def testEmailCronjobApprovalGrantNotificationLinkLeadsToCorrectPage(self):
cronjobs.ScheduleSystemCronFlows(
names=[cron_system.OSBreakDown.__name__], token=self.token)
cronjobs.CRON_MANAGER.DisableJob(rdfvalue.RDFURN("aff4:/cron/OSBreakDown"))
security.CronJobApprovalRequestor(
reason=self.APPROVAL_REASON,
subject_urn="aff4:/cron/OSBreakDown",
approver=self.GRANTOR_TOKEN.username,
token=self.token).Request()
security.CronJobApprovalGrantor(
reason=self.APPROVAL_REASON,
subject_urn="aff4:/cron/OSBreakDown",
token=self.GRANTOR_TOKEN,
delegate=self.token.username).Grant()
# There should be 1 message for approval request and 1 message
# for approval grant notification.
self.assertEqual(len(self.messages_sent), 2)
message = self.messages_sent[1]
self.assertTrue(self.APPROVAL_REASON in message)
self.assertTrue(self.GRANTOR_TOKEN.username in message)
self.Open(self._ExtractLinkFromMessage(message))
self.WaitUntil(self.IsTextPresent, "OSBreakDown")
def Run(self):
with test_lib.FakeTime(42):
self.CreateAdminUser("approver")
cron_manager = aff4_cronjobs.CronManager()
cron_args = aff4_cronjobs.CreateCronJobFlowArgs(
periodicity="1d", allow_overruns=False)
cron1_urn = cron_manager.ScheduleFlow(cron_args=cron_args,
token=self.token)
cron2_urn = cron_manager.ScheduleFlow(cron_args=cron_args,
token=self.token)
with test_lib.FakeTime(44):
approval_urn = security.CronJobApprovalRequestor(
reason="foo",
subject_urn=cron1_urn,
approver="approver",
token=self.token).Request()
approval1_id = approval_urn.Basename()
with test_lib.FakeTime(45):
approval_urn = security.CronJobApprovalRequestor(
reason="bar",
subject_urn=cron2_urn,
approver="approver",
token=self.token).Request()
approval2_id = approval_urn.Basename()
with test_lib.FakeTime(84):
approver_token = access_control.ACLToken(username="******")
security.CronJobApprovalGrantor(reason="bar",
delegate=self.token.username,
subject_urn=cron2_urn,
token=approver_token).Grant()
with test_lib.FakeTime(126):
self.Check("GetCronJobApproval",
args=user_plugin.ApiGetCronJobApprovalArgs(
username=self.token.username,
cron_job_id=cron1_urn.Basename(),
approval_id=approval1_id),
replace={
cron1_urn.Basename(): "CronJob_123456",
approval1_id: "approval:111111"
})
self.Check("GetCronJobApproval",
args=user_plugin.ApiGetCronJobApprovalArgs(
username=self.token.username,
cron_job_id=cron2_urn.Basename(),
approval_id=approval2_id),
replace={
cron2_urn.Basename(): "CronJob_567890",
approval2_id: "approval:222222"
})
def GrantCronJobApproval(self,
cron_job_id,
requestor=None,
reason=None,
approver="approver"):
"""Grants an approval for a given cron job."""
if not requestor:
requestor = self.token.username
if not reason:
reason = self.token.reason
self.CreateAdminUser(approver)
approver_token = access_control.ACLToken(username=approver)
security.CronJobApprovalGrantor(
subject_urn=rdfvalue.RDFURN("cron").Add(cron_job_id),
reason=reason,
delegate=requestor,
token=approver_token).Grant()
def testCronJobACLWorkflow(self):
cronjobs.ScheduleSystemCronFlows(
names=[cron_system.OSBreakDown.__name__], token=self.token)
cronjobs.CRON_MANAGER.DisableJob(
rdfvalue.RDFURN("aff4:/cron/OSBreakDown"))
# Open up and click on Cron Job Viewer.
self.Open("/")
self.WaitUntil(self.IsElementPresent, "client_query")
self.Click("css=a[grrtarget=crons]")
# Select a cron job
self.Click("css=td:contains('OSBreakDown')")
# Click on Enable button and check that dialog appears.
self.Click("css=button[name=EnableCronJob]")
self.WaitUntil(self.IsTextPresent,
"Are you sure you want to ENABLE this cron job?")
# Click on "Proceed" and wait for authorization dialog to appear.
self.Click("css=button[name=Proceed]")
self.WaitUntil(self.IsElementPresent,
"css=h3:contains('Create a new approval')")
# This asks the our user to approve the request.
self.Type("css=grr-request-approval-dialog input[name=acl_approver]",
self.token.username)
self.Type("css=grr-request-approval-dialog input[name=acl_reason]",
self.reason)
self.Click(
"css=grr-request-approval-dialog button[name=Proceed]:not([disabled])"
)
# "Request Approval" dialog should go away
self.WaitUntilNot(self.IsVisible, "css=.modal-open")
self.Open("/")
self.WaitUntil(lambda: self.GetText("notification_button") != "0")
self.Click("notification_button")
self.Click("css=td:contains('Please grant access to a cron job')")
self.WaitUntilContains("Grant access", self.GetText,
"css=h2:contains('Grant')")
self.WaitUntil(self.IsTextPresent,
"The user %s has requested" % self.token.username)
# Cron job overview should be visible
self.WaitUntil(self.IsTextPresent, cron_system.OSBreakDown.__name__)
self.WaitUntil(self.IsTextPresent, "Periodicity")
self.Click("css=button:contains('Approve')")
self.WaitUntil(self.IsTextPresent, "Approval granted.")
# Now test starts up
self.Open("/")
# We should be notified that we have an approval
self.WaitUntil(lambda: self.GetText("notification_button") != "0")
self.Click("notification_button")
self.WaitUntil(
self.GetText, "css=td:contains('has granted you access to "
"a cron job')")
self.Click("css=tr:contains('has granted you access') a")
# Enable OSBreakDown cron job (it should be selected by default).
self.Click("css=td:contains('OSBreakDown')")
# Click on Enable and wait for dialog again.
self.Click("css=button[name=EnableCronJob]:not([disabled])")
self.WaitUntil(self.IsTextPresent,
"Are you sure you want to ENABLE this cron job?")
# Click on "Proceed" and wait for authorization dialog to appear.
self.Click("css=button[name=Proceed]")
# This is insufficient - we need 2 approvers.
self.WaitUntilContains(
"Need at least 1 additional approver for access.", self.GetText,
"css=grr-request-approval-dialog")
# Lets add another approver.
token = access_control.ACLToken(username="******")
security.CronJobApprovalGrantor(
subject_urn=rdfvalue.RDFURN("aff4:/cron/OSBreakDown"),
reason=self.reason,
delegate=self.token.username,
token=token).Grant()
# Now test starts up
self.Open("/")
# We should be notified that we have an approval
self.WaitUntil(lambda: self.GetText("notification_button") != "0")
self.Click("notification_button")
self.Click("css=tr:contains('has granted you access') a")
# Wait for modal backdrop to go away.
self.WaitUntilNot(self.IsVisible, "css=.modal-open")
self.WaitUntil(self.IsTextPresent, cron_system.OSBreakDown.__name__)
# Enable OSBreakDown cron job (it should be selected by default).
self.Click("css=button[name=EnableCronJob]:not([disabled])")
self.WaitUntil(self.IsTextPresent,
"Are you sure you want to ENABLE this cron job?")
# Click on "Proceed" and wait for authorization dialog to appear.
self.Click("css=button[name=Proceed]")
# This is still insufficient - one of the approvers should have
# "admin" label.
self.WaitUntilContains(
"Need at least 1 additional approver with the 'admin' label for access",
self.GetText, "css=grr-request-approval-dialog")
# Let's make "approver" an admin.
self.CreateAdminUser("approver")
# And try again
self.Open("/")
self.Click("css=a[grrtarget=crons]")
# Select and enable OSBreakDown cron job.
self.Click("css=td:contains('OSBreakDown')")
# Click on Enable button and check that dialog appears.
self.Click("css=button[name=EnableCronJob]:not([disabled])")
self.WaitUntil(self.IsTextPresent,
"Are you sure you want to ENABLE this cron job?")
# Click on "Proceed" and wait for success label to appear.
# Also check that "Proceed" button gets disabled.
self.Click("css=button[name=Proceed]")
self.WaitUntil(self.IsTextPresent,
"Cron job was ENABLED successfully!")
