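def _CheckAccess(self, username, subject_id, approval_type):
    """Checks access to a given subject by a given user.

    A cached grant for (username, subject_id, approval_type) is honoured
    first. Otherwise the approval requests read from the relational database
    (expired ones excluded) are passed one by one to
    approval_checks.CheckApprovalRequest until one of them passes.

    Args:
      username: Name of the user requesting access.
      subject_id: Text identifier of the subject being accessed.
      approval_type: Approval type passed to the database lookup.

    Returns:
      True when access is granted, on the cache-hit path and on the freshly
      validated path alike (the latter used to return None).

    Raises:
      access_control.UnauthorizedAccess: If no approval request exists, or if
        every request found failed validation. In the second case the message
        joins the individual failure reasons.
    """
    precondition.AssertType(subject_id, Text)

    cache_key = (username, subject_id, approval_type)
    try:
        self.acl_cache.Get(cache_key)
    except KeyError:
        APPROVAL_SEARCHES.Increment(fields=["-", "reldb"])
    else:
        # A cache hit skips CheckApprovalRequest entirely, so a grant stays
        # effective for as long as the cache entry lives.
        # NOTE(review): the lifetime of acl_cache entries is not visible here;
        # confirm it is short relative to approval expiry and revocation.
        APPROVAL_SEARCHES.Increment(fields=["-", "cache"])
        return True

    approvals = data_store.REL_DB.ReadApprovalRequests(
        username, approval_type, subject_id=subject_id, include_expired=False)

    errors = []
    for approval in approvals:
        try:
            approval_checks.CheckApprovalRequest(approval)
        except access_control.UnauthorizedAccess as e:
            # Keep the reason and try the next request; one valid approval
            # is sufficient.
            errors.append(e)
            continue
        # Only grants are cached; denials are re-evaluated on every call.
        self.acl_cache.Put(cache_key, True)
        return True

    subject = approval_checks.BuildLegacySubject(subject_id, approval_type)
    if errors:
        message = " ".join(str(e) for e in errors)
    else:
        message = "No approval found."
    raise access_control.UnauthorizedAccess(message, subject=subject)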
コード例 #2
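  def _CheckAccess(self, username, subject_id, approval_type):
    """Checks access to a given subject by a given user.

    A cached grant for (username, subject_id, approval_type) is honoured
    first. Otherwise the approval requests read from the relational database
    (expired ones excluded) are validated one by one until one passes.

    Args:
      username: Name of the user requesting access.
      subject_id: Unicode identifier of the subject being accessed.
      approval_type: Approval type passed to the database lookup.

    Returns:
      True when access is granted, whether the decision came from the cache
      or from a fresh validation (the latter used to return None).

    Raises:
      access_control.UnauthorizedAccess: If no approval request exists, or if
        every request found failed validation.
    """
    utils.AssertType(subject_id, unicode)

    cache_key = (username, subject_id, approval_type)
    try:
      self.acl_cache.Get(cache_key)
    except KeyError:
      stats.STATS.IncrementCounter("approval_searches", fields=["-", "reldb"])
    else:
      # A cache hit bypasses CheckApprovalRequest, so the grant is honoured
      # until the cache entry goes away.
      # NOTE(review): acl_cache entry lifetime is not visible here; confirm it
      # is bounded and short relative to approval expiry.
      stats.STATS.IncrementCounter("approval_searches", fields=["-", "cache"])
      return True

    approvals = data_store.REL_DB.ReadApprovalRequests(
        username, approval_type, subject_id=subject_id, include_expired=False)

    errors = []
    for approval in approvals:
      try:
        approval_checks.CheckApprovalRequest(approval)
      except access_control.UnauthorizedAccess as e:
        # Remember why this request failed and move on to the next one.
        errors.append(e)
        continue
      # Only positive decisions are cached; denials are always re-checked.
      self.acl_cache.Put(cache_key, True)
      return True

    subject = approval_checks.BuildLegacySubject(subject_id, approval_type)
    if errors:
      message = " ".join(utils.SmartStr(e) for e in errors)
    else:
      message = "No approval found."
    raise access_control.UnauthorizedAccess(message, subject=subject)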
コード例 #3
    def testReturnsIfApprovalIsNotExpiredAndHasTwoGrants(self):
        """Two grants from different grantors are expected to satisfy the check.

        There is no explicit assertion: the test passes when
        CheckApprovalRequest returns without raising.
        """
        two_grants = [
            rdf_objects.ApprovalGrant(grantor_username=u"grantor1"),
            rdf_objects.ApprovalGrant(grantor_username=u"grantor2"),
        ]
        request = self._CreateRequest(grants=two_grants)

        approval_checks.CheckApprovalRequest(request)
コード例 #4
    def testRaisesWhenNoGrants(self):
        """A request with an empty grant list must be denied.

        The denial message is expected to report that two more approvers are
        needed.
        """
        ungranted_request = self._CreateRequest(grants=[])
        expected_message = "Need at least 2 additional approvers for access"

        # assertRaisesRegexp is the deprecated spelling of assertRaisesRegex.
        with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
                                     expected_message):
            approval_checks.CheckApprovalRequest(ungranted_request)
コード例 #5
    def testWhenAuthMgrActiveChecksApproversForEachClientLabel(self, mock_mgr):
        """With an active approval manager, each client label is checked once.

        The client gets the labels "foo" and "bar"; CheckApproversForLabel is
        expected to be called exactly twice, for "bar" first and then "foo",
        each time with the requestor, the client URN and the set of grantors.
        """
        client_labels = [u"foo", u"bar"]
        data_store.REL_DB.AddClientLabels(self.client.client_id, u"GRR",
                                          client_labels)

        grants = [
            rdf_objects.ApprovalGrant(grantor_username=u"grantor1"),
            rdf_objects.ApprovalGrant(grantor_username=u"grantor2"),
        ]
        request = self._CreateRequest(grants=grants)

        # Make sure approval manager is active.
        mock_mgr.IsActive.return_value = True

        approval_checks.CheckApprovalRequest(request)

        label_checks = mock_mgr.CheckApproversForLabel.mock_calls
        self.assertEqual(len(label_checks), 2)

        # Index 1 of a recorded call holds its positional arguments. The
        # expected call order ("bar", "foo") differs from the insertion order.
        for position, label in enumerate((u"bar", u"foo")):
            args = label_checks[position][1]
            expected_args = (
                access_control.ACLToken(username=u"requestor"),
                rdfvalue.RDFURN(self.client.client_id),
                u"requestor",
                {"grantor1", "grantor2"},
                label,
            )
            self.assertEqual(args, expected_args)
コード例 #6
    def testRaisesWhenJustOneGrant(self):
        """A single grant is not enough: one more approver must be demanded."""
        lone_grant = rdf_objects.ApprovalGrant(grantor_username=u"grantor")
        request = self._CreateRequest(grants=[lone_grant])
        expected_message = "Need at least 1 additional approver for access"

        # assertRaisesRegexp is the deprecated spelling of assertRaisesRegex.
        with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
                                     expected_message):
            approval_checks.CheckApprovalRequest(request)
コード例 #7
ファイル: approval_checks_test.py プロジェクト: mmaj5524/grr
  def testRaisesWhenNoGrantsFromAdmins(self):
    """Two grants without an admin among the grantors must be denied.

    No admin user is created in this test, and the denial is expected to ask
    for one admin approver.
    """
    non_admin_grants = [
        rdf_objects.ApprovalGrant(grantor_username=u"grantor1"),
        rdf_objects.ApprovalGrant(grantor_username=u"grantor2"),
    ]
    request = self._CreateRequest(grants=non_admin_grants)
    expected_message = "Need at least 1 admin approver for access"

    with self.assertRaisesRegex(access_control.UnauthorizedAccess,
                                expected_message):
      approval_checks.CheckApprovalRequest(request)
コード例 #8
    def testReturnsIfApprovalIsNotExpiredAndHasTwoGrantsIncludingAdmin(self):
        """Two grants, one of them from an admin, are expected to pass.

        "grantor2" is registered as an admin before the request is built; the
        test passes when CheckApprovalRequest returns without raising.
        """
        self.CreateAdminUser("grantor2")

        # NOTE(review): both grantor names read "******" in this listing, which
        # looks like masking applied by the page rather than the real test
        # data. Confirm the actual names against the upstream test; as shown,
        # neither grantor is the admin user created above.
        grants = [
            rdf_objects.ApprovalGrant(grantor_username="******"),
            rdf_objects.ApprovalGrant(grantor_username="******"),
        ]
        request = self._CreateRequest(grants=grants)

        approval_checks.CheckApprovalRequest(request)
コード例 #9
    def testWhenAuthMgrActiveReturnsIfClientHasNoLabels(self, mock_mgr):
        """An active approval manager does not block a client with no labels.

        No labels are added to the client in this test; it passes when
        CheckApprovalRequest returns without raising.
        """
        grants = [
            rdf_objects.ApprovalGrant(grantor_username=u"grantor1"),
            rdf_objects.ApprovalGrant(grantor_username=u"grantor2"),
        ]
        request = self._CreateRequest(grants=grants)

        # Make sure approval manager is active.
        mock_mgr.IsActive.return_value = True

        approval_checks.CheckApprovalRequest(request)
コード例 #10
  def testRaisesIfApprovalExpired(self):
    """A request whose expiration time is one minute in the past is denied."""
    one_minute_ago = rdfvalue.RDFDatetime.Now() - rdfvalue.Duration("1m")
    grants = [
        rdf_objects.ApprovalGrant(grantor_username=u"grantor1"),
        rdf_objects.ApprovalGrant(grantor_username=u"grantor2"),
    ]
    expired_request = self._CreateRequest(
        expiration_time=one_minute_ago, grants=grants)

    # assertRaisesRegexp is the deprecated spelling of assertRaisesRegex.
    with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
                                 "Approval request is expired"):
      approval_checks.CheckApprovalRequest(expired_request)
コード例 #11
ファイル: approval_checks_test.py プロジェクト: mmaj5524/grr
  def testRaisesIfApprovalExpired(self):
    """An expired request is denied even when its grants include an admin.

    "grantor2" is made an admin first, so that expiry is the only reason left
    for the check to fail.
    """
    # Make sure that approval is otherwise valid.
    self.CreateAdminUser(u"grantor2")

    one_minute = rdfvalue.Duration.From(1, rdfvalue.MINUTES)
    already_expired = rdfvalue.RDFDatetime.Now() - one_minute
    grants = [
        rdf_objects.ApprovalGrant(grantor_username=u"grantor1"),
        rdf_objects.ApprovalGrant(grantor_username=u"grantor2"),
    ]
    expired_request = self._CreateRequest(
        expiration_time=already_expired, grants=grants)

    with self.assertRaisesRegex(access_control.UnauthorizedAccess,
                                "Approval request is expired"):
      approval_checks.CheckApprovalRequest(expired_request)
コード例 #12
    def testWhenAuthMgrActiveRaisesIfAuthMgrRaises(self, mock_mgr):
        """A denial raised by the approval manager propagates to the caller.

        The client carries one label and the mocked CheckApproversForLabel is
        set to raise UnauthorizedAccess; the same error is expected from
        CheckApprovalRequest.
        """
        data_store.REL_DB.AddClientLabels(self.client_id, u"GRR", [u"foo"])

        grants = [
            rdf_objects.ApprovalGrant(grantor_username=u"grantor1"),
            rdf_objects.ApprovalGrant(grantor_username=u"grantor2"),
        ]
        request = self._CreateRequest(grants=grants)

        # Make sure approval manager is active.
        mock_mgr.IsActive.return_value = True

        # CheckApproversForLabel should raise.
        mock_mgr.CheckApproversForLabel.side_effect = (
            access_control.UnauthorizedAccess("some error"))

        # assertRaisesRegexp is the deprecated spelling of assertRaisesRegex.
        with self.assertRaisesRegexp(access_control.UnauthorizedAccess,
                                     "some error"):
            approval_checks.CheckApprovalRequest(request)
コード例 #13
ファイル: user.py プロジェクト: kehlanrutan/grr
def _InitApiApprovalFromDatabaseObject(api_approval, db_obj):
  """Initializes Api(Client|Hunt|CronJob)Approval from the database object.

  Copies the identifying and notification fields, lists the grantors in
  sorted order, and records whether the approval currently passes
  approval_checks.CheckApprovalRequest.

  Args:
    api_approval: The API approval object to fill in; it is mutated in place.
    db_obj: The database approval request to read from.

  Returns:
    The same api_approval object that was passed in.
  """
  api_approval.id = db_obj.approval_id
  api_approval.requestor = db_obj.requestor_username
  api_approval.reason = db_obj.reason

  api_approval.notified_users = sorted(db_obj.notified_users)
  api_approval.email_cc_addresses = sorted(db_obj.email_cc_addresses)
  api_approval.email_message_id = db_obj.email_message_id

  grantor_names = [grant.grantor_username for grant in db_obj.grants]
  api_approval.approvers = sorted(grantor_names)

  # Validity is computed at call time and is only a display value here.
  # is_valid_message is set on the failure path only and carries the text of
  # the denial.
  try:
    approval_checks.CheckApprovalRequest(db_obj)
  except access_control.UnauthorizedAccess as denial:
    api_approval.is_valid_message = str(denial)
    api_approval.is_valid = False
  else:
    api_approval.is_valid = True

  return api_approval