def RenderAjax(self, request, response): """Run the flow for granting access.""" approval_urn = rdfvalue.RDFURN(request.REQ.get("acl", "/")) _, namespace, _ = approval_urn.Split(3) if namespace == "hunts": try: _, _, hunt_id, user, reason = approval_urn.Split() self.subject = rdfvalue.RDFURN(namespace).Add(hunt_id) self.user = user self.reason = utils.DecodeReasonString(reason) except (ValueError, TypeError): raise access_control.UnauthorizedAccess( "Approval object is not well formed.") flow.GRRFlow.StartFlow(flow_name="GrantHuntApprovalFlow", subject_urn=self.subject, reason=self.reason, delegate=self.user, token=request.token) elif namespace == "cron": try: _, _, cron_job_name, user, reason = approval_urn.Split() self.subject = rdfvalue.RDFURN(namespace).Add(cron_job_name) self.user = user self.reason = utils.DecodeReasonString(reason) except (ValueError, TypeError): raise access_control.UnauthorizedAccess( "Approval object is not well formed.") flow.GRRFlow.StartFlow(flow_name="GrantCronJobApprovalFlow", subject_urn=self.subject, reason=self.reason, delegate=self.user, token=request.token) elif aff4.AFF4Object.VFSGRRClient.CLIENT_ID_RE.match(namespace): try: _, client_id, user, reason = approval_urn.Split() self.subject = client_id self.user = user self.reason = utils.DecodeReasonString(reason) except (ValueError, TypeError): raise access_control.UnauthorizedAccess( "Approval object is not well formed.") flow.GRRFlow.StartFlow(client_id=client_id, flow_name="GrantClientApprovalFlow", reason=self.reason, delegate=self.user, subject_urn=rdf_client.ClientURN(self.subject), token=request.token) else: raise access_control.UnauthorizedAccess( "Approval object is not well formed.") return renderers.TemplateRenderer.Layout(self, request, response, apply_template=self.ajax_template)
def ApprovalGrant(token=None): """Iterate through requested access approving or not.""" user = getpass.getuser() notifications = GetNotifications(user=user, token=token) requests = [n for n in notifications if n.type == "GrantAccess"] for request in requests: _, client_id, user, reason = rdfvalue.RDFURN(request.subject).Split() reason = utils.DecodeReasonString(reason) print request print "Reason: %s" % reason if raw_input("Do you approve this request? [y/N] ").lower() == "y": security.ClientApprovalGrantor( subject_urn=client_id, reason=reason, delegate=user, token=token).Grant() # TODO(user): Remove the notification. else: print "skipping request" print "Approval sent"
def GetApprovalForObject(object_urn, token=None, username=""): """Looks for approvals for an object and returns available valid tokens. Args: object_urn: Urn of the object we want access to. token: The token to use to lookup the ACLs. username: The user to get the approval for, if "" we get it from the token. Returns: A token for access to the object on success, otherwise raises. Raises: UnauthorizedAccess: If there are no valid approvals available. """ if token is None: raise access_control.UnauthorizedAccess( "No token given, cannot authenticate.") if not username: username = token.username approval_urn = aff4.ROOT_URN.Add("ACL").Add( object_urn.Path()).Add(username) error = "No approvals available" fd = aff4.FACTORY.Open(approval_urn, mode="r", token=token) for auth_request in fd.OpenChildren(): try: reason = utils.DecodeReasonString(auth_request.urn.Basename()) except TypeError: continue # Check authorization using the data_store for an authoritative source. test_token = access_control.ACLToken(username=username, reason=reason) try: # TODO(user): stop making assumptions about URNs if object_urn.Split()[0] == "cron": # Checking that we can access the cron job flow.GRRFlow.StartFlow(flow_name="ManageCronJobFlow", token=test_token, urn=object_urn) elif object_urn.Split()[0] == "hunts": # Checking that we can access the hunt flow.GRRFlow.StartFlow(flow_name="CheckHuntAccessFlow", token=test_token, hunt_urn=object_urn) else: # Check if we can access a non-existent path under this one. aff4.FACTORY.Open( rdfvalue.RDFURN(object_urn).Add("acl_chk"), mode="r", token=test_token) return test_token except access_control.UnauthorizedAccess as e: error = e # We tried all auth_requests, but got no usable results. raise access_control.UnauthorizedAccess(error, subject=object_urn)