def testRaisesWhenNoGrants(self):
    """A request carrying no grants must be rejected by the approval check.

    The expected error text asks for two further approvers.
    """
    request_without_grants = self._CreateRequest(grants=[])

    expected_message = "Need at least 2 additional approvers for access"
    with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
                                 expected_message):
        approval_checks.CheckApprovalRequest(request_without_grants)
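def _CheckAccess(self, username, subject_id, approval_type):
    """Checks access to a given subject by a given user.

    A cached positive decision is honoured first. On a cache miss the user's
    non-expired approval requests for the subject are read from the relational
    DB, and the first one that passes approval_checks.CheckApprovalRequest
    grants access and is cached.

    Args:
      username: Name of the user requesting access.
      subject_id: Identifier of the subject being accessed.
      approval_type: Type of approval to look up.

    Returns:
      True when access is granted, from the cache or from a freshly checked
      approval.

    Raises:
      access_control.UnauthorizedAccess: If no approval was found, or if every
        approval found failed its check (the individual error messages are
        joined into one).
    """
    cache_key = (username, subject_id, approval_type)
    try:
        # NOTE(review): a cache hit returns without re-running
        # CheckApprovalRequest, so a decision cached earlier stays valid until
        # the entry leaves acl_cache. Confirm the cache's expiry is short
        # enough for approvals that expire in the meantime.
        self.acl_cache.Get(cache_key)
        stats.STATS.IncrementCounter("approval_searches", fields=["-", "cache"])
        return True
    except KeyError:
        stats.STATS.IncrementCounter("approval_searches", fields=["-", "reldb"])

    approvals = data_store.REL_DB.ReadApprovalRequests(
        utils.SmartStr(username),
        approval_type,
        subject_id=subject_id,
        include_expired=False)

    errors = []
    for approval in approvals:
        try:
            approval_checks.CheckApprovalRequest(approval)
            # Only positive decisions are cached; denials are re-evaluated on
            # every call.
            self.acl_cache.Put(cache_key, True)
            # Return True here as well: the cached path returns True, and a
            # bare return (None) would make the first, uncached success look
            # falsy to any caller that tests the result.
            return True
        except access_control.UnauthorizedAccess as e:
            errors.append(e)

    subject = approval_checks.BuildLegacySubject(subject_id, approval_type)
    if not errors:
        raise access_control.UnauthorizedAccess(
            "No approval found.", subject=subject)

    # Surface every reason an existing approval was rejected.
    raise access_control.UnauthorizedAccess(
        " ".join(utils.SmartStr(e) for e in errors), subject=subject)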
def testReturnsIfApprovalIsNotExpiredAndHasTwoGrants(self):
    """A request with two grants passes the approval check without raising.

    No expiration_time is passed, so the request uses whatever default
    _CreateRequest applies (not visible here).
    """
    # NOTE(review): both usernames read "******", which looks like masking in
    # this copy rather than the real fixture values; confirm against the
    # original that the two grantors are distinct users.
    first_grant = rdf_objects.ApprovalGrant(grantor_username="******")
    second_grant = rdf_objects.ApprovalGrant(grantor_username="******")
    request = self._CreateRequest(grants=[first_grant, second_grant])

    # Passing means simply not raising UnauthorizedAccess.
    approval_checks.CheckApprovalRequest(request)
def testWhenAuthMgrActiveChecksApproversForEachClientLabel(self, mock_mgr):
    """With the approval manager active, approvers are checked once per label.

    The client gets the labels "foo" and "bar"; the check is expected to call
    CheckApproversForLabel twice, for "bar" first and "foo" second.
    """
    client_id = self.client.client_id
    data_store.REL_DB.AddClientLabels(client_id, "GRR", ["foo", "bar"])

    # NOTE(review): the usernames below read "******" while the assertions
    # expect "requestor", "grantor1" and "grantor2"; the literals look masked
    # in this copy, so confirm the real values against the original.
    first_grant = rdf_objects.ApprovalGrant(grantor_username="******")
    second_grant = rdf_objects.ApprovalGrant(grantor_username="******")
    request = self._CreateRequest(grants=[first_grant, second_grant])

    # The per-label checks only run when the approval manager reports active.
    mock_mgr.IsActive.return_value = True

    approval_checks.CheckApprovalRequest(request)

    label_calls = mock_mgr.CheckApproversForLabel.mock_calls
    self.assertEqual(len(label_calls), 2)

    # Index 1 of a mock call entry holds its positional arguments.
    for call_index, expected_label in enumerate(("bar", "foo")):
        positional_args = label_calls[call_index][1]
        expected_args = (
            access_control.ACLToken(username="******"),
            rdfvalue.RDFURN(client_id),
            "requestor",
            {"grantor1", "grantor2"},
            expected_label,
        )
        self.assertEqual(positional_args, expected_args)
def testRaisesWhenJustOneGrant(self):
    """A single grant is not enough: the check must ask for one more approver."""
    only_grant = rdf_objects.ApprovalGrant(grantor_username="******")
    request = self._CreateRequest(grants=[only_grant])

    expected_message = "Need at least 1 additional approver for access"
    with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
                                 expected_message):
        approval_checks.CheckApprovalRequest(request)
def testWhenAuthMgrActiveReturnsIfClientHasNoLabels(self, mock_mgr):
    """An active approval manager does not block a client without labels.

    No labels are added to the client in this test, so the check is expected
    to return without raising.
    """
    first_grant = rdf_objects.ApprovalGrant(grantor_username="******")
    second_grant = rdf_objects.ApprovalGrant(grantor_username="******")
    request = self._CreateRequest(grants=[first_grant, second_grant])

    # Report the approval manager as active.
    mock_mgr.IsActive.return_value = True

    # Passing means simply not raising UnauthorizedAccess.
    approval_checks.CheckApprovalRequest(request)
def testRaisesWhenNoGrantsFromAdmins(self):
    """Two grants are rejected when none of them comes from an admin.

    NOTE(review): whatever makes this request require an admin approver is set
    up outside this method (presumably in the fixture or _CreateRequest);
    confirm against the surrounding test class.
    """
    first_grant = rdf_objects.ApprovalGrant(grantor_username="******")
    second_grant = rdf_objects.ApprovalGrant(grantor_username="******")
    request = self._CreateRequest(grants=[first_grant, second_grant])

    expected_message = "Need at least 1 admin approver for access"
    with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
                                 expected_message):
        approval_checks.CheckApprovalRequest(request)
def testRaisesIfApprovalExpired(self):
    """An approval whose expiration lies in the past is rejected.

    Two grants are supplied, so expiry is the only reason left for the check
    to fail.
    """
    # One minute in the past.
    expired_at = rdfvalue.RDFDatetime.Now() - rdfvalue.Duration("1m")
    first_grant = rdf_objects.ApprovalGrant(grantor_username="******")
    second_grant = rdf_objects.ApprovalGrant(grantor_username="******")
    request = self._CreateRequest(
        expiration_time=expired_at, grants=[first_grant, second_grant])

    with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
                                 "Approval request is expired"):
        approval_checks.CheckApprovalRequest(request)
def testWhenAuthMgrActiveRaisesIfAuthMgrRaises(self, mock_mgr):
    """An error raised by the approval manager propagates out of the check.

    The client carries one label, so CheckApproversForLabel is expected to be
    consulted; its UnauthorizedAccess must reach the caller unchanged.
    """
    data_store.REL_DB.AddClientLabels(self.client.client_id, "GRR", ["foo"])

    first_grant = rdf_objects.ApprovalGrant(grantor_username="******")
    second_grant = rdf_objects.ApprovalGrant(grantor_username="******")
    request = self._CreateRequest(grants=[first_grant, second_grant])

    # Report the approval manager as active.
    mock_mgr.IsActive.return_value = True

    # Make the per-label approver check deny access.
    denial = access_control.UnauthorizedAccess("some error")
    mock_mgr.CheckApproversForLabel.side_effect = denial

    with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
                                 "some error"):
        approval_checks.CheckApprovalRequest(request)