def testFilterConsidersOffsetAndCount(self):
client_id = self.client_ids[0]
# Create five approval requests without granting them.
for i in range(10):
with test_lib.FakeTime(42 + i):
self.token.reason = "Request reason %d" % i
self.RequestClientApproval(client_id, token=self.token)
args = user_plugin.ApiListUserClientApprovalsArgs(client_id=client_id,
offset=0,
count=5)
result = self.handler.Handle(args, token=self.token)
# Approvals are returned newest to oldest, so the first five approvals
# have reason 9 to 5.
self.assertEqual(len(result.items), 5)
for item, i in zip(result.items, reversed(range(6, 10))):
self.assertEqual(item.reason, "Request reason %d" % i)
# When no count is specified, take all items from offset to the end.
args = user_plugin.ApiListUserClientApprovalsArgs(client_id=client_id,
offset=7)
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), 4)
for item, i in zip(result.items, reversed(range(0, 4))):
self.assertEqual(item.reason, "Request reason %d" % i)
def testRendersRequestedClientApprovals(self):
self._RequestClientApprovals()
args = user_plugin.ApiListUserClientApprovalsArgs()
result = self.handler.Handle(args, token=self.token)
# All approvals should be returned.
self.assertEqual(len(result.items), self.CLIENT_COUNT)
def Layout(self, request, response):
"""Checks the level of access the user has to this client."""
self.subject = request.REQ.get("subject", "")
self.silent = request.REQ.get("silent", "")
token = request.token
# When silent=True, we don't show ACLDialog in case of failure.
# This is useful when we just want to make an access check and set
# the correct reason (if found) without asking for a missing approval.
if self.silent:
self.layout_template = self.silent_template
self.refresh_after_form_submit = True
subject_urn = rdfvalue.RDFURN(self.subject)
namespace, _ = subject_urn.Split(2)
if self.CheckObjectAccess(subject_urn, token):
return self.CallJavascript(response,
"CheckAccess.AccessOk",
reason=self.reason,
silent=self.silent)
self.cc_address = config_lib.CONFIG[
"Email.approval_optional_cc_address"]
recent_reasons_list = api_user.ApiListUserClientApprovalsHandler(
).Handle(api_user.ApiListUserClientApprovalsArgs(count=5),
token=request.token)
self.recent_reasons = [x.reason for x in recent_reasons_list.items]
if namespace == "hunts":
self.approval_renderer = "HuntApprovalRequestRenderer"
self.refresh_after_form_submit = False
elif namespace == "cron":
self.approval_renderer = "CronJobApprovalRequestRenderer"
self.refresh_after_form_submit = False
elif aff4.AFF4Object.VFSGRRClient.CLIENT_ID_RE.match(namespace):
self.approval_renderer = "ClientApprovalRequestRenderer"
self.show_keepalive_option = True
else:
raise RuntimeError(
"Unexpected namespace for access check: %s (subject=%s)." %
(namespace, self.subject))
response = super(CheckAccess, self).Layout(request, response)
if not self.silent:
return self.CallJavascript(
response,
"CheckAccess.Layout",
subject=self.subject,
refresh_after_form_submit=self.refresh_after_form_submit,
approval_renderer=self.approval_renderer)
else:
return response
def testFiltersApprovalsByClientId(self):
client_id = self.client_ids[0]
self._RequestClientApprovals()
# Get approvals for a specific client. There should be exactly one.
args = user_plugin.ApiListUserClientApprovalsArgs(client_id=client_id)
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), 1)
self.assertEqual(result.items[0].subject.urn, client_id)
def testRendersRequestedClientApprovals(self):
flow.GRRFlow.StartFlow(client_id=self.client_id,
flow_name="RequestClientApprovalFlow",
reason=self.token.reason,
subject_urn=self.client_id,
approver="approver",
token=self.token)
args = user_plugin.ApiListUserClientApprovalsArgs()
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), 1)
def testFiltersApprovalsByInvalidState(self):
self._RequestClientApprovals()
# We only requested approvals so far, so all of them should be invalid.
args = user_plugin.ApiListUserClientApprovalsArgs(
state=user_plugin.ApiListUserClientApprovalsArgs.State.INVALID)
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), self.CLIENT_COUNT)
# Grant access to one client. Now all but one should be invalid.
self.GrantClientApproval(self.client_ids[0],
self.token.username,
reason=self.token.reason)
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), self.CLIENT_COUNT - 1)
def testFiltersApprovalsByValidState(self):
self._RequestClientApprovals()
# We only requested approvals so far, so none of them is valid.
args = user_plugin.ApiListUserClientApprovalsArgs(
state=user_plugin.ApiListUserClientApprovalsArgs.State.VALID)
result = self.handler.Handle(args, token=self.token)
# We do not have any approved approvals yet.
self.assertEqual(len(result.items), 0)
# Grant access to one client. Now exactly one approval should be valid.
self.GrantClientApproval(self.client_ids[0],
self.token.username,
reason=self.token.reason)
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), 1)
self.assertEqual(result.items[0].subject.urn, self.client_ids[0])
def testFiltersApprovalsByClientIdAndState(self):
client_id = self.client_ids[0]
self._RequestClientApprovals()
# Grant approval to a certain client.
self.GrantClientApproval(client_id,
self.token.username,
reason=self.token.reason)
args = user_plugin.ApiListUserClientApprovalsArgs(
client_id=client_id,
state=user_plugin.ApiListUserClientApprovalsArgs.State.VALID)
result = self.handler.Handle(args, token=self.token)
# We have a valid approval for the requested client.
self.assertEqual(len(result.items), 1)
args.state = user_plugin.ApiListUserClientApprovalsArgs.State.INVALID
result = self.handler.Handle(args, token=self.token)
# However, we do not have any invalid approvals for the client.
self.assertEqual(len(result.items), 0)
