def Run(self):
    """Record ListClientApprovals output for one pending and one granted approval.

    Two clients are created and an approval is requested for each of them.
    Only the request for the second client is granted. The handler is then
    checked twice: once with no filter and once restricted to the first
    client. The generated approval ids are passed in `replace` together
    with fixed placeholder strings.
    """
    with test_lib.FakeTime(42):
        self.CreateAdminUser("approver")

        clients = self.SetupClients(2)
        for client_urn in clients:
            # The certificate is regenerated every time the client is
            # created, so it is deleted here.
            with aff4.FACTORY.Open(
                    client_urn, mode="rw", token=self.token) as client_obj:
                client_obj.DeleteAttribute(client_obj.Schema.CERT)

    with test_lib.FakeTime(44):
        first_request = security.ClientApprovalRequestor(
            reason=self.token.reason,
            subject_urn=clients[0],
            approver="approver",
            token=self.token).Request()
        approval1_id = first_request.Basename()

    with test_lib.FakeTime(45):
        second_request = security.ClientApprovalRequestor(
            reason=self.token.reason,
            subject_urn=clients[1],
            approver="approver",
            token=self.token).Request()
        approval2_id = second_request.Basename()

    with test_lib.FakeTime(84):
        # NOTE(review): the username literal is masked in this listing; the
        # grant is presumably meant to come from the "approver" account named
        # in the requests above - confirm against the upstream file.
        approver_token = access_control.ACLToken(username="******")
        security.ClientApprovalGrantor(
            reason=self.token.reason,
            delegate=self.token.username,
            subject_urn=clients[1],
            token=approver_token).Grant()

    with test_lib.FakeTime(126):
        id_placeholders = {
            approval1_id: "approval:111111",
            approval2_id: "approval:222222",
        }

        # Unfiltered listing. Each call gets its own copy of the mapping.
        self.Check(
            "ListClientApprovals",
            args=user_plugin.ApiListClientApprovalsArgs(),
            replace=dict(id_placeholders))

        # Listing restricted to the first client, whose request was never
        # granted.
        self.Check(
            "ListClientApprovals",
            args=user_plugin.ApiListClientApprovalsArgs(
                client_id=clients[0].Basename()),
            replace=dict(id_placeholders))
def Run(self):
    """Record GrantClientApproval output for a request made by another user.

    A second account requests access to the single test client and names the
    test's own user (self.token.username) as approver. The handler is then
    checked with arguments that identify that request.
    """
    with test_lib.FakeTime(42):
        self.CreateAdminUser("requestor")

        clients = self.SetupClients(1)
        for client_urn in clients:
            # The certificate is regenerated every time the client is
            # created, so it is deleted here.
            with aff4.FACTORY.Open(
                    client_urn, mode="rw", token=self.token) as client_obj:
                client_obj.DeleteAttribute(client_obj.Schema.CERT)

    with test_lib.FakeTime(44):
        # NOTE(review): the username literals below are masked in this
        # listing; presumably both name the "requestor" account created
        # above - confirm against the upstream file.
        requestor_token = access_control.ACLToken(username="******")
        request_urn = security.ClientApprovalRequestor(
            reason="foo",
            subject_urn=clients[0],
            approver=self.token.username,
            token=requestor_token).Request()
        approval_id = request_urn.Basename()

    with test_lib.FakeTime(126):
        grant_args = user_plugin.ApiGrantClientApprovalArgs(
            client_id=clients[0].Basename(),
            approval_id=approval_id,
            username="******")
        self.Check(
            "GrantClientApproval",
            args=grant_args,
            replace={approval_id: "approval:111111"})
def testRendersRequestedClientApproval(self):
    """A freshly requested approval is returned as not yet valid.

    The handler result must carry the subject, reason, notified users and CC
    addresses from the request. It must report the approval as invalid with
    the message "Requires 2 approvers for access.", and the only approver
    listed is the requestor.
    """
    request_urn = aff4_security.ClientApprovalRequestor(
        reason="blah",
        subject_urn=self.client_id,
        approver="approver",
        email_cc_address="*****@*****.**",
        token=self.token).Request()
    approval_id = request_urn.Basename()

    get_args = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id=approval_id,
        username=self.token.username)
    approval = self.handler.Handle(get_args, token=self.token)

    self.assertEqual(approval.subject.urn, self.client_id)
    self.assertEqual(approval.reason, "blah")

    # Requested but not granted: the approval must not grant access yet.
    self.assertEqual(approval.is_valid, False)
    self.assertEqual(approval.is_valid_message,
                     "Requires 2 approvers for access.")

    self.assertEqual(approval.notified_users, ["approver"])
    self.assertEqual(approval.email_cc_addresses, ["*****@*****.**"])

    # Every approval is self-approved by default, so the requestor already
    # counts as one of the two required approvers.
    self.assertEqual(approval.approvers, [self.token.username])
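def testEmailClientApprovalGrantNotificationLinkLeadsToACorrectPage(self):
    """The link in the grant notification email opens the client's page.

    An approval is requested and then granted by GRANTOR_TOKEN. The second
    captured email (the grant notification) must mention the reason, the
    grantor and the client, and its link must lead to a page that shows the
    client's host information and the approval reason.

    self.messages_sent and self._ExtractLinkFromMessage are provided by
    fixture code outside this block.
    """
    client_id = self.SetupClient(0)

    security.ClientApprovalRequestor(
        reason=self.APPROVAL_REASON,
        subject_urn=client_id,
        approver=self.GRANTOR_TOKEN.username,
        token=self.token).Request()
    security.ClientApprovalGrantor(
        reason=self.APPROVAL_REASON,
        subject_urn=client_id,
        token=self.GRANTOR_TOKEN,
        delegate=self.token.username).Grant()

    # There should be 1 message for the approval request and 1 message
    # for the approval grant notification.
    self.assertEqual(len(self.messages_sent), 2)

    # assertIn reports both operands on failure, unlike assertTrue(a in b).
    message = self.messages_sent[1]
    self.assertIn(self.APPROVAL_REASON, message)
    self.assertIn(self.GRANTOR_TOKEN.username, message)
    self.assertIn(client_id.Basename(), message)

    self.Open(self._ExtractLinkFromMessage(message))

    # We should end up on the client's page. Check that host information is
    # displayed.
    self.WaitUntil(self.IsTextPresent, client_id.Basename())
    self.WaitUntil(self.IsTextPresent, "Host-0")
    # Check that the reason is displayed.
    self.WaitUntil(self.IsTextPresent, self.APPROVAL_REASON)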
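def testEmailClientApprovalRequestLinkLeadsToACorrectPage(self):
    """The link in the approval request email opens the review page.

    The email alerter's SendEmail is stubbed so the message body can be
    captured. The first href in the message is opened, and the page must
    show the requestor, the reason and the client's host information.
    """
    client_id = self.SetupClients(1)[0]

    # Requestor account name; defined once so the token and the page
    # assertion below stay in sync.
    requestor_username = "iwantapproval"

    messages_sent = []

    def SendEmailStub(unused_from_user, unused_to_user, unused_subject,
                      message, **unused_kwargs):
        messages_sent.append(message)

    # Request client approval, it will trigger an email message.
    with utils.Stubber(email_alerts.EMAIL_ALERTER, "SendEmail",
                       SendEmailStub):
        security.ClientApprovalRequestor(
            reason="Please please let me",
            subject_urn=client_id,
            approver=self.token.username,
            token=access_control.ACLToken(
                username=requestor_username, reason="test")).Request()

    self.assertEqual(len(messages_sent), 1)

    # Extract the link from the message text and open it. Fail with a clear
    # message when no link is found, not with an AttributeError on None.
    m = re.search(r"href='(.+?)'", messages_sent[0], re.MULTILINE)
    self.assertIsNotNone(m, "approval request email contains no href link")
    link = urlparse.urlparse(m.group(1))

    # Only path, query and fragment are replayed. The scheme and host of the
    # emailed URL are discarded, so this test does not check which host the
    # link points at.
    self.Open(link.path + "?" + link.query + "#" + link.fragment)

    # Check that requestor's username and reason are correctly displayed.
    self.WaitUntil(self.IsTextPresent, requestor_username)
    self.WaitUntil(self.IsTextPresent, "Please please let me")
    # Check that host information is displayed.
    self.WaitUntil(self.IsTextPresent, client_id.Basename())
    self.WaitUntil(self.IsTextPresent, "Host-0")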
def testIncludesApproversInResultWhenApprovalIsGranted(self):
    """A granted approval is valid and lists both approvers.

    After a second account grants the request, the handler result must be
    valid and its approvers must be exactly the granting account and the
    requestor, in any order.
    """
    request_urn = aff4_security.ClientApprovalRequestor(
        reason="blah",
        subject_urn=self.client_id,
        approver="approver",
        token=self.token).Request()
    approval_id = request_urn.Basename()

    # NOTE(review): the username literal is masked in this listing; the
    # grant presumably comes from the "approver" account named in the
    # request - confirm against the upstream file.
    approver_token = access_control.ACLToken(username="******")
    aff4_security.ClientApprovalGrantor(
        reason="blah",
        delegate=self.token.username,
        subject_urn=self.client_id,
        token=approver_token).Grant()

    get_args = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id=approval_id,
        username=self.token.username)
    approval = self.handler.Handle(get_args, token=self.token)

    self.assertTrue(approval.is_valid)

    # Compare as sorted lists: the order of approvers is not checked.
    expected_approvers = sorted(
        [approver_token.username, self.token.username])
    self.assertEqual(sorted(approval.approvers), expected_approvers)
def ApprovalRequest(client_id, token=None, approver="approver",
                    reason="testing"):
    """Request approval for access to a client.

    Args:
      client_id: Client identifier; wrapped in rdf_client.ClientURN.
      token: Token to issue the request with. A falsy value is replaced by
        the result of GetToken().
      approver: Username the request is addressed to.
      reason: Reason recorded on the request. A falsy value is replaced by
        the token's own reason.
    """
    if not token:
        token = GetToken()

    approval_reason = reason if reason else token.reason

    request = security.ClientApprovalRequestor(
        reason=approval_reason,
        subject_urn=rdf_client.ClientURN(client_id),
        approver=approver,
        token=token)
    request.Request()
def testNonValidApprovalIsMarked(self):
    """A requested but ungranted approval is shown half-transparent.

    After an approval is requested and never granted, the client's row in
    the dashboard's RecentlyAccessedClients panel must carry the
    "half-transparent" class.
    """
    client_id = self.SetupClient(0)

    request = security.ClientApprovalRequestor(
        reason=self.token.reason,
        subject_urn=client_id,
        approver="approver",
        token=self.token)
    request.Request()

    self.Open("/")

    marked_row_selector = ("css=grr-user-dashboard "
                           "div[name=RecentlyAccessedClients] "
                           "tr:contains('%s').half-transparent" %
                           client_id.Basename())
    self.WaitUntil(self.IsElementPresent, marked_row_selector)
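def testApprovalDoesNotCreateUser(self):
    """Naming an unknown user as approver must not create that user.

    The approver name is supplied by the requestor, so a request addressed
    to an account that does not exist must leave aff4:/users/<name> as
    something other than a GRRUser, both before and after the request.
    """
    username = "******"
    user_path = "aff4:/users/%s" % username

    # Precondition: no user object exists for this name yet.
    user = aff4.FACTORY.Open(user_path, token=self.token)
    self.assertNotIsInstance(user, users.GRRUser)

    security.ClientApprovalRequestor(
        subject_urn=self.client_id,
        reason=self.token.reason,
        approver=username,
        token=self.token).Request()

    # The request must not have created an account as a side effect.
    user = aff4.FACTORY.Open(user_path, token=self.token)
    self.assertNotIsInstance(user, users.GRRUser)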
def testCreatingApprovalCreatesSymlink(self):
    """Requesting approval leaves a symlink under the requestor's approvals.

    The first child of the requestor's per-client approvals directory must
    be an AFF4Symlink whose target is the matching object under aff4:/ACL.

    The paths hard-code user "test" and client C.1000000000000000;
    presumably these match self.token.username and SetupClient(0) - verify
    against the fixture.
    """
    client_id = self.SetupClient(0)

    request = security.ClientApprovalRequestor(
        subject_urn=client_id,
        reason=self.token.reason,
        approver="approver",
        token=self.token)
    request.Request()

    children = list(
        aff4.FACTORY.ListChildren(
            "aff4:/users/test/approvals/client/C.1000000000000000"))
    approval_id = children[0].Basename()
    self.assertTrue(approval_id.startswith("approval:"))

    # Open the entry itself, not what it points to, so the symlink
    # attributes can be inspected.
    link_path = ("aff4:/users/test/approvals/client/C.1000000000000000/%s" %
                 approval_id)
    fd = aff4.FACTORY.Open(
        link_path, follow_symlinks=False, mode="r", token=self.token)

    self.assertEqual(fd.Get(fd.Schema.TYPE), "AFF4Symlink")
    expected_target = "aff4:/ACL/C.1000000000000000/test/%s" % approval_id
    self.assertEqual(fd.Get(fd.Schema.SYMLINK_TARGET), expected_target)
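def testEmailClientApprovalRequestLinkLeadsToACorrectPage(self):
    """The link in the approval request email opens the review page.

    Exactly one email must be captured for the request. It must mention the
    reason, the requestor and the client, and its link must lead to a page
    that shows the requestor, the reason and the client's host information.

    self.messages_sent and self._ExtractLinkFromMessage are provided by
    fixture code outside this block.
    """
    client_id = self.SetupClient(0)

    # Request with the same constant that the assertions below check. The
    # original passed the literal "Please please let me", which only passes
    # when it equals APPROVAL_REASON.
    security.ClientApprovalRequestor(
        reason=self.APPROVAL_REASON,
        subject_urn=client_id,
        approver=self.GRANTOR_TOKEN.username,
        token=self.token).Request()

    self.assertEqual(len(self.messages_sent), 1)

    # assertIn reports both operands on failure, unlike assertTrue(a in b).
    message = self.messages_sent[0]
    self.assertIn(self.APPROVAL_REASON, message)
    self.assertIn(self.token.username, message)
    self.assertIn(client_id.Basename(), message)

    self.Open(self._ExtractLinkFromMessage(message))

    # Check that requestor's username and reason are correctly displayed.
    self.WaitUntil(self.IsTextPresent, self.token.username)
    self.WaitUntil(self.IsTextPresent, self.APPROVAL_REASON)
    # Check that host information is displayed.
    self.WaitUntil(self.IsTextPresent, client_id.Basename())
    self.WaitUntil(self.IsTextPresent, "Host-0")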
def RequestClientApproval(self, client_id, reason=None, requestor=None,
                          email_cc_address=None, approver="approver"):
    """Create an approval request to be sent to approver.

    Args:
      client_id: Client identifier, or an object with a Basename() method,
        in which case its basename is used.
      reason: Reason for the request; defaults to self.token.reason.
      requestor: Username making the request; defaults to
        self.token.username.
      email_cc_address: Passed through to the request unchanged.
      approver: Username the request is addressed to.

    Returns:
      The basename of the URN returned by the request.
    """
    if hasattr(client_id, "Basename"):
        client_id = client_id.Basename()

    requestor = requestor or self.token.username
    reason = reason or self.token.reason

    # The request is issued under a fresh token that carries only the
    # requestor's username.
    request = security.ClientApprovalRequestor(
        subject_urn=client_id,
        reason=reason,
        approver=approver,
        email_cc_address=email_cc_address,
        token=access_control.ACLToken(username=requestor))
    return request.Request().Basename()