Esempio n. 1
    def Create2HuntsForDifferentUsers(self):
        """Create two sample hunts and run request + grant for each of them.

        The first hunt is created and requested under a separate identity,
        the second one under ``self.token.username``. Every identity is
        obtained by building an ``ACLToken`` from a bare username; no
        credential check is visible in this fixture, so the pattern is only
        appropriate inside tests.
        """
        # NOTE(review): the literal usernames are masked as "******" in this
        # listing. The original comment states that hunt1 is created by
        # "otheruser" and that both hunts are approved by "approver" --
        # confirm against the unmasked source.
        other_token = access_control.ACLToken(username="******")
        hunt1_id = self.CreateSampleHunt(token=other_token)
        own_token = access_control.ACLToken(username=self.token.username)
        hunt2_id = self.CreateSampleHunt(token=own_token)
        self.CreateAdminUser("approver")

        # Both requests name "approver" as the approver.
        requestor_token = access_control.ACLToken(username="******")
        first_request = security.HuntApprovalRequestor(
            subject_urn=hunt1_id,
            reason=self.reason,
            approver="approver",
            token=requestor_token)
        first_request.Request()

        requestor_token = access_control.ACLToken(
            username=self.token.username)
        second_request = security.HuntApprovalRequestor(
            subject_urn=hunt2_id,
            reason=self.reason,
            approver="approver",
            token=requestor_token)
        second_request.Request()

        # Grants are issued with a separate token; `delegate` names the user
        # the approval is granted to.
        grantor_token = access_control.ACLToken(username="******")
        first_grant = security.HuntApprovalGrantor(
            subject_urn=hunt1_id,
            reason=self.reason,
            delegate="otheruser",
            token=grantor_token)
        first_grant.Grant()

        grantor_token = access_control.ACLToken(username="******")
        second_grant = security.HuntApprovalGrantor(
            subject_urn=hunt2_id,
            reason=self.reason,
            delegate=self.token.username,
            token=grantor_token)
        second_grant.Grant()
Esempio n. 2
    def _RunTestForNormalApprovals(self):
        """Check GetHuntApproval for a pending and for a granted approval.

        Two hunts are created and approval is requested for both, but only
        the second request is granted. GetHuntApproval is then checked for
        each of them, so both states of the approval record are exercised.
        """
        with test_lib.FakeTime(42):
            self.CreateAdminUser("approver")

            with self.CreateHunt(description="hunt1") as first_hunt:
                hunt1_urn = first_hunt.urn
                hunt1_id = hunt1_urn.Basename()

            with self.CreateHunt(description="hunt2") as second_hunt:
                hunt2_urn = second_hunt.urn
                hunt2_id = hunt2_urn.Basename()

        with test_lib.FakeTime(44):
            first_request = security.HuntApprovalRequestor(
                reason="foo",
                subject_urn=hunt1_urn,
                approver="approver",
                token=self.token)
            approval1_id = first_request.Request().Basename()

        with test_lib.FakeTime(45):
            second_request = security.HuntApprovalRequestor(
                reason="bar",
                subject_urn=hunt2_urn,
                approver="approver",
                token=self.token)
            approval2_id = second_request.Request().Basename()

        with test_lib.FakeTime(84):
            # Only hunt2 is granted; hunt1's request is left as it is.
            # NOTE(review): the grantor username is masked in this listing;
            # presumably it is the "approver" admin created above -- confirm.
            approver_token = access_control.ACLToken(username="******")
            grant = security.HuntApprovalGrantor(
                reason="bar",
                delegate=self.token.username,
                subject_urn=hunt2_urn,
                token=approver_token)
            grant.Grant()

        with test_lib.FakeTime(126):
            # `replace` maps the generated ids to fixed strings, presumably
            # so that the checked output does not vary between runs.
            first_args = user_plugin.ApiGetHuntApprovalArgs(
                username=self.token.username,
                hunt_id=hunt1_id,
                approval_id=approval1_id)
            first_replace = {
                hunt1_id: "H:123456",
                approval1_id: "approval:111111"
            }
            self.Check("GetHuntApproval",
                       args=first_args,
                       replace=first_replace)

            second_args = user_plugin.ApiGetHuntApprovalArgs(
                username=self.token.username,
                hunt_id=hunt2_id,
                approval_id=approval2_id)
            second_replace = {
                hunt2_id: "H:567890",
                approval2_id: "approval:222222"
            }
            self.Check("GetHuntApproval",
                       args=second_args,
                       replace=second_replace)
Esempio n. 3
    def Run(self):
        """Check GrantHuntApproval for a request addressed to the test user.

        An admin user "requestor" is created, a hunt approval is requested
        with ``self.token.username`` named as approver, and the
        GrantHuntApproval call is then checked.
        """
        with test_lib.FakeTime(42):
            self.CreateAdminUser("requestor")

            with self.CreateHunt(description="a hunt") as created_hunt:
                hunt_urn = created_hunt.urn
                hunt_id = hunt_urn.Basename()

        with test_lib.FakeTime(44):
            # NOTE(review): the username is masked in this listing;
            # presumably it is the "requestor" user created above -- confirm.
            requestor_token = access_control.ACLToken(username="******")
            request = security.HuntApprovalRequestor(
                reason="foo",
                subject_urn=hunt_urn,
                approver=self.token.username,
                token=requestor_token)
            approval_id = request.Request().Basename()

        with test_lib.FakeTime(126):
            grant_args = user_plugin.ApiGrantHuntApprovalArgs(
                hunt_id=hunt_id,
                approval_id=approval_id,
                username="******")
            # Generated ids are mapped to fixed strings, presumably so the
            # checked output does not vary between runs.
            stable_ids = {
                hunt_id: "H:123456",
                approval_id: "approval:111111"
            }
            self.Check("GrantHuntApproval",
                       args=grant_args,
                       replace=stable_ids)
Esempio n. 4
    def _RunTestForApprovalForHuntCopiedFromAnotherHunt(self):
        """Check GetHuntApproval for a hunt that references an original hunt.

        The second hunt is created with ``original_object`` pointing at the
        first one, approval is requested for the second hunt only, and the
        GetHuntApproval call is checked for that request.
        """
        with test_lib.FakeTime(42):
            self.CreateAdminUser("approver")

            with self.CreateHunt(description="original hunt") as original:
                hunt1_urn = original.urn
                hunt1_id = hunt1_urn.Basename()

            original_ref = rdf_hunts.FlowLikeObjectReference.FromHuntId(
                hunt1_id)
            with self.CreateHunt(description="copied hunt",
                                 original_object=original_ref) as copied:
                hunt2_urn = copied.urn
                hunt2_id = hunt2_urn.Basename()

        with test_lib.FakeTime(44):
            request = security.HuntApprovalRequestor(
                reason="foo",
                subject_urn=hunt2_urn,
                approver="approver",
                token=self.token)
            approval_id = request.Request().Basename()

        with test_lib.FakeTime(126):
            lookup_args = user_plugin.ApiGetHuntApprovalArgs(
                username=self.token.username,
                hunt_id=hunt2_id,
                approval_id=approval_id)
            # hunt1_id is replaced as well although only hunt2 is queried;
            # presumably the original hunt's id appears in the output via
            # the reference -- confirm against the recorded data.
            stable_ids = {
                hunt1_id: "H:556677",
                hunt2_id: "H:DDEEFF",
                approval_id: "approval:333333"
            }
            self.Check("GetHuntApproval",
                       args=lookup_args,
                       replace=stable_ids)
Esempio n. 5
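  def testEmailHuntApprovalGrantNotificationLinkLeadsToCorrectPage(self):
    """The link in the grant-notification email opens the hunt's page.

    A hunt approval is requested by ``self.token`` and granted by
    ``self.GRANTOR_TOKEN``; the second captured message is expected to be
    the grant notification and to mention the reason, the grantor and the
    hunt id.
    """
    hunt_id = self.CreateSampleHunt()

    security.HuntApprovalRequestor(
        reason=self.APPROVAL_REASON,
        subject_urn=hunt_id,
        approver=self.GRANTOR_TOKEN.username,
        token=self.token).Request()
    security.HuntApprovalGrantor(
        reason=self.APPROVAL_REASON,
        subject_urn=hunt_id,
        token=self.GRANTOR_TOKEN,
        delegate=self.token.username).Grant()

    # There should be 1 message for the approval request and 1 message
    # for the approval grant notification.
    self.assertEqual(len(self.messages_sent), 2)

    message = self.messages_sent[1]
    # assertIn prints both operands on failure, which assertTrue(a in b)
    # does not; pass/fail behaviour is the same.
    self.assertIn(self.APPROVAL_REASON, message)
    self.assertIn(self.GRANTOR_TOKEN.username, message)
    self.assertIn(hunt_id.Basename(), message)

    self.Open(self._ExtractLinkFromMessage(message))

    # We should end up on the hunt's page.
    self.WaitUntil(self.IsTextPresent, hunt_id.Basename())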
Esempio n. 6
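  def testEmailHuntApprovalRequestLinkLeadsToACorrectPage(self):
    """The link in the approval-request email opens the request's page.

    The captured email must mention the reason, the requestor and the hunt
    id, and the page behind the extracted link must display the same data.
    """
    hunt_id = self.CreateSampleHunt()

    # Request hunt approval, it will trigger an email message.
    security.HuntApprovalRequestor(
        reason=self.APPROVAL_REASON,
        subject_urn=hunt_id,
        approver=self.GRANTOR_TOKEN.username,
        token=self.token).Request()

    self.assertEqual(len(self.messages_sent), 1)
    message = self.messages_sent[0]

    # assertIn prints both operands on failure, which assertTrue(a in b)
    # does not; pass/fail behaviour is the same.
    self.assertIn(self.APPROVAL_REASON, message)
    self.assertIn(self.token.username, message)
    self.assertIn(hunt_id.Basename(), message)

    self.Open(self._ExtractLinkFromMessage(message))

    # Check that requestor's username and reason are correctly displayed.
    self.WaitUntil(self.IsTextPresent, self.token.username)
    self.WaitUntil(self.IsTextPresent, self.APPROVAL_REASON)
    # Check that hunt information is displayed.
    self.WaitUntil(self.IsTextPresent, hunt_id.Basename())
    self.WaitUntil(self.IsTextPresent, "SampleHunt")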
Esempio n. 7
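    def testEmailHuntApprovalRequestLinkLeadsToACorrectPage(self):
        """The link in the approval-request email opens the request's page.

        ``SendEmail`` on ``email_alerts.EMAIL_ALERTER`` is stubbed so that
        the message body is captured instead of sent; the first ``href`` in
        that body is then opened in the browser under test.
        """
        hunt_id = self.CreateSampleHunt()

        messages_sent = []

        def SendEmailStub(unused_from_user, unused_to_user, unused_subject,
                          message, **unused_kwargs):
            # Only the body is recorded; sender, recipient and subject are
            # not verified by this test.
            messages_sent.append(message)

        # Request hunt approval, it will trigger an email message.
        # NOTE(review): the requestor username is masked in this listing;
        # the page check below expects "iwantapproval", so presumably that
        # is the masked value -- confirm.
        with utils.Stubber(email_alerts.EMAIL_ALERTER, "SendEmail",
                           SendEmailStub):
            security.HuntApprovalRequestor(reason="Please please let me",
                                           subject_urn=hunt_id,
                                           approver=self.token.username,
                                           token=access_control.ACLToken(
                                               username="******",
                                               reason="test")).Request()
        self.assertEqual(len(messages_sent), 1)

        # Extract link from the message text and open it. Fail with a clear
        # assertion, not an AttributeError on None, when no link is found.
        m = re.search(r"href='(.+?)'", messages_sent[0], re.MULTILINE)
        self.assertIsNotNone(m, "no href='...' link in the approval email")
        link = urlparse.urlparse(m.group(1))
        # Only path, query and fragment are replayed; the scheme and host
        # of the emailed link are dropped and therefore not checked here.
        self.Open(link.path + "?" + link.query + "#" + link.fragment)

        # Check that requestor's username and reason are correctly displayed.
        self.WaitUntil(self.IsTextPresent, "iwantapproval")
        self.WaitUntil(self.IsTextPresent, "Please please let me")
        # Check that hunt information is displayed.
        self.WaitUntil(self.IsTextPresent, str(hunt_id))
        self.WaitUntil(self.IsTextPresent, "SampleHunt")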
Esempio n. 8
    def _RequestAndOpenApprovalFromSelf(self, hunt_id):
        """Request hunt approval from oneself and open it via the UI.

        Requestor and approver are the same user (``self.token.username``),
        so this sets up the self-approval case. Whether such an approval is
        accepted is decided elsewhere and is not visible in this helper.
        """
        self_request = security.HuntApprovalRequestor(
            subject_urn=hunt_id,
            reason=self.reason,
            approver=self.token.username,
            token=self.token)
        self_request.Request()

        user_urn = "aff4:/users/%s" % self.token.username
        self.WaitForNotification(user_urn)
        self.Open("/")

        def NotificationCounterIsNonZero():
            return self.GetText("notification_button") != "0"

        self.WaitUntil(NotificationCounterIsNonZero)
        self.Click("notification_button")
        self.Click("css=td:contains('Please grant access to hunt')")
Esempio n. 9
    def testRendersRequestedHuntAppoval(self):
        """A requested hunt approval is returned by the list handler."""
        sample_hunt_name = standard.SampleHunt.__name__
        with implementation.GRRHunt.StartHunt(hunt_name=sample_hunt_name,
                                              token=self.token) as hunt:
            # Nothing to configure; only the hunt's urn is needed below.
            pass

        approval_request = aff4_security.HuntApprovalRequestor(
            reason=self.token.reason,
            subject_urn=hunt.urn,
            approver="approver",
            token=self.token)
        approval_request.Request()

        list_args = user_plugin.ApiListHuntApprovalsArgs()
        listing = self.handler.Handle(list_args, token=self.token)

        # Exactly the one approval requested above is expected.
        self.assertEqual(len(listing.items), 1)
Esempio n. 10
    def RequestHuntApproval(self,
                            hunt_id,
                            requestor=None,
                            reason=None,
                            approver="approver"):
        """Request approval for a hunt and return the request's basename.

        Args:
          hunt_id: Hunt identifier; it is appended to the "hunts" RDFURN.
          requestor: Username to request as. A falsy value selects
            self.token.username.
          reason: Reason text. A falsy value selects self.token.reason.
          approver: Username named as the approver.

        Returns:
          Basename() of the value returned by Request().
        """
        requestor_name = requestor or self.token.username
        reason_text = reason or self.token.reason

        # The token is built from the username alone, so this helper can
        # act as any user; no credential check is visible here.
        requestor_token = access_control.ACLToken(username=requestor_name)
        hunt_urn = rdfvalue.RDFURN("hunts").Add(hunt_id)
        approval_request = security.HuntApprovalRequestor(
            subject_urn=hunt_urn,
            reason=reason_text,
            approver=approver,
            token=requestor_token)
        return approval_request.Request().Basename()
Esempio n. 11
    def Run(self):
        """Check ListHuntApprovals after a single approval request."""
        with test_lib.FakeTime(42):
            self.CreateAdminUser("approver")

            generic_hunt_name = standard.GenericHunt.__name__
            hunt = implementation.GRRHunt.StartHunt(
                hunt_name=generic_hunt_name, token=self.token)

        with test_lib.FakeTime(43):
            request = security.HuntApprovalRequestor(
                reason=self.token.reason,
                subject_urn=hunt.urn,
                approver="approver",
                token=self.token)
            approval_id = request.Request().Basename()

        with test_lib.FakeTime(126):
            # Generated ids are mapped to fixed strings, presumably so the
            # checked output does not vary between runs.
            stable_ids = {
                hunt.urn.Basename(): "H:123456",
                approval_id: "approval:112233"
            }
            self.Check("ListHuntApprovals", replace=stable_ids)
Esempio n. 12
    def testCreatingApprovalCreatesSymlink(self):
        """Requesting approval leaves a symlink under the user's approvals.

        The entry below aff4:/users/test/approvals/hunt/ must be an
        AFF4Symlink whose target is the approval object below aff4:/ACL/.
        """
        # NOTE(review): the paths hard-code the user "test"; presumably
        # that equals self.token.username -- confirm in the test setup.
        hunt_urn = rdfvalue.RDFURN("aff4:/hunts/H:ABCD1234")

        request = security.HuntApprovalRequestor(
            reason=self.token.reason,
            subject_urn=hunt_urn,
            approver="approver",
            token=self.token)
        request.Request()

        user_entries = list(
            aff4.FACTORY.ListChildren(
                "aff4:/users/test/approvals/hunt/H:ABCD1234"))
        approval_id = user_entries[0].Basename()
        self.assertTrue(approval_id.startswith("approval:"))

        # follow_symlinks=False so the link itself is opened, not the
        # object it points to.
        link_fd = aff4.FACTORY.Open(
            "aff4:/users/test/approvals/hunt/H:ABCD1234/%s" % approval_id,
            follow_symlinks=False,
            mode="r",
            token=self.token)
        link_type = link_fd.Get(link_fd.Schema.TYPE)
        self.assertEqual(link_type, "AFF4Symlink")
        link_target = link_fd.Get(link_fd.Schema.SYMLINK_TARGET)
        self.assertEqual(link_target,
                         "aff4:/ACL/hunts/H:ABCD1234/test/%s" % approval_id)
Esempio n. 13
    def _RunTestForApprovalForHuntCopiedFromFlow(self):
        """Check GetHuntApproval for a hunt that references a flow.

        A flow is started on one client, a hunt is created with
        ``original_object`` pointing at that flow, approval is requested for
        the hunt, and the GetHuntApproval call is checked.
        """
        with test_lib.FakeTime(42):
            self.CreateAdminUser("approver")

            client_urn = self.SetupClients(1)[0]
            interrogate_name = discovery.Interrogate.__name__
            flow_urn = flow.GRRFlow.StartFlow(
                flow_name=interrogate_name,
                client_id=client_urn,
                token=self.token)

            flow_ref = rdf_hunts.FlowLikeObjectReference.FromFlowIdAndClientId(
                flow_urn.Basename(), client_urn.Basename())
            with self.CreateHunt(description="hunt started from flow",
                                 original_object=flow_ref) as created_hunt:
                hunt_urn = created_hunt.urn
                hunt_id = hunt_urn.Basename()

        with test_lib.FakeTime(44):
            request = security.HuntApprovalRequestor(
                reason="foo",
                subject_urn=hunt_urn,
                approver="approver",
                token=self.token)
            approval_id = request.Request().Basename()

        with test_lib.FakeTime(126):
            lookup_args = user_plugin.ApiGetHuntApprovalArgs(
                username=self.token.username,
                hunt_id=hunt_id,
                approval_id=approval_id)
            # The flow id is replaced too; presumably it appears in the
            # output via the hunt's reference to the flow -- confirm.
            stable_ids = {
                flow_urn.Basename(): "F:112233",
                hunt_id: "H:667788",
                approval_id: "approval:444444"
            }
            self.Check("GetHuntApproval",
                       args=lookup_args,
                       replace=stable_ids)