def testFilterConsidersOffsetAndCount(self):
client_id = self.client_ids[0]
# Create five approval requests without granting them.
for i in range(10):
with test_lib.FakeTime(42 + i):
self.RequestClientApproval(client_id.Basename(),
reason="Request reason %d" % i)
args = user_plugin.ApiListClientApprovalsArgs(client_id=client_id,
offset=0,
count=5)
result = self.handler.Handle(args, token=self.token)
# Approvals are returned newest to oldest, so the first five approvals
# have reason 9 to 5.
self.assertEqual(len(result.items), 5)
for item, i in zip(result.items, reversed(range(6, 10))):
self.assertEqual(item.reason, "Request reason %d" % i)
# When no count is specified, take all items from offset to the end.
args = user_plugin.ApiListClientApprovalsArgs(client_id=client_id,
offset=7)
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), 3)
for item, i in zip(result.items, reversed(range(0, 3))):
self.assertEqual(item.reason, "Request reason %d" % i)
def Run(self):
with test_lib.FakeTime(42):
self.CreateAdminUser("approver")
clients = self.SetupClients(2)
for client_id in clients:
# Delete the certificate as it's being regenerated every time the
# client is created.
with aff4.FACTORY.Open(
client_id, mode="rw", token=self.token) as grr_client:
grr_client.DeleteAttribute(grr_client.Schema.CERT)
with test_lib.FakeTime(44):
approval1_id = self.RequestClientApproval(
clients[0].Basename(),
reason=self.token.reason,
approver="approver",
requestor=self.token.username)
with test_lib.FakeTime(45):
approval2_id = self.RequestClientApproval(
clients[1].Basename(),
reason=self.token.reason,
approver="approver",
requestor=self.token.username)
with test_lib.FakeTime(84):
self.GrantClientApproval(
clients[1].Basename(),
requestor=self.token.username,
approval_id=approval2_id,
approver="approver")
with test_lib.FakeTime(126):
self.Check(
"ListClientApprovals",
args=user_plugin.ApiListClientApprovalsArgs(),
replace={
approval1_id: "approval:111111",
approval2_id: "approval:222222"
})
self.Check(
"ListClientApprovals",
args=user_plugin.ApiListClientApprovalsArgs(
client_id=clients[0].Basename()),
replace={
approval1_id: "approval:111111",
approval2_id: "approval:222222"
})
def testRendersRequestedClientApprovals(self):
self._RequestClientApprovals()
args = user_plugin.ApiListClientApprovalsArgs()
result = self.handler.Handle(args, token=self.token)
# All approvals should be returned.
self.assertEqual(len(result.items), self.CLIENT_COUNT)
def testFiltersApprovalsByClientId(self):
client_id = self.client_ids[0]
self._RequestClientApprovals()
# Get approvals for a specific client. There should be exactly one.
args = user_plugin.ApiListClientApprovalsArgs(client_id=client_id)
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), 1)
self.assertEqual(result.items[0].subject.client_id, client_id)
def testFiltersApprovalsByInvalidState(self):
approval_ids = self._RequestClientApprovals()
# We only requested approvals so far, so all of them should be invalid.
args = user_plugin.ApiListClientApprovalsArgs(
state=user_plugin.ApiListClientApprovalsArgs.State.INVALID)
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), self.CLIENT_COUNT)
# Grant access to one client. Now all but one should be invalid.
self.GrantClientApproval(self.client_ids[0],
requestor=self.token.username,
approval_id=approval_ids[0])
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), self.CLIENT_COUNT - 1)
def testFiltersApprovalsByValidState(self):
approval_ids = self._RequestClientApprovals()
# We only requested approvals so far, so none of them is valid.
args = user_plugin.ApiListClientApprovalsArgs(
state=user_plugin.ApiListClientApprovalsArgs.State.VALID)
result = self.handler.Handle(args, token=self.token)
# We do not have any approved approvals yet.
self.assertEqual(len(result.items), 0)
# Grant access to one client. Now exactly one approval should be valid.
self.GrantClientApproval(self.client_ids[0].Basename(),
requestor=self.token.username,
approval_id=approval_ids[0])
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), 1)
self.assertEqual(result.items[0].subject.client_id, self.client_ids[0])
def testFiltersApprovalsByClientIdAndState(self):
client_id = self.client_ids[0]
approval_ids = self._RequestClientApprovals()
# Grant approval to a certain client.
self.GrantClientApproval(client_id.Basename(),
requestor=self.token.username,
approval_id=approval_ids[0])
args = user_plugin.ApiListClientApprovalsArgs(
client_id=client_id,
state=user_plugin.ApiListClientApprovalsArgs.State.VALID)
result = self.handler.Handle(args, token=self.token)
# We have a valid approval for the requested client.
self.assertEqual(len(result.items), 1)
args.state = user_plugin.ApiListClientApprovalsArgs.State.INVALID
result = self.handler.Handle(args, token=self.token)
# However, we do not have any invalid approvals for the client.
self.assertEqual(len(result.items), 0)
def ListClientApprovals(self, requestor=None):
requestor = requestor or self.token.username
handler = api_user.ApiListClientApprovalsHandler()
return handler.Handle(
api_user.ApiListClientApprovalsArgs(),
token=access_control.ACLToken(username=requestor)).items
