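def testEmailCronjobApprovalGrantNotificationLinkLeadsToCorrectPage(self):
    """Checks that the link in a cron job approval-grant message opens the job.

    Schedules and disables the OSBreakDown system cron job, requests approval
    as the test user, grants it with GRANTOR_TOKEN, then opens the link taken
    from the second captured message and waits for the job name to appear.
    """
    cron_urn = "aff4:/cron/OSBreakDown"

    cronjobs.ScheduleSystemCronFlows(
        names=[cron_system.OSBreakDown.__name__], token=self.token)
    cronjobs.CRON_MANAGER.DisableJob(rdfvalue.RDFURN(cron_urn))

    # Request as the test user, naming the grantor as approver.
    security.CronJobApprovalRequestor(
        reason=self.APPROVAL_REASON,
        subject_urn=cron_urn,
        approver=self.GRANTOR_TOKEN.username,
        token=self.token).Request()

    # Grant under the grantor's own token; the requester is only the delegate.
    security.CronJobApprovalGrantor(
        reason=self.APPROVAL_REASON,
        subject_urn=cron_urn,
        token=self.GRANTOR_TOKEN,
        delegate=self.token.username).Grant()

    # There should be 1 message for approval request and 1 message
    # for approval grant notification.
    self.assertEqual(len(self.messages_sent), 2)

    # Index 1 is taken to be the grant notification (sent after the request).
    message = self.messages_sent[1]
    # assertIn reports both operands on failure, unlike assertTrue(x in y).
    # The notification has to carry the reason and identify who granted it.
    self.assertIn(self.APPROVAL_REASON, message)
    self.assertIn(self.GRANTOR_TOKEN.username, message)

    self.Open(self._ExtractLinkFromMessage(message))
    self.WaitUntil(self.IsTextPresent, "OSBreakDown")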
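def Run(self):
    """Exercises GetCronJobApproval for one pending and one granted approval.

    Two cron jobs are scheduled under fake time. An approval is requested for
    each, naming "approver" as the approver, and only the second one is
    granted. self.Check is then called once per approval.
    """
    with test_lib.FakeTime(42):
        self.CreateAdminUser("approver")

        cron_manager = aff4_cronjobs.CronManager()
        cron_args = aff4_cronjobs.CreateCronJobFlowArgs(
            periodicity="1d", allow_overruns=False)
        cron1_urn = cron_manager.ScheduleFlow(
            cron_args=cron_args, token=self.token)
        cron2_urn = cron_manager.ScheduleFlow(
            cron_args=cron_args, token=self.token)

    with test_lib.FakeTime(44):
        approval_urn = security.CronJobApprovalRequestor(
            reason="foo",
            subject_urn=cron1_urn,
            approver="approver",
            token=self.token).Request()
        approval1_id = approval_urn.Basename()

    with test_lib.FakeTime(45):
        approval_urn = security.CronJobApprovalRequestor(
            reason="bar",
            subject_urn=cron2_urn,
            approver="approver",
            token=self.token).Request()
        approval2_id = approval_urn.Basename()

    with test_lib.FakeTime(84):
        # Grant as the admin user created above and named as approver in both
        # requests. The username here was a masked placeholder ("******"),
        # which is neither the requested approver nor a user this test creates.
        approver_token = access_control.ACLToken(username="approver")
        security.CronJobApprovalGrantor(
            reason="bar",
            delegate=self.token.username,
            subject_urn=cron2_urn,
            token=approver_token).Grant()

    with test_lib.FakeTime(126):
        # `replace` maps the generated job and approval ids to fixed strings;
        # presumably so the checked output is stable across runs (confirm
        # against self.Check).
        self.Check(
            "GetCronJobApproval",
            args=user_plugin.ApiGetCronJobApprovalArgs(
                username=self.token.username,
                cron_job_id=cron1_urn.Basename(),
                approval_id=approval1_id),
            replace={
                cron1_urn.Basename(): "CronJob_123456",
                approval1_id: "approval:111111"
            })
        self.Check(
            "GetCronJobApproval",
            args=user_plugin.ApiGetCronJobApprovalArgs(
                username=self.token.username,
                cron_job_id=cron2_urn.Basename(),
                approval_id=approval2_id),
            replace={
                cron2_urn.Basename(): "CronJob_567890",
                approval2_id: "approval:222222"
            })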
def GrantCronJobApproval(self, cron_job_id, requestor=None, reason=None,
                         approver="approver"):
    """Grant access to a cron job on behalf of `approver`.

    Args:
      cron_job_id: Id of the cron job; appended to the "cron" URN.
      requestor: User the approval is delegated to. Falls back to
        self.token.username when empty.
      reason: Approval reason. Falls back to self.token.reason when empty.
      approver: Username the grant is issued under. The user is registered
        through CreateAdminUser before the grant is made.
    """
    delegate = requestor or self.token.username
    grant_reason = reason or self.token.reason

    # The grant runs under the approver's own token, not the requester's.
    self.CreateAdminUser(approver)
    grantor_token = access_control.ACLToken(username=approver)

    subject = rdfvalue.RDFURN("cron").Add(cron_job_id)
    grantor = security.CronJobApprovalGrantor(
        subject_urn=subject,
        reason=grant_reason,
        delegate=delegate,
        token=grantor_token)
    grantor.Grant()
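def testCronJobACLWorkflow(self):
    """Walks the UI approval workflow for enabling a cron job.

    The test expects enabling the disabled OSBreakDown job to be refused in
    three successive states, each with its own dialog text:

    1. No approval exists: the "Create a new approval" dialog is shown.
    2. The user has approved their own request: "Need at least 1 additional
       approver for access."
    3. A second user ("approver") has granted: "Need at least 1 additional
       approver with the 'admin' label for access".

    Only after "approver" is made an admin does enabling succeed.
    """
    cronjobs.ScheduleSystemCronFlows(
        names=[cron_system.OSBreakDown.__name__], token=self.token)
    cronjobs.CRON_MANAGER.DisableJob(
        rdfvalue.RDFURN("aff4:/cron/OSBreakDown"))

    # Open up and click on Cron Job Viewer.
    self.Open("/")
    self.WaitUntil(self.IsElementPresent, "client_query")
    self.Click("css=a[grrtarget=crons]")

    # Select a cron job.
    self.Click("css=td:contains('OSBreakDown')")

    # Click on Enable button and check that dialog appears.
    self.Click("css=button[name=EnableCronJob]")
    self.WaitUntil(self.IsTextPresent,
                   "Are you sure you want to ENABLE this cron job?")

    # Click on "Proceed" and wait for authorization dialog to appear.
    self.Click("css=button[name=Proceed]")
    self.WaitUntil(self.IsElementPresent,
                   "css=h3:contains('Create a new approval')")

    # This asks our own user to approve the request (self-approval).
    self.Type("css=grr-request-approval-dialog input[name=acl_approver]",
              self.token.username)
    self.Type("css=grr-request-approval-dialog input[name=acl_reason]",
              self.reason)
    self.Click(
        "css=grr-request-approval-dialog button[name=Proceed]:not([disabled])"
    )

    # "Request Approval" dialog should go away.
    self.WaitUntilNot(self.IsVisible, "css=.modal-open")

    self.Open("/")
    self.WaitUntil(lambda: self.GetText("notification_button") != "0")
    self.Click("notification_button")

    self.Click("css=td:contains('Please grant access to a cron job')")

    self.WaitUntilContains("Grant access", self.GetText,
                           "css=h2:contains('Grant')")
    self.WaitUntil(self.IsTextPresent,
                   "The user %s has requested" % self.token.username)

    # Cron job overview should be visible.
    self.WaitUntil(self.IsTextPresent, cron_system.OSBreakDown.__name__)
    self.WaitUntil(self.IsTextPresent, "Periodicity")

    self.Click("css=button:contains('Approve')")
    self.WaitUntil(self.IsTextPresent, "Approval granted.")

    # Now test starts up.
    self.Open("/")

    # We should be notified that we have an approval.
    self.WaitUntil(lambda: self.GetText("notification_button") != "0")
    self.Click("notification_button")
    self.WaitUntil(
        self.GetText,
        "css=td:contains('has granted you access to a cron job')")
    self.Click("css=tr:contains('has granted you access') a")

    # Enable OSBreakDown cron job (it should be selected by default).
    self.Click("css=td:contains('OSBreakDown')")

    # Click on Enable and wait for dialog again.
    self.Click("css=button[name=EnableCronJob]:not([disabled])")
    self.WaitUntil(self.IsTextPresent,
                   "Are you sure you want to ENABLE this cron job?")
    # Click on "Proceed" and wait for authorization dialog to appear.
    self.Click("css=button[name=Proceed]")

    # This is insufficient - we need 2 approvers.
    self.WaitUntilContains(
        "Need at least 1 additional approver for access.",
        self.GetText, "css=grr-request-approval-dialog")

    # Let's add another approver. The grant is issued as "approver", the user
    # promoted to admin further down. The username here was a masked
    # placeholder ("******"), so the later CreateAdminUser("approver") call
    # would not have applied to the user on record for this grant.
    token = access_control.ACLToken(username="approver")
    security.CronJobApprovalGrantor(
        subject_urn=rdfvalue.RDFURN("aff4:/cron/OSBreakDown"),
        reason=self.reason,
        delegate=self.token.username,
        token=token).Grant()

    # Now test starts up.
    self.Open("/")

    # We should be notified that we have an approval.
    self.WaitUntil(lambda: self.GetText("notification_button") != "0")
    self.Click("notification_button")
    self.Click("css=tr:contains('has granted you access') a")
    # Wait for modal backdrop to go away.
    self.WaitUntilNot(self.IsVisible, "css=.modal-open")

    self.WaitUntil(self.IsTextPresent, cron_system.OSBreakDown.__name__)

    # Enable OSBreakDown cron job (it should be selected by default).
    self.Click("css=button[name=EnableCronJob]:not([disabled])")
    self.WaitUntil(self.IsTextPresent,
                   "Are you sure you want to ENABLE this cron job?")
    # Click on "Proceed" and wait for authorization dialog to appear.
    self.Click("css=button[name=Proceed]")

    # This is still insufficient - one of the approvers should have
    # "admin" label.
    self.WaitUntilContains(
        "Need at least 1 additional approver with the 'admin' label for access",
        self.GetText, "css=grr-request-approval-dialog")

    # Let's make "approver" an admin.
    self.CreateAdminUser("approver")

    # And try again.
    self.Open("/")
    self.Click("css=a[grrtarget=crons]")

    # Select and enable OSBreakDown cron job.
    self.Click("css=td:contains('OSBreakDown')")

    # Click on Enable button and check that dialog appears.
    self.Click("css=button[name=EnableCronJob]:not([disabled])")
    self.WaitUntil(self.IsTextPresent,
                   "Are you sure you want to ENABLE this cron job?")

    # Click on "Proceed" and wait for success label to appear.
    # NOTE(review): the disabled state of the "Proceed" button is not
    # asserted here; only the success text is checked.
    self.Click("css=button[name=Proceed]")
    self.WaitUntil(self.IsTextPresent, "Cron job was ENABLED successfully!")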