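def _CheckAccess(self, username, subject_id, approval_type):
  """Checks that `username` holds a valid approval for `subject_id`.

  A positive answer is served from `self.acl_cache` when an earlier call with
  the same (username, subject_id, approval_type) key succeeded. Otherwise the
  user's approval requests for that subject/type are read from REL_DB (the
  query already drops expired ones via include_expired=False) and each one is
  run through `approval_checks.CheckApprovalRequest`; the first one that
  passes is cached and grants access.

  Args:
    username: Name of the user whose access is being checked.
    subject_id: Identifier (Text) of the client/hunt/cron job being accessed.
    approval_type: The ApprovalRequest type that applies to the subject.

  Returns:
    True when access is granted - on a cache hit as well as on a fresh check.

  Raises:
    access_control.UnauthorizedAccess: if no approval request exists or every
      request fails the check. In the latter case the message is the
      concatenation of the individual failure reasons.
  """
  precondition.AssertType(subject_id, Text)
  cache_key = (username, subject_id, approval_type)

  try:
    self.acl_cache.Get(cache_key)
  except KeyError:
    APPROVAL_SEARCHES.Increment(fields=["-", "reldb"])
  else:
    APPROVAL_SEARCHES.Increment(fields=["-", "cache"])
    return True

  approvals = data_store.REL_DB.ReadApprovalRequests(
      username, approval_type, subject_id=subject_id, include_expired=False)

  errors = []
  for approval in approvals:
    try:
      approval_checks.CheckApprovalRequest(approval)
    except access_control.UnauthorizedAccess as e:
      errors.append(e)
      continue
    # NOTE(review): caching a positive result means a revoked or since-expired
    # approval keeps granting access until this entry ages out. The cache's
    # lifetime is not visible in this method - confirm acl_cache is bounded.
    self.acl_cache.Put(cache_key, True)
    # Return True on this path too (the original returned None here but True
    # on the cache hit), so callers can rely on a uniform truthy result.
    return True

  subject = approval_checks.BuildLegacySubject(subject_id, approval_type)
  if not errors:
    raise access_control.UnauthorizedAccess(
        "No approval found.", subject=subject)
  raise access_control.UnauthorizedAccess(
      " ".join(str(e) for e in errors), subject=subject)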
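def _CheckAccess(self, username, subject_id, approval_type):
  """Checks that `username` holds a valid approval for `subject_id`.

  A positive answer is served from `self.acl_cache` when an earlier call with
  the same (username, subject_id, approval_type) key succeeded. Otherwise the
  user's approval requests for that subject/type are read from REL_DB (the
  query already drops expired ones via include_expired=False) and each one is
  run through `approval_checks.CheckApprovalRequest`; the first one that
  passes is cached and grants access.

  Args:
    username: Name of the user whose access is being checked.
    subject_id: Identifier (unicode) of the client/hunt/cron job being
      accessed.
    approval_type: The ApprovalRequest type that applies to the subject.

  Returns:
    True when access is granted - on a cache hit as well as on a fresh check.

  Raises:
    access_control.UnauthorizedAccess: if no approval request exists or every
      request fails the check. In the latter case the message is the
      concatenation of the individual failure reasons.
  """
  utils.AssertType(subject_id, unicode)
  cache_key = (username, subject_id, approval_type)

  try:
    self.acl_cache.Get(cache_key)
  except KeyError:
    stats.STATS.IncrementCounter("approval_searches", fields=["-", "reldb"])
  else:
    stats.STATS.IncrementCounter("approval_searches", fields=["-", "cache"])
    return True

  approvals = data_store.REL_DB.ReadApprovalRequests(
      username, approval_type, subject_id=subject_id, include_expired=False)

  errors = []
  for approval in approvals:
    try:
      approval_checks.CheckApprovalRequest(approval)
    except access_control.UnauthorizedAccess as e:
      errors.append(e)
      continue
    # NOTE(review): caching a positive result means a revoked or since-expired
    # approval keeps granting access until this entry ages out. The cache's
    # lifetime is not visible in this method - confirm acl_cache is bounded.
    self.acl_cache.Put(cache_key, True)
    # Return True on this path too (the original returned None here but True
    # on the cache hit), so callers can rely on a uniform truthy result.
    return True

  subject = approval_checks.BuildLegacySubject(subject_id, approval_type)
  if not errors:
    raise access_control.UnauthorizedAccess(
        "No approval found.", subject=subject)
  raise access_control.UnauthorizedAccess(
      " ".join(utils.SmartStr(e) for e in errors), subject=subject)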
def testReturnsIfApprovalIsNotExpiredAndHasTwoGrants(self):
  """An unexpired request granted by two different users passes the check."""
  grants = [
      rdf_objects.ApprovalGrant(grantor_username=u"grantor1"),
      rdf_objects.ApprovalGrant(grantor_username=u"grantor2"),
  ]
  approval_request = self._CreateRequest(grants=grants)
  # Success is signalled by CheckApprovalRequest simply not raising.
  approval_checks.CheckApprovalRequest(approval_request)
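def testRaisesWhenNoGrants(self):
  """A request nobody has granted is rejected.

  The error text states how many more approvers are still needed - two, since
  the request carries zero grants.
  """
  approval_request = self._CreateRequest(grants=[])
  # assertRaisesRegex: the *Regexp spelling is a deprecated alias that was
  # removed in Python 3.12.
  with self.assertRaisesRegex(
      access_control.UnauthorizedAccess,
      "Need at least 2 additional approvers for access"):
    approval_checks.CheckApprovalRequest(approval_request)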
def testWhenAuthMgrActiveChecksApproversForEachClientLabel(self, mock_mgr):
  """With an active approval manager, approvers are checked once per label.

  The client is given two labels. CheckApprovalRequest is expected to call
  CheckApproversForLabel exactly twice, each time with the requestor's token,
  the client URN, the requestor name, the set of grantors and one label. The
  expected order is "bar" then "foo" - alphabetical, not insertion order.
  """
  data_store.REL_DB.AddClientLabels(self.client.client_id, u"GRR",
                                    [u"foo", u"bar"])
  approval_request = self._CreateRequest(grants=[
      rdf_objects.ApprovalGrant(grantor_username=u"grantor1"),
      rdf_objects.ApprovalGrant(grantor_username=u"grantor2"),
  ])
  # The per-label check only runs when the approval manager is active.
  mock_mgr.IsActive.return_value = True

  approval_checks.CheckApprovalRequest(approval_request)

  label_calls = mock_mgr.CheckApproversForLabel.mock_calls
  self.assertEqual(len(label_calls), 2)

  expected_token = access_control.ACLToken(username=u"requestor")
  expected_urn = rdfvalue.RDFURN(self.client.client_id)
  expected_grantors = {"grantor1", "grantor2"}
  for recorded_call, label in zip(label_calls, [u"bar", u"foo"]):
    # mock_calls entries are (name, args, kwargs); compare positional args.
    positional_args = recorded_call[1]
    self.assertEqual(
        positional_args,
        (expected_token, expected_urn, u"requestor", expected_grantors, label))
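def testRaisesWhenJustOneGrant(self):
  """A request with a single grant is rejected: one more approver is needed."""
  approval_request = self._CreateRequest(
      grants=[rdf_objects.ApprovalGrant(grantor_username=u"grantor")])
  # assertRaisesRegex: the *Regexp spelling is a deprecated alias that was
  # removed in Python 3.12.
  with self.assertRaisesRegex(
      access_control.UnauthorizedAccess,
      "Need at least 1 additional approver for access"):
    approval_checks.CheckApprovalRequest(approval_request)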
def testRaisesWhenNoGrantsFromAdmins(self):
  """Two grants are not enough when neither grantor is an admin user."""
  grants = [
      rdf_objects.ApprovalGrant(grantor_username=u"grantor1"),
      rdf_objects.ApprovalGrant(grantor_username=u"grantor2"),
  ]
  approval_request = self._CreateRequest(grants=grants)
  # Neither grantor was created as an admin, so the admin requirement fails.
  with self.assertRaisesRegex(access_control.UnauthorizedAccess,
                              "Need at least 1 admin approver for access"):
    approval_checks.CheckApprovalRequest(approval_request)
def testReturnsIfApprovalIsNotExpiredAndHasTwoGrantsIncludingAdmin(self):
  """Two grants, one of them from an admin, satisfy the check."""
  self.CreateAdminUser("grantor2")
  # NOTE(review): the grantor usernames below look redacted in this copy of
  # the source. For the test to exercise the admin path one of them has to
  # match the admin user created above - confirm against the original file.
  grants = [
      rdf_objects.ApprovalGrant(grantor_username="******"),
      rdf_objects.ApprovalGrant(grantor_username="******"),
  ]
  approval_request = self._CreateRequest(grants=grants)
  # Success is signalled by CheckApprovalRequest simply not raising.
  approval_checks.CheckApprovalRequest(approval_request)
def testWhenAuthMgrActiveReturnsIfClientHasNoLabels(self, mock_mgr):
  """An active approval manager does not block a client that has no labels."""
  grants = [
      rdf_objects.ApprovalGrant(grantor_username=u"grantor1"),
      rdf_objects.ApprovalGrant(grantor_username=u"grantor2"),
  ]
  approval_request = self._CreateRequest(grants=grants)
  # Activate the manager; with no labels there is nothing for it to check.
  mock_mgr.IsActive.return_value = True
  # Success is signalled by CheckApprovalRequest simply not raising.
  approval_checks.CheckApprovalRequest(approval_request)
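def testRaisesIfApprovalExpired(self):
  """A request whose expiration time is in the past is rejected.

  The request has two grants, so the only reason for rejection is expiry;
  the expiration is set one minute before now.
  """
  approval_request = self._CreateRequest(
      expiration_time=rdfvalue.RDFDatetime.Now() - rdfvalue.Duration("1m"),
      grants=[
          rdf_objects.ApprovalGrant(grantor_username=u"grantor1"),
          rdf_objects.ApprovalGrant(grantor_username=u"grantor2"),
      ])
  # assertRaisesRegex: the *Regexp spelling is a deprecated alias that was
  # removed in Python 3.12.
  with self.assertRaisesRegex(access_control.UnauthorizedAccess,
                              "Approval request is expired"):
    approval_checks.CheckApprovalRequest(approval_request)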
def testRaisesIfApprovalExpired(self):
  """A request whose expiration time is in the past is rejected.

  One grantor is made an admin so the request would otherwise be valid; the
  expiry set one minute in the past is then the only reason for rejection.
  """
  self.CreateAdminUser(u"grantor2")
  one_minute = rdfvalue.Duration.From(1, rdfvalue.MINUTES)
  grants = [
      rdf_objects.ApprovalGrant(grantor_username=u"grantor1"),
      rdf_objects.ApprovalGrant(grantor_username=u"grantor2"),
  ]
  approval_request = self._CreateRequest(
      expiration_time=rdfvalue.RDFDatetime.Now() - one_minute, grants=grants)
  with self.assertRaisesRegex(access_control.UnauthorizedAccess,
                              "Approval request is expired"):
    approval_checks.CheckApprovalRequest(approval_request)
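def testWhenAuthMgrActiveRaisesIfAuthMgrRaises(self, mock_mgr):
  """An UnauthorizedAccess raised by the approval manager propagates unchanged.

  The client gets one label so that CheckApproversForLabel is consulted; the
  mocked manager rejects, and the same error message must surface from
  CheckApprovalRequest.
  """
  data_store.REL_DB.AddClientLabels(self.client_id, u"GRR", [u"foo"])
  approval_request = self._CreateRequest(grants=[
      rdf_objects.ApprovalGrant(grantor_username=u"grantor1"),
      rdf_objects.ApprovalGrant(grantor_username=u"grantor2"),
  ])
  # The per-label check only runs when the approval manager is active.
  mock_mgr.IsActive.return_value = True
  mock_mgr.CheckApproversForLabel.side_effect = (
      access_control.UnauthorizedAccess("some error"))
  # assertRaisesRegex: the *Regexp spelling is a deprecated alias that was
  # removed in Python 3.12.
  with self.assertRaisesRegex(access_control.UnauthorizedAccess, "some error"):
    approval_checks.CheckApprovalRequest(approval_request)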
def _InitApiApprovalFromDatabaseObject(api_approval, db_obj):
  """Fills an Api(Client|Hunt|CronJob)Approval from its database object.

  Copies the id, requestor, reason, notification lists (sorted for stable
  output), message id and grantor usernames, then records whether the
  approval currently passes `approval_checks.CheckApprovalRequest`.

  Args:
    api_approval: The API approval object to populate; mutated in place.
    db_obj: The ApprovalRequest as read from the database.

  Returns:
    The populated `api_approval` (the same object that was passed in).
  """
  api_approval.id = db_obj.approval_id
  api_approval.requestor = db_obj.requestor_username
  api_approval.reason = db_obj.reason
  api_approval.notified_users = sorted(db_obj.notified_users)
  api_approval.email_cc_addresses = sorted(db_obj.email_cc_addresses)
  api_approval.email_message_id = db_obj.email_message_id
  api_approval.approvers = sorted(g.grantor_username for g in db_obj.grants)

  # The check raises instead of returning a bool. Its message (e.g. missing
  # approvers, expired) is exposed to API callers as is_valid_message so they
  # can see why the approval is not usable yet.
  try:
    approval_checks.CheckApprovalRequest(db_obj)
  except access_control.UnauthorizedAccess as e:
    api_approval.is_valid_message = str(e)
    api_approval.is_valid = False
  else:
    api_approval.is_valid = True
  return api_approval