def testEmailClientApprovalGrantNotificationLinkLeadsToACorrectPage(self):
client_id = self.SetupClient(0)
security.ClientApprovalRequestor(
reason=self.APPROVAL_REASON,
subject_urn=client_id,
approver=self.GRANTOR_TOKEN.username,
token=self.token).Request()
security.ClientApprovalGrantor(
reason=self.APPROVAL_REASON,
subject_urn=client_id,
token=self.GRANTOR_TOKEN,
delegate=self.token.username).Grant()
# There should be 1 message for approval request and 1 message
# for approval grant notification.
self.assertEqual(len(self.messages_sent), 2)
message = self.messages_sent[1]
self.assertTrue(self.APPROVAL_REASON in message)
self.assertTrue(self.GRANTOR_TOKEN.username in message)
self.assertTrue(client_id.Basename() in message)
self.Open(self._ExtractLinkFromMessage(message))
# We should end up on client's page. Check that host information is
# displayed.
self.WaitUntil(self.IsTextPresent, client_id.Basename())
self.WaitUntil(self.IsTextPresent, "Host-0")
# Check that the reason is displayed.
self.WaitUntil(self.IsTextPresent, self.APPROVAL_REASON)
def GrantClientApproval(self,
client_id,
reason=None,
requestor=None,
approver="approver"):
"""Grant an approval from approver to delegate.
Args:
client_id: ClientURN
reason: reason for approval request.
requestor: username string of the user receiving approval.
approver: username string of the user granting approval.
"""
if hasattr(client_id, "Basename"):
client_id = client_id.Basename()
self.CreateAdminUser(approver)
if not requestor:
requestor = self.token.username
if not reason:
reason = self.token.reason
approver_token = access_control.ACLToken(username=approver)
grantor = security.ClientApprovalGrantor(subject_urn=client_id,
reason=reason,
delegate=requestor,
token=approver_token)
grantor.Grant()
def testIncludesApproversInResultWhenApprovalIsGranted(self):
approval_urn = aff4_security.ClientApprovalRequestor(
reason="blah",
subject_urn=self.client_id,
approver="approver",
token=self.token).Request()
approval_id = approval_urn.Basename()
approver_token = access_control.ACLToken(username="******")
aff4_security.ClientApprovalGrantor(
reason="blah",
delegate=self.token.username,
subject_urn=self.client_id,
token=approver_token).Grant()
args = user_plugin.ApiGetClientApprovalArgs(
client_id=self.client_id,
approval_id=approval_id,
username=self.token.username)
result = self.handler.Handle(args, token=self.token)
self.assertTrue(result.is_valid)
self.assertEqual(
sorted(result.approvers),
sorted([approver_token.username, self.token.username]))
def Run(self):
with test_lib.FakeTime(42):
self.CreateAdminUser("approver")
clients = self.SetupClients(2)
for client_id in clients:
# Delete the certificate as it's being regenerated every time the
# client is created.
with aff4.FACTORY.Open(client_id, mode="rw",
token=self.token) as grr_client:
grr_client.DeleteAttribute(grr_client.Schema.CERT)
with test_lib.FakeTime(44):
approval_urn = security.ClientApprovalRequestor(
reason=self.token.reason,
subject_urn=clients[0],
approver="approver",
token=self.token).Request()
approval1_id = approval_urn.Basename()
with test_lib.FakeTime(45):
approval_urn = security.ClientApprovalRequestor(
reason=self.token.reason,
subject_urn=clients[1],
approver="approver",
token=self.token).Request()
approval2_id = approval_urn.Basename()
with test_lib.FakeTime(84):
approver_token = access_control.ACLToken(username="******")
security.ClientApprovalGrantor(reason=self.token.reason,
delegate=self.token.username,
subject_urn=clients[1],
token=approver_token).Grant()
with test_lib.FakeTime(126):
self.Check("ListClientApprovals",
args=user_plugin.ApiListClientApprovalsArgs(),
replace={
approval1_id: "approval:111111",
approval2_id: "approval:222222"
})
self.Check("ListClientApprovals",
args=user_plugin.ApiListClientApprovalsArgs(
client_id=clients[0].Basename()),
replace={
approval1_id: "approval:111111",
approval2_id: "approval:222222"
})
def RequestAndGrantClientApproval(client_id,
token=None,
approver="approver",
reason="testing"):
token = token or GetToken()
ApprovalRequest(client_id, token=token, approver=approver, reason=reason)
user = aff4.FACTORY.Create(
"aff4:/users/%s" % approver, users.GRRUser, token=token.SetUID())
user.Flush()
approver_token = access_control.ACLToken(username=approver)
security.ClientApprovalGrantor(
reason=reason,
delegate=token.username,
subject_urn=rdf_client.ClientURN(client_id),
token=approver_token).Grant()
def ApprovalGrant(token=None):
"""Iterate through requested access approving or not."""
user = getpass.getuser()
notifications = GetNotifications(user=user, token=token)
requests = [n for n in notifications if n.type == "GrantAccess"]
for request in requests:
_, client_id, user, reason = rdfvalue.RDFURN(request.subject).Split()
reason = utils.DecodeReasonString(reason)
print request
print "Reason: %s" % reason
if raw_input("Do you approve this request? [y/N] ").lower() == "y":
security.ClientApprovalGrantor(
subject_urn=client_id, reason=reason, delegate=user,
token=token).Grant()
# TODO(user): Remove the notification.
else:
print "skipping request"
print "Approval sent"
def testClientACLWorkflow(self):
self.Open("/")
self.Type("client_query", "C.0000000000000001")
self.Click("client_query_submit")
self.WaitUntilEqual(u"C.0000000000000001", self.GetText,
"css=span[type=subject]")
# Choose client 1
self.Click("css=td:contains('0001')")
# We do not have an approval, so we need to request one.
self.WaitUntil(self.IsElementPresent, "css=div.no-approval")
self.Click("css=button[name=requestApproval]")
self.WaitUntil(self.IsElementPresent,
"css=h3:contains('Create a new approval')")
# This asks the user "test" (which is us) to approve the request.
self.Type("css=grr-request-approval-dialog input[name=acl_approver]",
self.token.username)
self.Type("css=grr-request-approval-dialog input[name=acl_reason]",
self.reason)
self.Click(
"css=grr-request-approval-dialog button[name=Proceed]:not([disabled])")
self.WaitForNotification("aff4:/users/%s" % self.token.username)
# User test logs in as an approver.
self.Open("/")
self.WaitUntil(lambda: self.GetText("notification_button") != "0")
self.Click("notification_button")
self.Click("css=td:contains('grant access to GRR client')")
self.WaitUntilContains("Grant access", self.GetText,
"css=h2:contains('Grant')")
self.WaitUntil(self.IsTextPresent,
"The user %s has requested" % self.token.username)
self.Click("css=button:contains('Approve')")
self.WaitUntil(self.IsTextPresent, "Approval granted.")
self.WaitForNotification("aff4:/users/%s" % self.token.username)
self.Open("/")
# We should be notified that we have an approval
self.WaitUntil(lambda: self.GetText("notification_button") != "0")
self.Click("notification_button")
self.Click("css=td:contains('has granted you access')")
# This is insufficient - we need 2 approvers.
self.WaitUntil(self.IsTextPresent,
"You do not have an approval for this client.")
# Lets add another approver.
token = access_control.ACLToken(username="******")
security.ClientApprovalGrantor(
reason=self.reason,
delegate=self.token.username,
subject_urn=rdf_client.ClientURN("C.0000000000000001"),
token=token).Grant()
# Check if we see that the approval has already been granted.
self.Open("/")
self.Click("notification_button")
self.Click("css=td:contains('grant access to GRR client')")
self.WaitUntil(self.IsTextPresent,
"This approval has already been granted!")
# Try again:
self.Open("/")
self.Click("notification_button")
self.Click("css=td:contains('has granted you access')")
# Host information page should be displayed.
self.WaitUntil(self.IsTextPresent, "Last booted")
self.WaitUntil(self.IsTextPresent, "Interfaces")
# One email for the original request and one for each approval.
self.assertEqual(len(self.emails_sent), 3)
