def testFilterConsidersOffsetAndCount(self):
client_id = self.client_ids[0]
# Create five approval requests without granting them.
for i in range(10):
with test_lib.FakeTime(42 + i):
self.RequestClientApproval(client_id.Basename(),
reason="Request reason %d" % i)
args = user_plugin.ApiListClientApprovalsArgs(client_id=client_id,
offset=0,
count=5)
result = self.handler.Handle(args, token=self.token)
# Approvals are returned newest to oldest, so the first five approvals
# have reason 9 to 5.
self.assertEqual(len(result.items), 5)
for item, i in zip(result.items, reversed(range(6, 10))):
self.assertEqual(item.reason, "Request reason %d" % i)
# When no count is specified, take all items from offset to the end.
args = user_plugin.ApiListClientApprovalsArgs(client_id=client_id,
offset=7)
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), 4)
for item, i in zip(result.items, reversed(range(0, 4))):
self.assertEqual(item.reason, "Request reason %d" % i)
def Run(self):
with test_lib.FakeTime(42):
self.CreateAdminUser("approver")
clients = self.SetupClients(2)
for client_id in clients:
# Delete the certificate as it's being regenerated every time the
# client is created.
with aff4.FACTORY.Open(client_id, mode="rw",
token=self.token) as grr_client:
grr_client.DeleteAttribute(grr_client.Schema.CERT)
with test_lib.FakeTime(44):
approval_urn = security.ClientApprovalRequestor(
reason=self.token.reason,
subject_urn=clients[0],
approver="approver",
token=self.token).Request()
approval1_id = approval_urn.Basename()
with test_lib.FakeTime(45):
approval_urn = security.ClientApprovalRequestor(
reason=self.token.reason,
subject_urn=clients[1],
approver="approver",
token=self.token).Request()
approval2_id = approval_urn.Basename()
with test_lib.FakeTime(84):
approver_token = access_control.ACLToken(username="******")
security.ClientApprovalGrantor(reason=self.token.reason,
delegate=self.token.username,
subject_urn=clients[1],
token=approver_token).Grant()
with test_lib.FakeTime(126):
self.Check("ListClientApprovals",
args=user_plugin.ApiListClientApprovalsArgs(),
replace={
approval1_id: "approval:111111",
approval2_id: "approval:222222"
})
self.Check("ListClientApprovals",
args=user_plugin.ApiListClientApprovalsArgs(
client_id=clients[0].Basename()),
replace={
approval1_id: "approval:111111",
approval2_id: "approval:222222"
})
def testRendersRequestedClientApprovals(self):
self._RequestClientApprovals()
args = user_plugin.ApiListClientApprovalsArgs()
result = self.handler.Handle(args, token=self.token)
# All approvals should be returned.
self.assertEqual(len(result.items), self.CLIENT_COUNT)
def Run(self):
with test_lib.FakeTime(42):
self.CreateAdminUser("approver")
clients = self.SetupClients(2)
for client_id in clients:
# Delete the certificate as it's being regenerated every time the
# client is created.
with aff4.FACTORY.Open(client_id, mode="rw",
token=self.token) as grr_client:
grr_client.DeleteAttribute(grr_client.Schema.CERT)
with test_lib.FakeTime(44):
approval1_id = self.RequestClientApproval(
clients[0].Basename(),
reason=self.token.reason,
approver="approver",
requestor=self.token.username)
with test_lib.FakeTime(45):
approval2_id = self.RequestClientApproval(
clients[1].Basename(),
reason=self.token.reason,
approver="approver",
requestor=self.token.username)
with test_lib.FakeTime(84):
self.GrantClientApproval(clients[1].Basename(),
requestor=self.token.username,
reason=self.token.reason,
approver="approver")
with test_lib.FakeTime(126):
self.Check("ListClientApprovals",
args=user_plugin.ApiListClientApprovalsArgs(),
replace={
approval1_id: "approval:111111",
approval2_id: "approval:222222"
})
self.Check("ListClientApprovals",
args=user_plugin.ApiListClientApprovalsArgs(
client_id=clients[0].Basename()),
replace={
approval1_id: "approval:111111",
approval2_id: "approval:222222"
})
def testFiltersApprovalsByClientId(self):
client_id = self.client_ids[0]
self._RequestClientApprovals()
# Get approvals for a specific client. There should be exactly one.
args = user_plugin.ApiListClientApprovalsArgs(client_id=client_id)
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), 1)
self.assertEqual(result.items[0].subject.client_id, client_id)
def Layout(self, request, response):
"""Checks the level of access the user has to this client."""
self.subject = request.REQ.get("subject", "")
self.silent = request.REQ.get("silent", "")
token = request.token
# When silent=True, we don't show ACLDialog in case of failure.
# This is useful when we just want to make an access check and set
# the correct reason (if found) without asking for a missing approval.
if self.silent:
self.layout_template = self.silent_template
self.refresh_after_form_submit = True
subject_urn = rdfvalue.RDFURN(self.subject)
namespace, _ = subject_urn.Split(2)
if self.CheckObjectAccess(subject_urn, token):
return self.CallJavascript(
response,
"CheckAccess.AccessOk",
reason=self.reason,
silent=self.silent)
self.cc_address = config_lib.CONFIG["Email.approval_optional_cc_address"]
recent_reasons_list = api_user.ApiListClientApprovalsHandler().Handle(
api_user.ApiListClientApprovalsArgs(count=5), token=request.token)
self.recent_reasons = [x.reason for x in recent_reasons_list.items]
if namespace == "hunts":
self.approval_renderer = "HuntApprovalRequestRenderer"
self.refresh_after_form_submit = False
elif namespace == "cron":
self.approval_renderer = "CronJobApprovalRequestRenderer"
self.refresh_after_form_submit = False
elif aff4_grr.VFSGRRClient.CLIENT_ID_RE.match(namespace):
self.approval_renderer = "ClientApprovalRequestRenderer"
self.show_keepalive_option = True
else:
raise RuntimeError(
"Unexpected namespace for access check: %s (subject=%s)." %
(namespace, self.subject))
response = super(CheckAccess, self).Layout(request, response)
if not self.silent:
return self.CallJavascript(
response,
"CheckAccess.Layout",
subject=self.subject,
refresh_after_form_submit=self.refresh_after_form_submit,
approval_renderer=self.approval_renderer)
else:
return response
def testFiltersApprovalsByInvalidState(self):
self._RequestClientApprovals()
# We only requested approvals so far, so all of them should be invalid.
args = user_plugin.ApiListClientApprovalsArgs(
state=user_plugin.ApiListClientApprovalsArgs.State.INVALID)
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), self.CLIENT_COUNT)
# Grant access to one client. Now all but one should be invalid.
self.GrantClientApproval(
self.client_ids[0], self.token.username, reason=self.token.reason)
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), self.CLIENT_COUNT - 1)
def testFiltersApprovalsByValidState(self):
self._RequestClientApprovals()
# We only requested approvals so far, so none of them is valid.
args = user_plugin.ApiListClientApprovalsArgs(
state=user_plugin.ApiListClientApprovalsArgs.State.VALID)
result = self.handler.Handle(args, token=self.token)
# We do not have any approved approvals yet.
self.assertEqual(len(result.items), 0)
# Grant access to one client. Now exactly one approval should be valid.
self.GrantClientApproval(
self.client_ids[0], self.token.username, reason=self.token.reason)
result = self.handler.Handle(args, token=self.token)
self.assertEqual(len(result.items), 1)
self.assertEqual(result.items[0].subject.client_id, self.client_ids[0])
def testFiltersApprovalsByClientIdAndState(self):
client_id = self.client_ids[0]
self._RequestClientApprovals()
# Grant approval to a certain client.
self.GrantClientApproval(
client_id, self.token.username, reason=self.token.reason)
args = user_plugin.ApiListClientApprovalsArgs(
client_id=client_id,
state=user_plugin.ApiListClientApprovalsArgs.State.VALID)
result = self.handler.Handle(args, token=self.token)
# We have a valid approval for the requested client.
self.assertEqual(len(result.items), 1)
args.state = user_plugin.ApiListClientApprovalsArgs.State.INVALID
result = self.handler.Handle(args, token=self.token)
# However, we do not have any invalid approvals for the client.
self.assertEqual(len(result.items), 0)
def ListClientApprovals(self, requestor=None):
requestor = requestor or self.token.username
handler = api_user.ApiListClientApprovalsHandler()
return handler.Handle(
api_user.ApiListClientApprovalsArgs(),
token=access_control.ACLToken(username=requestor)).items