def testGet_Admin(self):
user = test_utils.CreateUser()
host = test_utils.CreateSantaHost(primary_user=user.nickname)
test_utils.CreateExemption(host.key.id())
with self.LoggedInUser(admin=True):
response = self.testapp.get(self.ROUTE % host.key.id())
output = response.json
self.assertIn('application/json', response.headers['Content-type'])
self.assertIsInstance(output, dict)
self.assertIn('exemption', output)
def testGet_PrimaryUser_NoPriorExemption(self):
user = test_utils.CreateUser()
host = test_utils.CreateSantaHost(primary_user=user.nickname)
self.assertTrue(model_utils.IsHostAssociatedWithUser(host, user))
with self.LoggedInUser(user=user):
response = self.testapp.get(self.ROUTE % host.key.id())
output = response.json
self.assertIn('application/json', response.headers['Content-type'])
self.assertIsInstance(output, dict)
self.assertNotIn('exemption', output)
def testException_PolicyCheckException(self, mock_metric):
host_key = test_utils.CreateSantaHost().key
exm_key = test_utils.CreateExemption(host_key.id())
self._PatchPolicyChecks(_ApprovingPolicyCheck, _ApprovingPolicyCheck,
_ExceptionPolicyCheck)
api.Process(exm_key)
exm = exm_key.get()
self.assertEqual(_STATE.REQUESTED, exm.state)
self.assertBigQueryInsertions([constants.BIGQUERY_TABLE.EXEMPTION] * 2)
mock_metric.Increment.assert_called_once()
def testDefers(self):
mock_send = self.Patch(notify.mail_utils, 'Send')
host_id = test_utils.CreateSantaHost(primary_user='******').key.id()
exm_key = test_utils.CreateExemption(host_id)
notify.DeferUpdateEmail(exm_key, _STATE.APPROVED, transactional=False)
self.assertTaskCount(constants.TASK_QUEUE.EXEMPTIONS, 1)
self.DrainTaskQueue(constants.TASK_QUEUE.EXEMPTIONS)
mock_send.assert_called_once_with(mock.ANY,
mock.ANY,
to=['aaaa'],
html=True)
def testAssociated_HasEvent(self):
user = test_utils.CreateUser()
other_user = test_utils.CreateUser()
# Create a host not owned by `user`.
host = test_utils.CreateSantaHost(primary_user=other_user.nickname)
# Create an Event which was generated by `user`.
blockable = test_utils.CreateSantaBlockable()
parent_key = datastore_utils.ConcatenateKeys(user.key, host.key,
blockable.key)
test_utils.CreateSantaEvent(blockable,
host_id=host.key.id(),
parent=parent_key)
self.assertTrue(model_utils.IsSantaHostAssociatedWithUser(host, user))
def testChangeClientMode(self):
host_key = test_utils.CreateSantaHost(
client_mode=constants.CLIENT_MODE.MONITOR,
client_mode_lock=False).key
self.assertEqual(
constants.CLIENT_MODE.MONITOR, host_key.get().client_mode)
self.assertFalse(host_key.get().client_mode_lock)
host_models.SantaHost.ChangeClientMode(
host_key.id(), constants.CLIENT_MODE.LOCKDOWN)
self.assertEqual(
constants.CLIENT_MODE.LOCKDOWN, host_key.get().client_mode)
self.assertTrue(host_key.get().client_mode_lock)
def testGetSelf_Sorted(self):
"""Hosts are sorted by their rule_sync_dts."""
early, middle, recent, recenter = common_test_utils.GetSequentialTimes(
4)
user = test_utils.CreateUser()
santa_host_1 = test_utils.CreateSantaHost(primary_user=user.nickname,
rule_sync_dt=early)
santa_host_2 = test_utils.CreateSantaHost(primary_user=user.nickname,
rule_sync_dt=middle)
test_utils.CreateSantaHost(rule_sync_dt=recent)
bit9_host_1 = test_utils.CreateBit9Host(users=[user.nickname],
last_event_dt=recenter)
self.assertTrue(
model_utils.IsHostAssociatedWithUser(santa_host_1, user))
self.assertTrue(
model_utils.IsHostAssociatedWithUser(santa_host_2, user))
self.assertTrue(model_utils.IsHostAssociatedWithUser(
bit9_host_1, user))
with self.LoggedInUser(user=user):
response = self.testapp.get(self.SELF_ROUTE)
output = response.json
self.assertIn('application/json', response.headers['Content-type'])
self.assertLen(output, 3)
expected_host_ids = [
bit9_host_1.key.id(),
santa_host_2.key.id(),
santa_host_1.key.id()
]
actual_host_ids = [entry['id'] for entry in output]
self.assertListEqual(sorted(expected_host_ids),
sorted(actual_host_ids))
def testSuccess_Santa(self):
host_key = test_utils.CreateSantaHost(primary_user='******').key
exm_key = test_utils.CreateExemption(host_key.id(),
initial_state=_STATE.APPROVED)
api.Cancel(exm_key)
exm = exm_key.get()
self.assertEqual(_STATE.CANCELLED, exm.state)
self.assertBigQueryInsertions([
constants.BIGQUERY_TABLE.HOST, constants.BIGQUERY_TABLE.EXEMPTION
])
self.DrainTaskQueue(constants.TASK_QUEUE.EXEMPTIONS)
self.mock_send.assert_called_once()
def testSuccess(self):
user = test_utils.CreateUser()
other_user = test_utils.CreateUser()
santa_host_key_1 = test_utils.CreateSantaHost(
primary_user=user.nickname).key
santa_host_key_2 = test_utils.CreateSantaHost(
primary_user=other_user.nickname).key
test_utils.CreateSantaHost(primary_user=other_user.nickname)
blockable = test_utils.CreateSantaBlockable()
parent_key = datastore_utils.ConcatenateKeys(user.key,
santa_host_key_2,
blockable.key)
test_utils.CreateSantaEvent(blockable,
host_id=santa_host_key_2.id(),
parent=parent_key)
expected_host_ids = sorted(
[santa_host_key_1.id(),
santa_host_key_2.id()])
actual_host_ids = sorted(model_utils.GetSantaHostIdsForUser(user))
self.assertListEqual(expected_host_ids, actual_host_ids)
def testApproved(self, mock_disable):
host_key = test_utils.CreateSantaHost().key
exm_key = test_utils.CreateExemption(host_key.id())
self._PatchPolicyChecks(
_ApprovingPolicyCheck,
_ApprovingPolicyCheck)
api.Process(exm_key)
exm = exm_key.get()
mock_disable.assert_called()
self.assertEqual(_STATE.APPROVED, exm.state)
self.assertBigQueryInsertions([constants.BIGQUERY_TABLE.EXEMPTION] * 2)
def testPost_BadRequest_InvalidDurationErrorProvided(self):
user = test_utils.CreateUser()
host = test_utils.CreateSantaHost(primary_user=user.nickname)
params = {
'duration': 'some_invalid_duration',
'reason': constants.EXEMPTION_REASON.DEVELOPER_MACOS
}
with self.LoggedInUser(user=user):
self.testapp.post(self.ROUTE % host.key.id(),
params=params,
status=httplib.BAD_REQUEST)
self.mock_process.assert_not_called()
def testAssociations(self):
bit9_user = test_utils.CreateUser()
bit9_host = test_utils.CreateBit9Host(users=[bit9_user.nickname])
santa_user = test_utils.CreateUser()
santa_host = test_utils.CreateSantaHost(primary_user=santa_user.nickname)
self.assertTrue(
model_utils.IsHostAssociatedWithUser(bit9_host, bit9_user))
self.assertTrue(
model_utils.IsHostAssociatedWithUser(santa_host, santa_user))
self.assertFalse(
model_utils.IsHostAssociatedWithUser(bit9_host, santa_user))
self.assertFalse(
model_utils.IsHostAssociatedWithUser(santa_host, bit9_user))
def testPut_WithoutExemption(self, mock_change):
user = test_utils.CreateUser()
host = test_utils.CreateSantaHost(primary_user=user.nickname)
with self.LoggedInUser(user=user):
url = self.ROUTE % (host.key.id(), 'false')
response = self.testapp.put(url, status=httplib.OK)
output = response.json
self.assertIn('application/json', response.headers['Content-type'])
self.assertIsInstance(output, dict)
self.assertIn('transitiveWhitelistingEnabled', output)
self.assertNotIn('exemption', output)
mock_change.assert_called_once()
def testSuccess(self, mock_send):
# Create a number of APPROVED Exemptions that expire at different times.
deactivation_dts = [
datetime.datetime(2018, 12, 19, h) for h in xrange(10)
]
for deactivation_dt in deactivation_dts:
host = test_utils.CreateSantaHost()
test_utils.CreateExemption(
host.key.id(),
initial_state=constants.EXEMPTION_STATE.APPROVED,
deactivation_dt=deactivation_dt)
start_dt = datetime.datetime(2018, 12, 19, 3)
end_dt = datetime.datetime(2018, 12, 19, 7)
exemption_upkeep._NotifyExpirationsInRange(start_dt, end_dt)
self.assertEqual(4, mock_send.call_count)
def testPost_AsAdmin_Success(self):
user = test_utils.CreateUser()
host = test_utils.CreateSantaHost(primary_user=user.nickname)
params = {
'duration': 'DAY',
'reason': constants.EXEMPTION_REASON.DEVELOPER_MACOS
}
with self.LoggedInUser(admin=True):
self.testapp.post(self.ROUTE % host.key.id(),
params=params,
status=httplib.OK)
exm = exemption_models.Exemption.Get(host.key.id())
self.assertEqual(constants.EXEMPTION_STATE.REQUESTED, exm.state)
self.assertBigQueryInsertion(constants.BIGQUERY_TABLE.EXEMPTION)
self.mock_process.assert_called_once()
def testGet_AssociatedUser(self):
user = test_utils.CreateUser()
host = test_utils.CreateSantaHost(primary_user=user.nickname)
test_utils.CreateExemption(host.key.id())
blockable = test_utils.CreateBlockable()
test_utils.CreateSantaEvent(
blockable, host_id=host.key.id(), executing_user=user.nickname,
parent=datastore_utils.ConcatenateKeys(
user.key, host.key, blockable.key))
self.assertTrue(model_utils.IsHostAssociatedWithUser(host, user))
with self.LoggedInUser(user=user):
response = self.testapp.get(self.ROUTE % host.key.id())
output = response.json
self.assertIn('application/json', response.headers['Content-type'])
self.assertIsInstance(output, dict)
self.assertIn('exemption', output)
def testGetByUserId_IsAdmin(self):
user = test_utils.CreateUser()
bit9_host_id = test_utils.CreateBit9Host(users=[user.nickname]).key.id()
santa_host_key = test_utils.CreateSantaHost(
primary_user=user.nickname).key
santa_host_id = santa_host_key.id()
blockable = test_utils.CreateSantaBlockable()
event_parent_key = datastore_utils.ConcatenateKeys(
user.key, santa_host_key, blockable.key)
test_utils.CreateSantaEvent(
blockable, host_id=santa_host_id, parent=event_parent_key)
with self.LoggedInUser(admin=True):
response = self.testapp.get(self.USER_ID_ROUTE % user.key.id())
output = response.json
self.assertLen(output, 2)
actual_ids = set(host['id'] for host in output)
self.assertSetEqual(set([santa_host_id, bit9_host_id]), actual_ids)
def testChangeModeForGroup_MultiBatch(self, mock_ctor):
users = [
test_utils.CreateUser() for _ in xrange(roles.BATCH_SIZE + 1)]
hosts = [
test_utils.CreateSantaHost(
primary_user=user_map.EmailToUsername(user.key.id()),
client_mode=MONITOR)
for user in users]
mock_ctor.return_value.AllMembers.return_value = [
user.key.id() for user in users]
response = self.testapp.get('')
self.assertEqual(httplib.OK, response.status_int)
self.assertTaskCount(constants.TASK_QUEUE.DEFAULT, 2)
self.DrainTaskQueue(constants.TASK_QUEUE.DEFAULT)
new_hosts = ndb.get_multi(host.key for host in hosts)
self.assertTrue(all(host.client_mode == LOCKDOWN for host in new_hosts))
def testPost_Admin_Update(self):
user = test_utils.CreateUser()
host = test_utils.CreateSantaHost(
primary_user=user.nickname, client_mode_lock=True,
client_mode=constants.CLIENT_MODE.MONITOR)
params = {
'clientModeLock': 'false',
'clientMode': constants.CLIENT_MODE.LOCKDOWN}
with self.LoggedInUser(admin=True):
response = self.testapp.post(self.ROUTE % host.key.id(), params)
output = response.json
self.assertIn('application/json', response.headers['Content-type'])
self.assertIsInstance(output, dict)
self.assertEqual(host.client_mode, constants.CLIENT_MODE.LOCKDOWN)
self.assertFalse(host.client_mode_lock)
def testUser_GetOwnEvent_CaseMismatch(self):
user = test_utils.CreateUser()
host = test_utils.CreateSantaHost()
blockable = test_utils.CreateSantaBlockable()
event_parent_key = datastore_utils.ConcatenateKeys(
user.key, host.key, blockable.key)
event = test_utils.CreateSantaEvent(blockable,
executing_user=user.nickname,
parent=event_parent_key)
with self.LoggedInUser(user=user):
response = self.testapp.get(self.ROUTE %
blockable.key.id().upper())
output = response.json
self.assertIn('application/json', response.headers['Content-type'])
self.assertIsInstance(output, dict)
self.assertEqual(output['id'], event.key.id())
self.assertEqual(output['hostId'], event.host_id)
self.assertIn('Event', output['class_'])
def testPost_AsAdmin_Success(self):
user = test_utils.CreateUser()
host = test_utils.CreateSantaHost(primary_user=user.nickname)
params = {
'duration': 'DAY',
'reason': constants.EXEMPTION_REASON.DEVELOPER_MACOS}
with self.LoggedInUser(admin=True):
response = self.testapp.post(
self.ROUTE % host.key.id(), params=params, status=httplib.OK)
output = response.json
exm = exemption_models.Exemption.Get(host.key.id())
self.assertIn('application/json', response.headers['Content-type'])
self.assertIsInstance(output, dict)
self.assertEqual(
constants.EXEMPTION_STATE.REQUESTED, output['exemption']['state'])
self.assertIn('transitiveWhitelistingEnabled', output)
self.assertEqual(constants.EXEMPTION_STATE.REQUESTED, exm.state)
self.assertBigQueryInsertion(constants.BIGQUERY_TABLE.EXEMPTION)
self.mock_process.assert_called_once()
def testGetHostId(self): expected_host_id = test_utils.CreateSantaHost().key.id() exm_key = test_utils.CreateExemption(expected_host_id) actual_host_id = exemption.Exemption.GetHostId(exm_key) self.assertEqual(expected_host_id, actual_host_id)
def testInvalidClientModeError(self, mock_metric):
host_id = test_utils.CreateSantaHost().key.id()
with self.assertRaises(api.InvalidClientModeError):
api._ChangeEnforcementInSanta(host_id, 'WHATEVER')
mock_metric.Increment.assert_called_once()
def testSanta(self, mock_change): host_id = test_utils.CreateSantaHost().key.id() exm_key = test_utils.CreateExemption(host_id) api._DisableLockdown(exm_key) mock_change.assert_called_once_with(host_id, _SANTA_MODE.MONITOR)
def setUp(self):
app = webapp2.WSGIApplication(routes=[events.ROUTES])
super(EventsTest, self).setUp(wsgi_app=app)
self.santa_cert = test_utils.CreateSantaCertificate()
self.santa_blockable1 = test_utils.CreateSantaBlockable(
id='aaaabbbbccccddddeeeeffffgggg',
file_name='Product.app',
cert_key=self.santa_cert.key,
cert_sha256=self.santa_cert.key.id())
self.santa_blockable2 = test_utils.CreateSantaBlockable(
id='hhhhiiiijjjjkkkkllllmmmmnnnn', file_name='Another Product.app')
self.bit9_blockable1 = test_utils.CreateBit9Binary(
id='zzzzaaaayyyybbbbxxxxccccwwww', file_name='notepad++.exe')
self.user_1 = test_utils.CreateUser()
self.user_2 = test_utils.CreateUser()
self.santa_host1 = test_utils.CreateSantaHost(
id='AAAAAAAA-1111-BBBB-2222-CCCCCCCCCCCC',
recorded_dt=datetime.datetime(2015, 2, 1, 1, 0, 0))
self.santa_host2 = test_utils.CreateSantaHost(
id='DDDDDDDD-3333-EEEE-33333-FFFFFFFFFFFF',
recorded_dt=datetime.datetime(2015, 2, 1, 1, 0, 0))
self.bit9_host1 = test_utils.CreateSantaHost(
id='CHANGE-ME', recorded_dt=datetime.datetime(2015, 2, 1, 1, 0, 0))
self.bit9_host2 = test_utils.CreateSantaHost(
id='CHANGE-ME2',
recorded_dt=datetime.datetime(2015, 2, 1, 1, 0, 0))
self.santa_event1_from_user1 = test_utils.CreateSantaEvent(
self.santa_blockable1,
cert_key=self.santa_cert.key,
cert_sha256=self.santa_blockable1.cert_sha256,
executing_user=self.user_1.nickname,
event_type=constants.EVENT_TYPE.ALLOW_UNKNOWN,
file_name=self.santa_blockable1.file_name,
file_path='/Applications/Product.app/Contents/MacOs',
host_id=self.santa_host1.key.id(),
last_blocked_dt=datetime.datetime(2015, 3, 1, 1, 0, 0),
first_blocked_dt=datetime.datetime(2015, 3, 1, 1, 0, 0),
parent=utils.ConcatenateKeys(self.user_1.key, self.santa_host1.key,
self.santa_blockable1.key))
self.santa_event2_from_user1 = test_utils.CreateSantaEvent(
self.santa_blockable1,
cert_key=self.santa_cert.key,
cert_sha256=self.santa_blockable1.cert_sha256,
executing_user=self.user_1.nickname,
event_type=constants.EVENT_TYPE.ALLOW_UNKNOWN,
file_name=self.santa_blockable1.file_name,
file_path='/Applications/Product.app/Contents/MacOs',
host_id=self.santa_host2.key.id(),
last_blocked_dt=datetime.datetime(2015, 4, 1, 1, 0, 0),
first_blocked_dt=datetime.datetime(2015, 4, 1, 1, 0, 0),
parent=utils.ConcatenateKeys(self.user_1.key, self.santa_host2.key,
self.santa_blockable1.key))
self.santa_event3_from_user1 = test_utils.CreateSantaEvent(
self.santa_blockable2,
event_type=constants.EVENT_TYPE.ALLOW_UNKNOWN,
executing_user=self.user_1.nickname,
file_name=self.santa_blockable2.file_name,
file_path='/Applications/Another Product.app/Contents/MacOs',
host_id=self.santa_host1.key.id(),
last_blocked_dt=datetime.datetime(2015, 5, 1, 1, 0, 0),
first_blocked_dt=datetime.datetime(2015, 5, 1, 1, 0, 0),
parent=utils.ConcatenateKeys(self.user_1.key, self.santa_host1.key,
self.santa_blockable2.key))
self.santa_event1_from_user2 = test_utils.CreateSantaEvent(
self.santa_blockable1,
event_type=constants.EVENT_TYPE.ALLOW_UNKNOWN,
executing_user=self.user_2.nickname,
file_name=self.santa_blockable1.file_name,
file_path='/Applications/Product.app/Contents/MacOs',
host_id=self.santa_host2.key.id(),
last_blocked_dt=datetime.datetime(2015, 3, 1, 1, 0, 0),
first_blocked_dt=datetime.datetime(2015, 3, 1, 1, 0, 0),
parent=utils.ConcatenateKeys(self.user_2.key, self.santa_host2.key,
self.santa_blockable1.key))
self.bit9_event1_from_user1 = test_utils.CreateBit9Event(
self.bit9_blockable1,
executing_user=self.user_1.nickname,
file_name=self.bit9_blockable1.file_name,
file_path=r'c:\program files (x86)\notepad++',
host_id=self.bit9_host1.key.id(),
last_blocked_dt=datetime.datetime(2015, 6, 1, 1, 0, 0),
first_blocked_dt=datetime.datetime(2015, 6, 1, 1, 0, 0),
parent=utils.ConcatenateKeys(self.user_1.key, self.bit9_host1.key,
self.bit9_blockable1.key))
self.bit9_event1_from_user2 = test_utils.CreateBit9Event(
self.bit9_blockable1,
executing_user=self.user_2.nickname,
file_name='notepad++.exe',
file_path=r'c:\program files (x86)\notepad++',
host_id=self.bit9_host2.key.id(),
last_blocked_dt=datetime.datetime(2015, 4, 1, 1, 0, 0),
first_blocked_dt=datetime.datetime(2015, 4, 1, 1, 0, 0),
parent=utils.ConcatenateKeys(self.user_2.key, self.bit9_host2.key,
self.bit9_blockable1.key))
self.PatchValidateXSRFToken()
def testHostIsAssociatedWithUser_PrimaryUser(self):
user = test_utils.CreateUser()
host = test_utils.CreateSantaHost(primary_user=user.nickname)
self.assertTrue(host.IsAssociatedWithUser(user))
def testNotAssociated_NoEvent(self):
user = test_utils.CreateUser()
# Create a host not owned by `user`.
host = test_utils.CreateSantaHost(primary_user='******')
self.assertFalse(model_utils.IsSantaHostAssociatedWithUser(host, user))
def testAssociated_PrimaryUser(self):
user = test_utils.CreateUser()
host = test_utils.CreateSantaHost(primary_user=user.nickname)
self.assertTrue(model_utils.IsSantaHostAssociatedWithUser(host, user))
def testPost_NoPermission(self):
user = test_utils.CreateUser(roles=[constants.USER_ROLE.UNTRUSTED_USER])
host = test_utils.CreateSantaHost(primary_user=user.nickname)
with self.LoggedInUser(user=user):
self.testapp.post(self.ROUTE % host.key.id(), status=httplib.FORBIDDEN)
self.mock_process.assert_not_called()