Exemplo n.º 1
    def Run(self):
        """Exercise ListClientApprovals with one pending and one granted approval.

        Two clients are set up and an approval is requested for each one from
        the "approver" admin user; only the request for the second client is
        then granted, using a separate approver token. The handler is checked
        twice: once without a filter and once filtered to the first client.
        Every step runs under a pinned test_lib.FakeTime value.
        """
        with test_lib.FakeTime(42):
            self.CreateAdminUser("approver")

            client_urns = self.SetupClients(2)
            for urn in client_urns:
                # The certificate is regenerated every time a client is
                # created, so it is removed from each client object here.
                with aff4.FACTORY.Open(
                        urn, mode="rw", token=self.token) as client_obj:
                    client_obj.DeleteAttribute(client_obj.Schema.CERT)

        def request_approval_at(fake_now, subject):
            # Request an approval for `subject` at a fixed fake time and
            # return the basename of the resulting approval URN.
            with test_lib.FakeTime(fake_now):
                requested_urn = security.ClientApprovalRequestor(
                    reason=self.token.reason,
                    subject_urn=subject,
                    approver="approver",
                    token=self.token).Request()
                return requested_urn.Basename()

        first_id = request_approval_at(44, client_urns[0])
        second_id = request_approval_at(45, client_urns[1])

        with test_lib.FakeTime(84):
            # NOTE(review): the username literal is masked in this listing;
            # presumably it is the "approver" account created above - confirm.
            granting_token = access_control.ACLToken(username="******")
            grantor = security.ClientApprovalGrantor(
                reason=self.token.reason,
                delegate=self.token.username,
                subject_urn=client_urns[1],
                token=granting_token)
            grantor.Grant()

        with test_lib.FakeTime(126):
            # Generated approval ids are mapped to fixed placeholders;
            # presumably Check() substitutes them in the recorded output.
            stable_ids = {
                first_id: "approval:111111",
                second_id: "approval:222222",
            }

            unfiltered_args = user_plugin.ApiListClientApprovalsArgs()
            self.Check("ListClientApprovals",
                       args=unfiltered_args,
                       replace=dict(stable_ids))

            first_client_args = user_plugin.ApiListClientApprovalsArgs(
                client_id=client_urns[0].Basename())
            self.Check("ListClientApprovals",
                       args=first_client_args,
                       replace=dict(stable_ids))
Exemplo n.º 2
    def Run(self):
        """Exercise GrantClientApproval against a single pending approval.

        A "requestor" admin user and one client are created, an approval for
        that client is requested with a separate requestor token (naming the
        test's own user as approver), and the GrantClientApproval handler is
        then checked for that approval. Each phase runs under a pinned
        test_lib.FakeTime value.
        """
        with test_lib.FakeTime(42):
            self.CreateAdminUser("requestor")

            client_urns = self.SetupClients(1)
            for urn in client_urns:
                # The certificate is regenerated every time a client is
                # created, so it is removed from each client object here.
                with aff4.FACTORY.Open(
                        urn, mode="rw", token=self.token) as client_obj:
                    client_obj.DeleteAttribute(client_obj.Schema.CERT)

        with test_lib.FakeTime(44):
            # NOTE(review): the username literal is masked in this listing;
            # presumably it is the "requestor" account created above - confirm.
            requestor_token = access_control.ACLToken(username="******")
            pending = security.ClientApprovalRequestor(
                reason="foo",
                subject_urn=client_urns[0],
                approver=self.token.username,
                token=requestor_token)
            approval_id = pending.Request().Basename()

        with test_lib.FakeTime(126):
            grant_args = user_plugin.ApiGrantClientApprovalArgs(
                client_id=client_urns[0].Basename(),
                approval_id=approval_id,
                username="******")
            # The generated approval id is mapped to a fixed placeholder;
            # presumably Check() substitutes it in the recorded output.
            self.Check("GrantClientApproval",
                       args=grant_args,
                       replace={approval_id: "approval:111111"})
Exemplo n.º 3
    def testRendersRequestedClientApproval(self):
        """A freshly requested approval is rendered as not yet valid.

        The handler result must echo the subject, reason, notified user and
        CC address of the request, report is_valid as False with the
        "Requires 2 approvers for access." message, and list the requesting
        user as the only approver so far.
        """
        requestor = aff4_security.ClientApprovalRequestor(
            reason="blah",
            subject_urn=self.client_id,
            approver="approver",
            email_cc_address="*****@*****.**",
            token=self.token)
        approval_id = requestor.Request().Basename()

        lookup_args = user_plugin.ApiGetClientApprovalArgs(
            client_id=self.client_id,
            approval_id=approval_id,
            username=self.token.username)
        approval = self.handler.Handle(lookup_args, token=self.token)

        # The request details come back unchanged.
        self.assertEqual(approval.subject.urn, self.client_id)
        self.assertEqual(approval.reason, "blah")

        # Not valid yet: the message states that 2 approvers are required.
        self.assertEqual(approval.is_valid, False)
        self.assertEqual(approval.is_valid_message,
                         "Requires 2 approvers for access.")

        self.assertEqual(approval.notified_users, ["approver"])
        self.assertEqual(approval.email_cc_addresses, ["*****@*****.**"])

        # Every approval is self-approved by default, so the requester is the
        # single approver listed at this point.
        self.assertEqual(approval.approvers, [self.token.username])
Exemplo n.º 4
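  def testEmailClientApprovalGrantNotificationLinkLeadsToACorrectPage(self):
    """The link in the grant notification email opens the client's page.

    An approval is requested by the test user and granted with
    GRANTOR_TOKEN. The second captured message (self.messages_sent is
    populated outside this method) must mention the reason, the grantor and
    the client id, and the link extracted from it must lead to a page that
    shows the client's host information and the approval reason.
    """
    client_id = self.SetupClient(0)

    security.ClientApprovalRequestor(
        reason=self.APPROVAL_REASON,
        subject_urn=client_id,
        approver=self.GRANTOR_TOKEN.username,
        token=self.token).Request()
    security.ClientApprovalGrantor(
        reason=self.APPROVAL_REASON,
        subject_urn=client_id,
        token=self.GRANTOR_TOKEN,
        delegate=self.token.username).Grant()

    # There should be 1 message for approval request and 1 message
    # for approval grant notification.
    self.assertEqual(len(self.messages_sent), 2)

    message = self.messages_sent[1]

    # assertIn reports both the missing substring and the message on failure,
    # which assertTrue(x in y) does not.
    self.assertIn(self.APPROVAL_REASON, message)
    self.assertIn(self.GRANTOR_TOKEN.username, message)
    self.assertIn(client_id.Basename(), message)

    self.Open(self._ExtractLinkFromMessage(message))

    # We should end up on client's page. Check that host information is
    # displayed.
    self.WaitUntil(self.IsTextPresent, client_id.Basename())
    self.WaitUntil(self.IsTextPresent, "Host-0")
    # Check that the reason is displayed.
    self.WaitUntil(self.IsTextPresent, self.APPROVAL_REASON)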
Exemplo n.º 5
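    def testEmailClientApprovalRequestLinkLeadsToACorrectPage(self):
        """The link in the approval request email opens the review page.

        SendEmail on the email alerter is stubbed so the message body is
        captured instead of sent. The first href in the captured message is
        opened, and the page must show the requestor, the reason and the
        client's host information.
        """
        client_id = self.SetupClients(1)[0]

        messages_sent = []

        def SendEmailStub(unused_from_user, unused_to_user, unused_subject,
                          message, **unused_kwargs):
            # Record the message body; nothing is actually sent.
            messages_sent.append(message)

        # Request client approval, it will trigger an email message.
        # NOTE(review): the requestor username literal is masked in this
        # listing; presumably it is "iwantapproval", the name the page is
        # expected to display below - confirm.
        with utils.Stubber(email_alerts.EMAIL_ALERTER, "SendEmail",
                           SendEmailStub):
            security.ClientApprovalRequestor(reason="Please please let me",
                                             subject_urn=client_id,
                                             approver=self.token.username,
                                             token=access_control.ACLToken(
                                                 username="******",
                                                 reason="test")).Request()
        self.assertEqual(len(messages_sent), 1)

        # Extract link from the message text and open it.
        m = re.search(r"href='(.+?)'", messages_sent[0], re.MULTILINE)
        # Without this guard a message with no link fails with an opaque
        # AttributeError on None instead of a readable test failure.
        self.assertTrue(m, "No href='...' link found in the approval email.")
        link = urlparse.urlparse(m.group(1))
        # Only path, query and fragment are reused, so the scheme and host of
        # the emailed link are not checked by this test.
        self.Open(link.path + "?" + link.query + "#" + link.fragment)

        # Check that requestor's username and reason are correctly displayed.
        self.WaitUntil(self.IsTextPresent, "iwantapproval")
        self.WaitUntil(self.IsTextPresent, "Please please let me")
        # Check that host information is displayed.
        self.WaitUntil(self.IsTextPresent, client_id.Basename())
        self.WaitUntil(self.IsTextPresent, "Host-0")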
Exemplo n.º 6
  def testIncludesApproversInResultWhenApprovalIsGranted(self):
    """A granted approval is valid and lists both approvers.

    After a second identity grants the request, the handler result must be
    valid and its approvers must be the granting user plus the requesting
    user, in any order.
    """
    requestor = aff4_security.ClientApprovalRequestor(
        reason="blah",
        subject_urn=self.client_id,
        approver="approver",
        token=self.token)
    approval_id = requestor.Request().Basename()

    # NOTE(review): the username literal is masked in this listing;
    # presumably it is the "approver" named in the request - confirm.
    approver_token = access_control.ACLToken(username="******")
    grantor = aff4_security.ClientApprovalGrantor(
        reason="blah",
        delegate=self.token.username,
        subject_urn=self.client_id,
        token=approver_token)
    grantor.Grant()

    lookup_args = user_plugin.ApiGetClientApprovalArgs(
        client_id=self.client_id,
        approval_id=approval_id,
        username=self.token.username)
    approval = self.handler.Handle(lookup_args, token=self.token)

    self.assertTrue(approval.is_valid)

    # Compare sorted copies so the order of approvers does not matter.
    expected_approvers = sorted(
        [approver_token.username, self.token.username])
    self.assertEqual(sorted(approval.approvers), expected_approvers)
Exemplo n.º 7
def ApprovalRequest(client_id,
                    token=None,
                    approver="approver",
                    reason="testing"):
  """Request a client approval for client_id and discard the result.

  Args:
    client_id: Client identifier; it is wrapped in rdf_client.ClientURN.
    token: Token of the requesting user. GetToken() is used when it is falsy.
    approver: Username the approval is requested from.
    reason: Approval reason. token.reason is used when it is falsy.

  Returns:
    None. The URN returned by Request() is not passed on to the caller.
  """
  if not token:
    token = GetToken()

  if reason:
    approval_reason = reason
  else:
    approval_reason = token.reason

  subject = rdf_client.ClientURN(client_id)
  requestor = security.ClientApprovalRequestor(
      reason=approval_reason,
      subject_urn=subject,
      approver=approver,
      token=token)
  requestor.Request()
Exemplo n.º 8
    def testNonValidApprovalIsMarked(self):
        """A requested but ungranted approval is shown half-transparent.

        After an approval is requested and nothing grants it, the dashboard's
        RecentlyAccessedClients table must contain a row for the client that
        carries the half-transparent class.
        """
        client_id = self.SetupClient(0)

        pending = security.ClientApprovalRequestor(
            reason=self.token.reason,
            subject_urn=client_id,
            approver="approver",
            token=self.token)
        pending.Request()

        self.Open("/")

        # Selector for the client's row in the recently-accessed table.
        dimmed_row = ("css=grr-user-dashboard "
                      "div[name=RecentlyAccessedClients] "
                      "tr:contains('%s').half-transparent"
                     ) % client_id.Basename()
        self.WaitUntil(self.IsElementPresent, dimmed_row)
Exemplo n.º 9
    def testApprovalDoesNotCreateUser(self):
        """Naming an approver in a request must not create that user.

        The object at aff4:/users/<username> is not a GRRUser before the
        request, and it must still not be one after an approval has been
        requested from that username.
        """
        username = "******"
        user_path = "aff4:/users/%s" % username

        before = aff4.FACTORY.Open(user_path, token=self.token)
        self.assertFalse(isinstance(before, users.GRRUser))

        requestor = security.ClientApprovalRequestor(
            subject_urn=self.client_id,
            reason=self.token.reason,
            approver=username,
            token=self.token)
        requestor.Request()

        # Re-open the same path: the request must not have created a user
        # object as a side effect.
        after = aff4.FACTORY.Open(user_path, token=self.token)
        self.assertFalse(isinstance(after, users.GRRUser))
Exemplo n.º 10
    def testCreatingApprovalCreatesSymlink(self):
        """Requesting an approval adds a symlink under the user's approvals.

        The first child of the user's per-client approvals directory must be
        named "approval:..." and, opened without following symlinks, must be
        an AFF4Symlink whose target is the approval object under aff4:/ACL.
        """
        # NOTE(review): the hard-coded paths below presumably match the
        # username of self.token ("test") and the id SetupClient(0) yields
        # ("C.1000000000000000") - confirm.
        client_id = self.SetupClient(0)

        requestor = security.ClientApprovalRequestor(
            subject_urn=client_id,
            reason=self.token.reason,
            approver="approver",
            token=self.token)
        requestor.Request()

        children = list(
            aff4.FACTORY.ListChildren(
                "aff4:/users/test/approvals/client/C.1000000000000000"))
        approval_id = children[0].Basename()
        self.assertTrue(approval_id.startswith("approval:"))

        # follow_symlinks=False opens the link object itself, not its target.
        link_path = (
            "aff4:/users/test/approvals/client/C.1000000000000000/%s" %
            approval_id)
        link_obj = aff4.FACTORY.Open(
            link_path,
            follow_symlinks=False,
            mode="r",
            token=self.token)

        expected_target = (
            "aff4:/ACL/C.1000000000000000/test/%s" % approval_id)
        self.assertEqual(link_obj.Get(link_obj.Schema.TYPE), "AFF4Symlink")
        self.assertEqual(link_obj.Get(link_obj.Schema.SYMLINK_TARGET),
                         expected_target)
Exemplo n.º 11
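    def testEmailClientApprovalRequestLinkLeadsToACorrectPage(self):
        """The link in the approval request email opens the review page.

        A single message must be captured in self.messages_sent (populated
        outside this method) after the request. It must mention the reason,
        the requestor and the client id, and the link extracted from it must
        lead to a page that shows the same details plus the host information.
        """
        client_id = self.SetupClient(0)

        # Request with the shared constant so the reason that is sent and the
        # reason asserted below cannot drift apart.
        security.ClientApprovalRequestor(reason=self.APPROVAL_REASON,
                                         subject_urn=client_id,
                                         approver=self.GRANTOR_TOKEN.username,
                                         token=self.token).Request()

        self.assertEqual(len(self.messages_sent), 1)
        message = self.messages_sent[0]

        # assertIn reports both the missing substring and the message on
        # failure, which assertTrue(x in y) does not.
        self.assertIn(self.APPROVAL_REASON, message)
        self.assertIn(self.token.username, message)
        self.assertIn(client_id.Basename(), message)

        self.Open(self._ExtractLinkFromMessage(message))

        # Check that requestor's username and reason are correctly displayed.
        self.WaitUntil(self.IsTextPresent, self.token.username)
        self.WaitUntil(self.IsTextPresent, self.APPROVAL_REASON)
        # Check that host information is displayed.
        self.WaitUntil(self.IsTextPresent, client_id.Basename())
        self.WaitUntil(self.IsTextPresent, "Host-0")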
Exemplo n.º 12
    def RequestClientApproval(self,
                              client_id,
                              reason=None,
                              requestor=None,
                              email_cc_address=None,
                              approver="approver"):
        """Request a client approval from approver and return its id.

        Args:
          client_id: Client id, or an object with a Basename() method whose
            basename is used instead.
          reason: Approval reason; self.token.reason is used when falsy.
          requestor: Requesting username; self.token.username is used when
            falsy.
          email_cc_address: Passed through to the approval requestor.
          approver: Username the approval is requested from.

        Returns:
          The basename of the URN returned by Request().
        """
        if hasattr(client_id, "Basename"):
            subject = client_id.Basename()
        else:
            subject = client_id

        requesting_user = requestor or self.token.username
        approval_reason = reason or self.token.reason

        # The request is made with a token built from the username alone.
        requesting_token = access_control.ACLToken(username=requesting_user)
        approval_request = security.ClientApprovalRequestor(
            subject_urn=subject,
            reason=approval_reason,
            approver=approver,
            email_cc_address=email_cc_address,
            token=requesting_token)
        return approval_request.Request().Basename()