def testReadApprovalRequestsForSubjectIncludesGrantsIntoMultipleResults(self):
client_id = "C.000000000000001"
d = self.db
# Ensure that the requestor user exists.
d.WriteGRRUser("requestor")
for i in range(10):
approval_request = objects.ApprovalRequest(
approval_type=objects.ApprovalRequest.ApprovalType.
APPROVAL_TYPE_CLIENT,
subject_id=client_id,
requestor_username="******",
reason="some test reason %d" % i,
grants=[
objects.ApprovalGrant(grantor_username="******" % i),
objects.ApprovalGrant(grantor_username="******" % i)
],
expiration_time=rdfvalue.RDFDatetime.Now() + rdfvalue.Duration("1d"))
d.WriteApprovalRequest(approval_request)
approvals = sorted(
d.ReadApprovalRequests(
"requestor",
objects.ApprovalRequest.ApprovalType.APPROVAL_TYPE_CLIENT,
subject_id=client_id),
key=lambda a: a.reason)
self.assertEqual(len(approvals), 10)
for i, approval in enumerate(approvals):
self.assertEqual(
sorted(g.grantor_username for g in approval.grants),
["grantor_%d_1" % i, "grantor_%d_2" % i])
def testReadWriteApprovalRequestsWithFilledInUsersEmailsAndGrants(self):
d = self.db
# Ensure that the requestor user exists.
d.WriteGRRUser("requestor")
client_id = "C.0000000050000001"
approval_request = objects.ApprovalRequest(
approval_type=objects.ApprovalRequest.ApprovalType.APPROVAL_TYPE_CLIENT,
subject_id=client_id,
requestor_username="******",
reason="some test reason",
expiration_time=rdfvalue.RDFDatetime(42),
notified_users=["user1", "user2", "user3"],
email_cc_addresses=["*****@*****.**", "*****@*****.**"],
grants=[
objects.ApprovalGrant(grantor_username="******"),
objects.ApprovalGrant(grantor_username="******")
])
approval_id = d.WriteApprovalRequest(approval_request)
read_request = d.ReadApprovalRequest("requestor", approval_id)
self.assertEqual(
sorted(approval_request.notified_users),
sorted(read_request.notified_users))
self.assertEqual(
sorted(approval_request.email_cc_addresses),
sorted(read_request.email_cc_addresses))
self.assertEqual(
sorted(g.grantor_username for g in approval_request.grants),
sorted(g.grantor_username for g in read_request.grants))
def testWhenAuthMgrActiveChecksApproversForEachClientLabel(self, mock_mgr):
data_store.REL_DB.AddClientLabels(self.client.client_id, "GRR",
["foo", "bar"])
approval_request = self._CreateRequest(grants=[
rdf_objects.ApprovalGrant(grantor_username="******"),
rdf_objects.ApprovalGrant(grantor_username="******")
])
# Make sure approval manager is active.
mock_mgr.IsActive.return_value = True
approval_checks.CheckApprovalRequest(approval_request)
self.assertEqual(len(mock_mgr.CheckApproversForLabel.mock_calls), 2)
args = mock_mgr.CheckApproversForLabel.mock_calls[0][1]
self.assertEqual(args,
(access_control.ACLToken(username="******"),
rdfvalue.RDFURN(self.client.client_id), "requestor",
set(["grantor1", "grantor2"]), "bar"))
args = mock_mgr.CheckApproversForLabel.mock_calls[1][1]
self.assertEqual(args,
(access_control.ACLToken(username="******"),
rdfvalue.RDFURN(self.client.client_id), "requestor",
set(["grantor1", "grantor2"]), "foo"))
def testReadApprovalRequestsForSubjectIncludesGrantsIntoSingleResult(self):
client_id = "C.0000000050000001"
d = self.db
# Ensure that the requestor user exists.
d.WriteGRRUser("requestor")
approval_request = objects.ApprovalRequest(
approval_type=objects.ApprovalRequest.ApprovalType.APPROVAL_TYPE_CLIENT,
subject_id=client_id,
requestor_username="******",
reason="some test reason",
grants=[
objects.ApprovalGrant(grantor_username="******"),
objects.ApprovalGrant(grantor_username="******")
],
expiration_time=rdfvalue.RDFDatetime.Now() + rdfvalue.Duration("1d"))
approval_id = d.WriteApprovalRequest(approval_request)
approvals = list(
d.ReadApprovalRequests(
"requestor",
objects.ApprovalRequest.ApprovalType.APPROVAL_TYPE_CLIENT,
subject_id=client_id))
self.assertEqual(len(approvals), 1)
self.assertEqual(approvals[0].approval_id, approval_id)
self.assertEqual(
sorted(g.grantor_username for g in approvals[0].grants),
["grantor1", "grantor2"])
def testReturnsIfApprovalIsNotExpiredAndHasTwoGrants(self):
approval_request = self._CreateRequest(grants=[
rdf_objects.ApprovalGrant(grantor_username="******"),
rdf_objects.ApprovalGrant(grantor_username="******")
])
approval_checks.CheckApprovalRequest(approval_request)
def testWhenAuthMgrActiveReturnsIfClientHasNoLabels(self, mock_mgr):
approval_request = self._CreateRequest(grants=[
rdf_objects.ApprovalGrant(grantor_username="******"),
rdf_objects.ApprovalGrant(grantor_username="******")
])
# Make sure approval manager is active.
mock_mgr.IsActive.return_value = True
approval_checks.CheckApprovalRequest(approval_request)
def testRaisesWhenNoGrantsFromAdmins(self):
approval_request = self._CreateRequest(grants=[
rdf_objects.ApprovalGrant(grantor_username="******"),
rdf_objects.ApprovalGrant(grantor_username="******")
])
with self.assertRaisesRegexp(
access_control.UnauthorizedAccess,
"Need at least 1 admin approver for access"):
approval_checks.CheckApprovalRequest(approval_request)
def testRaisesIfApprovalExpired(self):
approval_request = self._CreateRequest(
expiration_time=rdfvalue.RDFDatetime.Now() -
rdfvalue.Duration("1m"),
grants=[
rdf_objects.ApprovalGrant(grantor_username="******"),
rdf_objects.ApprovalGrant(grantor_username="******")
])
with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
"Approval request is expired"):
approval_checks.CheckApprovalRequest(approval_request)
def _ResponseToApprovalsWithGrants(response):
"""Converts a generator with approval rows into ApprovalRequest objects."""
prev_triplet = None
cur_approval_request = None
for (approval_id_int, approval_timestamp, approval_request_bytes,
grantor_username, grant_timestamp) in response:
cur_triplet = (approval_id_int, approval_timestamp, approval_request_bytes)
if cur_triplet != prev_triplet:
prev_triplet = cur_triplet
if cur_approval_request:
yield cur_approval_request
cur_approval_request = _StringToRDFProto(objects.ApprovalRequest,
approval_request_bytes)
cur_approval_request.approval_id = _IntToApprovalID(approval_id_int)
if grantor_username and grant_timestamp:
cur_approval_request.grants.append(
objects.ApprovalGrant(
grantor_username=grantor_username,
timestamp=_MysqlToRDFDatetime(grant_timestamp)))
if cur_approval_request:
yield cur_approval_request
def testRaisesWhenJustOneGrant(self):
approval_request = self._CreateRequest(
grants=[rdf_objects.ApprovalGrant(grantor_username="******")])
with self.assertRaisesRegexp(
access_control.UnauthorizedAccess,
"Need at least 1 additional approver for access"):
approval_checks.CheckApprovalRequest(approval_request)
def GrantApproval(self, requestor_username, approval_id, grantor_username):
try:
approval = self.approvals_by_username[requestor_username][
approval_id]
approval.grants.append(
objects.ApprovalGrant(grantor_username=grantor_username,
timestamp=rdfvalue.RDFDatetime.Now()))
except KeyError:
raise db.UnknownApprovalRequestError(
"Can't find approval with id: %s" % approval_id)
def testWhenAuthMgrActiveRaisesIfAuthMgrRaises(self, mock_mgr):
data_store.REL_DB.AddClientLabels(self.client.client_id, "GRR",
["foo"])
approval_request = self._CreateRequest(grants=[
rdf_objects.ApprovalGrant(grantor_username="******"),
rdf_objects.ApprovalGrant(grantor_username="******")
])
# Make sure approval manager is active.
mock_mgr.IsActive.return_value = True
# CheckApproversForLabel should raise.
error = access_control.UnauthorizedAccess("some error")
mock_mgr.CheckApproversForLabel.side_effect = error
with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
"some error"):
approval_checks.CheckApprovalRequest(approval_request)
def ReadApprovalRequest(self,
requestor_username,
approval_id,
cursor=None):
"""Reads an approval request object with a given id."""
query = (
"SELECT approval_request.approval_id, approval_request.timestamp, "
"approval_request.approval_request, "
"approval_grant.grantor_username, approval_grant.timestamp "
"FROM approval_request "
"LEFT JOIN approval_grant USING (username, approval_id) "
"WHERE approval_request.approval_id=%s "
"AND approval_request.username=%s")
cursor.execute(query,
[_ApprovalIDToInt(approval_id), requestor_username])
res = cursor.fetchall()
if not res:
raise db_module.UnknownApprovalRequestError(
"Approval '%s' not found." % approval_id)
approval_id_int, timestamp, approval_request_bytes, _, _ = res[0]
approval_request = _StringToRDFProto(objects.ApprovalRequest,
approval_request_bytes)
approval_request.approval_id = _IntToApprovalID(approval_id_int)
approval_request.timestamp = _MysqlToRDFDatetime(timestamp)
for _, _, _, grantor_username, timestamp in res:
if not grantor_username:
continue
# Note: serialized approval_request objects are guaranteed to not
# have any grants.
approval_request.grants.append(
objects.ApprovalGrant(
grantor_username=grantor_username,
timestamp=_MysqlToRDFDatetime(timestamp)))
return approval_request
