Esempio n. 1
    def __init__(self,
                 labels_whitelist=None,
                 labels_owners_whitelist=None,
                 allow_flows=False,
                 allow_vfs_access=False,
                 legacy_manager=None,
                 delegate=None):
        """Builds a router whose checks are keyed on whitelisted client labels.

        Args:
          labels_whitelist: Label names stored as a set; ``None`` (or any
            falsy value) yields an empty set.
          labels_owners_whitelist: Label owners stored as a set. Defaults to
            the system owner "GRR"; note that an explicitly passed empty list
            is falsy and therefore also falls back to ["GRR"].
          allow_flows: Stored as-is for the router's check methods (not
            visible in this block).
          allow_vfs_access: Stored as-is, same as allow_flows.
          legacy_manager: Access-control manager kept on the instance; when
            falsy, a FullAccessControlManager is created.
          delegate: Router the instance forwards to; when falsy, an
            ApiCallRouterWithoutChecks is created, i.e. the delegate itself
            performs no authorization, so whatever checks this router applies
            are the only ones on that path.
        """
        super(ApiLabelsRestrictedCallRouter, self).__init__()

        self.labels_whitelist = set(labels_whitelist or [])
        # "GRR" is the system owner: labels the client reports during the
        # interrogate are stored with owner="GRR".
        owners = labels_owners_whitelist or ["GRR"]
        self.labels_owners_whitelist = set(owners)

        self.allow_flows = allow_flows
        self.allow_vfs_access = allow_vfs_access

        # Fall back to the full access-control manager unless one was given.
        self.legacy_manager = (
            legacy_manager or user_managers.FullAccessControlManager())

        # Without an explicit delegate, forward to the unchecked router.
        self.delegate = (
            delegate or
            api_call_router_without_checks.ApiCallRouterWithoutChecks())
Esempio n. 2
  def testDeleteHuntFlow(self):
    """DeleteHuntFlow: owner may delete, others need approval, started hunts never."""

    def start_delete(hunt_urn, token):
      # Every scenario issues the same flow; only the token and hunt differ.
      flow.GRRFlow.StartFlow(flow_name="DeleteHuntFlow",
                             token=token, hunt_urn=hunt_urn)

    def open_as(hunt_urn, token):
      # Used by the original test as an "object still exists" probe.
      aff4.FACTORY.Open(hunt_urn, aff4_type="GRRHunt", token=token)

    # Two distinct users: the hunt owner and a non-owner.
    self.CreateUser("user1")
    token1 = access_control.ACLToken(username="******",
                                     reason="testing")
    self.CreateUser("user2")
    token2 = access_control.ACLToken(username="******",
                                     reason="testing")

    manager = user_managers.FullAccessControlManager()
    with utils.Stubber(data_store.DB, "security_manager", manager):
      # Owner deletes own hunt: allowed.
      hunt = self._CreateHunt(token1.SetUID())
      open_as(hunt.urn, token1)
      start_delete(hunt.urn, token1)
      self._CheckHuntIsDeleted(hunt.urn)

      # Non-owner without approval: rejected, and the hunt survives.
      hunt = self._CreateHunt(token1.SetUID())
      open_as(hunt.urn, token1)
      with self.assertRaises(access_control.UnauthorizedAccess):
        start_delete(hunt.urn, token2)
      open_as(hunt.urn, token1)

      # Non-owner holding a granted approval: allowed.
      self.GrantHuntApproval(hunt.urn, token=token2)
      start_delete(hunt.urn, token2)
      self._CheckHuntIsDeleted(hunt.urn)

      # A hunt that has been run cannot be deleted, not even by its owner.
      hunt = self._CreateHunt(token1.SetUID())
      hunt.Run()
      hunt.Flush()
      open_as(hunt.urn, token1)
      with self.assertRaises(RuntimeError):
        start_delete(hunt.urn, token1)

      # The same holds once at least one client has been scheduled.
      hunt = self._CreateHunt(token1.SetUID())
      hunt.Set(hunt.Schema.CLIENT_COUNT(1))
      hunt.Flush()
      open_as(hunt.urn, token1)
      with self.assertRaises(RuntimeError):
        start_delete(hunt.urn, token1)
Esempio n. 3
    def testReadSomePaths(self):
        """Tests some real world paths for read ("r") access.

        System-wide trees are readable, while the per-user subtree and the
        client-private subtrees (fs, flows) are expected to be refused
        without further authorization.
        """
        self.access_manager = user_managers.FullAccessControlManager()
        access = "r"

        # (path, expected to be allowed), in the order the checks are run.
        expectations = [
            ("aff4:/", True),
            ("aff4:/users", True),
            ("aff4:/users/randomuser", False),

            ("aff4:/blobs", True),
            ("aff4:/blobs/12345678", True),

            ("aff4:/FP", True),
            ("aff4:/FP/12345678", True),

            ("aff4:/files", True),
            ("aff4:/files/12345678", True),

            ("aff4:/ACL", True),
            ("aff4:/ACL/randomuser", True),

            ("aff4:/stats", True),
            ("aff4:/stats/FileStoreStats", True),

            ("aff4:/config", True),
            ("aff4:/config/drivers", True),
            ("aff4:/config/drivers/windows/memory/winpmem.amd64.sys", True),

            ("aff4:/flows", True),
            ("aff4:/flows/F:12345678", True),

            ("aff4:/hunts", True),
            ("aff4:/hunts/H:12345678/C.1234567890123456", True),
            ("aff4:/hunts/H:12345678/C.1234567890123456/F:AAAAAAAA", True),

            ("aff4:/cron", True),
            ("aff4:/cron/OSBreakDown", True),

            ("aff4:/crashes", True),
            ("aff4:/crashes/Stream", True),

            ("aff4:/audit", True),
            ("aff4:/audit/log", True),
            ("aff4:/audit/logs", True),

            ("aff4:/C.0000000000000001", True),
            ("aff4:/C.0000000000000001/fs/os", False),
            ("aff4:/C.0000000000000001/flows/F:12345678", False),

            ("aff4:/tmp", True),
            ("aff4:/tmp/C8FAFC0F", True),
        ]
        for path, allowed in expectations:
            check = self.Ok if allowed else self.NotOk
            check(path, access)
Esempio n. 4
    def testQuerySomePaths(self):
        """Tests some real world paths for read+query ("rq") access.

        Query access is narrower than plain read: most top-level containers
        are refused, and only specific subtrees (hash-addressed files, ACL,
        config, hunts, cron, audit logs, individual flows and client roots)
        are expected to pass.
        """
        self.access_manager = user_managers.FullAccessControlManager()
        access = "rq"

        # (path, expected to be allowed), in the order the checks are run.
        expectations = [
            ("aff4:/", False),
            ("aff4:/users", False),
            ("aff4:/users/randomuser", False),

            ("aff4:/blobs", False),

            ("aff4:/FP", False),

            ("aff4:/files", False),
            ("aff4:/files/hash/generic/sha256/" + "a" * 64, True),

            ("aff4:/ACL", True),
            ("aff4:/ACL/randomuser", True),

            ("aff4:/stats", False),

            ("aff4:/config", True),
            ("aff4:/config/drivers", True),
            ("aff4:/config/drivers/windows/memory/winpmem.amd64.sys", True),

            ("aff4:/flows", False),
            ("aff4:/flows/W:12345678", True),

            ("aff4:/hunts", True),
            ("aff4:/hunts/H:12345678/C.1234567890123456", True),
            ("aff4:/hunts/H:12345678/C.1234567890123456/F:AAAAAAAA", True),

            ("aff4:/cron", True),
            ("aff4:/cron/OSBreakDown", True),

            ("aff4:/crashes", False),

            ("aff4:/audit", False),
            ("aff4:/audit/logs", True),

            ("aff4:/C.0000000000000001", True),
            ("aff4:/C.0000000000000001/fs/os", False),
            ("aff4:/C.0000000000000001/flows", False),

            ("aff4:/tmp", False),
        ]
        for path, allowed in expectations:
            check = self.Ok if allowed else self.NotOk
            check(path, access)
Esempio n. 5
  def setUp(self):
    """Creates three clients (unlabelled / legal / prod) and enables the full ACM."""
    super(ClientApprovalByLabelTests, self).setUp()

    # Clients and their labels are created before the FullACM is switched on:
    # label checks look the client object up, so it has to exist first.
    client_ids = self.SetupClients(3)
    self.client_nolabel = rdf_client.ClientURN(client_ids[0])
    self.client_legal = rdf_client.ClientURN(client_ids[1])
    self.client_prod = rdf_client.ClientURN(client_ids[2])

    labelled_clients = [
        (self.client_legal, ("legal_approval",)),
        (self.client_prod, ("legal_approval", "prod_admin_approval")),
    ]
    for client_urn, labels in labelled_clients:
      with aff4.FACTORY.Open(
          client_urn,
          aff4_type=aff4_grr.VFSGRRClient,
          mode="rw",
          token=self.token) as client_obj:
        client_obj.AddLabels(*labels)

    # Swap the datastore's security manager for the full one; the stubber is
    # kept on self so it can be stopped later (teardown is outside this view).
    self.db_manager_stubber = utils.Stubber(
        data_store.DB, "security_manager",
        user_managers.FullAccessControlManager())
    self.db_manager_stubber.Start()

    # Point the approvers config at the test fixture file.
    approvers_file = os.path.join(self.base_path, "approvers.yaml")
    self.approver = test_lib.ConfigOverrider(
        {"ACL.approvers_config_file": approvers_file})
    self.approver.Start()

    # A fresh approval manager so the overridden approvers file gets loaded.
    self.approval_manager_stubber = utils.Stubber(
        client_approval_auth, "CLIENT_APPROVAL_AUTH_MGR",
        client_approval_auth.ClientApprovalAuthorizationManager())
    self.approval_manager_stubber.Start()
Esempio n. 6
 def Start(self):
   """Installs a FullAccessControlManager on the datastore, keeping the old one.

   The previous manager is saved on self.old_security_manager so it can be
   put back later (the restoring counterpart is not in this view).
   """
   previous = data_store.DB.security_manager
   self.old_security_manager = previous
   data_store.DB.security_manager = user_managers.FullAccessControlManager()
Esempio n. 7
 def setUp(self):
   """Runs the base fixture, then enforces full access control on the datastore.

   The manager is assigned directly rather than through a stubber, so this
   block itself does not remember or restore the previous manager.
   """
   super(FullAccessControlManagerIntegrationTest, self).setUp()
   full_acm = user_managers.FullAccessControlManager()
   data_store.DB.security_manager = full_acm