Formalize the providers architecture

[Aboisier]

Once upon a time, there was only AWS. The realm of Scout was dominated by this provider only, and as it grew bigger, jealous grew the other providers. GCP was then given a piece of land. GCP, receiving a lot of attention from the Supreme Beings of Scout, was making Azure jealous. And so Azure was given a piece of land. Even though it seemed like the providers were happily cohabiting, the Supreme Beings knew something was not right.

And this is why we need to refactor the providers' architecture. Basically, there is a whole lot of provider-checking conditions, which is a huge code smell. There is already a provider model in place, but a lot of attributes should be bubbled up to the generic provider class, and some others should be pushed down to their respective provider. Basically, we should take advantage of polymorphism.

List of tasks

Services to migrate

AWS

• Lambdas (WIP - Refactoring/aws lambda config #199)
• CloudFormation (Refactoring/aws/cloudformation #216)
• CloudTrail (Refactoring/aws/cloudtrail #219)
• CloudWatch (Refactoring/aws/cloudwatch #221)
• DirectConnect (Refactoring/aws/directconnect #222)
• EC2 (EC2 migration to the new architecture #202)
• EFS (Refactoring/aws/efs #227)
• ElastiCache (Refactoring/aws/elasticache #245)
• ELB (Refactoring/aws/elb #257)
• ELBv2 (Refactoring/aws/elbv2 #259 )
• EMR (Refactoring/aws/emr #248)
• IAM (Refactoring/aws/iam #264)
• RDS (Refactoring/aws/rds #271 )
• RedShift (Refactoring/aws/redshift #261)
• Route53 (Refactoring/aws/route53 #267)
• S3 (Refactoring/aws/s3 #270)
• SES (Refactoring/aws/ses #269)
• SNS (Refactoring/aws/sns #265)
• SQS (Refactoring/aws/sqs #262)
• VPC (Refactoring/aws/vpc #273)
• Config (Integrated new config service implementation #272 and https://github.com/nccgroup/ScoutSuite-Proprietary/pull/115)
• DynamoDb (Refactoring/aws/dynamodb #274 and https://github.com/nccgroup/ScoutSuite-Proprietary/pull/115)
• KMS (Refactoring/aws/kms #280)
• Clean metadata.json

Azure

• App Gateway (https://github.com/nccgroup/ScoutSuite-Proprietary/pull/109)
• App Service (https://github.com/nccgroup/ScoutSuite-Proprietary/pull/110)
• Key Vault (Refactoring/azure/keyvault #239)
• Load Balancer (https://github.com/nccgroup/ScoutSuite-Proprietary/pull/111#event-2195042800)
• Monitor (Refactoring/azure/monitor #236)
• Network (Refactoring/azure/network #242)
• Redis Cache (https://github.com/nccgroup/ScoutSuite-Proprietary/pull/112#event-2195042800)
• Security Center (Refactoring/azure/securitycenter #243)
• SQL Database (Refactoring/azure/sqldatabase #214)
• Storage Accounts (Refactoring/azure/storageaccounts #235)

GCP

• CloudResourcesManager (Refactoring/gcp/cloudresourcemanager #231)
• CloudSQL (Refactoring/gcp/cloudsql #232)
• CloudStorage (Refactoring/gcp/cloudstorage #304)
• ComputeEngine (Refactoring/gcp/gce #319)
• IAM (Refactoring/gcp/iam #230)
• KubernetesEngine
• StackDiverLogging (Refactoring/gcp/stackdriverlogging #229)
• StackDriverMonitoring (currently has no logic)

Documentation

• Document the architecture in the wiki (a few figures would also come a long way)
• Document [at a high level] how to add a provider
• Document how to add a service for AWS
• Document how to add a service for Azure
• Document how to add a service for GCP
• Write docstrings for the classes and methods involved in the implementation of a new service

Other

• Ensure that the old logging system works or implement a new one (moved to issue Fetch all logging #283 )
• Go through all the todos we left
• Ensure that the performance is still acceptable, if not better
• [Re-]implement functionality that allows throttling API calls (similar to the current --threads). This is necessary as sometimes you need to run Scout while making sure it doesn't affect the call quota
• Explicitly deprecate python < 2.x

[Aboisier]

After discussing with @misg and @Remi05, we decided we would try implementing a composite pattern. Here's our current state of mind:

Create a hierarchical structure

When improving support for Azure, we noticed there was a lot of friction associated with implementing a new service. This is because Azure's API is very granular; a lot of API calls are needed to get one config. And regarding GCP, Scout Suite current support doesn't reflect very well the hierarchy of organization/project/region/zone used by Google (see #80 and #97). Thus, we tend to think that a composite pattern could address those issues (and make AWS support more readable and maintenable by the way, see the next section below). Basically, each time you would put an id in a resource path, you split in a new config. Each config is responsible for calling fetch_all on its children configs.

Prefer explicitness over magicness

We noticed there was a lot of magic going on. A lot of the code was over-generalized, which encouraged the use of service-specific hacks. Also, there was a lot of magic string wizardry stuff (including heavy use of Python metaprogramming). For example, AWS's targets: they were used for injecting the right API call. This seemed unnecessary and made the code flow very hard to follow and test. We decided to move the API calls to their own configs. This might be a bit redundant, but we feel like it will make the code more readable and maintainable. It will also be more resilient to potential API breaking changes. The API clients instances will be provided by some kind of container class. This will allow for easier per-service unit testing by making the mocking of API clients easy. Another idea is to use a façade. This makes testing easier (less stuff to mock) and removes some code from the service. It makes sense to put the least code possible in the configs since they are basically data models.

Refactor iteratively

This is a huge refactoring. We want to do this the right way, and the right way is to not do one humongous pull request with the whole refactoring at once. In order to do so, we are going to keep BaseConfig's current interface. This is going to allow us to migrate the services iteratively without changing the main structure. We will then remove the unused code.

Collateral improvements

We believe we will be able to make some other changes on the way. For example, we plan on making fetch_all async to allow better management of concurrency and improve scanning performance.

Current state

We are not sure this solution works, so we are currently working on a proof of concept. We will try migrating one service for each provider. We created a branch with the changes common to the three providers. We will each work on a separate branch and do our PRs onto the common branch.

@Aboisier: AWS Lambda (see branch)
@misg: Azure SQL Databases (see branch)
@Remi05: GCP ? (see branch)

[x4v13r64]

I like the approach, going with a Composite (and a bit of Facade) pattern and taking advantage of polymorphism will significantly improve the architecture.

There is indeed a lot of magic happening, especially in RegionConfig's interaction with the metadata.json file. One reason for this is that the architecture is mostly undocumented, so it's a free-for-all of using BaseConfigs, using/not using callbacks, etc. Also a lot of poorly documented and obscure functions such as recurse() and go_to_and_do()/new_go_to_and_do() make understanding the code hard. Let's not make that mistake twice and ensure the Wiki clearly details Scout's inner workings. The changes you propose should also make understanding the code flow less painful.

For GCP I'd recommend doing the PoC with Cloud SQL, as it's a mostly straightforward service.

When improving support for Azure, we noticed there was a lot of friction associated with implementing a new service. This is because Azure's API is very granular; a lot of API calls are needed to get one config.

You could say the same thing of AWS, that's likely why so many callbacks were used.

regarding GCP, Scout Suite current support doesn't reflect very well the hierarchy of organization/project/region/zone

Exactly, as GCP doesn't have a RegionConfig it's impossible to distinguish resource hierarchy. I know this isn't directly related to this thread but Scout's data model (a big dict which acts as a tree) is very much tied to the code's architecture. While you're thinking of refactoring it might be worth giving some thought to whether this approach is still valid given the growth of the tool (as we've already seen it hit some limitations, i.e. the memory limit of browsers).

Also, there was a lot of magic string wizardry stuff (including heavy use of Python metaprogramming). For example, AWS's targets: they were used for injecting the right API call

Agreed. I looks pretty "cool" as you get this large metadata file to define all the API calls, but it's not intuitive (especially without explicit documentation).

Another idea is to use a façade

This will certainly be useful in some cases, e.g. how __main__.py interacts with the providers objects.

we plan on making fetch_all async to allow better management of concurrency and improve scanning performance.

I'm not sure how much this will improve over the current multi threaded approach, but give it a shot!
You'll have to make sure that even if a composite node has a lot of leaves, resource consumption doesn't skyrocket.

In addition, will this break python 2.7 compatibility?