def testFilterConsidersOffsetAndCount(self): client_id = self.client_ids[0] # Create five approval requests without granting them. for i in range(10): with test_lib.FakeTime(42 + i): self.token.reason = "Request reason %d" % i self.RequestClientApproval(client_id, token=self.token) args = user_plugin.ApiListUserClientApprovalsArgs(client_id=client_id, offset=0, count=5) result = self.handler.Handle(args, token=self.token) # Approvals are returned newest to oldest, so the first five approvals # have reason 9 to 5. self.assertEqual(len(result.items), 5) for item, i in zip(result.items, reversed(range(6, 10))): self.assertEqual(item.reason, "Request reason %d" % i) # When no count is specified, take all items from offset to the end. args = user_plugin.ApiListUserClientApprovalsArgs(client_id=client_id, offset=7) result = self.handler.Handle(args, token=self.token) self.assertEqual(len(result.items), 4) for item, i in zip(result.items, reversed(range(0, 4))): self.assertEqual(item.reason, "Request reason %d" % i)
def testRendersRequestedClientApprovals(self): self._RequestClientApprovals() args = user_plugin.ApiListUserClientApprovalsArgs() result = self.handler.Handle(args, token=self.token) # All approvals should be returned. self.assertEqual(len(result.items), self.CLIENT_COUNT)
def Layout(self, request, response): """Checks the level of access the user has to this client.""" self.subject = request.REQ.get("subject", "") self.silent = request.REQ.get("silent", "") token = request.token # When silent=True, we don't show ACLDialog in case of failure. # This is useful when we just want to make an access check and set # the correct reason (if found) without asking for a missing approval. if self.silent: self.layout_template = self.silent_template self.refresh_after_form_submit = True subject_urn = rdfvalue.RDFURN(self.subject) namespace, _ = subject_urn.Split(2) if self.CheckObjectAccess(subject_urn, token): return self.CallJavascript(response, "CheckAccess.AccessOk", reason=self.reason, silent=self.silent) self.cc_address = config_lib.CONFIG[ "Email.approval_optional_cc_address"] recent_reasons_list = api_user.ApiListUserClientApprovalsHandler( ).Handle(api_user.ApiListUserClientApprovalsArgs(count=5), token=request.token) self.recent_reasons = [x.reason for x in recent_reasons_list.items] if namespace == "hunts": self.approval_renderer = "HuntApprovalRequestRenderer" self.refresh_after_form_submit = False elif namespace == "cron": self.approval_renderer = "CronJobApprovalRequestRenderer" self.refresh_after_form_submit = False elif aff4.AFF4Object.VFSGRRClient.CLIENT_ID_RE.match(namespace): self.approval_renderer = "ClientApprovalRequestRenderer" self.show_keepalive_option = True else: raise RuntimeError( "Unexpected namespace for access check: %s (subject=%s)." % (namespace, self.subject)) response = super(CheckAccess, self).Layout(request, response) if not self.silent: return self.CallJavascript( response, "CheckAccess.Layout", subject=self.subject, refresh_after_form_submit=self.refresh_after_form_submit, approval_renderer=self.approval_renderer) else: return response
def testFiltersApprovalsByClientId(self): client_id = self.client_ids[0] self._RequestClientApprovals() # Get approvals for a specific client. There should be exactly one. args = user_plugin.ApiListUserClientApprovalsArgs(client_id=client_id) result = self.handler.Handle(args, token=self.token) self.assertEqual(len(result.items), 1) self.assertEqual(result.items[0].subject.urn, client_id)
def testRendersRequestedClientApprovals(self): flow.GRRFlow.StartFlow(client_id=self.client_id, flow_name="RequestClientApprovalFlow", reason=self.token.reason, subject_urn=self.client_id, approver="approver", token=self.token) args = user_plugin.ApiListUserClientApprovalsArgs() result = self.handler.Handle(args, token=self.token) self.assertEqual(len(result.items), 1)
def testFiltersApprovalsByInvalidState(self): self._RequestClientApprovals() # We only requested approvals so far, so all of them should be invalid. args = user_plugin.ApiListUserClientApprovalsArgs( state=user_plugin.ApiListUserClientApprovalsArgs.State.INVALID) result = self.handler.Handle(args, token=self.token) self.assertEqual(len(result.items), self.CLIENT_COUNT) # Grant access to one client. Now all but one should be invalid. self.GrantClientApproval(self.client_ids[0], self.token.username, reason=self.token.reason) result = self.handler.Handle(args, token=self.token) self.assertEqual(len(result.items), self.CLIENT_COUNT - 1)
def testFiltersApprovalsByValidState(self): self._RequestClientApprovals() # We only requested approvals so far, so none of them is valid. args = user_plugin.ApiListUserClientApprovalsArgs( state=user_plugin.ApiListUserClientApprovalsArgs.State.VALID) result = self.handler.Handle(args, token=self.token) # We do not have any approved approvals yet. self.assertEqual(len(result.items), 0) # Grant access to one client. Now exactly one approval should be valid. self.GrantClientApproval(self.client_ids[0], self.token.username, reason=self.token.reason) result = self.handler.Handle(args, token=self.token) self.assertEqual(len(result.items), 1) self.assertEqual(result.items[0].subject.urn, self.client_ids[0])
def testFiltersApprovalsByClientIdAndState(self): client_id = self.client_ids[0] self._RequestClientApprovals() # Grant approval to a certain client. self.GrantClientApproval(client_id, self.token.username, reason=self.token.reason) args = user_plugin.ApiListUserClientApprovalsArgs( client_id=client_id, state=user_plugin.ApiListUserClientApprovalsArgs.State.VALID) result = self.handler.Handle(args, token=self.token) # We have a valid approval for the requested client. self.assertEqual(len(result.items), 1) args.state = user_plugin.ApiListUserClientApprovalsArgs.State.INVALID result = self.handler.Handle(args, token=self.token) # However, we do not have any invalid approvals for the client. self.assertEqual(len(result.items), 0)