def Run(self):
    """Exercise ``GetClientApproval`` for one pending and one granted approval.

    Approvals are requested for two clients and only the second one is
    granted. Each step runs under a fixed ``FakeTime``, and the generated
    approval ids are mapped to constant strings through the ``replace``
    argument of ``Check``.
    """
    # NOTE(review): block nesting was reconstructed from a flattened listing;
    # client setup is assumed to belong to the FakeTime(42) block -- confirm.
    with test_lib.FakeTime(42):
        self.CreateAdminUser(u"approver")
        clients = self.SetupClients(2)
        if data_store.AFF4Enabled():
            for client_urn in clients:
                # The certificate is regenerated every time a client is
                # created, so it is deleted here.
                with aff4.FACTORY.Open(
                        client_urn, mode="rw", token=self.token) as client_obj:
                    client_obj.DeleteAttribute(client_obj.Schema.CERT)

    requestor = self.token.username
    parties = dict(approver=u"approver", requestor=requestor)

    with test_lib.FakeTime(44):
        approval1_id = self.RequestClientApproval(
            clients[0].Basename(), reason="foo", **parties)

    with test_lib.FakeTime(45):
        approval2_id = self.RequestClientApproval(
            clients[1].Basename(), reason="bar", **parties)

    # Only the second request is granted; the first one stays pending.
    with test_lib.FakeTime(84):
        self.GrantClientApproval(
            clients[1].Basename(), approval_id=approval2_id, **parties)

    checked = (
        (clients[0], approval1_id, "approval:111111"),
        (clients[1], approval2_id, "approval:222222"),
    )
    with test_lib.FakeTime(126):
        for client_urn, approval_id, stable_id in checked:
            self.Check(
                "GetClientApproval",
                args=user_plugin.ApiGetClientApprovalArgs(
                    client_id=client_urn.Basename(),
                    approval_id=approval_id,
                    username=requestor),
                replace={approval_id: stable_id})
def testRendersRequestedClientApproval(self):
    """A requested but ungranted approval is rendered as not valid.

    The only approver on record is the requestor, and the handler must still
    report that one more approver is needed before access is allowed.
    """
    requestor = self.context.username
    cc_address = "*****@*****.**"

    approval_id = self.RequestClientApproval(
        self.client_id,
        requestor=requestor,
        reason="blah",
        approver=u"approver",
        email_cc_address=cc_address)

    lookup = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id=approval_id,
        username=requestor)
    result = self.handler.Handle(lookup, context=self.context)

    self.assertEqual(result.subject.client_id.ToString(), self.client_id)
    self.assertEqual(result.reason, "blah")
    # Self-approval alone must not make the approval valid.
    self.assertEqual(result.is_valid, False)
    self.assertEqual(
        result.is_valid_message,
        "Need at least 1 additional approver for access.")
    self.assertEqual(result.notified_users, [u"approver"])
    self.assertEqual(result.email_cc_addresses, [cc_address])
    # Every approval is self-approved by default.
    self.assertEqual(result.approvers, [requestor])
def testErrorDuringStartFlowDoesNotBubbleUpToApprovalApiCall(self):
    """A failing ``StartFlow`` must not break the approval itself.

    A flow is scheduled first, then ``flow.StartFlow`` is patched to raise
    while the approval is requested and granted. The approval must still be
    reported as valid, and the patched ``StartFlow`` must have been called.
    """
    requestor = self.context.username

    flow.ScheduleFlow(
        client_id=self.client_id,
        creator=requestor,
        flow_name=file.CollectSingleFile.__name__,
        flow_args=rdf_file_finder.CollectSingleFileArgs(path="/foo"),
        runner_args=rdf_flow_runner.FlowRunnerArgs())

    # NOTE(review): nesting was reconstructed from a flattened listing; the
    # patch is assumed to cover only the request-and-grant step -- confirm.
    failing_start = mock.patch.object(
        flow, "StartFlow", side_effect=ValueError("foobazzle"))
    with failing_start as start_flow_mock:
        approval_id = self.RequestAndGrantClientApproval(
            self.client_id,
            reason=u"blah",
            approver=u"approver",
            requestor=requestor)

    lookup = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id=approval_id,
        username=requestor)
    approval = user_plugin.ApiGetClientApprovalHandler().Handle(
        lookup, context=self.context)

    self.assertTrue(approval.is_valid)
    self.assertTrue(start_flow_mock.called)
def testRaisesWhenApprovalIsNotFound(self):
    """Fetching an approval id this test never created raises not-found."""
    lookup = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id="approval:112233",
        username=self.context.username)

    self.assertRaises(
        api_call_handler_base.ResourceNotFoundError,
        self.handler.Handle,
        lookup,
        context=self.context)
def Run(self):
    """Exercise ``GetClientApproval`` for one pending and one granted approval.

    Approvals are requested for two clients and only the second one is
    granted. Each step runs under a fixed ``FakeTime``, and the generated
    approval ids are mapped to constant strings through the ``replace``
    argument of ``Check``.
    """
    # NOTE(review): block nesting was reconstructed from a flattened listing;
    # client setup is assumed to belong to the FakeTime(42) block -- confirm.
    with test_lib.FakeTime(42):
        self.CreateAdminUser(u"approver")
        clients = self.SetupClients(2)

    requestor = self.test_username
    parties = dict(approver=u"approver", requestor=requestor)

    with test_lib.FakeTime(44):
        approval1_id = self.RequestClientApproval(
            clients[0], reason="foo", **parties)

    with test_lib.FakeTime(45):
        approval2_id = self.RequestClientApproval(
            clients[1], reason="bar", **parties)

    # Only the second request is granted; the first one stays pending.
    with test_lib.FakeTime(84):
        self.GrantClientApproval(
            clients[1], approval_id=approval2_id, **parties)

    checked = (
        (clients[0], approval1_id, "approval:111111"),
        (clients[1], approval2_id, "approval:222222"),
    )
    with test_lib.FakeTime(126):
        for client_id, approval_id, stable_id in checked:
            self.Check(
                "GetClientApproval",
                args=user_plugin.ApiGetClientApprovalArgs(
                    client_id=client_id,
                    approval_id=approval_id,
                    username=requestor),
                replace={approval_id: stable_id})
def testIncludesApproversInResultWhenApprovalIsGranted(self):
    """A granted approval is valid and lists requestor and approver."""
    requestor = self.token.username

    approval_id = self.RequestAndGrantClientApproval(
        self.client_id,
        reason=u"blah",
        approver=u"approver",
        requestor=requestor)

    lookup = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id=approval_id,
        username=requestor)
    result = self.handler.Handle(lookup, token=self.token)

    self.assertTrue(result.is_valid)
    # Order is not significant: both the self-approval and the grant by
    # "approver" must be present.
    expected_approvers = [requestor, u"approver"]
    self.assertCountEqual(result.approvers, expected_approvers)
def testStartsScheduledFlowsIfGrantedApprovalIsValid(self):
    """Granting a valid approval triggers ``flow.StartScheduledFlows``.

    The call must be made for this client and with the requestor as creator.
    """
    requestor = self.context.username

    # NOTE(review): nesting was reconstructed from a flattened listing; the
    # patch is assumed to cover only the request-and-grant step -- confirm.
    scheduled_patch = mock.patch.object(flow, "StartScheduledFlows")
    with scheduled_patch as start_mock:
        approval_id = self.RequestAndGrantClientApproval(
            self.client_id,
            reason=u"blah",
            approver=u"approver",
            requestor=requestor)

    lookup = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id=approval_id,
        username=requestor)
    approval = user_plugin.ApiGetClientApprovalHandler().Handle(
        lookup, context=self.context)

    self.assertTrue(approval.is_valid)
    self.assertTrue(start_mock.called)
    start_mock.assert_called_with(
        client_id=self.client_id, creator=self.context.username)
def testDoesNotStartScheduledFlowsIfGrantedApprovalIsNotValid(self):
    """No scheduled flow may start while the approval check is failing.

    ``approval_checks.CheckApprovalRequest`` is patched to raise
    ``UnauthorizedAccess``; the approval must then be reported as not valid
    and ``flow.StartScheduledFlows`` must never be called.
    """
    requestor = self.context.username
    denied = access_control.UnauthorizedAccess("foobazzle")

    # NOTE(review): nesting was reconstructed from a flattened listing.
    # Handle() is kept inside the CheckApprovalRequest patch because the
    # is_valid assertion below presumably relies on the check still failing
    # when the approval is fetched -- confirm.
    with mock.patch.object(flow, "StartScheduledFlows") as start_mock, \
            mock.patch.object(
                approval_checks, "CheckApprovalRequest", side_effect=denied):
        approval_id = self.RequestAndGrantClientApproval(
            self.client_id,
            reason=u"blah",
            approver=u"approver",
            requestor=requestor)

        lookup = user_plugin.ApiGetClientApprovalArgs(
            client_id=self.client_id,
            approval_id=approval_id,
            username=requestor)
        result = user_plugin.ApiGetClientApprovalHandler().Handle(
            lookup, context=self.context)

    self.assertFalse(result.is_valid)
    self.assertFalse(start_mock.called)