Esempio n. 1
    def Run(self):
        """Check GetClientApproval for a pending and a granted approval.

        Fake-clock timeline: the admin user and two clients are created at 42,
        one approval per client is requested at 44 and 45, only the second
        client's approval is granted at 84, and both approvals are fetched
        through "GetClientApproval" at 126.
        """
        with test_lib.FakeTime(42):
            self.CreateAdminUser("approver")

            clients = self.SetupClients(2)
            for urn in clients:
                # The certificate is regenerated each time a client is created,
                # so it is removed here (presumably to keep the checked output
                # stable between runs).
                with aff4.FACTORY.Open(urn, mode="rw",
                                       token=self.token) as client_fd:
                    client_fd.DeleteAttribute(client_fd.Schema.CERT)

        # One approval request per client, each at its own fake timestamp.
        approval_ids = []
        for fake_now, subject, why in ((44, clients[0], "foo"),
                                       (45, clients[1], "bar")):
            with test_lib.FakeTime(fake_now):
                request_urn = flow.GRRFlow.StartFlow(
                    client_id=subject,
                    flow_name="RequestClientApprovalFlow",
                    reason=why,
                    subject_urn=subject,
                    approver="approver",
                    token=self.token)
                request_fd = aff4.FACTORY.Open(request_urn,
                                               aff4_type=flow.GRRFlow,
                                               token=self.token)
                approval_ids.append(request_fd.state.approval_id)

        with test_lib.FakeTime(84):
            # The grant is issued under a separate token, not the requester's.
            # NOTE(review): the username literal appears masked in this
            # listing; confirm the real value against the upstream source.
            grantor_token = access_control.ACLToken(username="******")
            flow.GRRFlow.StartFlow(client_id=clients[1],
                                   flow_name="GrantClientApprovalFlow",
                                   reason="bar",
                                   delegate=self.token.username,
                                   subject_urn=clients[1],
                                   token=grantor_token)

        with test_lib.FakeTime(126):
            # Each generated approval id is mapped to a fixed placeholder via
            # `replace`.
            placeholders = ("approval:111111", "approval:222222")
            for subject, approval_id, placeholder in zip(
                    clients, approval_ids, placeholders):
                self.Check("GetClientApproval",
                           args=user_plugin.ApiGetClientApprovalArgs(
                               client_id=subject.Basename(),
                               approval_id=approval_id,
                               username=self.token.username),
                           replace={approval_id: placeholder})
Esempio n. 2
    def testRendersRequestedClientApproval(self):
        """A requested-but-ungranted approval is rendered as not valid.

        The requester's own approval is listed, but the handler must still
        report that an additional approver is needed before access is allowed.
        """
        requestor = self.token.username
        approval_id = self.RequestClientApproval(
            self.client_id.Basename(),
            requestor=requestor,
            reason="blah",
            approver="approver",
            email_cc_address="*****@*****.**")

        request = user_plugin.ApiGetClientApprovalArgs(
            client_id=self.client_id,
            approval_id=approval_id,
            username=self.token.username)
        approval = self.handler.Handle(request, token=self.token)

        # Request metadata is echoed back unchanged.
        self.assertEqual(approval.subject.client_id, self.client_id)
        self.assertEqual(approval.reason, "blah")

        # No second approver yet, so the approval must not be usable.
        self.assertEqual(approval.is_valid, False)
        self.assertEqual(approval.is_valid_message,
                         "Need at least 1 additional approver for access.")

        self.assertEqual(approval.notified_users, ["approver"])
        self.assertEqual(approval.email_cc_addresses, ["*****@*****.**"])

        # The requester counts as an approver of their own request by default.
        self.assertEqual(approval.approvers, [self.token.username])
Esempio n. 3
    def testRendersRequestedClientApproval(self):
        """A requested-but-ungranted approval is rendered as not valid.

        The approval is created directly through ClientApprovalRequestor; the
        handler must report that two approvers are required while only the
        requester is listed.
        """
        requestor = aff4_security.ClientApprovalRequestor(
            reason="blah",
            subject_urn=self.client_id,
            approver="approver",
            email_cc_address="*****@*****.**",
            token=self.token)
        # The approval id is the last path component of the approval URN.
        approval_id = requestor.Request().Basename()

        request = user_plugin.ApiGetClientApprovalArgs(
            client_id=self.client_id,
            approval_id=approval_id,
            username=self.token.username)
        approval = self.handler.Handle(request, token=self.token)

        # Request metadata is echoed back unchanged.
        self.assertEqual(approval.subject.urn, self.client_id)
        self.assertEqual(approval.reason, "blah")

        # Only one approver so far, so the approval must not be usable.
        self.assertEqual(approval.is_valid, False)
        self.assertEqual(approval.is_valid_message,
                         "Requires 2 approvers for access.")

        self.assertEqual(approval.notified_users, ["approver"])
        self.assertEqual(approval.email_cc_addresses, ["*****@*****.**"])

        # The requester counts as an approver of their own request by default.
        self.assertEqual(approval.approvers, [self.token.username])
Esempio n. 4
    def testIncludesApproversInResultWhenApprovalIsGranted(self):
        """A granted approval is valid and lists requester and grantor.

        The request and the grant are started as flows under two different
        tokens; the handler result must name both usernames as approvers.
        """
        request_urn = flow.GRRFlow.StartFlow(
            client_id=self.client_id,
            flow_name="RequestClientApprovalFlow",
            reason="blah",
            subject_urn=self.client_id,
            approver="approver",
            token=self.token)
        request_fd = aff4.FACTORY.Open(request_urn,
                                       aff4_type=flow.GRRFlow,
                                       token=self.token)
        approval_id = request_fd.state.approval_id

        # The grant is issued under a separate token, not the requester's.
        # NOTE(review): the username literal appears masked in this listing;
        # confirm the real value against the upstream source.
        grantor_token = access_control.ACLToken(username="******")
        flow.GRRFlow.StartFlow(client_id=self.client_id,
                               flow_name="GrantClientApprovalFlow",
                               reason="blah",
                               delegate=self.token.username,
                               subject_urn=self.client_id,
                               token=grantor_token)

        request = user_plugin.ApiGetClientApprovalArgs(
            client_id=self.client_id,
            approval_id=approval_id,
            username=self.token.username)
        approval = self.handler.Handle(request, token=self.token)

        self.assertTrue(approval.is_valid)
        # Order of approvers is not asserted, only the set of names.
        expected_approvers = sorted(
            [grantor_token.username, self.token.username])
        self.assertEqual(sorted(approval.approvers), expected_approvers)
Esempio n. 5
    def testRendersRequestedClientApproval(self):
        """A requested-but-ungranted approval is rendered as not valid.

        The approval is created by starting RequestClientApprovalFlow; the
        handler must report that two approvers are required while only the
        requester is listed.
        """
        request_urn = flow.GRRFlow.StartFlow(
            client_id=self.client_id,
            flow_name="RequestClientApprovalFlow",
            reason="blah",
            subject_urn=self.client_id,
            approver="approver",
            email_cc_address="*****@*****.**",
            token=self.token)
        request_fd = aff4.FACTORY.Open(request_urn,
                                       aff4_type=flow.GRRFlow,
                                       token=self.token)
        # The flow records the id of the approval it created in its state.
        approval_id = request_fd.state.approval_id

        request = user_plugin.ApiGetClientApprovalArgs(
            client_id=self.client_id,
            approval_id=approval_id,
            username=self.token.username)
        approval = self.handler.Handle(request, token=self.token)

        # Request metadata is echoed back unchanged.
        self.assertEqual(approval.subject.urn, self.client_id)
        self.assertEqual(approval.reason, "blah")

        # Only one approver so far, so the approval must not be usable.
        self.assertEqual(approval.is_valid, False)
        self.assertEqual(approval.is_valid_message,
                         "Requires 2 approvers for access.")

        self.assertEqual(approval.notified_users, ["approver"])
        self.assertEqual(approval.email_cc_addresses, ["*****@*****.**"])

        # The requester counts as an approver of their own request by default.
        self.assertEqual(approval.approvers, [self.token.username])
Esempio n. 6
  def testIncludesApproversInResultWhenApprovalIsGranted(self):
    """A granted approval is valid and lists requester and grantor.

    The request and the grant are made directly through the aff4_security
    helpers under two different tokens; the handler result must name both
    usernames as approvers.
    """
    requestor = aff4_security.ClientApprovalRequestor(
        reason="blah",
        subject_urn=self.client_id,
        approver="approver",
        token=self.token)
    # The approval id is the last path component of the approval URN.
    approval_id = requestor.Request().Basename()

    # The grant is issued under a separate token, not the requester's.
    # NOTE(review): the username literal appears masked in this listing;
    # confirm the real value against the upstream source.
    grantor_token = access_control.ACLToken(username="******")
    grantor = aff4_security.ClientApprovalGrantor(
        reason="blah",
        delegate=self.token.username,
        subject_urn=self.client_id,
        token=grantor_token)
    grantor.Grant()

    request = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id=approval_id,
        username=self.token.username)
    approval = self.handler.Handle(request, token=self.token)

    self.assertTrue(approval.is_valid)
    # Order of approvers is not asserted, only the set of names.
    expected_approvers = sorted(
        [grantor_token.username, self.token.username])
    self.assertEqual(sorted(approval.approvers), expected_approvers)
Esempio n. 7
    def testRaisesWhenApprovalIsNotFound(self):
        """Requesting an approval id that was never created raises an error.

        The handler must raise ResourceNotFoundError rather than return a
        result for the unknown id.
        """
        # "approval:112233" is a made-up id; no approval is created beforehand.
        request = user_plugin.ApiGetClientApprovalArgs(
            client_id=self.client_id,
            approval_id="approval:112233",
            username=self.token.username)

        expected_error = api_call_handler_base.ResourceNotFoundError
        with self.assertRaises(expected_error):
            self.handler.Handle(request, token=self.token)
Esempio n. 8
    def Run(self):
        """Check GetClientApproval for a pending and a granted approval.

        Fake-clock timeline: the admin user and two clients are created at 42,
        one approval per client is requested at 44 and 45, only the second
        client's approval is granted at 84, and both approvals are fetched
        through "GetClientApproval" at 126.
        """
        with test_lib.FakeTime(42):
            self.CreateAdminUser("approver")

            clients = self.SetupClients(2)
            for urn in clients:
                # The certificate is regenerated each time a client is created,
                # so it is removed here (presumably to keep the checked output
                # stable between runs).
                with aff4.FACTORY.Open(urn, mode="rw",
                                       token=self.token) as client_fd:
                    client_fd.DeleteAttribute(client_fd.Schema.CERT)

        # One approval request per client, each at its own fake timestamp.
        approval_ids = []
        for fake_now, subject, why in ((44, clients[0], "foo"),
                                       (45, clients[1], "bar")):
            with test_lib.FakeTime(fake_now):
                approval_ids.append(self.RequestClientApproval(
                    subject.Basename(),
                    reason=why,
                    approver="approver",
                    requestor=self.token.username))

        with test_lib.FakeTime(84):
            # Only the second client's approval receives a grant; the first
            # one stays pending.
            self.GrantClientApproval(clients[1].Basename(),
                                     reason="bar",
                                     approver="approver",
                                     requestor=self.token.username)

        with test_lib.FakeTime(126):
            # Each generated approval id is mapped to a fixed placeholder via
            # `replace`.
            placeholders = ("approval:111111", "approval:222222")
            for subject, approval_id, placeholder in zip(
                    clients, approval_ids, placeholders):
                self.Check("GetClientApproval",
                           args=user_plugin.ApiGetClientApprovalArgs(
                               client_id=subject.Basename(),
                               approval_id=approval_id,
                               username=self.token.username),
                           replace={approval_id: placeholder})
Esempio n. 9
    def testRaisesWhenApprovalIsNotFound(self):
        """Requesting an approval id that was never created raises IOError."""
        # "approval:112233" is a made-up id; no approval is created beforehand.
        request = user_plugin.ApiGetClientApprovalArgs(
            client_id=self.client_id,
            approval_id="approval:112233",
            username=self.token.username)

        # TODO(user): raise a standard exception here that can be mapped to an
        # HTTP 404 status code instead of a bare IOError.
        expected_error = IOError
        with self.assertRaises(expected_error):
            self.handler.Handle(request, token=self.token)
Esempio n. 10
    def testIncludesApproversInResultWhenApprovalIsGranted(self):
        """A granted approval is valid and lists requester and grantor.

        The approval is requested and granted in one step by the test helper;
        the handler result must name both the requester and "approver".
        """
        requestor = self.token.username
        approval_id = self.RequestAndGrantClientApproval(
            self.client_id.Basename(),
            reason="blah",
            approver="approver",
            requestor=requestor)

        request = user_plugin.ApiGetClientApprovalArgs(
            client_id=self.client_id,
            approval_id=approval_id,
            username=self.token.username)
        approval = self.handler.Handle(request, token=self.token)

        self.assertTrue(approval.is_valid)
        # Order of approvers is not asserted, only the set of names.
        expected_approvers = sorted([self.token.username, "approver"])
        self.assertEqual(sorted(approval.approvers), expected_approvers)