def testOwnerNotInMetadata(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4()).upper()
models.User(
key_name='*****@*****.**', user=users.get_current_user(),
filevault_perms=[permissions.ESCROW],
).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
qs = {
'hdd_serial': '3uDR0LYQmN',
'platform_uuid': 'stub',
'serial': 'stub',
}
resp = gae_main.app.get_response(
'/filevault/%s?%s' % (vol_uuid, urllib.urlencode(qs)),
{'REQUEST_METHOD': 'PUT'},
POST=secret)
self.assertIn('successfully escrowed', resp.body)
entity = models.FileVaultVolume.all().filter(
'hdd_serial =', '3uDR0LYQmN').get()
self.assertIsNotNone(entity)
def setUp(self):
super(FileVaultChangeOwnerAccessHandlerTest, self).setUp()
settings.KEY_TYPE_DEFAULT_FILEVAULT = settings.KEY_TYPE_DATASTORE_FILEVAULT
settings.KEY_TYPE_DEFAULT_XSRF = settings.KEY_TYPE_DATASTORE_XSRF
test_util.SetUpTestbedTestCase(self)
self.volume_uuid = '4E6A59FF-3D85-4B1C-A5D5-70F8B8A9B4A0'
self.user = models.User(
key_name='*****@*****.**', user=users.User('*****@*****.**'))
self.user.filevault_perms = [permissions.CHANGE_OWNER]
self.user.put()
fvv = models.FileVaultVolume(
hdd_serial='XX123456',
platform_uuid='A4E75A65-FC39-441C-BEF5-49D9A3DC6BE0',
serial='XX123456',
passphrase='SECRET',
volume_uuid=self.volume_uuid,
created_by=users.User('*****@*****.**'))
volume_id = fvv.put()
self.change_owner_url = '/api/internal/change-owner/filevault/%s/' % (
volume_id)
def testByPermRead(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
models.User(
key_name='*****@*****.**', user=users.get_current_user(),
email='*****@*****.**',
provisioning_perms=[permissions.RETRIEVE],
).put()
models.ProvisioningVolume(
key_name=vol_uuid, owner='stub7',
hdd_serial='stub', passphrase=secret,
platform_uuid='stub', serial='stub', volume_uuid='stub',
).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
mock_settings.RETRIEVE_AUDIT_ADDRESSES = ['*****@*****.**']
mock_settings.DEFAULT_EMAIL_DOMAIN = 'gmail.com'
with mock.patch.object(util, 'SendEmail') as mock_send_email:
gae_main.app.get_response('/provisioning/' + vol_uuid)
self.assertEqual(1, mock_send_email.call_count)
recipients, _, _ = mock_send_email.call_args[0]
self.assertItemsEqual(
['*****@*****.**', u'*****@*****.**', '*****@*****.**'],
recipients)
def testSetPermsBitLocker(self):
user = models.User()
user.SetPerms(models.permissions.SET_REGULAR,
models.permissions.TYPE_BITLOCKER)
self.assertTrue(
user.HasPerm(models.permissions.SEARCH,
models.permissions.TYPE_BITLOCKER))
def testCheckAuthzCreatorOk(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
models.User(
key_name='*****@*****.**',
user=users.get_current_user(),
filevault_perms=[permissions.RETRIEVE_CREATED_BY],
).put()
models.FileVaultVolume(
owner='stub3',
created_by=users.User('*****@*****.**'),
volume_uuid=vol_uuid,
passphrase=secret,
hdd_serial='stub',
platform_uuid='stub',
serial='stub',
).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
with mock.patch.object(util, 'SendEmail') as _:
resp = gae_main.app.get_response('/filevault/%s?json=1' %
vol_uuid)
self.assertEqual(httplib.OK, resp.status_int)
self.assertIn('"passphrase": "%s"' % secret, resp.body)
def testSetPermsFileVault(self):
user = models.User()
user.SetPerms(models.permissions.SET_REGULAR,
models.permissions.TYPE_FILEVAULT)
self.assertTrue(
user.HasPerm(models.permissions.RETRIEVE,
models.permissions.TYPE_FILEVAULT))
def testAccessDenied(self):
models.User(
key_name='*****@*****.**',
user=users.get_current_user(),
provisioning_perms=[],
).put()
resp = gae_main.app.get_response('/created?json=1',
{'REQUEST_METHOD': 'GET'})
self.assertEqual(httplib.FORBIDDEN, resp.status_int)
def testFail(self):
vol_uuid = str(uuid.uuid4()).upper()
models.User(
key_name='*****@*****.**', user=users.get_current_user(),
email='*****@*****.**', provisioning_perms=[permissions.RETRIEVE],
).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
resp = gae_main.app.get_response(
'/bitlocker/%s?only_verify_escrow=1' % vol_uuid)
self.assertEquals(404, resp.status_int)
def _MakeUserEntity(self, email, user_perms):
"""Returns a models.User entity.
Args:
email: str, email address of the user.
user_perms: dict, dict of permission types with lists of db.User
permissions. i.e. {'filevault_perms': [RETRIEVE, ESCROW]}
Returns:
models.User entity.
"""
u = models.User(key_name=email, user=users.User(email=email))
for permission_type in permissions.TYPES:
u.SetPerms(user_perms.get(permission_type, []), permission_type)
return u
def _MakeUserEntity(self, email, user_perms):
"""Returns a models.User entity.
Args:
email: str, email address of the user.
user_perms: dict, dict of permission types with lists of db.User
permissions. i.e. {'filevault_perms': [RETRIEVE, ESCROW]}
Returns:
models.User entity.
"""
filevault_perms = list(
user_perms.get(settings.FILEVAULT_PERMISSIONS_KEY, []))
return models.User(key_name=email,
user=users.User(email=email),
filevault_perms=filevault_perms)
def testOk(self):
models.User(
key_name='*****@*****.**',
user=users.get_current_user(),
filevault_perms=[permissions.SEARCH],
luks_perms=[permissions.SEARCH],
).put()
resp = gae_main.app.get_response('/api/internal/volume_types',
{'REQUEST_METHOD': 'GET'})
self.assertEqual(httplib.OK, resp.status_int)
data = util.FromSafeJson(resp.body)
volume_fields = {x: y for x, y in data.items() if 'fields' in y}
self.assertEqual(2, len(volume_fields))
def testVolumeUuidValid(self):
vol_uuid = str(uuid.uuid4()).upper()
models.User(
key_name='*****@*****.**', user=users.get_current_user(),
filevault_perms=[permissions.RETRIEVE_OWN],
).put()
models.FileVaultVolume(
key_name=vol_uuid, owner='stub',
volume_uuid=vol_uuid, passphrase='stub_pass1',
hdd_serial='stub', platform_uuid='stub', serial='stub',
).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
resp = gae_main.app.get_response('/filevault/' + vol_uuid)
self.assertEqual(200, resp.status_int)
self.assertIn('{"passphrase": "stub_pass1"}', resp.body)
def testBarcodeTooLong(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4()) * 10
models.User(
key_name='*****@*****.**', user=users.get_current_user(),
luks_perms=[permissions.RETRIEVE_OWN],
).put()
models.LuksVolume(
key_name=vol_uuid, owner='stub',
hdd_serial='stub', hostname='stub', passphrase=secret,
platform_uuid='stub',
).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
with mock.patch.object(util, 'SendEmail') as _:
resp = gae_main.app.get_response('/luks/%s?json=0' % vol_uuid)
self.assertNotIn('<img class="qr_code" ', resp.body)
def testGetCurrentUserWhenNewAdmin(self):
self.testbed.setup_env(user_is_admin='1', overwrite=True)
mock_user = models.users.get_current_user()
self.mox.StubOutWithMock(models, 'User')
mock_user_entity = self.mox.CreateMockAnything()
models.User.get_by_key_name(self.user_email).AndReturn(None)
models.User(key_name=self.user_email, user=mock_user).AndReturn(
mock_user_entity)
for permission_type in models.permissions.TYPES:
mock_user_entity.SetPerms(
models.permissions.SET_REGULAR, permission_type).AndReturn(None)
mock_user_entity.put().AndReturn(None)
self.mox.ReplayAll()
self.assertEqual(mock_user_entity, models.GetCurrentUser())
self.mox.VerifyAll()
def testWalkthrough(self):
models.ProvisioningVolume.created.auto_now = False
vol_uuid1 = str(uuid.uuid4()).upper()
secret1 = str(uuid.uuid4())
models.User(
key_name='*****@*****.**',
user=users.get_current_user(),
provisioning_perms=[],
).put()
models.ProvisioningVolume(
owner='stub',
created_by=users.get_current_user(),
hdd_serial='stub',
passphrase=secret1,
created=datetime.datetime.now(),
platform_uuid='stub',
serial='stub',
volume_uuid=vol_uuid1,
).put()
old = datetime.datetime.now() - datetime.timedelta(days=365)
models.ProvisioningVolume(owner='stub1',
created_by=users.get_current_user(),
hdd_serial='stub',
passphrase=secret1,
created=old,
platform_uuid='stub',
serial='stub',
volume_uuid=str(uuid.uuid4()).upper()).put()
resp = gae_main.app.get_response('/created?json=1',
{'REQUEST_METHOD': 'GET'})
self.assertEqual(httplib.OK, resp.status_int)
data = util.FromSafeJson(resp.body)
self.assertEqual(1, len(data))
self.assertEqual(secret1, data[0]['passphrase'])
models.ProvisioningVolume.created.auto_now = True
def testProvisioningAsOwner(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
models.User(
key_name='*****@*****.**', user=users.get_current_user(),
provisioning_perms=[permissions.RETRIEVE_OWN],
).put()
models.ProvisioningVolume(
key_name=vol_uuid, owner='stub',
hdd_serial='stub', passphrase=secret,
platform_uuid='stub', serial='stub', volume_uuid='stub',
).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
with mock.patch.object(util, 'SendEmail') as _:
resp = gae_main.app.get_response('/provisioning/' + vol_uuid)
self.assertEqual(200, resp.status_int)
self.assertIn('{"passphrase": "%s"}' % secret, resp.body)
def testSucceed(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
models.User(
key_name='*****@*****.**', user=users.get_current_user(),
email='*****@*****.**',
provisioning_perms=[permissions.RETRIEVE],
).put()
models.BitLockerVolume(
key_name=vol_uuid, owner='stub',
dn='stub', hostname='stub', parent_guid='stub', recovery_key=secret,
).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
resp = gae_main.app.get_response(
'/bitlocker/%s?only_verify_escrow=1' % vol_uuid)
self.assertEqual(200, resp.status_int)
self.assertIn('Escrow verified', resp.body)
def testLuksAsNonOwner(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
models.User(
key_name='*****@*****.**', user=users.get_current_user(),
luks_perms=[permissions.RETRIEVE_OWN],
).put()
models.LuksVolume(
key_name=vol_uuid, owner='stub5',
hdd_serial='stub', hostname='stub', passphrase=secret,
platform_uuid='stub',
).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
with mock.patch.object(util, 'SendEmail') as _:
resp = gae_main.app.get_response('/luks/' + vol_uuid)
self.assertEqual(400, resp.status_int)
self.assertIn('Not authorized', resp.body)
def testBarcode(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
models.User(
key_name='*****@*****.**',
user=users.get_current_user(),
luks_perms=[permissions.RETRIEVE_OWN],
).put()
models.LuksVolume(owner='stub',
hdd_serial='stub',
hostname='stub',
passphrase=secret,
platform_uuid='stub',
volume_uuid=vol_uuid).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
with mock.patch.object(util, 'SendEmail') as _:
resp = gae_main.app.get_response('/luks/%s?json=1' % vol_uuid)
o = util.FromSafeJson(resp.body)
self.assertTrue(o['qr_img_url'])
def testGetModelUserWhenNewAdmin(self):
self.mox.StubOutWithMock(models.users, 'get_current_user')
self.mox.StubOutWithMock(models.User, 'get_by_key_name')
self.mox.StubOutWithMock(models.users, 'is_current_user_admin')
self.mox.StubOutWithMock(models, 'User')
email = '*****@*****.**'
mock_user = self.mox.CreateMockAnything()
mock_user_entity = self.mox.CreateMockAnything()
models.users.get_current_user().AndReturn(mock_user)
mock_user.email().AndReturn(email)
models.User.get_by_key_name(email).AndReturn(None)
models.users.is_current_user_admin().AndReturn(True)
mock_user.email().AndReturn(email)
models.User(key_name=email).AndReturn(mock_user_entity)
mock_user.email().AndReturn(email)
mock_user_entity.put().AndReturn(None)
self.mox.ReplayAll()
self.assertEqual(mock_user_entity,
models.GetCurrentUser(get_model_user=True))
self.mox.VerifyAll()
def testSetPermsWithUnknownPermissionType(self):
user = models.User()
self.assertRaises(ValueError, user.SetPerms,
[models.permissions.SEARCH], 'NOT VALID')
def testHasPermWithUnknownPermissionType(self):
user = models.User()
self.assertRaises(ValueError, user.HasPerm, models.permissions.SEARCH,
'NOT VALID')
def testHasPermBitLocker(self):
user = models.User()
user.bitlocker_perms = list(models.permissions.SET_REGULAR)
self.assertTrue(
user.HasPerm(models.permissions.SEARCH,
models.permissions.TYPE_BITLOCKER))
def testHasPermFileVault(self):
user = models.User()
user.filevault_perms = list(models.permissions.SET_REGULAR)
self.assertTrue(
user.HasPerm(models.permissions.SEARCH,
models.permissions.TYPE_FILEVAULT))