def RenderAjax(self, request, response):
"""Run the flow for granting access."""
approval_urn = rdfvalue.RDFURN(request.REQ.get("acl", "/"))
_, namespace, _ = approval_urn.Split(3)
if namespace == "hunts":
try:
_, _, hunt_id, user, reason = approval_urn.Split()
self.subject = rdfvalue.RDFURN(namespace).Add(hunt_id)
self.user = user
self.reason = utils.DecodeReasonString(reason)
except (ValueError, TypeError):
raise access_control.UnauthorizedAccess(
"Approval object is not well formed.")
flow.GRRFlow.StartFlow(flow_name="GrantHuntApprovalFlow",
subject_urn=self.subject,
reason=self.reason,
delegate=self.user,
token=request.token)
elif namespace == "cron":
try:
_, _, cron_job_name, user, reason = approval_urn.Split()
self.subject = rdfvalue.RDFURN(namespace).Add(cron_job_name)
self.user = user
self.reason = utils.DecodeReasonString(reason)
except (ValueError, TypeError):
raise access_control.UnauthorizedAccess(
"Approval object is not well formed.")
flow.GRRFlow.StartFlow(flow_name="GrantCronJobApprovalFlow",
subject_urn=self.subject,
reason=self.reason,
delegate=self.user,
token=request.token)
elif aff4.AFF4Object.VFSGRRClient.CLIENT_ID_RE.match(namespace):
try:
_, client_id, user, reason = approval_urn.Split()
self.subject = client_id
self.user = user
self.reason = utils.DecodeReasonString(reason)
except (ValueError, TypeError):
raise access_control.UnauthorizedAccess(
"Approval object is not well formed.")
flow.GRRFlow.StartFlow(client_id=client_id,
flow_name="GrantClientApprovalFlow",
reason=self.reason,
delegate=self.user,
subject_urn=rdf_client.ClientURN(self.subject),
token=request.token)
else:
raise access_control.UnauthorizedAccess(
"Approval object is not well formed.")
return renderers.TemplateRenderer.Layout(self,
request,
response,
apply_template=self.ajax_template)
def ApprovalGrant(token=None):
"""Iterate through requested access approving or not."""
user = getpass.getuser()
notifications = GetNotifications(user=user, token=token)
requests = [n for n in notifications if n.type == "GrantAccess"]
for request in requests:
_, client_id, user, reason = rdfvalue.RDFURN(request.subject).Split()
reason = utils.DecodeReasonString(reason)
print request
print "Reason: %s" % reason
if raw_input("Do you approve this request? [y/N] ").lower() == "y":
security.ClientApprovalGrantor(
subject_urn=client_id, reason=reason, delegate=user,
token=token).Grant()
# TODO(user): Remove the notification.
else:
print "skipping request"
print "Approval sent"
def GetApprovalForObject(object_urn, token=None, username=""):
"""Looks for approvals for an object and returns available valid tokens.
Args:
object_urn: Urn of the object we want access to.
token: The token to use to lookup the ACLs.
username: The user to get the approval for, if "" we get it from the
token.
Returns:
A token for access to the object on success, otherwise raises.
Raises:
UnauthorizedAccess: If there are no valid approvals available.
"""
if token is None:
raise access_control.UnauthorizedAccess(
"No token given, cannot authenticate.")
if not username:
username = token.username
approval_urn = aff4.ROOT_URN.Add("ACL").Add(
object_urn.Path()).Add(username)
error = "No approvals available"
fd = aff4.FACTORY.Open(approval_urn, mode="r", token=token)
for auth_request in fd.OpenChildren():
try:
reason = utils.DecodeReasonString(auth_request.urn.Basename())
except TypeError:
continue
# Check authorization using the data_store for an authoritative source.
test_token = access_control.ACLToken(username=username,
reason=reason)
try:
# TODO(user): stop making assumptions about URNs
if object_urn.Split()[0] == "cron":
# Checking that we can access the cron job
flow.GRRFlow.StartFlow(flow_name="ManageCronJobFlow",
token=test_token,
urn=object_urn)
elif object_urn.Split()[0] == "hunts":
# Checking that we can access the hunt
flow.GRRFlow.StartFlow(flow_name="CheckHuntAccessFlow",
token=test_token,
hunt_urn=object_urn)
else:
# Check if we can access a non-existent path under this one.
aff4.FACTORY.Open(
rdfvalue.RDFURN(object_urn).Add("acl_chk"),
mode="r",
token=test_token)
return test_token
except access_control.UnauthorizedAccess as e:
error = e
# We tried all auth_requests, but got no usable results.
raise access_control.UnauthorizedAccess(error, subject=object_urn)
