I have no idea what I'm doing here.

2023-03-19 01:54:54 +02:00
parent bbc1542fa1
commit 5d9b3b2264

169
secdep.py

@@ -30,9 +30,10 @@ from libcloud.compute.providers import get_driver
from libcloud.compute.base import NodeAuthSSHKey from libcloud.compute.base import NodeAuthSSHKey
from libcloud.compute.deployment import ScriptDeployment, SSHKeyDeployment, MultiStepDeployment from libcloud.compute.deployment import ScriptDeployment, SSHKeyDeployment, MultiStepDeployment
# from azure.common.credentials import ServicePrincipalCredentials from azure.identity import ClientSecretCredential
# from azure.mgmt.network import NetworkManagementClient from azure.mgmt.resource import ResourceManagementClient
# from azure.mgmt.network.models import NetworkSecurityGroup, SecurityRule from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.network.v2022_07_01.models import SecurityRule
# Disable SSL certificate verification # Disable SSL certificate verification
# Disable SHA-2 variants of RSA key verification algorithm for backward compatibility reasons # Disable SHA-2 variants of RSA key verification algorithm for backward compatibility reasons
@@ -100,10 +101,8 @@ if not os.path.exists(ENV_FILE):
# 5) SECDEP_AZURE_SUB_ID # 5) SECDEP_AZURE_SUB_ID
# 6) SECDEP_AZURE_APP_ID # 6) SECDEP_AZURE_APP_ID
# 7) SECDEP_AZURE_PASSWORD # 7) SECDEP_AZURE_PASSWORD
# 8) SECDEP_AZURE_RESOURCE_GROUP # 8) SECDEP_AWS_ACCESS_KEY
# 9) SECDEP_AZURE_VIRTUAL_NETWORK # 9) SECDEP_AWS_SECRET_KEY
# 10) SECDEP_AWS_ACCESS_KEY
# 11) SECDEP_AWS_SECRET_KEY
# For GCE we need to create a service account (with Owner Role from the IAM section) and download the json file (from # For GCE we need to create a service account (with Owner Role from the IAM section) and download the json file (from
# the Service Account's manage keys section) in the same directory as the script # the Service Account's manage keys section) in the same directory as the script
@@ -146,14 +145,6 @@ with open(ENV_FILE, 'r') as f:
SECDEP_AZURE_PASSWORD = input("Enter your AZURE_PASSWORD: ") SECDEP_AZURE_PASSWORD = input("Enter your AZURE_PASSWORD: ")
with open(ENV_FILE, 'a') as f: with open(ENV_FILE, 'a') as f:
f.write('SECDEP_AZURE_PASSWORD={}\n'.format(SECDEP_AZURE_PASSWORD)) f.write('SECDEP_AZURE_PASSWORD={}\n'.format(SECDEP_AZURE_PASSWORD))
if 'SECDEP_AZURE_RESOURCE_GROUP' not in env_file_content:
SECDEP_AZURE_RESOURCE_GROUP = input("Enter your AZURE_RESOURCE_GROUP: ")
with open(ENV_FILE, 'a') as f:
f.write('SECDEP_AZURE_RESOURCE_GROUP={}\n'.format(SECDEP_AZURE_RESOURCE_GROUP))
if 'SECDEP_AZURE_VIRTUAL_NETWORK' not in env_file_content:
SECDEP_AZURE_VIRTUAL_NETWORK = input("Enter your AZURE_VIRTUAL_NETWORK: ")
with open(ENV_FILE, 'a') as f:
f.write('SECDEP_AZURE_VIRTUAL_NETWORK={}\n'.format(SECDEP_AZURE_VIRTUAL_NETWORK))
if 'SECDEP_AWS_ACCESS_KEY' not in env_file_content: if 'SECDEP_AWS_ACCESS_KEY' not in env_file_content:
SECDEP_AWS_ACCESS_KEY = input("Enter your AWS_ACCESS_KEY: ") SECDEP_AWS_ACCESS_KEY = input("Enter your AWS_ACCESS_KEY: ")
with open(ENV_FILE, 'a') as f: with open(ENV_FILE, 'a') as f:
@@ -185,8 +176,6 @@ def get_env_vars():
global SECDEP_AZURE_SUB_ID global SECDEP_AZURE_SUB_ID
global SECDEP_AZURE_APP_ID global SECDEP_AZURE_APP_ID
global SECDEP_AZURE_PASSWORD global SECDEP_AZURE_PASSWORD
global SECDEP_AZURE_RESOURCE_GROUP
global SECDEP_AZURE_VIRTUAL_NETWORK
global SECDEP_AWS_ACCESS_KEY global SECDEP_AWS_ACCESS_KEY
global SECDEP_AWS_SECRET_KEY global SECDEP_AWS_SECRET_KEY
# GCE # GCE
@@ -202,8 +191,6 @@ def get_env_vars():
SECDEP_AZURE_SUB_ID = os.getenv('SECDEP_AZURE_SUB_ID') SECDEP_AZURE_SUB_ID = os.getenv('SECDEP_AZURE_SUB_ID')
SECDEP_AZURE_APP_ID = os.getenv('SECDEP_AZURE_APP_ID') SECDEP_AZURE_APP_ID = os.getenv('SECDEP_AZURE_APP_ID')
SECDEP_AZURE_PASSWORD = os.getenv('SECDEP_AZURE_PASSWORD') SECDEP_AZURE_PASSWORD = os.getenv('SECDEP_AZURE_PASSWORD')
SECDEP_AZURE_RESOURCE_GROUP = os.getenv('SECDEP_AZURE_RESOURCE_GROUP')
SECDEP_AZURE_VIRTUAL_NETWORK = os.getenv('SECDEP_AZURE_VIRTUAL_NETWORK')
# AWS # AWS
SECDEP_AWS_ACCESS_KEY = os.getenv('SECDEP_AWS_ACCESS_KEY') SECDEP_AWS_ACCESS_KEY = os.getenv('SECDEP_AWS_ACCESS_KEY')
SECDEP_AWS_SECRET_KEY = os.getenv('SECDEP_AWS_SECRET_KEY') SECDEP_AWS_SECRET_KEY = os.getenv('SECDEP_AWS_SECRET_KEY')
@@ -586,7 +573,7 @@ def get_gce_driver():
# Get Azure driver # Get Azure driver
def get_azure_driver(): def get_azure_driver():
if SECDEP_AZURE_TENANT_ID !="" and SECDEP_AZURE_SUB_ID !="" and SECDEP_AZURE_APP_ID !="" and SECDEP_AZURE_PASSWORD !="" and SECDEP_AZURE_RESOURCE_GROUP !="" and SECDEP_AZURE_VIRTUAL_NETWORK != "": if SECDEP_AZURE_TENANT_ID !="" and SECDEP_AZURE_SUB_ID !="" and SECDEP_AZURE_APP_ID !="" and SECDEP_AZURE_PASSWORD !="":
driver = get_driver(Provider.AZURE_ARM) driver = get_driver(Provider.AZURE_ARM)
print("Trying to authenticate with azure...\n") print("Trying to authenticate with azure...\n")
return driver(tenant_id=SECDEP_AZURE_TENANT_ID, subscription_id=SECDEP_AZURE_SUB_ID, key=SECDEP_AZURE_APP_ID, secret=SECDEP_AZURE_PASSWORD) return driver(tenant_id=SECDEP_AZURE_TENANT_ID, subscription_id=SECDEP_AZURE_SUB_ID, key=SECDEP_AZURE_APP_ID, secret=SECDEP_AZURE_PASSWORD)
@@ -602,7 +589,7 @@ def get_providers_quantity():
providers_quantity = 0 providers_quantity = 0
if SECDEP_GCE_CLIENT_SECRET !="" and SECDEP_GCE_PROJECT_ID !="" and SECDEP_GCE_CLIENT_ID !="": if SECDEP_GCE_CLIENT_SECRET !="" and SECDEP_GCE_PROJECT_ID !="" and SECDEP_GCE_CLIENT_ID !="":
providers_quantity +=1 providers_quantity +=1
if SECDEP_AZURE_TENANT_ID !="" and SECDEP_AZURE_SUB_ID !="" and SECDEP_AZURE_APP_ID !="" and SECDEP_AZURE_PASSWORD !="" and SECDEP_AZURE_RESOURCE_GROUP !="" and SECDEP_AZURE_VIRTUAL_NETWORK != "": if SECDEP_AZURE_TENANT_ID !="" and SECDEP_AZURE_SUB_ID !="" and SECDEP_AZURE_APP_ID !="" and SECDEP_AZURE_PASSWORD !="":
providers_quantity +=1 providers_quantity +=1
if SECDEP_AWS_ACCESS_KEY !="" and SECDEP_AWS_SECRET_KEY !="": if SECDEP_AWS_ACCESS_KEY !="" and SECDEP_AWS_SECRET_KEY !="":
providers_quantity +=1 providers_quantity +=1
@@ -1072,63 +1059,52 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
exit(0) exit(0)
node = driver.create_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata) node = driver.create_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata)
elif provider == "azure": elif provider == "azure":
sec_groups = driver.ex_list_network_security_groups(SECDEP_AZURE_RESOURCE_GROUP) res_groups = driver.ex_list_resource_groups()
for sec_group in sec_groups: for res_group in res_groups:
if sec_group.name == name+"-sec_group": if res_group.name == name+"-res_group":
print("A security group with that name already exists, please try a different virtual machine name to differentiate the security group name") print("A resource group with that name already exists, please try a different virtual machine name to differentiate the resource group name")
exit(0) exit(0)
# Create Resource group using azure sdk since libcloud does not offer that functionality
# ips = driver.ex_list_public_ips(SECDEP_AZURE_RESOURCE_GROUP) credential = ClientSecretCredential(client_id=SECDEP_AZURE_APP_ID, client_secret=SECDEP_AZURE_PASSWORD, tenant_id=SECDEP_AZURE_TENANT_ID)
# for ip in ips: subscription_id = SECDEP_AZURE_SUB_ID
# if ip.name == name+"-ip": resource_client = ResourceManagementClient(credential, subscription_id)
# print("An ip with that name already exists, please try a different virtual machine name to differentiate the ip name") res_group = resource_client.resource_groups.create_or_update(name+"-res_group", {"location": location.id})
# exit(0) # Create Virtual Network using azure sdk since libcloud does not offer that functionality
network_client = NetworkManagementClient(credential, subscription_id)
driver.ex_create_network_security_group(name=name+"-sec_group", resource_group=SECDEP_AZURE_RESOURCE_GROUP, location=location) poller = network_client.virtual_networks.begin_create_or_update(res_group.name, name+"-vir_net", { "location": location.id, "address_space": {"address_prefixes": ["10.0.0.0/16"]},},)
vir_net = poller.result()
# Create the default subnet using azure sdk since libcloud does not offer that functionality
poller = network_client.subnets.begin_create_or_update(res_group.name, vir_net.name, name+"-subnet", { "address_prefix": "10.0.0.0/24"},)
subnet = poller.result()
# Create Network Security Group
driver.ex_create_network_security_group(name=name+"-sec_group", resource_group=res_group.name, location=location)
# Get the created Virtual Network
networks = driver.ex_list_networks() networks = driver.ex_list_networks()
for network in networks: for network in networks:
if network.name == SECDEP_AZURE_VIRTUAL_NETWORK: if network.name == vir_net.name:
ex_network = network ex_network = network
break break
else: else:
print("Could not find the virtual network. Maybe it was not created beforehand?") print("Could not find the virtual network. Maybe it was not created correctly?")
assert ex_network is not None, "In azure you need to manually go and create a virtual network before launching a virtual machine" # Get Virtual Network's default subnet we created
if location.id != ex_network.location:
print("Because libcloud currently has no method to automatically create resource group which is tied to a location, the given location must be the same as the one specified when you created the virtual network")
print('Current virtual network\'s location: %s' % (ex_network.location))
exit(0)
subnet = driver.ex_list_subnets(network=ex_network)[0] subnet = driver.ex_list_subnets(network=ex_network)[0]
# Create public ip
# public_ip = driver.ex_create_public_ip(name=name+"-ip", resource_group=SECDEP_AZURE_RESOURCE_GROUP, location=location, public_ip_allocation_method="Static") public_ip = driver.ex_create_public_ip(name=name+"-ip", resource_group=res_group.name, location=location, public_ip_allocation_method="Static")
# Create a Virtual Network Interface
public_ip = driver.ex_list_public_ips(SECDEP_AZURE_RESOURCE_GROUP)[0] network_interface = driver.ex_create_network_interface(name=name+"-nic", subnet=subnet, resource_group=res_group.name, location=location, public_ip=public_ip)
network_interface = driver.ex_create_network_interface(name=name+"-nic", subnet=subnet, resource_group=SECDEP_AZURE_RESOURCE_GROUP, location=location, public_ip=public_ip) # Get the created Virtual Network Interface
nic = driver.ex_list_nics(resource_group=SECDEP_AZURE_RESOURCE_GROUP)[0] nic = driver.ex_list_nics(resource_group=res_group.name)[0]
sec_group = driver.ex_list_network_security_groups(SECDEP_AZURE_RESOURCE_GROUP)[0] # Get the created Network Security Group
sec_group = driver.ex_list_network_security_groups(res_group.name)[0]
# Parameters to associate the Network Security Group to the Virtual Network Interface
params = {"ipConfigurations":[{"name":"myip1","id":nic.id,"type":"Microsoft.Network/networkInterfaces/ipConfigurations","properties":{"provisioningState":"Succeeded","privateIPAddress":"10.0.0.4","privateIPAllocationMethod":"Dynamic","publicIPAddress":{"id":public_ip.id},"subnet":{"id":subnet.id},"primary":"true","privateIPAddressVersion":"IPv4"}}],"dnsSettings":{"dnsServers":[]},"enableAcceleratedNetworking":"false","enableIPForwarding":"false","disableTcpStateTracking":"false","networkSecurityGroup":{"id":sec_group.id},"nicType":"Standard"} params = {"ipConfigurations":[{"name":"myip1","id":nic.id,"type":"Microsoft.Network/networkInterfaces/ipConfigurations","properties":{"provisioningState":"Succeeded","privateIPAddress":"10.0.0.4","privateIPAllocationMethod":"Dynamic","publicIPAddress":{"id":public_ip.id},"subnet":{"id":subnet.id},"primary":"true","privateIPAddressVersion":"IPv4"}}],"dnsSettings":{"dnsServers":[]},"enableAcceleratedNetworking":"false","enableIPForwarding":"false","disableTcpStateTracking":"false","networkSecurityGroup":{"id":sec_group.id},"nicType":"Standard"}
newnic = driver.ex_update_nic_properties(nic, SECDEP_AZURE_RESOURCE_GROUP, params) # New Virtual Network Interface associated with the Network Security Group
node = driver.create_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=SECDEP_AZURE_RESOURCE_GROUP, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True) newnic = driver.ex_update_nic_properties(nic, res_group.name, params)
# Update the Network Security Group's rules to accept connections using azure sdk since libcloud does not offer that functionality
# subscription_id = SECDEP_AZURE_SUB_ID network_client.security_rules.begin_create_or_update(res_group.name, sec_group.name,"allowAllInbound", SecurityRule(protocol='*', source_address_prefix='*', destination_address_prefix='*', access='Allow', direction='Inbound', description='Allow all', source_port_range='*', destination_port_range='*', priority=4096, name="allowAll"))
# credentials = ServicePrincipalCredentials( network_client.security_rules.begin_create_or_update(res_group.name, sec_group.name,"allowAllOutbound", SecurityRule(protocol='*', source_address_prefix='*', destination_address_prefix='*', access='Allow', direction='Outbound', description='Allow all', source_port_range='*', destination_port_range='*', priority=4096, name="allowAll"))
# client_id = SECDEP_AZURE_APP_ID, # Create the node
# secret = SECDEP_AZURE_PASSWORD, node = driver.create_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True)
# tenant = SECDEP_AZURE_TENANT_ID
# )
#
# network_client = NetworkManagementClient(
# credentials,
# subscription_id
# )
#
# network_client.security_rules.begin_create_or_update(SECDEP_AZURE_RESOURCE_GROUP,sec_group.name,"allowAllInbound",SecurityRule(
# protocol='*',
# source_address_prefix='*',
# destination_address_prefix='*',
# access='Allow',
# direction='Inbound', description='Allow all',source_port_range='*',
# destination_port_range='*',
# priority=4096, name="allowAll"))
else: else:
keys = driver.list_key_pairs() keys = driver.list_key_pairs()
for key in keys: for key in keys:
@@ -1263,6 +1239,7 @@ def node_action(action, provider):
driver = get_corresponding_driver("gce") driver = get_corresponding_driver("gce")
elif providerName == "azure": elif providerName == "azure":
driver = get_corresponding_driver("azure") driver = get_corresponding_driver("azure")
node_name = node.name
elif providerName == "aws": elif providerName == "aws":
driver = get_corresponding_driver("aws") driver = get_corresponding_driver("aws")
assert driver is not None, "Driver is not set up correctly" assert driver is not None, "Driver is not set up correctly"
@@ -1285,18 +1262,19 @@ def node_action(action, provider):
else: else:
print("%s node %s -> failed" % (providerName.upper(), action)) print("%s node %s -> failed" % (providerName.upper(), action))
if providerName == "azure" and action == "delete": if providerName == "azure" and action == "delete":
driver = get_corresponding_driver("azure") poller = resource_client.resource_groups.begin_delete(node_name+"-res_group")
node_location = node.extra['location'] result = poller.result()
locations = driver.list_locations() # node_location = node.extra['location']
for loc in locations: # locations = driver.list_locations()
if loc.id == node_location: # for loc in locations:
location = loc # if loc.id == node_location:
break # location = loc
sec_groups = driver.ex_list_network_security_groups(SECDEP_AZURE_RESOURCE_GROUP) # break
for sec_group in sec_groups: # sec_groups = driver.ex_list_network_security_groups(SECDEP_AZURE_RESOURCE_GROUP)
# driver.ex_delete_resource(sec_group) # for sec_group in sec_groups:
if sec_group.name == node.name+"-sec_group": # # driver.ex_delete_resource(sec_group)
driver.ex_delete_network_security_group(name=sec_group.name, resource_group=SECDEP_AZURE_RESOURCE_GROUP, location=location) # if sec_group.name == node.name+"-sec_group":
# driver.ex_delete_network_security_group(name=sec_group.name, resource_group=SECDEP_AZURE_RESOURCE_GROUP, location=location)
# ips = driver.ex_list_public_ips(SECDEP_AZURE_RESOURCE_GROUP) # ips = driver.ex_list_public_ips(SECDEP_AZURE_RESOURCE_GROUP)
# for ip in ips: # for ip in ips:
# if ip.name == node.name+"-ip": # if ip.name == node.name+"-ip":
@@ -1310,6 +1288,7 @@ def node_action_all(action, provider):
driver = get_corresponding_driver("gce") driver = get_corresponding_driver("gce")
elif providerName == "azure": elif providerName == "azure":
driver = get_corresponding_driver("azure") driver = get_corresponding_driver("azure")
node_name = node.name
elif providerName == "aws": elif providerName == "aws":
driver = get_corresponding_driver("aws") driver = get_corresponding_driver("aws")
assert driver is not None, "Driver is not set up correctly" assert driver is not None, "Driver is not set up correctly"
@@ -1333,18 +1312,20 @@ def node_action_all(action, provider):
else: else:
print("%s node %s -> failed" % (node.name, string)) print("%s node %s -> failed" % (node.name, string))
if providerName == "azure" and action == "delete": if providerName == "azure" and action == "delete":
driver = get_corresponding_driver("azure") poller = resource_client.resource_groups.begin_delete(node_name+"-res_group")
node_location = node.extra['location'] result = poller.result()
locations = driver.list_locations() # driver = get_corresponding_driver("azure")
for loc in locations: # node_location = node.extra['location']
if loc.id == node_location: # locations = driver.list_locations()
location = loc # for loc in locations:
break # if loc.id == node_location:
sec_groups = driver.ex_list_network_security_groups(SECDEP_AZURE_RESOURCE_GROUP) # location = loc
for sec_group in sec_groups: # break
# driver.ex_delete_resource(sec_group) # sec_groups = driver.ex_list_network_security_groups(SECDEP_AZURE_RESOURCE_GROUP)
if sec_group.name == node.name+"-sec_group": # for sec_group in sec_groups:
driver.ex_delete_network_security_group(name=sec_group.name, resource_group=SECDEP_AZURE_RESOURCE_GROUP, location=location) # # driver.ex_delete_resource(sec_group)
# if sec_group.name == node.name+"-sec_group":
# driver.ex_delete_network_security_group(name=sec_group.name, resource_group=SECDEP_AZURE_RESOURCE_GROUP, location=location)
# ips = driver.ex_list_public_ips(SECDEP_AZURE_RESOURCE_GROUP) # ips = driver.ex_list_public_ips(SECDEP_AZURE_RESOURCE_GROUP)
# for ip in ips: # for ip in ips:
# if ip.name == node.name+"-ip": # if ip.name == node.name+"-ip":
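Review bot: The two `network_client.security_rules.begin_create_or_update` calls in the create_node hunk (the lines ending in `priority=4096, name="allowAll"`) attach an NSG rule that admits every protocol and port from any source to the node's new static public IP, which exposes far more than the deployment needs; scope the inbound rule to the port the deployment actually uses and a `source_address_prefix` limited to the operator's address range, or at minimum mark the exposure with a comment such as `# NOTE: opens all inbound ports to any source — tighten before real use`. Those two calls also discard their pollers without calling `.result()`, so `driver.create_node` on the following line can start before the rules are provisioned, unlike the virtual-network and subnet calls above it which do wait on `poller.result()`. Separately, the delete branches added to node_action and node_action_all (`poller = resource_client.resource_groups.begin_delete(node_name+"-res_group")`) reference `resource_client`, which on the visible lines is only assigned as a local inside create_node's azure branch, so those branches will raise NameError unless it is bound at module level somewhere outside this diff. The enclosing functions of each of these hunks start and end outside the hunks shown.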