Beispiel #1
0
    def Run(self):
        with test_lib.FakeTime(42):
            self.CreateAdminUser("approver")

            clients = self.SetupClients(2)
            for client_id in clients:
                # Delete the certificate as it's being regenerated every time the
                # client is created.
                with aff4.FACTORY.Open(client_id, mode="rw",
                                       token=self.token) as grr_client:
                    grr_client.DeleteAttribute(grr_client.Schema.CERT)

        with test_lib.FakeTime(44):
            approval_urn = security.ClientApprovalRequestor(
                reason=self.token.reason,
                subject_urn=clients[0],
                approver="approver",
                token=self.token).Request()
            approval1_id = approval_urn.Basename()

        with test_lib.FakeTime(45):
            approval_urn = security.ClientApprovalRequestor(
                reason=self.token.reason,
                subject_urn=clients[1],
                approver="approver",
                token=self.token).Request()
            approval2_id = approval_urn.Basename()

        with test_lib.FakeTime(84):
            approver_token = access_control.ACLToken(username="******")
            security.ClientApprovalGrantor(reason=self.token.reason,
                                           delegate=self.token.username,
                                           subject_urn=clients[1],
                                           token=approver_token).Grant()

        with test_lib.FakeTime(126):
            self.Check("ListClientApprovals",
                       args=user_plugin.ApiListClientApprovalsArgs(),
                       replace={
                           approval1_id: "approval:111111",
                           approval2_id: "approval:222222"
                       })
            self.Check("ListClientApprovals",
                       args=user_plugin.ApiListClientApprovalsArgs(
                           client_id=clients[0].Basename()),
                       replace={
                           approval1_id: "approval:111111",
                           approval2_id: "approval:222222"
                       })
Beispiel #2
0
    def Run(self):
        with test_lib.FakeTime(42):
            self.CreateAdminUser("requestor")

            clients = self.SetupClients(1)
            for client_id in clients:
                # Delete the certificate as it's being regenerated every time the
                # client is created.
                with aff4.FACTORY.Open(client_id, mode="rw",
                                       token=self.token) as grr_client:
                    grr_client.DeleteAttribute(grr_client.Schema.CERT)

        with test_lib.FakeTime(44):
            requestor_token = access_control.ACLToken(username="******")
            approval_urn = security.ClientApprovalRequestor(
                reason="foo",
                subject_urn=clients[0],
                approver=self.token.username,
                token=requestor_token).Request()
            approval_id = approval_urn.Basename()

        with test_lib.FakeTime(126):
            self.Check("GrantClientApproval",
                       args=user_plugin.ApiGrantClientApprovalArgs(
                           client_id=clients[0].Basename(),
                           approval_id=approval_id,
                           username="******"),
                       replace={approval_id: "approval:111111"})
Beispiel #3
0
    def testRendersRequestedClientApproval(self):
        approval_urn = aff4_security.ClientApprovalRequestor(
            reason="blah",
            subject_urn=self.client_id,
            approver="approver",
            email_cc_address="*****@*****.**",
            token=self.token).Request()
        approval_id = approval_urn.Basename()

        args = user_plugin.ApiGetClientApprovalArgs(
            client_id=self.client_id,
            approval_id=approval_id,
            username=self.token.username)
        result = self.handler.Handle(args, token=self.token)

        self.assertEqual(result.subject.urn, self.client_id)
        self.assertEqual(result.reason, "blah")
        self.assertEqual(result.is_valid, False)
        self.assertEqual(result.is_valid_message,
                         "Requires 2 approvers for access.")

        self.assertEqual(result.notified_users, ["approver"])
        self.assertEqual(result.email_cc_addresses, ["*****@*****.**"])

        # Every approval is self-approved by default.
        self.assertEqual(result.approvers, [self.token.username])
Beispiel #4
0
  def testEmailClientApprovalRequestLinkLeadsToACorrectPage(self):
    client_id = self.SetupClients(1)[0]

    messages_sent = []

    def SendEmailStub(unused_from_user, unused_to_user, unused_subject, message,
                      **unused_kwargs):
      messages_sent.append(message)

    # Request client approval, it will trigger an email message.
    with utils.Stubber(email_alerts.EMAIL_ALERTER, "SendEmail", SendEmailStub):
      security.ClientApprovalRequestor(
          reason="Please please let me",
          subject_urn=client_id,
          approver=self.token.username,
          token=access_control.ACLToken(
              username="******", reason="test")).Request()
    self.assertEqual(len(messages_sent), 1)

    # Extract link from the message text and open it.
    m = re.search(r"href='(.+?)'", messages_sent[0], re.MULTILINE)
    link = urlparse.urlparse(m.group(1))
    self.Open(link.path + "?" + link.query + "#" + link.fragment)

    # Check that requestor's username and  reason are correctly displayed.
    self.WaitUntil(self.IsTextPresent, "iwantapproval")
    self.WaitUntil(self.IsTextPresent, "Please please let me")
    # Check that host information is displayed.
    self.WaitUntil(self.IsTextPresent, client_id.Basename())
    self.WaitUntil(self.IsTextPresent, "Host-0")
Beispiel #5
0
 def RequestClientApproval(self,
                           client_id,
                           token=None,
                           approver="approver"):
     """Create an approval request to be sent to approver."""
     requestor = security.ClientApprovalRequestor(subject_urn=client_id,
                                                  reason=token.reason,
                                                  approver=approver,
                                                  token=token)
     return requestor.Request()
Beispiel #6
0
def ApprovalRequest(client_id,
                    token=None,
                    approver="approver",
                    reason="testing"):
  token = token or GetToken()
  approval_reason = reason or token.reason
  security.ClientApprovalRequestor(
      reason=approval_reason,
      subject_urn=rdf_client.ClientURN(client_id),
      approver=approver,
      token=token).Request()
Beispiel #7
0
    def testApprovalDoesNotCreateUser(self):

        username = "******"

        user = aff4.FACTORY.Open("aff4:/users/%s" % username, token=self.token)
        self.assertFalse(isinstance(user, users.GRRUser))

        security.ClientApprovalRequestor(subject_urn=self.client_id,
                                         reason=self.token.reason,
                                         approver=username,
                                         token=self.token).Request()

        user = aff4.FACTORY.Open("aff4:/users/%s" % username, token=self.token)
        self.assertFalse(isinstance(user, users.GRRUser))
Beispiel #8
0
    def testCreatingApprovalCreatesSymlink(self):
        client_id = self.SetupClients(1)[0]

        security.ClientApprovalRequestor(subject_urn=client_id,
                                         reason=self.token.reason,
                                         approver="approver",
                                         token=self.token).Request()

        approval_id = list(
            aff4.FACTORY.ListChildren(
                "aff4:/users/test/approvals/client/C.1000000000000000",
                token=self.token))[0].Basename()
        self.assertTrue(approval_id.startswith("approval:"))

        fd = aff4.FACTORY.Open(
            "aff4:/users/test/approvals/client/C.1000000000000000/%s" %
            approval_id,
            follow_symlinks=False,
            mode="r",
            token=self.token)
        self.assertEqual(fd.Get(fd.Schema.TYPE), "AFF4Symlink")
        self.assertEqual(fd.Get(fd.Schema.SYMLINK_TARGET),
                         "aff4:/ACL/C.1000000000000000/test/%s" % approval_id)
Beispiel #9
0
    def testIncludesApproversInResultWhenApprovalIsGranted(self):
        approval_urn = aff4_security.ClientApprovalRequestor(
            reason="blah",
            subject_urn=self.client_id,
            approver="approver",
            token=self.token).Request()
        approval_id = approval_urn.Basename()

        approver_token = access_control.ACLToken(username="******")
        aff4_security.ClientApprovalGrantor(reason="blah",
                                            delegate=self.token.username,
                                            subject_urn=self.client_id,
                                            token=approver_token).Grant()

        args = user_plugin.ApiGetClientApprovalArgs(
            client_id=self.client_id,
            approval_id=approval_id,
            username=self.token.username)
        result = self.handler.Handle(args, token=self.token)

        self.assertTrue(result.is_valid)
        self.assertEqual(
            sorted(result.approvers),
            sorted([approver_token.username, self.token.username]))