def testReturnsFirstRouterWhenMatchingByUser(self):
acls = """
router: "DummyAuthManagerTestApiRouter"
users:
- "u1"
- "u3"
---
router: "DummyAuthManagerTestApiRouter2"
users:
- "u1"
- "u2"
---
router: "DummyAuthManagerTestApiRouter3"
users:
- "u2"
- "u4"
"""
with mock.patch.object(__builtin__, "open", mock.mock_open(read_data=acls)):
auth_mgr = api_auth_manager.APIAuthorizationManager()
router = auth_mgr.GetRouterForUser("u2")
self.assertEqual(router.__class__, DummyAuthManagerTestApiRouter2)
router = auth_mgr.GetRouterForUser("u4")
self.assertTrue(router.__class__, DummyAuthManagerTestApiRouter3)
def testDefaultRouterIsReturnedIfNoConfigFileDefined(self):
"""The default router is returned if no API.RouterACLConfigFile defined."""
with test_lib.ConfigOverrider({"API.RouterACLConfigFile": ""}):
auth_mgr = api_auth_manager.APIAuthorizationManager()
router = auth_mgr.GetRouterForUser("u1")
self.assertEqual(router.__class__,
DefaultDummyAuthManagerTestApiRouter)
def testDefaultRouterIsReturnedIfNoConfigFileDefined(self):
"""The default router is returned if no API.RouterACLConfigFile defined."""
with test_lib.ConfigOverrider({"API.RouterACLConfigFile": ""}):
auth_mgr = api_auth_manager.APIAuthorizationManager().Initialize()
router = auth_mgr.GetRouterForUser("u1")
self.assertTrue(
router.__class__ == api_call_router.DisabledApiCallRouter)
def testNoACLs(self):
"""All checking is skipped if no API.HandlerACLFile is defined."""
with test_lib.ConfigOverrider({"API.HandlerACLFile": ""}):
auth_mgr = api_auth_manager.APIAuthorizationManager()
auth_mgr.CheckAccess(self.mock_handler, "u1")
bad_handler = mock.MagicMock()
bad_handler.enabled_by_default = True
bad_handler.__class__.__name__ = "BadHandler"
auth_mgr.CheckAccess(bad_handler, "u2")
def testDenyAll(self):
acls = """
handler: "DummyAuthManagerTestApiHandler"
"""
with mock.patch.object(__builtin__, "open",
mock.mock_open(read_data=acls)):
auth_mgr = api_auth_manager.APIAuthorizationManager()
with self.assertRaises(access_control.UnauthorizedAccess):
auth_mgr.CheckAccess(self.mock_handler, "u1")
def testRaiseIfGroupsDefined(self):
"""We have no way to expand groups, so raise if defined."""
acls = """
router: "DummyAuthManagerTestApiRouter"
groups: ["g1"]
"""
with mock.patch.object(__builtin__, "open",
mock.mock_open(read_data=acls)):
with self.assertRaises(NotImplementedError):
api_auth_manager.APIAuthorizationManager().Initialize()
def testHandleApiCallNotEnabled(self):
"""Raises if no matching ACL and enabled_by_default=False."""
with test_lib.ConfigOverrider({"API.HandlerACLFile": ""}):
auth_mgr = api_auth_manager.APIAuthorizationManager()
self.mock_handler.enabled_by_default = False
with mock.patch.object(api_call_handlers, "API_AUTH_MGR",
auth_mgr):
with self.assertRaises(access_control.UnauthorizedAccess):
api_call_handlers.HandleApiCall(self.mock_handler,
"",
token=self.token)
def testDenyAll(self):
acls = """
router: "DummyAuthManagerTestApiRouter"
"""
with mock.patch.object(__builtin__, "open",
mock.mock_open(read_data=acls)):
auth_mgr = api_auth_manager.APIAuthorizationManager().Initialize()
router = auth_mgr.GetRouterForUser("u1")
self.assertTrue(
router.__class__ == api_call_router.DisabledApiCallRouter)
def testReturnsDefaultOnNoMatchByUser(self):
acls = """
router: "DummyAuthManagerTestApiRouter"
users:
- "u1"
- "u2"
"""
with mock.patch.object(__builtin__, "open", mock.mock_open(read_data=acls)):
auth_mgr = api_auth_manager.APIAuthorizationManager()
router = auth_mgr.GetRouterForUser("u4")
self.assertEqual(router.__class__, DefaultDummyAuthManagerTestApiRouter)
def testMatchingByGroupWorks(self):
acls = """
router: "DummyAuthManagerTestApiRouter2"
groups:
- "g1"
"""
with mock.patch.object(__builtin__, "open", mock.mock_open(read_data=acls)):
auth_mgr = api_auth_manager.APIAuthorizationManager()
router = auth_mgr.GetRouterForUser("u1")
self.assertEqual(router.__class__, DummyAuthManagerTestApiRouter2)
def testConfigurableRouterIsInitializedWithoutParameters(self):
acls = """
router: "DummyAuthManagerTestConfigurableApiRouter"
users:
- "u1"
"""
with mock.patch.object(__builtin__, "open", mock.mock_open(read_data=acls)):
auth_mgr = api_auth_manager.APIAuthorizationManager()
router = auth_mgr.GetRouterForUser("u1")
self.assertEqual(router.params.foo, "")
self.assertEqual(router.params.bar, 0)
def testMatchesIfOneOfUsersIsMatching(self):
acls = """
router: "DummyAuthManagerTestApiRouter"
users:
- "u1"
- "u2"
"""
with mock.patch.object(__builtin__, "open", mock.mock_open(read_data=acls)):
auth_mgr = api_auth_manager.APIAuthorizationManager()
router = auth_mgr.GetRouterForUser("u1")
self.assertEqual(router.__class__, DummyAuthManagerTestApiRouter)
router = auth_mgr.GetRouterForUser("u2")
self.assertEqual(router.__class__, DummyAuthManagerTestApiRouter)
def testRaisesWhenNonConfigurableRouterInitializedWithParams(self):
acls = """
router: "DummyAuthManagerTestApiRouter"
router_params:
foo: "Oh no!"
bar: 42
users:
- "u1"
"""
with self.assertRaises(
api_auth_manager.ApiCallRouterDoesNotExpectParameters):
with mock.patch.object(
__builtin__, "open", mock.mock_open(read_data=acls)):
api_auth_manager.APIAuthorizationManager()
def testReturnsDefaultRouterWhenNothingMatchesByGroup(self):
acls = """
router: "DummyAuthManagerTestApiRouter"
groups:
- "g5"
---
router: "DummyAuthManagerTestApiRouter2"
groups:
- "g6"
"""
with mock.patch.object(__builtin__, "open", mock.mock_open(read_data=acls)):
auth_mgr = api_auth_manager.APIAuthorizationManager()
router = auth_mgr.GetRouterForUser("u1")
self.assertEqual(router.__class__, DefaultDummyAuthManagerTestApiRouter)
def RunOnce(self):
stats.STATS.RegisterCounterMetric("grr_api_auth_success",
fields=[("handler", str),
("user", str)])
stats.STATS.RegisterCounterMetric("grr_api_auth_fail",
fields=[("handler", str),
("user", str)])
global API_AUTH_MGR
API_AUTH_MGR = api_auth_manager.APIAuthorizationManager()
# Quickly validate the list of handlers.
for handler in API_AUTH_MGR.ACLedHandlers():
if handler not in api_call_handler_base.ApiCallHandler.classes:
raise ApiCallHandlerNotFoundError("%s not a valid handler" %
handler)
def testReturnsFirstMatchingRouterWhenItMatchesByGroupAndOtherByUser(self):
acls = """
router: "DummyAuthManagerTestApiRouter"
groups:
- "g3"
---
router: "DummyAuthManagerTestApiRouter2"
users:
- "u1"
"""
with mock.patch.object(__builtin__, "open", mock.mock_open(read_data=acls)):
auth_mgr = api_auth_manager.APIAuthorizationManager()
router = auth_mgr.GetRouterForUser("u1")
self.assertEqual(router.__class__, DummyAuthManagerTestApiRouter)
def testHandleApiCallNotEnabledWithACL(self):
"""Matching ACL and enabled_by_default=False is allowed."""
acls = """
handler: "DummyAuthManagerTestApiHandler"
users:
- "test"
"""
with mock.patch.object(__builtin__, "open",
mock.mock_open(read_data=acls)):
auth_mgr = api_auth_manager.APIAuthorizationManager()
self.mock_handler.enabled_by_default = False
with mock.patch.object(api_call_handlers, "API_AUTH_MGR", auth_mgr):
with mock.patch.object(self.mock_handler, "Handle"):
self.mock_handler.Handle.return_value = None
api_call_handlers.HandleApiCall(self.mock_handler,
None,
token=self.token)
self.mock_handler.Handle.assert_called_once_with(
None, token=self.token)
