom_field.tool_tip}}">
               <input ng-if="custom_field.password" type="password" class="form-control" id="{{ custom_field.name }}" ng-model="account.custom_field_values[custom_field.name]" ng-disabled="!custom_field.editable", maxlength="256"
               tooltip-placement="left" tooltip="{{ custom_field.tool_tip}}">
+              <select ng-if="custom_field.allowed_values!=null" id="{{ custom_field.name }}" ng-model="account.custom_field_values[custom_field.name]" class="form-control" ng-disabled="!custom_field.editable"
+                      tooltip-placement="left" tooltip="{{ custom_field.tool_tip}}">
+                  <option ng-repeat="option in custom_field.allowed_values" value="{{ option }}">{{ option }}</option>
+              </select>
             </div>
           </div>
           <div class="form-group">
@@ -85,7 +89,8 @@ <h1 ng-if="create" class="page-header">Create Account</h1>
           <hr />
           <h3 ng-if="create">Due to an open <a href="https://github.com/Netflix/security_monkey/issues/54">issue</a>. You must restart the scheduler after adding a new account.</h3>
           <pre ng-if="create" class="code">
-$ sudo  supervisorctl -c security_monkey.ini
+$ sudo  supervisorctl
+supervisor> status
 securitymonkeyapi                RUNNING    pid 19198, uptime 0:00:05
 securitymonkeyscheduler          RUNNING    pid 19199, uptime 0:00:05
 supervisor> restart securitymonkeyscheduler