def Run(self):
    """Record GetClientApproval output for a pending and a granted approval.

    Two clients are created under a fake clock and an approval is requested
    for each. Only the second request is granted, and the grant is issued
    under a separately constructed ACLToken rather than the requester's
    token. ``Check`` is then called once per approval.
    """

    def request_approval(subject, why):
        # Start the request flow, then read the approval id from its state.
        started = flow.GRRFlow.StartFlow(
            client_id=subject,
            flow_name="RequestClientApprovalFlow",
            reason=why,
            subject_urn=subject,
            approver="approver",
            token=self.token)
        opened = aff4.FACTORY.Open(
            started, aff4_type=flow.GRRFlow, token=self.token)
        return opened.state.approval_id

    def check_approval(subject, generated_id, fixed_id):
        # The generated id is mapped to a fixed string via ``replace``;
        # presumably this keeps the recorded output stable between runs
        # (confirm against Check).
        lookup = user_plugin.ApiGetClientApprovalArgs(
            client_id=subject.Basename(),
            approval_id=generated_id,
            username=self.token.username)
        self.Check(
            "GetClientApproval",
            args=lookup,
            replace={generated_id: fixed_id})

    with test_lib.FakeTime(42):
        self.CreateAdminUser("approver")
        clients = self.SetupClients(2)
        for urn in clients:
            # The certificate is regenerated every time the client is
            # created, so it is deleted here.
            with aff4.FACTORY.Open(
                    urn, mode="rw", token=self.token) as grr_client:
                grr_client.DeleteAttribute(grr_client.Schema.CERT)

    with test_lib.FakeTime(44):
        pending_client = clients[0]
        approval1_id = request_approval(pending_client, "foo")

    with test_lib.FakeTime(45):
        granted_client = clients[1]
        approval2_id = request_approval(granted_client, "bar")

    with test_lib.FakeTime(84):
        # NOTE(review): the username literal is masked in this listing;
        # presumably it is the "approver" admin created above. Confirm.
        approver_token = access_control.ACLToken(username="******")
        flow.GRRFlow.StartFlow(
            client_id=granted_client,
            flow_name="GrantClientApprovalFlow",
            reason="bar",
            delegate=self.token.username,
            subject_urn=granted_client,
            token=approver_token)

    with test_lib.FakeTime(126):
        check_approval(pending_client, approval1_id, "approval:111111")
        check_approval(granted_client, approval2_id, "approval:222222")
def testRendersRequestedClientApproval(self):
    """A requested but ungranted approval must be rendered as not valid.

    The requester is listed as the only approver, and the handler is
    expected to report that one more approver is needed. This pins the
    rule that a requester's implicit self-approval alone is not enough.
    """
    requested_id = self.RequestClientApproval(
        self.client_id.Basename(),
        requestor=self.token.username,
        reason="blah",
        approver="approver",
        email_cc_address="*****@*****.**")

    lookup = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id=requested_id,
        username=self.token.username)
    rendered = self.handler.Handle(lookup, token=self.token)

    # The approval refers to the requested client and keeps its reason.
    self.assertEqual(rendered.subject.client_id, self.client_id)
    self.assertEqual(rendered.reason, "blah")

    # Nobody has granted yet, so access must still be denied.
    self.assertEqual(rendered.is_valid, False)
    self.assertEqual(
        rendered.is_valid_message,
        "Need at least 1 additional approver for access.")

    # Notification targets are returned exactly as requested.
    self.assertEqual(rendered.notified_users, ["approver"])
    self.assertEqual(rendered.email_cc_addresses, ["*****@*****.**"])

    # Every approval is self-approved by default.
    self.assertEqual(rendered.approvers, [self.token.username])
def testRendersRequestedClientApproval(self):
    """A requested but ungranted approval must be rendered as not valid.

    The request is created through ``ClientApprovalRequestor``. The only
    approver listed afterwards is the requester, and the handler is
    expected to report that two approvers are required.
    """
    requestor = aff4_security.ClientApprovalRequestor(
        reason="blah",
        subject_urn=self.client_id,
        approver="approver",
        email_cc_address="*****@*****.**",
        token=self.token)
    requested_urn = requestor.Request()
    # The approval id is the last path component of the returned URN.
    requested_id = requested_urn.Basename()

    lookup = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id=requested_id,
        username=self.token.username)
    rendered = self.handler.Handle(lookup, token=self.token)

    self.assertEqual(rendered.subject.urn, self.client_id)
    self.assertEqual(rendered.reason, "blah")

    # Nobody has granted yet, so access must still be denied.
    self.assertEqual(rendered.is_valid, False)
    self.assertEqual(
        rendered.is_valid_message, "Requires 2 approvers for access.")

    self.assertEqual(rendered.notified_users, ["approver"])
    self.assertEqual(rendered.email_cc_addresses, ["*****@*****.**"])

    # Every approval is self-approved by default.
    self.assertEqual(rendered.approvers, [self.token.username])
def testIncludesApproversInResultWhenApprovalIsGranted(self):
    """A granted approval is reported valid and lists both usernames.

    The request flow runs under the test's own token. The grant flow runs
    under a separately constructed ACLToken, with the requester named as
    the delegate.
    """
    request_flow_urn = flow.GRRFlow.StartFlow(
        client_id=self.client_id,
        flow_name="RequestClientApprovalFlow",
        reason="blah",
        subject_urn=self.client_id,
        approver="approver",
        token=self.token)
    request_flow = aff4.FACTORY.Open(
        request_flow_urn, aff4_type=flow.GRRFlow, token=self.token)
    granted_id = request_flow.state.approval_id

    # NOTE(review): the username literal is masked in this listing;
    # presumably it is the "approver" user named in the request. Confirm.
    approver_token = access_control.ACLToken(username="******")
    flow.GRRFlow.StartFlow(
        client_id=self.client_id,
        flow_name="GrantClientApprovalFlow",
        reason="blah",
        delegate=self.token.username,
        subject_urn=self.client_id,
        token=approver_token)

    lookup = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id=granted_id,
        username=self.token.username)
    rendered = self.handler.Handle(lookup, token=self.token)

    self.assertTrue(rendered.is_valid)
    # Both sides are sorted, so the comparison ignores approver order.
    expected_approvers = sorted(
        [approver_token.username, self.token.username])
    self.assertEqual(sorted(rendered.approvers), expected_approvers)
def testRendersRequestedClientApproval(self):
    """A requested but ungranted approval must be rendered as not valid.

    The request is created by starting ``RequestClientApprovalFlow``, and
    the approval id is read from the flow's state. The only approver
    listed is the requester, so the handler must report the approval as
    not yet valid.
    """
    request_flow_urn = flow.GRRFlow.StartFlow(
        client_id=self.client_id,
        flow_name="RequestClientApprovalFlow",
        reason="blah",
        subject_urn=self.client_id,
        approver="approver",
        email_cc_address="*****@*****.**",
        token=self.token)
    request_flow = aff4.FACTORY.Open(
        request_flow_urn, aff4_type=flow.GRRFlow, token=self.token)
    requested_id = request_flow.state.approval_id

    lookup = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id=requested_id,
        username=self.token.username)
    rendered = self.handler.Handle(lookup, token=self.token)

    self.assertEqual(rendered.subject.urn, self.client_id)
    self.assertEqual(rendered.reason, "blah")

    # Nobody has granted yet, so access must still be denied.
    self.assertEqual(rendered.is_valid, False)
    self.assertEqual(
        rendered.is_valid_message, "Requires 2 approvers for access.")

    self.assertEqual(rendered.notified_users, ["approver"])
    self.assertEqual(rendered.email_cc_addresses, ["*****@*****.**"])

    # Every approval is self-approved by default.
    self.assertEqual(rendered.approvers, [self.token.username])
def testIncludesApproversInResultWhenApprovalIsGranted(self):
    """A granted approval is reported valid and lists both usernames.

    The request is made with ``ClientApprovalRequestor`` under the test's
    own token. The grant is made with ``ClientApprovalGrantor`` under a
    separately constructed ACLToken, with the requester as the delegate.
    """
    requestor = aff4_security.ClientApprovalRequestor(
        reason="blah",
        subject_urn=self.client_id,
        approver="approver",
        token=self.token)
    granted_id = requestor.Request().Basename()

    # NOTE(review): the username literal is masked in this listing;
    # presumably it is the "approver" user named in the request. Confirm.
    approver_token = access_control.ACLToken(username="******")
    grantor = aff4_security.ClientApprovalGrantor(
        reason="blah",
        delegate=self.token.username,
        subject_urn=self.client_id,
        token=approver_token)
    grantor.Grant()

    lookup = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id=granted_id,
        username=self.token.username)
    rendered = self.handler.Handle(lookup, token=self.token)

    self.assertTrue(rendered.is_valid)
    # Both sides are sorted, so the comparison ignores approver order.
    expected_approvers = sorted(
        [approver_token.username, self.token.username])
    self.assertEqual(sorted(rendered.approvers), expected_approvers)
def testRaisesWhenApprovalIsNotFound(self):
    """Looking up an approval id that was never created must raise.

    The handler is expected to raise ``ResourceNotFoundError`` rather
    than return an approval object for the unknown id.
    """
    # No approval with this id is created anywhere in this test.
    missing_lookup = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id="approval:112233",
        username=self.token.username)

    expected_error = api_call_handler_base.ResourceNotFoundError
    with self.assertRaises(expected_error):
        self.handler.Handle(missing_lookup, token=self.token)
def Run(self):
    """Record GetClientApproval output for a pending and a granted approval.

    Two clients are created under a fake clock and an approval is requested
    for each through ``RequestClientApproval``. Only the second request is
    granted, with "approver" as the granting user. ``Check`` is then called
    once per approval.
    """
    requester = self.token.username

    def check_approval(subject, generated_id, fixed_id):
        # The generated id is mapped to a fixed string via ``replace``;
        # presumably this keeps the recorded output stable between runs
        # (confirm against Check).
        lookup = user_plugin.ApiGetClientApprovalArgs(
            client_id=subject.Basename(),
            approval_id=generated_id,
            username=self.token.username)
        self.Check(
            "GetClientApproval",
            args=lookup,
            replace={generated_id: fixed_id})

    with test_lib.FakeTime(42):
        self.CreateAdminUser("approver")
        clients = self.SetupClients(2)
        for urn in clients:
            # The certificate is regenerated every time the client is
            # created, so it is deleted here.
            with aff4.FACTORY.Open(
                    urn, mode="rw", token=self.token) as grr_client:
                grr_client.DeleteAttribute(grr_client.Schema.CERT)

    with test_lib.FakeTime(44):
        pending_client = clients[0]
        approval1_id = self.RequestClientApproval(
            pending_client.Basename(),
            reason="foo",
            approver="approver",
            requestor=requester)

    with test_lib.FakeTime(45):
        granted_client = clients[1]
        approval2_id = self.RequestClientApproval(
            granted_client.Basename(),
            reason="bar",
            approver="approver",
            requestor=requester)

    with test_lib.FakeTime(84):
        # Only the second client's request is granted; the first stays
        # pending.
        self.GrantClientApproval(
            granted_client.Basename(),
            reason="bar",
            approver="approver",
            requestor=requester)

    with test_lib.FakeTime(126):
        check_approval(pending_client, approval1_id, "approval:111111")
        check_approval(granted_client, approval2_id, "approval:222222")
def testRaisesWhenApprovalIsNotFound(self):
    """Looking up an approval id that was never created must raise.

    The test currently pins ``IOError``. It checks that the handler fails
    rather than returning an approval object for the unknown id.
    """
    # No approval with this id is created anywhere in this test.
    missing_lookup = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id="approval:112233",
        username=self.token.username)

    # TODO(user): throw some standard exception that can be converted to
    # HTTP 404 status code.
    expected_error = IOError
    with self.assertRaises(expected_error):
        self.handler.Handle(missing_lookup, token=self.token)
def testIncludesApproversInResultWhenApprovalIsGranted(self):
    """A granted approval is reported valid and lists both usernames.

    ``RequestAndGrantClientApproval`` does the request and the grant in
    one call. The handler's result must then be valid and must name both
    the requester and "approver" as approvers.
    """
    requester = self.token.username
    granted_id = self.RequestAndGrantClientApproval(
        self.client_id.Basename(),
        reason="blah",
        approver="approver",
        requestor=requester)

    lookup = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id=granted_id,
        username=self.token.username)
    rendered = self.handler.Handle(lookup, token=self.token)

    self.assertTrue(rendered.is_valid)
    # Both sides are sorted, so the comparison ignores approver order.
    expected_approvers = sorted([self.token.username, "approver"])
    self.assertEqual(sorted(rendered.approvers), expected_approvers)