def test_other_user_cant_see_secret_created_by_first_user_in_bad( core_session, users_and_roles, created_system_id_list, swap_roles): roles = [ "Privileged Access Service Administrator", "Privileged Access Service Power User" ] if swap_roles: roles_new = [roles[1], roles[0]] roles = roles_new batch = ResourceManager.add_multiple_systems_with_accounts( core_session, 2, 2, created_system_id_list) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values( [batch]) deleter_user_0_session = users_and_roles.get_session_for_user(roles[0]) deleter_user_0_role = users_and_roles.get_role(roles[0]) other_user_1_session = users_and_roles.get_session_for_user(roles[1]) for account_id in all_accounts: permission_string = 'Owner,View,Manage,Delete,Login,Naked,UpdatePassword,FileTransfer,UserPortalLogin' result, success = ResourceManager.assign_account_permissions( core_session, permission_string, deleter_user_0_role['Name'], deleter_user_0_role['ID'], "Role", account_id) assert success, "Did not set account permissions " + str(result) for system_id in all_systems: permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount' result, success = ResourceManager.assign_system_permissions( core_session, permission_string, deleter_user_0_role['Name'], deleter_user_0_role['ID'], "Role", system_id) assert success, "Did not set system permissions " + result parent_folder = get_folder(deleter_user_0_session, "Bulk Delete") assert not parent_folder[ 'success'], "Should not be able to see folder before bulk delete operation as new user" secret_name = f"secret{guid()}" job_id, result = ResourceManager.del_multiple_accounts( deleter_user_0_session, all_accounts, save_passwords=True, secret_name=secret_name) result = ResourceManager.get_job_state(core_session, job_id) assert result == "Succeeded", "Job did not execute" parent_folder = get_folder(deleter_user_0_session, "Bulk Delete") assert parent_folder[ 'success'], "Should be able to see folder before bulk delete operation as new user" remaining_accounts = set( ResourceManager.get_multi_added_account_ids(core_session, created_system_id_list)) assert remaining_accounts == set( ), "Remaining accounts did not match expectation" secret_id = RedrockController.get_secret_id_by_name( deleter_user_0_session, secret_name) assert secret_id is not None, f"Secret was not visible to creator '{roles[0]}' user, either because it " \ f"wasn't created or because of a permissions issue" secret_id = RedrockController.get_secret_id_by_name( other_user_1_session, secret_name) assert secret_id is None, f"Secret should not be '{roles[1]}' user when created by '{roles[0]}' user" secret_id = RedrockController.get_secret_id_by_name( core_session, secret_name) assert secret_id is not None, f"Sys admin should be able to see secret created by {roles[0]}"
def agent_enrolled_unix_system_with_users(core_tenant, core_session_global, agent_enrolled_unix_system, users_and_roles, cleanup_accounts, create_unix_users, proxy_start_stop, detect_proxy): config = Configs().get_yaml_node_as_tuple("agents", "generic_cagent_unix") accounts_list = cleanup_accounts[0] proxycontrol = proxy_start_stop logger.info("adding users on the enrolled system") system_id = agent_enrolled_unix_system["ResourceId"] ssh_session = agent_enrolled_unix_system["Session"] adminuser = {"Name": config.username, "Password": config.password} # add users on target system accountusers = create_unix_users(ssh_session, "agent_", 2) logger.info("Users created " + str(len(accountusers))) for i, val in enumerate(accountusers): logger.info( str(i) + ", Name: " + val["Name"] + "Password:"******"Password"]) right_data = ("Privileged Access Service Power User", "role_Privileged Access Service Power User") requester_session = users_and_roles.get_session_for_user(right_data[0]) role_info = users_and_roles.get_role(right_data[0]) permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount' result, success = ResourceManager.assign_system_permissions( core_session_global, permission_string, role_info['Name'], role_info['ID'], "Role", system_id) assert success, "Did not set system permissions " + result # Step 3 Create Accounts for testing logger.info("Adding root account") admin_account_id, add_account_success = ResourceManager.add_account( requester_session, adminuser['Name'], adminuser["Password"], system_id, ismanaged=False) assert add_account_success, "Failed to create Account user: root" logger.info(f"Added root Account. Id {admin_account_id}") accounts_list.append(admin_account_id) logger.info("Adding user for reconciliation") new_account_id, add_account_success = ResourceManager.add_account( requester_session, accountusers[0]['Name'], accountusers[0]['Password'], system_id, ismanaged=True) assert add_account_success, "Failed to create manged Account user: "******", Verify CC or agent settings and status" logger.info(f"Added Account for testing. Id {new_account_id}") accounts_list.append(new_account_id) permission_string = "Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword,FileTransfer,UserPortalLogin" result, success = ResourceManager.assign_account_permissions( core_session_global, permission_string, role_info['Name'], role_info['ID'], "Role", new_account_id) assert success, "Did not set account permissions " + result # Get computer details for update result = RedrockController.get_system(requester_session, system_id) system = result[0]["Row"] # wait for managed password change event filter = [['AccountName', accountusers[0]['Name']]] RedrockController.wait_for_event_by_type_filter( requester_session, "Cloud.Server.LocalAccount.PasswordChange", filter=filter, maximum_wait_second=120) # wait for 20 seonds accounts = [{ "Name": adminuser['Name'], "Password": adminuser["Password"], "Id": admin_account_id }, { "Name": accountusers[0]["Name"], "Password": accountusers[0]["Password"], "Id": new_account_id }] proxy = start_proxy_with_machinename(requester_session, proxycontrol, config.proxy_name) assert proxy != None, ( f'Failed to find the connector {config.proxy_name}, Setup the connector properly.' ) # Set Admin Account and enable local account maintenance result, success = ResourceManager.update_system( requester_session, system_id, system["Name"], system["FQDN"], 'Unix', proxycollectionlist=proxy, adminaccountid=admin_account_id, allowautomaticlocalaccountmaintenance=True) assert success, (f'Failed to set administrative account {result}') # return acount ids, computer, yield [{ "ResourceId": system_id, "ProxyId": proxy, "ResourceName": system["Name"], "Accounts": accounts, "Session": ssh_session }] result, success, message = ResourceManager.set_system_administrative_account( requester_session, system_id) assert success, f'Failed to remove administrative account on {message}'
def agent_enrolled_windows_system_with_users( core_session_global, agent_enrolled_windows_system, users_and_roles, remote_users_qty1, cleanup_accounts, pas_ad_domain, pas_ad_administrative_account, cleanup_lapr_systems_and_domains, proxy_start_stop): config = Configs().get_yaml_node_as_tuple("agents", "generic_cagent_win") accounts_list = cleanup_accounts[0] domains_list = cleanup_lapr_systems_and_domains[1] systems_list = cleanup_lapr_systems_and_domains[0] user = remote_users_qty1 proxycontrol = proxy_start_stop accountusers = [{"Name": user[0], "Password": "******"}] logger.info("Users created " + str(len(accountusers))) for i, val in enumerate(accountusers): logger.info( str(i) + ", Name: " + val["Name"] + "Password:"******"Password"]) logger.info("adding users on the enrolled system") system_id = agent_enrolled_windows_system["ResourceId"] winrm_session_as_admin = agent_enrolled_windows_system["Session"] adminuser = { "Name": config.admin_username, "Password": config.admin_password } domain_id = pas_ad_domain['ID'] admin_id = pas_ad_administrative_account['ID'] right_data = ("Privileged Access Service Power User", "role_Privileged Access Service Power User") requester_session = users_and_roles.get_session_for_user(right_data[0]) role_info = users_and_roles.get_role(right_data[0]) domains_list.append(pas_ad_domain) systems_list.append(system_id) logger.info( "Setting Domain Administrator user as Administrative Account on domain." ) result, success, response = ResourceManager.set_administrative_account( core_session_global, [pas_ad_domain['Name']], pas_ad_administrative_account['User'], pas_ad_administrative_account['ID']) logger.info( "Setting Administrative Account on domain, but with no lapr settings enabled." ) result, success = ResourceManager.update_domain_accounts( core_session_global, pas_ad_domain['Name'], admin_id, domain_id, allowautomaticlocalaccountmaintenance=True, allowmanuallocalaccountunlock=True) permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount' result, success = ResourceManager.assign_system_permissions( core_session_global, permission_string, role_info['Name'], role_info['ID'], "Role", system_id) assert success, f"Did not set system permissions {result}" # Step 3 Create Accounts for testing logger.info("Adding Admin account") admin_account_id, add_account_success = ResourceManager.add_account( requester_session, adminuser['Name'], adminuser["Password"], system_id, ismanaged=False) assert add_account_success, "Failed to create admin user" logger.info(f"Added root Account. Id {admin_account_id}") accounts_list.append(admin_account_id) logger.info("Adding user for reconciliation") new_account_id, add_account_success = ResourceManager.add_account( requester_session, accountusers[0]['Name'], accountusers[0]['Password'], system_id, ismanaged=True) assert add_account_success, "Failed to create manged Account user: "******", Verify CC or agent settings and status" logger.info(f"Added Account for testing. Id {new_account_id}") accounts_list.append(new_account_id) permission_string = "Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword,FileTransfer,UserPortalLogin" result, success = ResourceManager.assign_account_permissions( core_session_global, permission_string, role_info['Name'], role_info['ID'], "Role", new_account_id) assert success, "Did not set account permissions " + result # Get computer details for update result = RedrockController.get_system(requester_session, system_id) system = result[0]["Row"] # wait for managed password change event filter = [['AccountName', accountusers[0]['Name']]] RedrockController.wait_for_event_by_type_filter( requester_session, "Cloud.Server.LocalAccount.PasswordChange", filter=filter, maximum_wait_second=120) # wait for 120 seonds accounts = [{ "Name": adminuser['Name'], "Password": adminuser["Password"], "Id": admin_account_id }, { "Name": accountusers[0]["Name"], "Password": accountusers[0]["Password"], "Id": new_account_id }] # set proxy proxy = start_proxy_with_machinename(requester_session, proxycontrol, config.proxy_name) assert proxy != None, ( f'Failed to find the connector {config.proxy_name}, Setup the connector properly before the test' ) result, success = ResourceManager.update_system(requester_session, system_id, system["Name"], system["FQDN"], 'Windows', domainid=domain_id, proxycollectionlist=proxy) assert success, (f'Failed to set reconciliation settings {result}') result, success = ResourceManager.update_system( requester_session, system_id, system["Name"], system["FQDN"], 'Windows', proxycollectionlist=proxy, allowautomaticlocalaccountmaintenance=True, allowmanuallocalaccountunlock=True) assert success, (f'Failed to set reconciliation settings {result}') # update_system reset the proxycollectionlist setting? Set it again. result, success = ResourceManager.update_system(requester_session, system_id, system["Name"], system["FQDN"], 'Windows', domainid=domain_id, proxycollectionlist=proxy) assert success, (f'Failed to set reconciliation settings {result}') # return acount ids, computer, yield [{ "ResourceId": system_id, "ProxyId": proxy, "ResourceFQDN": system["FQDN"], "Accounts": accounts, "Session": winrm_session_as_admin }] result, success, message = ResourceManager.set_system_administrative_account( requester_session, system_id) assert success, f'Failed to remove administrative account on {message}'
def test_accounts_removed_my_sys_account_delete_workspace_permission(core_session, users_and_roles, pas_windows_setup): """ TC:C2060 Account will removed from "My System Account" after delete "Workspace Login" permission. :param:core_session: Returns a API session. :param:users_and_roles:Fixture to manage roles and user. :param pas_windows_setup:Returns a fixture. """ # Creating a system and account. system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup() # Cloud user session with "Privileged Access Service Administrator". cloud_user_session = users_and_roles.get_session_for_user('Privileged Access Service Administrator') user_name = cloud_user_session.auth_details['User'] user_id = cloud_user_session.auth_details['UserId'] # Not Assigning "Workspace_login account permission to user. assign_account_perm_res, assign_account_perm_success = \ ResourceManager.assign_account_permissions(core_session, "View", user_name, user_id, 'User', account_id) assert assign_account_perm_success, f" Workspace account permission is assigned: " \ f"API response result:{assign_account_perm_res}" logger.info(f"Successfully not assign account Workspace permission to user'{assign_account_perm_res}'") # Assigning "View" permission for system to limited user. assign_system_perm_res, assign_system_perm_success = ResourceManager.assign_system_permissions(core_session, "View", user_name, user_id, 'User', system_id) assert assign_system_perm_success, f'Failed to assign "View" permissions: ' \ f'API response result {assign_system_perm_res}.' logger.info(f"Successfully assign system permission to user'{assign_system_perm_res}'") # Getting the details from "My System Accounts" in workspace and validating account not in "My System Accounts" # list. workspace_result, workspace_success = ResourceManager.get_my_system_accounts_from_workspace(cloud_user_session) assert sys_info[4] not in workspace_result, f'Could find the account {sys_info[4]} on workspace.' logger.info("Could not display Account on workspace") # Assigning "Workspace Login" permission for account to limited user. rights = "View,Login,UserPortalLogin" assign_account_perm_res, assign_account_perm_success = \ ResourceManager.assign_account_permissions(core_session, rights, user_name, user_id, 'User', account_id) assert assign_account_perm_success, f'Failed to assign "Workspace Login" permission:' \ f'API response result:{assign_account_perm_res}' logger.info(f'Successfully "Workspace Login" of account permission to user"{assign_account_perm_res}"') # Getting the details from "My System Accounts" in workspace and validating account in "My System Accounts" list. workspace_account_list = [] workspace_result_detail, workspace_success = ResourceManager.\ get_my_system_accounts_from_workspace(cloud_user_session) for workspace_result in workspace_result_detail: if workspace_result['Name'] == sys_info[0]: workspace_account_list.append(workspace_result['User']) assert sys_info[4] in workspace_account_list, f'failed to get the account {sys_info[4]} on workspace.' logger.info(f"Successfully display account {sys_info[4]} on workspace") # Not Assigning "Workspace_login account permission to user. assign_account_perm_res, assign_account_perm_success = \ ResourceManager.assign_account_permissions(core_session, "View", user_name, user_id, 'User', account_id) assert assign_account_perm_success, f" Workspace account permission is assigned: " \ f"API response result:{assign_account_perm_res}" logger.info(f"Successfully not assign account Workspace permission to user'{assign_account_perm_res}'") # Getting the details from "My System Accounts" in workspace and validating account not in "My System Accounts" # list. workspace_result, workspace_success = ResourceManager.get_my_system_accounts_from_workspace(cloud_user_session) assert sys_info[4] not in workspace_result, f'Could find the account {sys_info[4]} on workspace.' logger.info(f"Failed to display on Account {sys_info[4]} on workspace")
def test_check_connector_page_for_system(core_session, pas_windows_setup, users_and_roles): """ TC:C2171 Check UI on Connectors page for a system. :param:core_session: Returns Authenticated Centrify session. :param:users_and_roles:Fixture to manage roles and user. :param pas_windows_setup: Return a fixture. """ # Creating a system and account. system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup( ) # Cloud user session with "Privileged Access Service Administrator". cloud_user_session = users_and_roles.get_session_for_user( 'Privileged Access Service Administrator') user_name = cloud_user_session.auth_details['User'] user_id = cloud_user_session.auth_details['UserId'] # UI session with "Privileged Access Service Administrator" rights. ui = users_and_roles.get_ui_as_user( 'Privileged Access Service Administrator') # Assigning system "View,Delete" permission assign_system_result, assign_system_success = ResourceManager.assign_system_permissions( core_session, "View,Delete", user_name, user_id, 'User', system_id) assert assign_system_success, f"Failed to assign system permissions: API response result: {assign_system_result}" logger.info( f'Successfully assigned "View" permission to user:{assign_system_result}.' ) # Getting the connectors Details. connector_details = Configs.get_environment_node('connector_data', 'automation_main') list_connectors_id = [] connectors_details = RedrockController.get_all_proxy(core_session) for connector_detail in connectors_details: if connector_detail['Name'] == connector_details['connector']: list_connectors_id.append(connector_detail['ID']) # Choosing the connector for the system. result, success = ResourceManager.update_system( core_session, system_id=system_id, name=sys_info[0], fqdn=sys_info[1], computerclass=sys_info[2], proxycollectionlist=connector_id, chooseConnector="on", filterConnectorCombo="all") assert success, f'Failed to save the connector for the system: API response result: {result}.' logger.info( f'Successfully save the connector for the system: API response result: {result}.' ) # UI Launch ui.navigate('Resources', 'Systems') ui.search(sys_info[0]) ui.click_row(GridRowByGuid(system_id)) ui.tab('Connectors', check_rendered_tab=False) ui.switch_context(ActiveMainContentArea()) ui.expect( ReadOnlyTextField('filterConnectorCombo'), 'Expected the username field to be readonly for this filterConnectorCombo strategy but it is not.' ) logger.info( 'Successfully found connector settings grayed and no error icon')
def test_accounts_set_my_system_accounts(core_session, pas_windows_setup, users_and_roles, clean_up_collections): """ TC:C2067 Add account to set on "My System Accounts". :param:core_session: Returns a API session. :param:users_and_roles:Fixture to manage roles and user. :param pas_windows_setup:Returns a fixture. :param:clean_up_collections: Cleans up Set. """ # Creating a system and account. system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup() # Cloud user session with "Privileged Access Service Administrator". cloud_user_session = users_and_roles.get_session_for_user('Privileged Access Service Administrator') user_name = cloud_user_session.auth_details['User'] user_id = cloud_user_session.auth_details['UserId'] # Assigning "Workspace Login" permission for account to limited user. rights = "View,Login,UserPortalLogin" assign_account_perm_res, assign_account_perm_success = \ ResourceManager.assign_account_permissions(core_session, rights, user_name, user_id, 'User', account_id) assert assign_account_perm_success, f'Failed to assign "Workspace Login" permission:' \ f'API response result:{assign_account_perm_res}' logger.info(f'Successfully "Workspace Login" of account permission to user"{assign_account_perm_res}"') # Assigning "View" permission for system to limited user. assign_system_perm_res, assign_system_perm_success = ResourceManager.assign_system_permissions(core_session, "View", user_name, user_id, 'User', system_id) assert assign_system_perm_success, f'Failed to assign "View" permissions: ' \ f'API response result {assign_system_perm_res}.' logger.info(f"Successfully assign system permission to user'{assign_system_perm_res}'") # Getting the details from "My System Accounts" in workspace and validating account not in "My System Accounts" # list. workspace_result, workspace_success = ResourceManager.get_my_system_accounts_from_workspace(cloud_user_session) assert sys_info[4] not in workspace_result, f'Could find the account:API response result:{workspace_result}' logger.info("Failed to display on Account on workspace") # Creating a set and adding a account to set. account_set_name = f'Set_test{guid()}' success, account_set_result = SetsManager.create_manual_collection(core_session, account_set_name, 'VaultAccount', object_ids=[account_id]) assert success, f"Failed to create system set {account_set_result}" logger.info(f'Successfully created set:{account_set_result}') # Getting the details of created_account_set in Accounts page and validating account is in created set. account_set_details = RedrockController.get_set_account_details(core_session, account_id=account_id, set_id=account_set_result) assert account_set_details[0]['User'] == sys_info[4], f'Fail to find the account{sys_info[4]}' logger.info(f'Successfully find "{account_set_details[0]["User"]}" in created set" {account_set_name}".') # Cleanup the created set. clean_up_collections.append(RedrockController.get_id_from_name(core_session, account_set_name, "Sets")) logger.info(f'Successfully deleted created set" {account_set_name}".')
def test_privilege_elevation_workflow_can_be_enabled_by_sys_admin( test_agent, cds_ui, cds_session, core_session): ui, ui_user = cds_ui session, user = cds_session main_admin_session = core_session main_admin_user = main_admin_session.get_user() server_id = test_agent.computerUuid permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount' result, success = ResourceManager.assign_system_permissions( main_admin_session, permission_string, ui_user.get_login_name(), ui_user.get_id(), "User", server_id) # Create an assignment at collection scope ui.navigate('Resources', 'Systems') ui.click_row_by_guid(server_id) ui.tab('Workflow') ui.select_option('PrivilegeElevationWorkflowEnabled', 'Yes') ui.switch_context(Component('privilegeElevationApproverGrid')) ui.button('Add') ui.select_option('Type', 'Specified User or Role') ui.launch_modal(Button('Add', 'inlineAddButton'), 'Select User or Role') ui.search(user.get_login_name()) ui.check_row(user.get_login_name()) ui.close_modal('Add') ui.save() time.sleep(20) request_settings = { 'assignment_type': 'Temporary', 'start_grant_value': '10', 'end_grant_value': '50', 'start_time_interval': 'hours', 'start_time_interval_value': 60, 'end_time_interval': 'hours', 'end_time_interval_value': 60, 'ticket': '1' } # Request twice so we can approve/reject _request_pe_permission(ui, request_settings, server_id) _request_pe_permission(ui, request_settings, server_id) jobs, is_get = WorkflowManager.get_my_jobs(session) request_jobs = [] options = None for i in jobs: if i['Row']['Context']['Scope'] == server_id: job = i['Row'] request_jobs.append(job) options = job['Context']['RequestedOptions'] assert options['StartGrantValue'] == int( request_settings['start_grant_value'] ), f'StartGrantValue is not correct in job context compared to ui entry' assert options['EndGrantValue'] == int( request_settings['end_grant_value'] ), f'EndGrantValue is not correct in job context compared to ui entry' assert options['StartTimeInterval'] == request_settings[ 'start_time_interval_value'], f'StartTimeInterval is not correct in job context compared to ui entry' assert options['EndTimeInterval'] == request_settings[ 'end_time_interval_value'], f'EndTimeInterval is not correct in job context compared to ui entry' approve_job = request_jobs[0] ui.navigate('Access', 'Requests') ui.click_row_by_guid(approve_job['ID']) ui.launch_modal('Approve', 'Approve Privilege Elevation Request') time.sleep(20) ui.button( 'Submit', expectations={ 'click_element_should_dissapear': True, 'seconds_to_wait': 60 #because Azure }) job = WorkflowManager.get_my_job(session, approve_job['ID']) assert job[ 'TargetPrincipalAction'] == 'Approved', f'PE workflow request should have been approved after UI interaction but it is not' reject_job = request_jobs[1] ui.navigate('Access', 'Requests') ui.click_row_by_guid(reject_job['ID']) ui.launch_modal('Reject', 'Reject Privilege Elevation Request') ui.input('Reason', 'Not today') time.sleep(20) ui.button( 'Submit', expectations={ 'click_element_should_dissapear': True, 'seconds_to_wait': 60 #because Azure }) job = WorkflowManager.get_my_job(session, reject_job['ID']) assert job[ 'TargetPrincipalAction'] == 'Rejected', f'PE workflow request should have been approved after UI interaction but it is not' system_direct_selector = GridRow(user.get_login_name()) # Look at the server directly, make sure the system assignment via workflow is there. ui.navigate('Resources', 'Systems') ui.click_row_by_guid(server_id) ui.tab('Privilege Elevation') ui.expect( system_direct_selector, 'Command assignment directly on system not present even though we just created it.' ) time.sleep(20)
def test_ui_check_after_request_login_checkout(core_session, pas_setup, get_limited_user_function): """ Test case: C2121 :param core_session: Authenticated Centrify session :param pas_setup: fixture to create system with accounts :param users_and_roles: fixture to create user with specific right """ system_id, account_id, sys_info = pas_setup limited_sesh, limited_user = get_limited_user_function username = limited_sesh.auth_details["User"] user_id = limited_sesh.auth_details['UserId'] result, status = ResourceManager.assign_system_permissions(core_session, "View,Edit", username, user_id, pvid=system_id) assert status, f'failed to assign "Edit" permission to user {username} for system {sys_info[0]}' logger.info( f'Edit permission assigned to user {username} for system {sys_info[0]}' ) # Assigning rights to cloud user, excluding checkout and Login right. rights = "View,Manage" result, success = ResourceManager.assign_account_permissions( core_session, rights, username, user_id, pvid=account_id) assert success, f'failed to assign rights: {rights} to cloud user {username} for account {sys_info[4]} ' \ f'of {sys_info[0]}.' logger.info( f'rights {rights} successfully assigned to to cloud user {username} for account {sys_info[4]} ' f'of {sys_info[0]}.') # enabling account workflow result, status = ResourceManager.update_account_with_approver( core_session, account_id, sys_info[4], system_id, core_session.get_user().get_id(), core_session.get_user().get_login_name()) assert status, f'failed to enable account workflow for account {sys_info[4]} of system {sys_info[0]}' logger.info( f'workflow enabled for account {sys_info[4]} of system {sys_info[0]}.') req_request, req_success = WorkflowManager.request_checkout( limited_sesh, account_id, starttime=None, endtime=None, accesstype="Login", assignmenttype="perm") assert req_success, "Workflow Request Failed" logger.info(f'Workflow Request is success: {req_request}') logger.info( f'user: {username} successfully requested for Login in account: {sys_info[4]}' ) # Step: Request login for an Account timenow = datetime.datetime.utcnow() start_time = str(timenow) end_time = str(timenow + datetime.timedelta(hours=1)) req_request, req_success = WorkflowManager.request_checkout( limited_sesh, account_id, start_time, end_time, "Reason: Testing", "Checkout") assert req_success, "Workflow checkout Request Failed" logger.info(f'Workflow checkout Request is success: {req_request}') logger.info( f'user: {username} successfully requested for checkout of account: {sys_info[4]}' ) test_description = f"Test description by user: {username}" result, success = ResourceManager.update_system( core_session, system_id, sys_info[0], sys_info[1], "Windows", description=test_description) assert success, f"Unable to add a description: {sys_info[0]}. API response result: {result}" logger.info( f'successfully updated the description of system: {sys_info[0]}') # Get computer details result = RedrockController.get_system(core_session, system_id) assert result[0]['Row'][ 'Description'] == test_description, f'System description is mismatched' logger.info( f'successfully matched the description of system: {sys_info[0]}')
def test_check_total_session(core_session, pas_setup, get_admin_user_function, users_and_roles): """ Test case: C2117 :param core_session: Authenticated Centrify session manager :param pas_setup: fixture to create system with accounts :param users_and_roles: fixture to create user with roles """ system_id, account_id, sys_info = pas_setup cloud_user_session, user = get_admin_user_function cloud_user, user_id, user_password = user.get_login_name(), user.get_id( ), user.get_password() user = {"Username": cloud_user, "Password": user_password} result, status = ResourceManager.assign_system_permissions( core_session, "View", principal=cloud_user, principalid=user_id, pvid=system_id) assert status, f'failed to assign view permission to user {cloud_user} for system {sys_info[0]}' logger.info( f'View permission assigned to user {cloud_user} for system {sys_info[0]}' ) result, status = ResourceManager.assign_account_permissions( core_session, "View,Login", principal=cloud_user, principalid=user_id, pvid=account_id) assert status, f'failed to assign view permission to user {cloud_user} for account {sys_info[4]}' logger.info( f'View permission assigned to user {cloud_user} for account {sys_info[4]}' ) # update system to allow system for RDP connections result, success = ResourceManager.update_system(core_session, system_id, sys_info[0], sys_info[1], sys_info[2], allowremote=True) assert success, f"failed to update system {sys_info[0]}, result is {result}" logger.info('system updated for remote connection') ui = users_and_roles.get_ui_as_user(user_properties=user, user_already_exists=True) ui.navigate('Resources', 'Systems') ui.search(sys_info[0]) ui.right_click_action(GridRowByGuid(system_id), 'Select/Request Account') ui.switch_context(Modal(text=f'{sys_info[0]} Login')) account_row = ui.expect( GridCell(sys_info[4]), f'Expected to find account row {sys_info[4]} but did not.') account_row.try_click() ui.close_modal('Select') ui.switch_to_pop_up_window() ui.expect_disappear(LoadingMask(), f'RDP session never exited loading state', time_to_wait=60) ui.switch_to_main_window() ui.user_menu('Reload Rights') # Api call to get details of account active session result, success = ResourceManager.get_active_sessions(core_session) active_session_list = [] for i in range(len(result)): if result[i]["HostName"] == sys_info[0]: active_session_list.append(result[i]["SessionID"]) assert active_session_list, f'Failed to find the login record with "System Name: {active_session_list}"' logger.info(f'Active session details:{active_session_list}')
def test_privilege_service_user_with_view_permission(core_session, pas_setup, get_limited_user_module): """ Test case: C286564 :- Privilege Service User with view permission should can see the related activity :param core_session: Authenticated Centrify session :param pas_setup: fixture to create system with account :param get_limited_user_module: creating cloud user with "Privileged Access Service Power User" right """ system_id, account_id, sys_info = pas_setup cloud_user_session, cloud_user = get_limited_user_module username = cloud_user.get_login_name() user_id = cloud_user.get_id() # "View" permission to cloud user for system result, success = ResourceManager.assign_system_permissions(core_session, "View", username, user_id, pvid=system_id) assert success, f'failed to assign view permission to user {username} for system {sys_info[0]}' logger.info( f'view permission for system {sys_info[0]} assigned to user {username}' ) # Activity validation of system by cloud user rows = ResourceManager.get_system_activity(cloud_user_session, system_id) assert rows[0][ 'Detail'] == f'{core_session.auth_details["User"]} granted User "{username}" to have "View" permissions on system ' \ f'"{sys_info[0]}"({sys_info[1]})', 'No activity related to view permission found ' logger.info( f'cloud user {username} can see all the activities of system {sys_info[0]}' ) # "View" permission to cloud user for account result, success = ResourceManager.assign_account_permissions( core_session, "View", username, user_id, pvid=account_id) assert success, f'failed to assign permissions "View" to {username} for account {sys_info[4]} ' \ f'for system {sys_info[0]}' logger.info( f'View permission for account {sys_info[4]} of system {sys_info[0]} to user {username}' ) # Activity validation of account by cloud user activity = RedrockController.get_account_activity(cloud_user_session, account_id) assert activity[0][ 'Detail'] == f'{core_session.auth_details["User"]} granted User "{username}" to have "View" permissions on local account' \ f' "{sys_info[4]}" for "{sys_info[0]}"({sys_info[1]}) with credential ' \ f'type Password ', 'No activity related to view permission found ' logger.info( f'cloud user {username} can see all the activities of account {sys_info[4]} of system {sys_info[0]}' ) # Created secret secret_name = f"test_secret{guid()}" status, parameters, secret_result = create_text_secret( core_session, secret_name, "test_secret_text") assert status, f'failed to create secret with returned result: {result}' logger.info( f'secret created successfully {result}, returned parameters are {parameters}' ) # Assigning view permission to secret to cloud user result, success = set_users_effective_permissions(core_session, username, "View", user_id, secret_result) assert success, f'failed to set permissions of secret for user {username}' logger.info( f'successfully granted "View" permission for secret to {secret_name} to user {username}' ) # Activity validation of secret by cloud user secret_activity = get_secret_activity(cloud_user_session, secret_result) assert f'{core_session.auth_details["User"]} granted User "{username}" to have "View" permissions on the ' \ f'secret "{secret_name}"' in secret_activity[0]['Detail'], 'No activity related to view permission found ' logger.info( f'cloud user {username} can see all the activities of secret of {secret_name}' )