admin / Synapse-Sonar
publicAttack Surface Simulation
Synapse-Sonar / synapse-sonar / prisma / seed.ts
4510 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 | import { PrismaClient } from "@prisma/client"; import bcrypt from "bcryptjs"; import crypto from "crypto"; import { encryptJson } from "../lib/crypto"; const prisma = new PrismaClient(); const sha256 = (v: string) => crypto.createHash("sha256").update(v).digest("hex"); /** * Seeds two tenants to demonstrate isolation, plus a sample topology, a rogue * asset, vulnerabilities, and an enabled NetscanXi integration (with ingestKey). * Run: npm run db:seed */ async function main() { // --- Tenant A: Acme --- const acme = await prisma.tenant.upsert({ where: { slug: "acme" }, update: {}, create: { name: "Acme Corp", slug: "acme" }, }); await prisma.user.upsert({ where: { username: "acmeadmin" }, update: {}, create: { tenantId: acme.id, username: "acmeadmin", email: "[email protected]", name: "Acme Admin", role: "TENANT_ADMIN", status: "ACTIVE", passwordHash: await bcrypt.hash("ChangeMe123!", 10), }, }); // NetscanXi enabled with a sensor ingest key. await prisma.integrationSetting.upsert({ where: { tenantId_provider: { tenantId: acme.id, provider: "NETSCAN_XI" } }, update: {}, create: { tenantId: acme.id, provider: "NETSCAN_XI", enabled: true, // Encrypted secrets blob + a queryable SHA-256 of the sensor ingest key. config: { ...encryptJson({ endpointUrl: "https://netscanxi.acme.test/api/v2", apiKey: "nsx_live_demo_key", }), ingestKeyHash: sha256("sensor_acme_demo_key"), // used by /api/ingest/flow-logs } as never, }, }); // Sample assets const web = await upsertAsset(acme.id, "10.0.1.10", "web-01", "SERVER", "TIER_1_CRITICAL", [80, 443]); const app = await upsertAsset(acme.id, "10.0.2.20", "app-01", "SERVER", "TIER_1_CRITICAL", [8080]); const db = await upsertAsset(acme.id, "10.0.3.30", "db-01", "DATABASE", "TIER_0_CROWN_JEWEL", [5432]); const rogue = await upsertAsset(acme.id, "10.0.9.99", "unknown-host", "UNKNOWN", "TIER_2_STANDARD", [22], true); await upsertEdge(acme.id, web.id, app.id, 8080, 5_000_000); await upsertEdge(acme.id, app.id, db.id, 5432, 20_000_000); await upsertEdge(acme.id, rogue.id, db.id, 5432, 100_000); // lateral movement attempt await prisma.vulnerability.upsert({ where: { assetId_cveId: { assetId: db.id, cveId: "CVE-2024-1234" } }, update: {}, create: { tenantId: acme.id, assetId: db.id, cveId: "CVE-2024-1234", title: "PostgreSQL privilege escalation", cvssScore: 9.8, severity: "CRITICAL", }, }); // Baseline: DB only reachable from app tier on 5432 — rogue→db will violate. await prisma.segmentationRule.create({ data: { tenantId: acme.id, description: "App tier may reach DB on 5432", sourceCidr: "10.0.2.0/24", destCidr: "10.0.3.0/24", port: 5432, action: "ALLOW", priority: 10, }, }); // --- Tenant B: Globex (isolation proof) --- const globex = await prisma.tenant.upsert({ where: { slug: "globex" }, update: {}, create: { name: "Globex", slug: "globex" }, }); await prisma.user.upsert({ where: { username: "globexadmin" }, update: {}, create: { tenantId: globex.id, username: "globexadmin", email: "[email protected]", name: "Globex Admin", role: "TENANT_ADMIN", status: "ACTIVE", passwordHash: await bcrypt.hash("ChangeMe123!", 10), }, }); console.log("Seed complete. Login: acmeadmin / ChangeMe123!"); } async function upsertAsset( tenantId: string, ip: string, hostname: string, assetType: any, criticality: any, openPorts: number[], isRogue = false ) { return prisma.asset.upsert({ where: { tenantId_ipAddress: { tenantId, ipAddress: ip } }, update: {}, create: { tenantId, ipAddress: ip, hostname, assetType, criticality, openPorts, isRogue }, }); } async function upsertEdge( tenantId: string, sourceAssetId: string, targetAssetId: string, port: number, bytes: number ) { return prisma.connection.upsert({ where: { tenantId_sourceAssetId_targetAssetId_port: { tenantId, sourceAssetId, targetAssetId, port }, }, update: { bytes: BigInt(bytes) }, create: { tenantId, sourceAssetId, targetAssetId, port, protocol: "tcp", bytes: BigInt(bytes) }, }); } main() .catch((e) => { console.error(e); process.exit(1); }) .finally(() => prisma.$disconnect()); |