Ejemplo n.º 1
    def Create2HuntsForDifferentUsers(self):
        """Create two sample hunts under different accounts and approve both.

        Hunt 1 is created and requested with a separate ACL token; hunt 2 is
        created and requested as the test's own user (self.token.username).
        Both requests name "approver" as the approver, and each grant
        delegates to the account that asked: "otheruser" for hunt 1, the
        test user for hunt 2.
        """
        # NOTE(review): several username literals below read "******", which
        # looks like masking applied to this listing. Judging by the
        # delegate/approver arguments they are presumably "otheruser" and
        # "approver" -- confirm against the upstream file before reuse.
        other_owner = access_control.ACLToken(username="******")
        hunt1_id = self.CreateSampleHunt(token=other_owner)
        own_owner = access_control.ACLToken(username=self.token.username)
        hunt2_id = self.CreateSampleHunt(token=own_owner)

        # The approver account must exist before requests that name it.
        self.CreateAdminUser("approver")

        # Approval requests: one per hunt, each issued under the requester's
        # own token so the approval is recorded against that identity.
        requester = access_control.ACLToken(username="******")
        first_request = security.HuntApprovalRequestor(
            subject_urn=hunt1_id,
            reason=self.reason,
            approver="approver",
            token=requester)
        first_request.Request()

        requester = access_control.ACLToken(username=self.token.username)
        second_request = security.HuntApprovalRequestor(
            subject_urn=hunt2_id,
            reason=self.reason,
            approver="approver",
            token=requester)
        second_request.Request()

        # Grants: issued under a different token than the requester's, with
        # `delegate` naming the account that receives access.
        grantor = access_control.ACLToken(username="******")
        first_grant = security.HuntApprovalGrantor(
            subject_urn=hunt1_id,
            reason=self.reason,
            delegate="otheruser",
            token=grantor)
        first_grant.Grant()

        grantor = access_control.ACLToken(username="******")
        second_grant = security.HuntApprovalGrantor(
            subject_urn=hunt2_id,
            reason=self.reason,
            delegate=self.token.username,
            token=grantor)
        second_grant.Grant()
Ejemplo n.º 2
  def testEmailHuntApprovalGrantNotificationLinkLeadsToCorrectPage(self):
    """Follow the link from the approval-grant e-mail and land on the hunt.

    A hunt approval is requested with the test token and granted with
    GRANTOR_TOKEN. The second captured message is then checked for the
    approval reason, the grantor's username and the hunt's basename before
    its link is opened in the browser.
    """
    hunt_urn = self.CreateSampleHunt()

    approval_request = security.HuntApprovalRequestor(
        reason=self.APPROVAL_REASON,
        subject_urn=hunt_urn,
        approver=self.GRANTOR_TOKEN.username,
        token=self.token)
    approval_request.Request()

    approval_grant = security.HuntApprovalGrantor(
        reason=self.APPROVAL_REASON,
        subject_urn=hunt_urn,
        token=self.GRANTOR_TOKEN,
        delegate=self.token.username)
    approval_grant.Grant()

    # Exactly two messages are expected: index 0 for the approval request,
    # index 1 for the grant notification.
    outbox = self.messages_sent
    self.assertEqual(len(outbox), 2)

    grant_mail = outbox[1]
    # The notification has to identify why access was granted, by whom, and
    # for which hunt.
    expected_fragments = (
        self.APPROVAL_REASON,
        self.GRANTOR_TOKEN.username,
        hunt_urn.Basename(),
    )
    for fragment in expected_fragments:
      self.assertTrue(fragment in grant_mail)

    target_link = self._ExtractLinkFromMessage(grant_mail)
    self.Open(target_link)

    # The link should lead to the hunt's page, which shows the hunt id.
    self.WaitUntil(self.IsTextPresent, hunt_urn.Basename())
Ejemplo n.º 3
 def ProcessApproval():
     """Grant approval for hunt `h` under a second identity after one second.

     `self` and `h` come from the enclosing scope, which is not part of this
     excerpt. The grant delegates access to the test's own user.
     """
     # Delay first; presumably the caller is already waiting on the approval
     # when the grant lands -- confirm against the enclosing test.
     time.sleep(1)
     self.CreateAdminUser("approver")
     # NOTE(review): "******" looks like a masked username in this listing;
     # presumably "approver", matching the admin user created above.
     grant_token = access_control.ACLToken(username="******")
     grantor = security.HuntApprovalGrantor(
         subject_urn=h.urn,
         reason="blah",
         delegate=self.token.username,
         token=grant_token)
     grantor.Grant()
Ejemplo n.º 4
    def _RunTestForNormalApprovals(self):
        """Record GetHuntApproval output for one pending and one granted approval.

        Two hunts are created and an approval is requested for each. Only the
        approval for "hunt2" is granted, so the two Check() calls cover an
        approval without a grant and one with a grant. Each step runs under
        its own fixed FakeTime value.
        """
        with test_lib.FakeTime(42):
            self.CreateAdminUser("approver")

            with self.CreateHunt(description="hunt1") as first_hunt:
                hunt1_urn = first_hunt.urn
                hunt1_id = hunt1_urn.Basename()

            with self.CreateHunt(description="hunt2") as second_hunt:
                hunt2_urn = second_hunt.urn
                hunt2_id = hunt2_urn.Basename()

        # Request for hunt1: never granted below.
        with test_lib.FakeTime(44):
            first_request = security.HuntApprovalRequestor(
                reason="foo",
                subject_urn=hunt1_urn,
                approver="approver",
                token=self.token)
            approval1_id = first_request.Request().Basename()

        # Request for hunt2: granted at fake time 84.
        with test_lib.FakeTime(45):
            second_request = security.HuntApprovalRequestor(
                reason="bar",
                subject_urn=hunt2_urn,
                approver="approver",
                token=self.token)
            approval2_id = second_request.Request().Basename()

        with test_lib.FakeTime(84):
            # NOTE(review): "******" looks like a masked username in this
            # listing; presumably "approver" -- confirm upstream.
            grant_token = access_control.ACLToken(username="******")
            hunt2_grant = security.HuntApprovalGrantor(
                reason="bar",
                delegate=self.token.username,
                subject_urn=hunt2_urn,
                token=grant_token)
            hunt2_grant.Grant()

        with test_lib.FakeTime(126):
            # `replace` maps the generated ids to fixed placeholders,
            # presumably so the recorded output is stable between runs.
            pending_args = user_plugin.ApiGetHuntApprovalArgs(
                username=self.token.username,
                hunt_id=hunt1_id,
                approval_id=approval1_id)
            pending_substitutions = {
                hunt1_id: "H:123456",
                approval1_id: "approval:111111"
            }
            self.Check("GetHuntApproval",
                       args=pending_args,
                       replace=pending_substitutions)

            granted_args = user_plugin.ApiGetHuntApprovalArgs(
                username=self.token.username,
                hunt_id=hunt2_id,
                approval_id=approval2_id)
            granted_substitutions = {
                hunt2_id: "H:567890",
                approval2_id: "approval:222222"
            }
            self.Check("GetHuntApproval",
                       args=granted_args,
                       replace=granted_substitutions)
Ejemplo n.º 5
    def GrantHuntApproval(self,
                          hunt_id,
                          requestor=None,
                          reason=None,
                          approver="approver"):
        """Grant a hunt approval as `approver` on behalf of `requestor`.

        Args:
          hunt_id: Id of the hunt; appended to the "hunts" URN to form the
            approval subject.
          requestor: User who receives access. Any falsy value (None, "")
            falls back to self.token.username.
          reason: Approval reason. Any falsy value falls back to
            self.token.reason.
          approver: Username the grant is issued under. CreateAdminUser is
            called for this name first, as a side effect of this helper.
        """
        requestor = requestor or self.token.username
        reason = reason or self.token.reason

        self.CreateAdminUser(approver)

        # The grant is issued under a token for the approver, not the
        # requestor; the requestor only appears as `delegate`.
        grant_token = access_control.ACLToken(username=approver)
        hunt_urn = rdfvalue.RDFURN("hunts").Add(hunt_id)
        grantor = security.HuntApprovalGrantor(
            subject_urn=hunt_urn,
            reason=reason,
            delegate=requestor,
            token=grant_token)
        grantor.Grant()
Ejemplo n.º 6
    def testHuntACLWorkflow(self):
        """Drive the hunt approval workflow through the UI until the hunt runs.

        The test tries to run a sample hunt four times. The first attempt
        opens the "Create a new approval" form. After the requesting user
        approves their own request, the second attempt reports that one
        additional approver is needed. After a second grant, the third
        attempt reports that an approver with the 'admin' label is needed.
        After CreateAdminUser("approver"), the fourth attempt starts the hunt.
        """
        hunt_id = self.CreateSampleHunt()

        # Open up and click on View Hunts.
        self.Open("/")
        self.WaitUntil(self.IsElementPresent, "client_query")
        self.Click("css=a[grrtarget=hunts]")
        self.WaitUntil(self.IsTextPresent, "SampleHunt")

        # Select a Hunt.
        self.Click("css=td:contains('SampleHunt')")

        # Attempt 1: click on Run and wait for the confirmation dialog.
        self.Click("css=button[name=RunHunt]")
        self.WaitUntil(self.IsTextPresent,
                       "Are you sure you want to run this hunt?")
        # Click on "Proceed" and wait for authorization dialog to appear.
        self.Click("css=button[name=Proceed]")

        # No approval exists yet, so the run is rejected and the approval
        # request form is shown instead.
        self.WaitUntil(self.IsElementPresent,
                       "css=h3:contains('Create a new approval')")

        # The requesting user names itself as the approver, so the approval
        # request is addressed to the same account that sends it.
        self.Type("css=grr-request-approval-dialog input[name=acl_approver]",
                  self.token.username)
        self.Type("css=grr-request-approval-dialog input[name=acl_reason]",
                  self.reason)
        self.Click(
            "css=grr-request-approval-dialog button[name=Proceed]:not([disabled])"
        )

        # "Request Approval" dialog should go away
        self.WaitUntilNot(self.IsVisible, "css=.modal-open")

        self.WaitForNotification("aff4:/users/%s" % self.token.username)
        self.Open("/")

        # A non-zero notification counter means the request has arrived.
        self.WaitUntil(lambda: self.GetText("notification_button") != "0")

        self.Click("notification_button")
        self.Click("css=td:contains('Please grant access to hunt')")

        self.WaitUntilContains("Grant access", self.GetText,
                               "css=h2:contains('Grant')")
        self.WaitUntil(self.IsTextPresent,
                       "The user %s has requested" % self.token.username)

        # Hunt overview should be visible, so the approver can see what is
        # being approved.
        self.WaitUntil(self.IsTextPresent, "SampleHunt")
        self.WaitUntil(self.IsTextPresent, "Hunt ID")
        self.WaitUntil(self.IsTextPresent, "Clients Scheduled")

        # Grant the request from the same session that made it.
        self.Click("css=button:contains('Approve')")
        self.WaitUntil(self.IsTextPresent, "Approval granted.")

        self.WaitForNotification("aff4:/users/%s" % self.token.username)
        self.Open("/")

        # We should be notified that we have an approval
        self.WaitUntil(lambda: self.GetText("notification_button") != "0")
        self.Click("notification_button")
        self.WaitUntil(self.GetText,
                       "css=td:contains('has granted you access to hunt')")
        self.Click("css=tr:contains('has granted you access') a")

        # Run SampleHunt (it should be selected by default).
        self.WaitUntil(self.IsTextPresent, "SampleHunt")

        # Attempt 2: click on Run and wait for the confirmation dialog.
        self.Click("css=button[name=RunHunt]:not([disabled])")
        self.WaitUntil(self.IsTextPresent,
                       "Are you sure you want to run this hunt?")
        # Click on "Proceed" and wait for authorization dialog to appear.
        self.Click("css=button[name=Proceed]")

        # The single grant made so far is not enough: the dialog still asks
        # for one more approver.
        self.WaitUntilContains(
            "Need at least 1 additional approver for access.", self.GetText,
            "css=grr-request-approval-dialog")

        # Add a grant from a second identity, directly through the API
        # instead of the UI.
        # NOTE(review): "******" looks like a masked username in this listing;
        # presumably "approver", given the CreateAdminUser call further down.
        token = access_control.ACLToken(username="******")
        security.HuntApprovalGrantor(subject_urn=hunt_id,
                                     reason=self.reason,
                                     delegate=self.token.username,
                                     token=token).Grant()

        self.WaitForNotification("aff4:/users/%s" % self.token.username)
        self.Open("/")

        # We should be notified that we have an approval
        self.WaitUntil(lambda: self.GetText("notification_button") != "0")
        self.Click("notification_button")
        self.Click("css=tr:contains('has granted you access') a")
        # Wait for modal backdrop to go away.
        self.WaitUntilNot(self.IsVisible, "css=.modal-open")

        self.WaitUntil(self.IsTextPresent, "SampleHunt")

        # Attempt 3: run SampleHunt (it should be selected by default).
        self.Click("css=button[name=RunHunt]")
        self.WaitUntil(self.IsTextPresent,
                       "Are you sure you want to run this hunt?")
        # Click on "Proceed" and wait for authorization dialog to appear.
        self.Click("css=button[name=Proceed]")

        # Two grants are still insufficient: at least one of the approvers
        # must carry the 'admin' label.
        self.WaitUntilContains(
            "Need at least 1 additional approver with the 'admin' label for access",
            self.GetText, "css=grr-request-approval-dialog")

        # Let's make "approver" an admin.
        self.CreateAdminUser("approver")

        # Re-opening the original request should report that it has already
        # been granted.
        self.Open("/")
        self.Click("notification_button")

        self.Click("css=td:contains('Please grant access to hunt')")

        self.WaitUntil(self.IsTextPresent,
                       "This approval has already been granted!")

        # Attempt 4: start again from the hunts list.
        self.Open("/")
        self.WaitUntil(self.IsElementPresent, "client_query")
        self.Click("css=a[grrtarget=hunts]")
        self.WaitUntil(self.IsTextPresent, "SampleHunt")

        # Select and run SampleHunt.
        self.Click("css=td:contains('SampleHunt')")

        # Run SampleHunt (it should be selected by default).
        self.WaitUntil(self.IsTextPresent, "SampleHunt")
        self.Click("css=button[name=RunHunt]")
        self.WaitUntil(self.IsTextPresent,
                       "Are you sure you want to run this hunt?")
        # Click on "Proceed" and wait for the success status message.
        self.Click("css=button[name=Proceed]")

        # With the admin label in place no approval dialog appears and the
        # hunt starts.
        self.WaitUntil(self.IsTextPresent, "Hunt started successfully!")