コード例 #1
    def testRaisesWhenNoGrants(self):
        """An approval request without any grant must be rejected.

        The expected message shows that two further approvers are demanded
        when nobody has signed off on the request.
        """
        ungranted_request = self._CreateRequest(grants=[])
        expected_message = "Need at least 2 additional approvers for access"

        with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
                                     expected_message):
            approval_checks.CheckApprovalRequest(ungranted_request)
コード例 #2
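    def _CheckAccess(self, username, subject_id, approval_type):
        """Checks access to a given subject by a given user.

        A positive decision is looked up in ``self.acl_cache`` first. On a
        miss, the non-expired approval requests of the user are read from the
        relational datastore and validated one by one; the first request that
        passes ``CheckApprovalRequest`` grants access and is cached.

        Only grants are cached. A denial is never stored, so it is
        re-evaluated on every call.

        NOTE(review): a cache hit returns before any approval is re-read or
        re-validated, so a cached grant stays valid until its entry leaves
        ``acl_cache``. The cache lifetime is configured outside this method;
        confirm it is short compared to approval lifetimes.

        Args:
          username: User whose approval requests are searched.
          subject_id: Identifier of the subject being accessed.
          approval_type: Type of approval to look for.

        Returns:
          True if access is granted, on the cached and uncached path alike.

        Raises:
          access_control.UnauthorizedAccess: if no approval request exists,
            or if every request found fails validation. In the latter case
            the message joins the individual errors.
        """
        cache_key = (username, subject_id, approval_type)
        try:
            self.acl_cache.Get(cache_key)
        except KeyError:
            stats.STATS.IncrementCounter("approval_searches",
                                         fields=["-", "reldb"])
        else:
            # Kept out of the try body so that only the cache lookup itself
            # can be interpreted as a miss.
            stats.STATS.IncrementCounter("approval_searches",
                                         fields=["-", "cache"])
            return True

        approvals = data_store.REL_DB.ReadApprovalRequests(
            utils.SmartStr(username),
            approval_type,
            subject_id=subject_id,
            include_expired=False)

        errors = []
        for approval in approvals:
            try:
                approval_checks.CheckApprovalRequest(approval)
            except access_control.UnauthorizedAccess as e:
                # Keep going: another request for the same subject may pass.
                errors.append(e)
            else:
                self.acl_cache.Put(cache_key, True)
                # Return the same value as the cache-hit path; the original
                # returned None here, which made the result depend on
                # whether the cache was warm.
                return True

        subject = approval_checks.BuildLegacySubject(subject_id, approval_type)
        if not errors:
            raise access_control.UnauthorizedAccess("No approval found.",
                                                    subject=subject)

        message = " ".join(utils.SmartStr(err) for err in errors)
        raise access_control.UnauthorizedAccess(message, subject=subject)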
コード例 #3
    def testReturnsIfApprovalIsNotExpiredAndHasTwoGrants(self):
        """A request with two grants passes the check without raising.

        No expiration_time is passed, so whatever _CreateRequest uses by
        default applies. Success is signalled solely by the absence of an
        exception.
        """
        # NOTE(review): the "******" usernames look masked by the page. If
        # both grantors really were the same user, this test would not show
        # that the two approvals come from distinct people -- confirm
        # against the upstream file.
        two_grants = [
            rdf_objects.ApprovalGrant(grantor_username="******"),
            rdf_objects.ApprovalGrant(grantor_username="******"),
        ]
        request = self._CreateRequest(grants=two_grants)

        approval_checks.CheckApprovalRequest(request)
コード例 #4
    def testWhenAuthMgrActiveChecksApproversForEachClientLabel(self, mock_mgr):
        """Every client label is checked against the approval manager.

        The client receives the labels "foo" and "bar". With the manager
        reported active, CheckApproversForLabel must be called once per
        label, each time with a token, the client URN, the requestor and the
        full grantor set. The asserted call order is "bar", then "foo".
        """
        # NOTE(review): the "******" usernames look masked by the page; the
        # assertions below expect the grantors "grantor1" and "grantor2" --
        # confirm against the upstream file.
        data_store.REL_DB.AddClientLabels(self.client.client_id, "GRR",
                                          ["foo", "bar"])

        grants = [
            rdf_objects.ApprovalGrant(grantor_username="******"),
            rdf_objects.ApprovalGrant(grantor_username="******"),
        ]
        request = self._CreateRequest(grants=grants)

        # Make sure approval manager is active.
        mock_mgr.IsActive.return_value = True

        approval_checks.CheckApprovalRequest(request)

        label_calls = mock_mgr.CheckApproversForLabel.mock_calls
        self.assertEqual(len(label_calls), 2)

        # Index 1 of a recorded mock call holds its positional arguments.
        for position, label in enumerate(("bar", "foo")):
            positional_args = label_calls[position][1]
            self.assertEqual(
                positional_args,
                (access_control.ACLToken(username="******"),
                 rdfvalue.RDFURN(self.client.client_id), "requestor",
                 set(["grantor1", "grantor2"]), label))
コード例 #5
    def testRaisesWhenJustOneGrant(self):
        """A single grant is not enough to authorize access.

        The expected message shows that one more approver is demanded once
        one grant is present.
        """
        lone_grant = rdf_objects.ApprovalGrant(grantor_username="******")
        request = self._CreateRequest(grants=[lone_grant])
        expected_message = "Need at least 1 additional approver for access"

        with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
                                     expected_message):
            approval_checks.CheckApprovalRequest(request)
コード例 #6
    def testWhenAuthMgrActiveReturnsIfClientHasNoLabels(self, mock_mgr):
        """An active approval manager does not block a client without labels.

        This test adds no labels to the client. With two grants on the
        request and the manager reported active, the check must return
        without raising.
        """
        grants = [
            rdf_objects.ApprovalGrant(grantor_username="******"),
            rdf_objects.ApprovalGrant(grantor_username="******"),
        ]
        request = self._CreateRequest(grants=grants)

        # Make sure approval manager is active.
        mock_mgr.IsActive.return_value = True

        approval_checks.CheckApprovalRequest(request)
コード例 #7
    def testRaisesWhenNoGrantsFromAdmins(self):
        """Two grants are rejected when an admin approver is still missing.

        NOTE(review): what makes an admin approver mandatory here is set up
        outside this method (presumably in the fixture or _CreateRequest) --
        confirm against the enclosing test class.
        """
        grants = [
            rdf_objects.ApprovalGrant(grantor_username="******"),
            rdf_objects.ApprovalGrant(grantor_username="******"),
        ]
        request = self._CreateRequest(grants=grants)
        expected_message = "Need at least 1 admin approver for access"

        with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
                                     expected_message):
            approval_checks.CheckApprovalRequest(request)
コード例 #8
    def testRaisesIfApprovalExpired(self):
        """An expired approval is rejected even though it has two grants.

        The expiration time is set one minute into the past, so the grant
        count alone would be sufficient and only the expiry can trigger the
        expected error.
        """
        one_minute_ago = rdfvalue.RDFDatetime.Now() - rdfvalue.Duration("1m")
        grants = [
            rdf_objects.ApprovalGrant(grantor_username="******"),
            rdf_objects.ApprovalGrant(grantor_username="******"),
        ]
        expired_request = self._CreateRequest(expiration_time=one_minute_ago,
                                              grants=grants)

        with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
                                     "Approval request is expired"):
            approval_checks.CheckApprovalRequest(expired_request)
コード例 #9
    def testWhenAuthMgrActiveRaisesIfAuthMgrRaises(self, mock_mgr):
        """A denial from the approval manager propagates to the caller.

        The client carries one label, the manager is reported active and its
        CheckApproversForLabel is made to raise. CheckApprovalRequest must
        surface that error although the request has two grants.
        """
        data_store.REL_DB.AddClientLabels(self.client.client_id, "GRR",
                                          ["foo"])

        grants = [
            rdf_objects.ApprovalGrant(grantor_username="******"),
            rdf_objects.ApprovalGrant(grantor_username="******"),
        ]
        request = self._CreateRequest(grants=grants)

        # Make sure approval manager is active.
        mock_mgr.IsActive.return_value = True

        # CheckApproversForLabel should raise.
        mock_mgr.CheckApproversForLabel.side_effect = (
            access_control.UnauthorizedAccess("some error"))

        with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
                                     "some error"):
            approval_checks.CheckApprovalRequest(request)