def __init__(self,
             labels_whitelist=None,
             labels_owners_whitelist=None,
             allow_flows=False,
             allow_vfs_access=False,
             legacy_manager=None,
             delegate=None):
    """Stores the restrictions this router is configured with.

    Args:
      labels_whitelist: Iterable of label names. Kept as a set; None or any
        other falsy value yields an empty set.
      labels_owners_whitelist: Iterable of label owners. Kept as a set; None
        or any other falsy value falls back to ["GRR"].
      allow_flows: Stored unchanged on self.allow_flows.
      allow_vfs_access: Stored unchanged on self.allow_vfs_access.
      legacy_manager: Access control manager to use. A fresh
        FullAccessControlManager is created when the argument is falsy.
      delegate: Router to keep on self.delegate. A fresh
        ApiCallRouterWithoutChecks is created when the argument is falsy.
    """
    super(ApiLabelsRestrictedCallRouter, self).__init__()

    self.labels_whitelist = set(labels_whitelist or [])

    # "GRR" is a system label. Labels returned by the client during the
    # interrogate have owner="GRR".
    # NOTE(review): an explicitly empty owners list is falsy, so it is also
    # replaced by ["GRR"]; a caller cannot express "no label owner is
    # trusted" through this argument. Confirm that this is intended.
    self.labels_owners_whitelist = set(labels_owners_whitelist or ["GRR"])

    self.allow_flows = allow_flows
    self.allow_vfs_access = allow_vfs_access

    self.legacy_manager = (
        legacy_manager or user_managers.FullAccessControlManager())

    # NOTE(review): the default delegate is, going by its name, a router
    # without access checks of its own. Presumably this class applies the
    # label restrictions before handing a call to it; verify in the
    # handler methods, which are not part of this block.
    self.delegate = (
        delegate or
        api_call_router_without_checks.ApiCallRouterWithoutChecks())
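def testDeleteHuntFlow(self):
    """Checks who may delete a hunt through DeleteHuntFlow, and when.

    With a FullAccessControlManager installed as the datastore's security
    manager, the test expects:
      * the creator can delete a hunt that was never started;
      * a different user without an approval gets UnauthorizedAccess and
        the hunt stays in place;
      * the same user succeeds once a hunt approval has been granted;
      * a hunt that has been run cannot be deleted (RuntimeError);
      * a hunt with a client count of 1 cannot be deleted (RuntimeError).
    """
    # We'll need two users for this test. Each token carries the name of
    # the account created for it: if both tokens used the same username,
    # the "other user" case below would be checked against the hunt
    # creator's own identity and could not raise UnauthorizedAccess.
    self.CreateUser("user1")
    token1 = access_control.ACLToken(username="user1", reason="testing")
    self.CreateUser("user2")
    token2 = access_control.ACLToken(username="user2", reason="testing")

    manager = user_managers.FullAccessControlManager()
    with utils.Stubber(data_store.DB, "security_manager", manager):

        # Let user1 create a hunt and delete it, this should work.
        hunt = self._CreateHunt(token1.SetUID())
        aff4.FACTORY.Open(hunt.urn, aff4_type="GRRHunt", token=token1)
        flow.GRRFlow.StartFlow(
            flow_name="DeleteHuntFlow", token=token1, hunt_urn=hunt.urn)
        self._CheckHuntIsDeleted(hunt.urn)

        # Let user1 create a hunt and user2 delete it, this should fail.
        hunt = self._CreateHunt(token1.SetUID())
        aff4.FACTORY.Open(hunt.urn, aff4_type="GRRHunt", token=token1)
        with self.assertRaises(access_control.UnauthorizedAccess):
            flow.GRRFlow.StartFlow(
                flow_name="DeleteHuntFlow", token=token2, hunt_urn=hunt.urn)

        # Hunt is still there.
        aff4.FACTORY.Open(hunt.urn, aff4_type="GRRHunt", token=token1)

        # If user2 gets an approval, deletion is ok though.
        self.GrantHuntApproval(hunt.urn, token=token2)
        flow.GRRFlow.StartFlow(
            flow_name="DeleteHuntFlow", token=token2, hunt_urn=hunt.urn)
        self._CheckHuntIsDeleted(hunt.urn)

        # Let user1 create a hunt and run it. We are not allowed to delete
        # running hunts.
        hunt = self._CreateHunt(token1.SetUID())
        hunt.Run()
        hunt.Flush()
        aff4.FACTORY.Open(hunt.urn, aff4_type="GRRHunt", token=token1)
        with self.assertRaises(RuntimeError):
            flow.GRRFlow.StartFlow(
                flow_name="DeleteHuntFlow", token=token1, hunt_urn=hunt.urn)

        # The same is true if the hunt was scheduled on at least one
        # client.
        hunt = self._CreateHunt(token1.SetUID())
        hunt.Set(hunt.Schema.CLIENT_COUNT(1))
        hunt.Flush()
        aff4.FACTORY.Open(hunt.urn, aff4_type="GRRHunt", token=token1)
        with self.assertRaises(RuntimeError):
            flow.GRRFlow.StartFlow(
                flow_name="DeleteHuntFlow", token=token1, hunt_urn=hunt.urn)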
def testReadSomePaths(self):
    """Tests some real world paths against plain read access ("r").

    The table below pins the expected outcome per path, in the order the
    checks run. Only three entries are expected to be refused: another
    user's subtree under aff4:/users and the fs/os and flows subtrees of a
    client; the client root itself is expected to be readable.

    self.Ok and self.NotOk are defined outside this block; presumably they
    assert that self.access_manager grants or refuses the access.
    """
    self.access_manager = user_managers.FullAccessControlManager()
    access = "r"

    # (expected to be allowed, path)
    expectations = (
        (True, "aff4:/"),
        (True, "aff4:/users"),
        (False, "aff4:/users/randomuser"),
        (True, "aff4:/blobs"),
        (True, "aff4:/blobs/12345678"),
        (True, "aff4:/FP"),
        (True, "aff4:/FP/12345678"),
        (True, "aff4:/files"),
        (True, "aff4:/files/12345678"),
        (True, "aff4:/ACL"),
        (True, "aff4:/ACL/randomuser"),
        (True, "aff4:/stats"),
        (True, "aff4:/stats/FileStoreStats"),
        (True, "aff4:/config"),
        (True, "aff4:/config/drivers"),
        (True, "aff4:/config/drivers/windows/memory/winpmem.amd64.sys"),
        (True, "aff4:/flows"),
        (True, "aff4:/flows/F:12345678"),
        (True, "aff4:/hunts"),
        (True, "aff4:/hunts/H:12345678/C.1234567890123456"),
        (True, "aff4:/hunts/H:12345678/C.1234567890123456/F:AAAAAAAA"),
        (True, "aff4:/cron"),
        (True, "aff4:/cron/OSBreakDown"),
        (True, "aff4:/crashes"),
        (True, "aff4:/crashes/Stream"),
        (True, "aff4:/audit"),
        (True, "aff4:/audit/log"),
        (True, "aff4:/audit/logs"),
        (True, "aff4:/C.0000000000000001"),
        (False, "aff4:/C.0000000000000001/fs/os"),
        (False, "aff4:/C.0000000000000001/flows/F:12345678"),
        (True, "aff4:/tmp"),
        (True, "aff4:/tmp/C8FAFC0F"),
    )

    for allowed, path in expectations:
        check = self.Ok if allowed else self.NotOk
        check(path, access)
def testQuerySomePaths(self):
    """Tests some real world paths against read+query access ("rq").

    The table below pins the expected outcome per path, in the order the
    checks run. Several roots are expected to be refused with "rq" (the
    AFF4 root, users, blobs, FP, files, stats, flows, crashes, audit and
    tmp), as are the fs/os and flows subtrees of a client.

    self.Ok and self.NotOk are defined outside this block; presumably they
    assert that self.access_manager grants or refuses the access.
    """
    self.access_manager = user_managers.FullAccessControlManager()
    access = "rq"

    # (expected to be allowed, path)
    expectations = (
        (False, "aff4:/"),
        (False, "aff4:/users"),
        (False, "aff4:/users/randomuser"),
        (False, "aff4:/blobs"),
        (False, "aff4:/FP"),
        (False, "aff4:/files"),
        (True, "aff4:/files/hash/generic/sha256/" + "a" * 64),
        (True, "aff4:/ACL"),
        (True, "aff4:/ACL/randomuser"),
        (False, "aff4:/stats"),
        (True, "aff4:/config"),
        (True, "aff4:/config/drivers"),
        (True, "aff4:/config/drivers/windows/memory/winpmem.amd64.sys"),
        (False, "aff4:/flows"),
        (True, "aff4:/flows/W:12345678"),
        (True, "aff4:/hunts"),
        (True, "aff4:/hunts/H:12345678/C.1234567890123456"),
        (True, "aff4:/hunts/H:12345678/C.1234567890123456/F:AAAAAAAA"),
        (True, "aff4:/cron"),
        (True, "aff4:/cron/OSBreakDown"),
        (False, "aff4:/crashes"),
        (False, "aff4:/audit"),
        (True, "aff4:/audit/logs"),
        (True, "aff4:/C.0000000000000001"),
        (False, "aff4:/C.0000000000000001/fs/os"),
        (False, "aff4:/C.0000000000000001/flows"),
        (False, "aff4:/tmp"),
    )

    for allowed, path in expectations:
        check = self.Ok if allowed else self.NotOk
        check(path, access)
def setUp(self):
    """Creates three labelled clients, then switches on the real ACL stack.

    After the base setUp, this fixture:
      1. creates three clients and labels two of them;
      2. stubs data_store.DB.security_manager with a
         FullAccessControlManager;
      3. overrides ACL.approvers_config_file to approvers.yaml under
         self.base_path;
      4. stubs client_approval_auth.CLIENT_APPROVAL_AUTH_MGR with a newly
         built ClientApprovalAuthorizationManager.

    NOTE(review): the three objects started here replace module-level
    state. Presumably a tearDown outside this block stops them; if not,
    the stubs would leak into later tests. Confirm.
    """
    super(ClientApprovalByLabelTests, self).setUp()

    # Set up clients and labels before we turn on the FullACM. We need to
    # create the client because to check labels the client needs to exist.
    client_ids = self.SetupClients(3)
    self.client_nolabel = rdf_client.ClientURN(client_ids[0])
    self.client_legal = rdf_client.ClientURN(client_ids[1])
    self.client_prod = rdf_client.ClientURN(client_ids[2])

    labels_by_client = (
        (self.client_legal, ("legal_approval",)),
        (self.client_prod, ("legal_approval", "prod_admin_approval")),
    )
    for client_urn, labels in labels_by_client:
        with aff4.FACTORY.Open(
                client_urn,
                aff4_type=aff4_grr.VFSGRRClient,
                mode="rw",
                token=self.token) as client_obj:
            client_obj.AddLabels(*labels)

    full_acm = user_managers.FullAccessControlManager()
    self.db_manager_stubber = utils.Stubber(
        data_store.DB, "security_manager", full_acm)
    self.db_manager_stubber.Start()

    approvers_file = os.path.join(self.base_path, "approvers.yaml")
    self.approver = test_lib.ConfigOverrider(
        {"ACL.approvers_config_file": approvers_file})
    self.approver.Start()

    # Get a fresh approval manager object and reload with test approvers.
    # It is built only after the config override has been started.
    fresh_approval_mgr = (
        client_approval_auth.ClientApprovalAuthorizationManager())
    self.approval_manager_stubber = utils.Stubber(
        client_approval_auth, "CLIENT_APPROVAL_AUTH_MGR", fresh_approval_mgr)
    self.approval_manager_stubber.Start()
def Start(self):
    """Installs a FullAccessControlManager as the datastore's security manager.

    The manager that was active before the call is kept on
    self.old_security_manager. Nothing in this block restores it;
    presumably a matching Stop method does, so the two calls should be
    paired to avoid leaving the global manager replaced.
    """
    db = data_store.DB
    self.old_security_manager = db.security_manager
    db.security_manager = user_managers.FullAccessControlManager()
def setUp(self):
    """Runs the base setUp, then installs a FullAccessControlManager.

    NOTE(review): the previous data_store.DB.security_manager is not saved
    here. Presumably the base class re-initialises or restores the
    datastore between tests; confirm, otherwise the manager set here
    remains active for tests that run afterwards.
    """
    super(FullAccessControlManagerIntegrationTest, self).setUp()
    full_acm = user_managers.FullAccessControlManager()
    data_store.DB.security_manager = full_acm