def testEmailClientApprovalGrantNotificationLinkLeadsToACorrectPage(self): client_id = self.SetupClient(0) security.ClientApprovalRequestor( reason=self.APPROVAL_REASON, subject_urn=client_id, approver=self.GRANTOR_TOKEN.username, token=self.token).Request() security.ClientApprovalGrantor( reason=self.APPROVAL_REASON, subject_urn=client_id, token=self.GRANTOR_TOKEN, delegate=self.token.username).Grant() # There should be 1 message for approval request and 1 message # for approval grant notification. self.assertEqual(len(self.messages_sent), 2) message = self.messages_sent[1] self.assertTrue(self.APPROVAL_REASON in message) self.assertTrue(self.GRANTOR_TOKEN.username in message) self.assertTrue(client_id.Basename() in message) self.Open(self._ExtractLinkFromMessage(message)) # We should end up on client's page. Check that host information is # displayed. self.WaitUntil(self.IsTextPresent, client_id.Basename()) self.WaitUntil(self.IsTextPresent, "Host-0") # Check that the reason is displayed. self.WaitUntil(self.IsTextPresent, self.APPROVAL_REASON)
def GrantClientApproval(self, client_id, reason=None, requestor=None, approver="approver"): """Grant an approval from approver to delegate. Args: client_id: ClientURN reason: reason for approval request. requestor: username string of the user receiving approval. approver: username string of the user granting approval. """ if hasattr(client_id, "Basename"): client_id = client_id.Basename() self.CreateAdminUser(approver) if not requestor: requestor = self.token.username if not reason: reason = self.token.reason approver_token = access_control.ACLToken(username=approver) grantor = security.ClientApprovalGrantor(subject_urn=client_id, reason=reason, delegate=requestor, token=approver_token) grantor.Grant()
def testIncludesApproversInResultWhenApprovalIsGranted(self): approval_urn = aff4_security.ClientApprovalRequestor( reason="blah", subject_urn=self.client_id, approver="approver", token=self.token).Request() approval_id = approval_urn.Basename() approver_token = access_control.ACLToken(username="******") aff4_security.ClientApprovalGrantor( reason="blah", delegate=self.token.username, subject_urn=self.client_id, token=approver_token).Grant() args = user_plugin.ApiGetClientApprovalArgs( client_id=self.client_id, approval_id=approval_id, username=self.token.username) result = self.handler.Handle(args, token=self.token) self.assertTrue(result.is_valid) self.assertEqual( sorted(result.approvers), sorted([approver_token.username, self.token.username]))
def Run(self): with test_lib.FakeTime(42): self.CreateAdminUser("approver") clients = self.SetupClients(2) for client_id in clients: # Delete the certificate as it's being regenerated every time the # client is created. with aff4.FACTORY.Open(client_id, mode="rw", token=self.token) as grr_client: grr_client.DeleteAttribute(grr_client.Schema.CERT) with test_lib.FakeTime(44): approval_urn = security.ClientApprovalRequestor( reason=self.token.reason, subject_urn=clients[0], approver="approver", token=self.token).Request() approval1_id = approval_urn.Basename() with test_lib.FakeTime(45): approval_urn = security.ClientApprovalRequestor( reason=self.token.reason, subject_urn=clients[1], approver="approver", token=self.token).Request() approval2_id = approval_urn.Basename() with test_lib.FakeTime(84): approver_token = access_control.ACLToken(username="******") security.ClientApprovalGrantor(reason=self.token.reason, delegate=self.token.username, subject_urn=clients[1], token=approver_token).Grant() with test_lib.FakeTime(126): self.Check("ListClientApprovals", args=user_plugin.ApiListClientApprovalsArgs(), replace={ approval1_id: "approval:111111", approval2_id: "approval:222222" }) self.Check("ListClientApprovals", args=user_plugin.ApiListClientApprovalsArgs( client_id=clients[0].Basename()), replace={ approval1_id: "approval:111111", approval2_id: "approval:222222" })
def RequestAndGrantClientApproval(client_id, token=None, approver="approver", reason="testing"): token = token or GetToken() ApprovalRequest(client_id, token=token, approver=approver, reason=reason) user = aff4.FACTORY.Create( "aff4:/users/%s" % approver, users.GRRUser, token=token.SetUID()) user.Flush() approver_token = access_control.ACLToken(username=approver) security.ClientApprovalGrantor( reason=reason, delegate=token.username, subject_urn=rdf_client.ClientURN(client_id), token=approver_token).Grant()
def ApprovalGrant(token=None): """Iterate through requested access approving or not.""" user = getpass.getuser() notifications = GetNotifications(user=user, token=token) requests = [n for n in notifications if n.type == "GrantAccess"] for request in requests: _, client_id, user, reason = rdfvalue.RDFURN(request.subject).Split() reason = utils.DecodeReasonString(reason) print request print "Reason: %s" % reason if raw_input("Do you approve this request? [y/N] ").lower() == "y": security.ClientApprovalGrantor( subject_urn=client_id, reason=reason, delegate=user, token=token).Grant() # TODO(user): Remove the notification. else: print "skipping request" print "Approval sent"
def testClientACLWorkflow(self): self.Open("/") self.Type("client_query", "C.0000000000000001") self.Click("client_query_submit") self.WaitUntilEqual(u"C.0000000000000001", self.GetText, "css=span[type=subject]") # Choose client 1 self.Click("css=td:contains('0001')") # We do not have an approval, so we need to request one. self.WaitUntil(self.IsElementPresent, "css=div.no-approval") self.Click("css=button[name=requestApproval]") self.WaitUntil(self.IsElementPresent, "css=h3:contains('Create a new approval')") # This asks the user "test" (which is us) to approve the request. self.Type("css=grr-request-approval-dialog input[name=acl_approver]", self.token.username) self.Type("css=grr-request-approval-dialog input[name=acl_reason]", self.reason) self.Click( "css=grr-request-approval-dialog button[name=Proceed]:not([disabled])") self.WaitForNotification("aff4:/users/%s" % self.token.username) # User test logs in as an approver. self.Open("/") self.WaitUntil(lambda: self.GetText("notification_button") != "0") self.Click("notification_button") self.Click("css=td:contains('grant access to GRR client')") self.WaitUntilContains("Grant access", self.GetText, "css=h2:contains('Grant')") self.WaitUntil(self.IsTextPresent, "The user %s has requested" % self.token.username) self.Click("css=button:contains('Approve')") self.WaitUntil(self.IsTextPresent, "Approval granted.") self.WaitForNotification("aff4:/users/%s" % self.token.username) self.Open("/") # We should be notified that we have an approval self.WaitUntil(lambda: self.GetText("notification_button") != "0") self.Click("notification_button") self.Click("css=td:contains('has granted you access')") # This is insufficient - we need 2 approvers. self.WaitUntil(self.IsTextPresent, "You do not have an approval for this client.") # Lets add another approver. token = access_control.ACLToken(username="******") security.ClientApprovalGrantor( reason=self.reason, delegate=self.token.username, subject_urn=rdf_client.ClientURN("C.0000000000000001"), token=token).Grant() # Check if we see that the approval has already been granted. self.Open("/") self.Click("notification_button") self.Click("css=td:contains('grant access to GRR client')") self.WaitUntil(self.IsTextPresent, "This approval has already been granted!") # Try again: self.Open("/") self.Click("notification_button") self.Click("css=td:contains('has granted you access')") # Host information page should be displayed. self.WaitUntil(self.IsTextPresent, "Last booted") self.WaitUntil(self.IsTextPresent, "Interfaces") # One email for the original request and one for each approval. self.assertEqual(len(self.emails_sent), 3)