Add CarbonBlack downloader #52
Conversation
| self.failed_queue = failed_queue | ||
|
|
||
| # Each process needs its own logger to avoid race conditions. | ||
| self.logger = logging.getLogger(self.name) |
There was a problem hiding this comment.
As an aside, the logging package actually handles race conditions pretty well through the use of locks, etc (as seen here. That said, this is dependent on the threading package being available, and I don't think you'll have that in lambda(?). So, in normal use cases, having a separate logger for each is probably unnecessary, but is probably the safer/better solution in this case.
There was a problem hiding this comment.
This is actually a one-off script that is not designed to run in Lambda. It's probably confusing that it's part of the lambda_functions hierarchy, but I'm not sure where would be a better place to put it
There was a problem hiding this comment.
You're right; Python logging is thread-safe. I'll remove this
| if failed_md5s: | ||
| logger.error( | ||
| '%d %s failed to copy: \n%s', len(failed_md5s), | ||
| 'binary' if len(failed_md5s) == 1 else 'binaries', '\n'.join(sorted(failed_md5s))) |
lambda_functions/downloader/main.py
Outdated
| LOGGER = logging.getLogger() | ||
| LOGGER.setLevel(logging.INFO) | ||
|
|
||
| ENCRYPTED_TOKEN = os.environ['ENCRYPTED_CARBON_BLACK_API_TOKEN'] |
There was a problem hiding this comment.
Since these are required env variables, would you consider putting this into a try/except KeyError block that could log an error informing the user they must export said env variables (and then raising the exception as well). Currently the KeyError will be raised but without much context as to how to fix. For instance:
try:
CARBON_BLACK_URL = os.environ['CARBON_BLACK_URL']
ENCRYPTED_TOKEN = os.environ['ENCRYPTED_CARBON_BLACK_API_TOKEN']
TARGET_S3_BUCKET = os.environ['TARGET_S3_BUCKET']
except KeyError as err:
LOGGER.error('Please export the environment variable \'%s\' using...blah', err.message)
raise
I notice the 'TARGET_S3_BUCKET' env var is accessed within the _upload_to_s3 function and could presumably result in bigger problems if it doesn't exist. If there is not a chance that these would ever be missing, then you can probably safely ignore this :).
There was a problem hiding this comment.
That's a good idea. I'm going to leave it for now because I want to standardize this across all of the Lambda functions in a subsequent PR
There was a problem hiding this comment.
For now, I will definitely add this check in copy_all.py, since that's the only code which is designed to be invoked by a local user
lambda_functions/downloader/main.py
Outdated
| """Upload a binary to S3, keyed by a UUID. | ||
|
|
||
| Args: | ||
| local_file_path: [string] Path to the file to upload. |
There was a problem hiding this comment.
Consideration - switching to parenths style arguments (similar to what we started doing in SA)
There was a problem hiding this comment.
I think you must have been looking at an older commit; all types in new code should be replaced by explicit annotations (which obviates the need for types in the docstrings)
lambda_functions/downloader/main.py
Outdated
|
|
||
| with open(local_file_path, 'rb') as target_file: | ||
| S3_CLIENT.put_object( | ||
| Bucket=os.environ['TARGET_S3_BUCKET'], |
There was a problem hiding this comment.
See other comment about env variables (and my concern with accessing this within a function/loop in the instance that it doesn't exist).
tests/lambda_functions/build_test.py
Outdated
| def test_build_all(self, mock_print): | ||
| """Verify that the top-level build function executes without error.""" | ||
| build.build(self._tempdir) | ||
| self.assertEqual(3, mock_print.call_count) | ||
| self.assertEqual(4, mock_print.call_count) |
There was a problem hiding this comment.
++ for call count. easy tests are the best tests
manage.py
Outdated
| except ManagerError as error: | ||
| # Print error type and message, not full stack trace. | ||
| sys.exit('{}: {}'.format(type(error).__name__, error)) | ||
| self._parse_config(allow_empty=(command == 'test')) |
There was a problem hiding this comment.
Can you clarify (to me) what the allow_empty param is used for here? It looks like you mention it's only used in unit tests, but then it's used here (not in a unit test).
There was a problem hiding this comment.
This was a confusing flag to help with validation; it has since been removed and it is hopefully clearer now
lambda_functions/downloader/main.py
Outdated
|
|
||
| # Exponential backoff: try up to 4 times, waiting longer each time. | ||
| RETRY_SLEEP_SECS = [0, 30, 60, 120] | ||
|
|
||
|
|
||
| def _download_from_carbon_black(md5): | ||
| @backoff.on_exception(backoff.expo, ObjectNotFoundError, max_tries=5) | ||
| def _download_from_carbon_black(binary: Binary) -> str: |
lambda_functions/downloader/main.py
Outdated
|
|
||
| def _upload_to_s3(local_file_path, md5, observed_path): | ||
| """Upload a binary to S3, keyed by a UUID. | ||
| download_path = '/tmp/carbonblack_{}'.format(binary.md5) |
There was a problem hiding this comment.
Instead of using a hardcoded tmp dir here, I'd suggest using the tempdir package that offers interoperability across OSes
There was a problem hiding this comment.
Hmmm, that's a good point. Lambda explicitly allocates /tmp (which may not be the value returned by gettempdir). I'll try it and see!
| @@ -30,7 +30,7 @@ class MockMain(object): | |||
| """Mock out the downloader Lambda main.py.""" | |||
| CARBON_BLACK = MockCarbonBlack() | |||
|
|
|||
| def __init__(self, inject_errors: bool=False): | |||
| def __init__(self, inject_errors: bool = False): | |||
There was a problem hiding this comment.
Is the space around the equals something Typing requires? Typically this causes a pylint error so just wondering
There was a problem hiding this comment.
Pylint actually complains if there is not the extra space:
************* Module tests.lambda_functions.downloader.copy_all_test
C: 39, 0: Exactly one space required around keyword argument assignment
def __init__(self, inject_errors: bool=False):
^ (bad-whitespace)
However, this is not keyword argument assignment, so I'm guessing pylint doesn't exactly know how to handle type annotations?
I prefer the no-space version, but I don't want to have to disable the whitespace rule, so I guess I'll live with it :)
There was a problem hiding this comment.
Another note:
def __init__(self, inject_errors=False: bool):is invalid syntax
There was a problem hiding this comment.
Thanks for clarifying!
| @mock.patch.object(manage.Manager, 'build') | ||
| @mock.patch.object(manage.Manager, 'apply') | ||
| @mock.patch.object(manage.Manager, 'analyze_all') | ||
| def test_deploy(self, mock_analyze: mock.MagicMock, mock_apply: mock.MagicMock, |
There was a problem hiding this comment.
stacks on stacks on stacks
There was a problem hiding this comment.
boots and cats and stacks on stacks
austinbyers
force-pushed
the
abb--downloader
branch
from
b4b8ae4
to
5551964
Compare
austinbyers
force-pushed
the
abb--downloader
branch
from
5551964
to
ef0dfc6
Compare
|
@ryandeivert PTAL I've squashed the commits to simplify things and addressed all of the feedback. Be sure to look at the downloader code again because your last review was an an older commit for some reason |
|
@austinbyers your'e right - I had been stepping through commits since this PR was so large :) |
|
@ryandeivert Thanks for your review! I should have done a better job of keeping track of and squashing the commits. I did another deploy just to test everything one last time and once the Travis tests pass I'll go ahead and merge |
Overview
Size: Extra Large
CarbonBlack automatically uploads new binaries that it finds on endpoints; users who have CarbonBlack can now optionally enable a CarbonBlack downloader Lambda function to copy binaries from CarbonBlack into BinaryAlert.
The downloader can be enabled by running the new
python3 manage.py configurecommand to allow the user to set the CarbonBlack URL and encrypt its API key.Additionally,
python3 manage.py cb_copy_allallows users to copy the entire CarbonBlack binary corpus into BinaryAlert in one go.Full documentation will be added in the next PR.
Change Summary
lambda_functions/downloaderenable_carbon_black_downloaderTerraform variable. All downloader resources are created only if the downloader is explicitly enabled.manage.py:configureandcb_copy_allcommandstestcommand tounit_test(to distinguish it fromlive_test)Resolves: #29 (add downloader)
Resolves: #48 (additional name prefix validation)
Contributes to: #34 (type annotations)
Tested
CI
Added unit tests for downloader code as well as most of
manage.py. As you can see from the commit history, mocking everything correctly was a huge pain. In the future, I think we should removemotoentirely (we already have to do our own Dynamo and S3 mocks due to 2 separate moto issues)Test Deploy: Downloader Disabled (Default)
Test Deploy: Enable Downloader
After the previous deploy, we can easily re-configure and re-deploy:
Reviewers
to: @ryandeivert
cc: @mime-frame @airbnb/binaryalert-maintainers