def testFileFinderFlowNameCanBeOverriden(self):
router = self._CreateRouter(
file_finder_flow=rr.RobotRouterFileFinderFlowParams(
enabled=True,
file_finder_flow_name=AnotherFileFinder.__name__))
with self.assertRaises(access_control.UnauthorizedAccess):
router.CreateFlow(api_flow.ApiCreateFlowArgs(
flow=api_flow.ApiFlow(name=file_finder.FileFinder.__name__),
client_id=self.client_id),
token=self.token)
router.CreateFlow(api_flow.ApiCreateFlowArgs(
flow=api_flow.ApiFlow(name=AnotherFileFinder.__name__),
client_id=self.client_id),
token=self.token)
def Handle(self, args, token=None):
flow_urn = args.flow_id.ResolveCronJobFlowURN(args.cron_job_id)
flow_obj = aff4.FACTORY.Open(
flow_urn, aff4_type=flow.GRRFlow, mode="r", token=token)
return api_plugins_flow.ApiFlow().InitFromAff4Object(
flow_obj, with_state_and_context=True)
def Check(path):
router.CreateFlow(api_flow.ApiCreateFlowArgs(
flow=api_flow.ApiFlow(
name=file_finder.FileFinder.__name__,
args=rdf_file_finder.FileFinderArgs(paths=[path])),
client_id=self.client_id),
token=self.token)
def InitFromAff4Object(self, approval_obj, approval_subject_obj=None):
if not approval_subject_obj:
approval_subject_obj = aff4.FACTORY.Open(
approval_obj.Get(approval_obj.Schema.SUBJECT),
aff4_type=implementation.GRRHunt,
token=approval_obj.token)
self.subject = api_hunt.ApiHunt().InitFromAff4Object(
approval_subject_obj, with_full_summary=True)
result = _InitApiApprovalFromAff4Object(self, approval_obj)
original_object = approval_subject_obj.runner_args.original_object
if original_object.object_type == "FLOW_REFERENCE":
urn = original_object.flow_reference.ToFlowURN()
original_flow = aff4.FACTORY.Open(urn,
aff4_type=flow.GRRFlow,
token=approval_obj.token)
result.copied_from_flow = api_flow.ApiFlow().InitFromAff4Object(
original_flow, flow_id=original_flow.urn.Basename())
elif original_object.object_type == "HUNT_REFERENCE":
urn = original_object.hunt_reference.ToHuntURN()
original_hunt = aff4.FACTORY.Open(urn,
aff4_type=implementation.GRRHunt,
token=approval_obj.token)
result.copied_from_hunt = api_hunt.ApiHunt().InitFromAff4Object(
original_hunt, with_full_summary=True)
return result
def Check(artifacts):
router.CreateFlow(api_flow.ApiCreateFlowArgs(
flow=api_flow.ApiFlow(
name=collectors.ArtifactCollectorFlow.__name__,
args=artifact_utils.ArtifactCollectorFlowArgs(
artifact_list=artifacts)),
client_id=self.client_id),
token=self.token)
def Check(path):
with self.assertRaises(access_control.UnauthorizedAccess):
router.CreateFlow(api_flow.ApiCreateFlowArgs(
flow=api_flow.ApiFlow(
name=file_finder.FileFinder.__name__,
args=rdf_file_finder.FileFinderArgs(paths=[path])),
client_id=self.client_id),
token=self.token)
def Check(artifacts):
with self.assertRaises(access_control.UnauthorizedAccess):
router.CreateFlow(api_flow.ApiCreateFlowArgs(
flow=api_flow.ApiFlow(
name=collectors.ArtifactCollectorFlow.__name__,
args=artifact_utils.ArtifactCollectorFlowArgs(
artifact_list=artifacts)),
client_id=self.client_id),
token=self.token)
def testArtifactCollectorFlowNameCanBeOverriden(self):
router = self._CreateRouter(
artifact_collector_flow=rr.RobotRouterArtifactCollectorFlowParams(
enabled=True,
artifact_collector_flow_name=AnotherArtifactCollector.__name__)
)
with self.assertRaises(access_control.UnauthorizedAccess):
router.CreateFlow(api_flow.ApiCreateFlowArgs(
flow=api_flow.ApiFlow(
name=collectors.ArtifactCollectorFlow.__name__),
client_id=self.client_id),
token=self.token)
router.CreateFlow(api_flow.ApiCreateFlowArgs(
flow=api_flow.ApiFlow(name=AnotherArtifactCollector.__name__),
client_id=self.client_id),
token=self.token)
def _CreateFlowWithRobotId(self, flow_name=None, flow_args=None):
flow_name = flow_name or file_finder.FileFinder.__name__
handler = rr.ApiRobotCreateFlowHandler(robot_id=self.robot_id)
flow_result = handler.Handle(api_flow.ApiCreateFlowArgs(
client_id=self.client_id,
flow=api_flow.ApiFlow(name=flow_name, args=flow_args)),
token=self.token)
return flow_result.flow_id
def Handle(self, args, token=None):
flow_urn = aff4_cronjobs.CRON_MANAGER.CRON_JOBS_PATH.Add(
args.cron_job_id).Add(args.flow_id.Basename())
flow_obj = aff4.FACTORY.Open(flow_urn,
aff4_type=flow.GRRFlow,
mode="r",
token=token)
return api_plugins_flow.ApiFlow().InitFromAff4Object(flow_obj)
def testOnlyFileFinderAndArtifactCollectorFlowsAreAllowed(self):
router = self._CreateRouter(
file_finder_flow=rr.RobotRouterFileFinderFlowParams(enabled=True),
artifact_collector_flow=rr.RobotRouterArtifactCollectorFlowParams(
enabled=True))
with self.assertRaises(access_control.UnauthorizedAccess):
router.CreateFlow(api_flow.ApiCreateFlowArgs(
flow=api_flow.ApiFlow(name=test_lib.BrokenFlow.__name__),
client_id=self.client_id),
token=self.token)
def testRunnerArgsBaseSessionIdDoesNotAffectCreatedFlow(self):
"""When multiple clients match, check we run on the latest one."""
flow_runner_args = rdf_flows.FlowRunnerArgs(
base_session_id="aff4:/foo")
args = flow_plugin.ApiCreateFlowArgs(
client_id=self.client_id.Basename(),
flow=flow_plugin.ApiFlow(name=processes.ListProcesses.__name__,
runner_args=flow_runner_args))
result = self.handler.Handle(args, token=self.token)
self.assertFalse(utils.SmartStr(result.urn).startswith("aff4:/foo"))
def testLeavesClientIdEmptyForNonClientBasedFlows(self):
client_id = self.SetupClients(1)[0]
flow_urn = flow.GRRFlow.StartFlow(
client_id=client_id,
flow_name=processes.ListProcesses.__name__,
token=self.token)
flow_obj = aff4.FACTORY.Open(flow_urn, token=self.token)
flow_api_obj = flow_plugin.ApiFlow().InitFromAff4Object(
flow_obj, flow_id=flow_urn.Basename())
self.assertEquals(flow_api_obj.client_id,
client_plugin.ApiClientId(client_id))
def testInitializesClientIdForClientBasedFlows(self):
client_id = self.SetupClients(1)[0]
flow_urn = flow.GRRFlow.StartFlow(
# Override base session id, so that the flow URN looks
# like: aff4:/F:112233
base_session_id="aff4:/",
client_id=client_id,
flow_name=processes.ListProcesses.__name__,
token=self.token)
flow_obj = aff4.FACTORY.Open(flow_urn, token=self.token)
flow_api_obj = flow_plugin.ApiFlow().InitFromAff4Object(
flow_obj, flow_id=flow_urn.Basename())
self.assertIsNone(flow_api_obj.client_id)
def Handle(self, args, token=None):
if not args.client_id:
raise RuntimeError("Client id has to be specified.")
if not args.flow.name:
raise RuntimeError("Flow name is not specified.")
# Note that runner_args are dropped. From all the arguments We use only
# the flow name and the arguments.
flow_id = flow.GRRFlow.StartFlow(
client_id=args.client_id.ToClientURN(),
flow_name=args.flow.name,
token=token,
args=self.override_flow_args or args.flow.args)
with aff4.FACTORY.Open(
flow_id, aff4_type=flow.GRRFlow, mode="rw", token=token) as fd:
fd.AddLabel(LABEL_NAME_PREFIX + self.robot_id)
return api_flow.ApiFlow().InitFromAff4Object(
fd, flow_id=flow_id.Basename())
def Run(self):
def ReplaceFlowId():
flows_dir_fd = aff4.FACTORY.Open(self.client_id.Add("flows"),
token=self.token)
flow_urn = list(flows_dir_fd.ListChildren())[0]
return {flow_urn.Basename(): "W:ABCDEF"}
with test_lib.FakeTime(42):
self.Check("CreateFlow",
args=flow_plugin.ApiCreateFlowArgs(
client_id=self.client_id.Basename(),
flow=flow_plugin.ApiFlow(
name=processes.ListProcesses.__name__,
args=processes.ListProcessesArgs(
filename_regex=".", fetch_binaries=True),
runner_args=rdf_flows.FlowRunnerArgs(
output_plugins=[],
priority="HIGH_PRIORITY",
notify_to_user=False))),
replace=ReplaceFlowId)
def testFileFinderHashMaxFileSizeCanBeOverriden(self):
router = self._CreateRouter(
file_finder_flow=rr.RobotRouterFileFinderFlowParams(
enabled=True, max_file_size=42))
ha = rdf_file_finder.FileFinderHashActionOptions()
ha.max_size = 80
ha.oversized_file_policy = ha.OversizedFilePolicy.HASH_TRUNCATED
path = "/foo/bar"
handler = router.CreateFlow(api_flow.ApiCreateFlowArgs(
flow=api_flow.ApiFlow(name=file_finder.FileFinder.__name__,
args=rdf_file_finder.FileFinderArgs(
paths=[path],
action=rdf_file_finder.FileFinderAction(
action_type="HASH", hash=ha))),
client_id=self.client_id),
token=self.token)
ha = handler.override_flow_args.action.hash
self.assertEqual(ha.oversized_file_policy, ha.OversizedFilePolicy.SKIP)
self.assertEqual(ha.max_size, 42)
def testFileFinderDownloadMaxFileSizeCanBeOverriden(self):
router = self._CreateRouter(
file_finder_flow=rr.RobotRouterFileFinderFlowParams(
enabled=True, max_file_size=42))
da = rdf_file_finder.FileFinderDownloadActionOptions()
da.max_size = 80
da.oversized_file_policy = da.OversizedFilePolicy.DOWNLOAD_TRUNCATED
path = "/foo/bar"
handler = router.CreateFlow(api_flow.ApiCreateFlowArgs(
flow=api_flow.ApiFlow(name=file_finder.FileFinder.__name__,
args=rdf_file_finder.FileFinderArgs(
paths=[path],
action=rdf_file_finder.FileFinderAction(
action_type="DOWNLOAD",
download=da))),
client_id=self.client_id),
token=self.token)
da = handler.override_flow_args.action.download
self.assertEqual(da.oversized_file_policy, da.OversizedFilePolicy.SKIP)
self.assertEqual(da.max_size, 42)
def setUp(self):
super(ApiLabelsRestrictedCallRouterTest, self).setUp()
self.client_urn = self.SetupClient(0)
with aff4.FACTORY.Open(self.client_urn, mode="rw",
token=self.token) as fd:
fd.AddLabel("foo", owner="GRR")
self.client_id = self.client_urn.Basename()
self.hunt_id = "H:123456"
c = api_router.ApiLabelsRestrictedCallRouter
self.checks = {}
# Artifacts methods.
self.CheckMethod(c.ListArtifacts)
self.CheckMethod(c.UploadArtifact)
self.CheckMethod(c.DeleteArtifacts)
# Clients methods
self.CheckMethod(c.SearchClients)
self.CheckMethod(c.GetClient, client_id=self.client_id)
self.CheckMethod(c.GetClientVersions, client_id=self.client_id)
self.CheckMethod(c.GetClientVersionTimes, client_id=self.client_id)
self.CheckMethod(c.InterrogateClient, client_id=self.client_id)
self.CheckMethod(c.GetInterrogateOperationState)
self.CheckMethod(c.GetLastClientIPAddress, client_id=self.client_id)
# Virtual file system methods.
self.CheckMethod(c.ListFiles, client_id=self.client_id)
self.CheckMethod(c.GetFileDetails, client_id=self.client_id)
self.CheckMethod(c.GetFileText, client_id=self.client_id)
self.CheckMethod(c.GetFileBlob, client_id=self.client_id)
self.CheckMethod(c.GetFileVersionTimes, client_id=self.client_id)
self.CheckMethod(c.GetFileDownloadCommand, client_id=self.client_id)
self.CheckMethod(c.CreateVfsRefreshOperation, client_id=self.client_id)
self.CheckMethod(c.GetVfsRefreshOperationState)
self.CheckMethod(c.GetVfsTimeline, client_id=self.client_id)
self.CheckMethod(c.GetVfsTimelineAsCsv, client_id=self.client_id)
# Clients labels methods.
self.CheckMethod(c.ListClientsLabels)
self.CheckMethod(c.AddClientsLabels, client_ids=[self.client_id])
self.CheckMethod(c.RemoveClientsLabels, client_ids=[self.client_id])
# Clients flows methods.
self.CheckMethod(c.ListFlows, client_id=self.client_id)
self.CheckMethod(c.GetFlow, client_id=self.client_id)
self.CheckMethod(
c.CreateFlow,
client_id=self.client_id,
flow=api_flow.ApiFlow(name=processes.ListProcesses.__name__))
self.CheckMethod(c.CancelFlow, client_id=self.client_id)
self.CheckMethod(c.ListFlowResults, client_id=self.client_id)
self.CheckMethod(c.GetFlowResultsExportCommand,
client_id=self.client_id)
self.CheckMethod(c.GetFlowFilesArchive, client_id=self.client_id)
self.CheckMethod(c.ListFlowOutputPlugins, client_id=self.client_id)
self.CheckMethod(c.ListFlowOutputPluginLogs, client_id=self.client_id)
self.CheckMethod(c.ListFlowOutputPluginErrors,
client_id=self.client_id)
self.CheckMethod(c.ListFlowLogs, client_id=self.client_id)
# Cron jobs methods.
self.CheckMethod(c.ListCronJobs)
self.CheckMethod(c.CreateCronJob)
self.CheckMethod(c.DeleteCronJob)
# Hunts methods.
self.CheckMethod(c.ListHunts)
self.CheckMethod(c.GetHunt, hunt_id=self.hunt_id)
self.CheckMethod(c.ListHuntErrors, hunt_id=self.hunt_id)
self.CheckMethod(c.ListHuntLogs, hunt_id=self.hunt_id)
self.CheckMethod(c.ListHuntResults, hunt_id=self.hunt_id)
self.CheckMethod(c.GetHuntResultsExportCommand, hunt_id=self.hunt_id)
self.CheckMethod(c.ListHuntOutputPlugins, hunt_id=self.hunt_id)
self.CheckMethod(c.ListHuntOutputPluginLogs, hunt_id=self.hunt_id)
self.CheckMethod(c.ListHuntOutputPluginErrors, hunt_id=self.hunt_id)
self.CheckMethod(c.ListHuntCrashes, hunt_id=self.hunt_id)
self.CheckMethod(c.GetHuntClientCompletionStats, hunt_id=self.hunt_id)
self.CheckMethod(c.GetHuntStats, hunt_id=self.hunt_id)
self.CheckMethod(c.ListHuntClients, hunt_id=self.hunt_id)
self.CheckMethod(c.GetHuntContext, hunt_id=self.hunt_id)
self.CheckMethod(c.CreateHunt)
self.CheckMethod(c.GetHuntFilesArchive, hunt_id=self.hunt_id)
self.CheckMethod(c.GetHuntFile, hunt_id=self.hunt_id)
# Stats metrics methods.
self.CheckMethod(c.ListStatsStoreMetricsMetadata)
self.CheckMethod(c.GetStatsStoreMetric)
# Approvals methods.
self.CheckMethod(c.CreateClientApproval, client_id=self.client_id)
self.CheckMethod(c.GetClientApproval, client_id=self.client_id)
self.CheckMethod(c.ListClientApprovals, client_id=self.client_id)
self.CheckMethod(c.ListHuntApprovals)
self.CheckMethod(c.ListCronJobApprovals)
# User settings methods.
self.CheckMethod(c.GetPendingUserNotificationsCount)
self.CheckMethod(c.ListPendingUserNotifications)
self.CheckMethod(c.DeletePendingUserNotification)
self.CheckMethod(c.ListAndResetUserNotifications)
self.CheckMethod(c.GetGrrUser)
self.CheckMethod(c.UpdateGrrUser)
self.CheckMethod(c.ListPendingGlobalNotifications)
self.CheckMethod(c.DeletePendingGlobalNotification)
# Config methods.
self.CheckMethod(c.GetConfig)
self.CheckMethod(c.GetConfigOption)
# Reflection methods.
self.CheckMethod(c.ListKbFields)
self.CheckMethod(c.ListFlowDescriptors)
self.CheckMethod(c.ListAff4AttributeDescriptors)
self.CheckMethod(c.GetRDFValueDescriptor)
self.CheckMethod(c.ListRDFValuesDescriptors)
self.CheckMethod(c.ListOutputPluginDescriptors)
self.CheckMethod(c.ListKnownEncodings)
self.CheckMethod(c.ListApiMethods)
non_checked_methods = (set(self.checks.keys()) -
set(c.GetAnnotatedMethods().keys()))
if non_checked_methods:
raise RuntimeError(
"Not all methods are covered with CheckMethod() "
"checks: " + ", ".join(non_checked_methods))
def testAllGlobalFlowsMethodsAreAccessChecked(self):
args = api_flow.ApiCreateFlowArgs(flow=api_flow.ApiFlow(
name="ListProcesses"))
self.CheckMethodIsAccessChecked(self.router.CreateGlobalFlow,
"CheckIfCanStartFlow",
args=args)
