def test_cannot_manage_accounts_without_permission(
core_session,
remote_unmanaged_users_with_mirrored_managed_local_users_qty3,
windows_test_machine_config, users_and_roles):
right_data = [
"Privileged Access Service Power User",
"role_Privileged Access Service Power User"
]
requestor_session = users_and_roles.get_session_for_user(right_data[0])
results_role = users_and_roles.get_role(right_data[0])
account_ids = remote_unmanaged_users_with_mirrored_managed_local_users_qty3
job_id, success = ResourceManager.manage_multiple_accounts(
requestor_session, account_ids)
assert success, "Did not kick off bulk manage accounts job"
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
# Validates accounts are still not managed.
_validate_accounts_are_not_managed(requestor_session, account_ids, job_id)
permission_string = "Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword,FileTransfer,UserPortalLogin"
account_id = account_ids[
2] # Grant permission to only one of the accounts, the middle one
result, success = ResourceManager.assign_account_permissions(
core_session, permission_string, results_role['Name'],
results_role['ID'], "Role", account_id)
assert success, "Did not set account permissions " + str(result)
job_id, success = ResourceManager.manage_multiple_accounts(
requestor_session, account_ids)
assert success, "Did not kick off bulk rotate passwords job"
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
# Validate the one account is managed.
_validate_accounts_are_not_managed(requestor_session,
[account_ids[0], account_ids[1]],
job_id)
_validate_accounts_are_managed(requestor_session, [account_ids[2]], job_id)
user_info = requestor_session.get_current_session_user_info().json(
)['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Failure.Multi'
start_message = f'{username} initiated management of {len(account_ids)} accounts'
end_message = f'{username} failed to manage 2 of 3 accounts'
RedrockController.expect_event_message_by_type(core_session, start_type,
start_message)
RedrockController.expect_event_message_by_type(core_session, end_type,
end_message)
def test_app_management_user_can_create_job_but_not_delete_servers(clean_bulk_delete_systems_and_accounts, core_session,
core_tenant, clean_users, users_and_roles,
list_of_created_systems):
batch = ResourceManager.add_multiple_systems_with_accounts(core_session, 3, 2, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch])
requestor_session = users_and_roles.get_session_for_user('Application Management')
user_info = requestor_session.get_current_session_user_info().json()['Result']
all_systems = batch.keys()
job_id, result = ResourceManager.del_multiple_systems(requestor_session, all_systems)
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
assert len(
ResourceManager.get_multi_added_system_ids(core_session, all_systems)) == 3, "Wrong number of remaining systems"
assert len(ResourceManager.get_multi_added_account_ids(core_session,
all_systems)) == 6, "Wrong number of remaining accounts"
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.BulkSystemDelete.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.BulkSystemDelete.Failure.Multi'
start_message = f'{username} initiated delete of {len(all_systems)} systems'
end_message = f'{username} failed to delete {len(all_systems)} of {len(all_systems)} systems'
RedrockController.expect_event_message_by_type(core_session, start_type, start_message)
RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_cannot_rotate_passwords_without_permission(core_session, remote_users_with_mirrored_managed_local_users_qty3,
windows_test_machine_config, users_and_roles):
right_data = ["Privileged Access Service Power User", "role_Privileged Access Service Power User"]
requestor_session = users_and_roles.get_session_for_user(right_data[0])
results_role = users_and_roles.get_role(right_data[0])
remote_ip = windows_test_machine_config['ip_address']
account_ids, accounts = BulkOperations.grab_relevant_users(core_session, remote_users_with_mirrored_managed_local_users_qty3)
passwords_fetched = BulkOperations.checkout_users(core_session, accounts)
job_id, success = ResourceManager.rotate_multiple_passwords(requestor_session, account_ids)
assert success, "Did not kick off bulk rotate passwords job"
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
BulkOperations.validate_users_with_login(remote_ip, passwords_fetched) # Verify passwords are still right
permission_string = "Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword,FileTransfer," \
"UserPortalLogin "
account_id = passwords_fetched[1][3] # Grant permission to only one of the accounts, the middle one
result, success = ResourceManager.assign_account_permissions(core_session, permission_string,
results_role['Name'], results_role['ID'],
"Role", account_id)
assert success, "Did not set account permissions " + str(result)
job_id, success = ResourceManager.rotate_multiple_passwords(requestor_session, account_ids)
assert success, "Did not kick off bulk rotate passwords job"
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
BulkOperations.validate_users_with_login(remote_ip, passwords_fetched, [True, False, True])
user_info = requestor_session.get_current_session_user_info().json()['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Failure.Multi'
start_message = f'{username} initiated password rotation of {len(account_ids)} accounts'
end_message = f'{username} failed to rotate 2 of 3 account passwords'
RedrockController.expect_event_message_by_type(core_session, start_type, start_message)
RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_other_user_cant_see_secret_created_by_first_user(core_session, users_and_roles, created_system_id_list,
swap_roles):
roles = ["Privileged Access Service Administrator", "Privileged Access Service Power User"]
if swap_roles:
roles_new = [roles[1], roles[0]]
roles = roles_new
batch = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 2, created_system_id_list)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch])
deleter_user_0_session = users_and_roles.get_session_for_user(roles[0])
deleter_user_0_role = users_and_roles.get_role(roles[0])
deleter_user_0_role_name = deleter_user_0_role['Name']
deleter_user_0_role_id = deleter_user_0_role['ID']
other_user_1_session = users_and_roles.get_session_for_user(roles[1])
for account_id in all_accounts:
permission_string = 'Owner,View,Manage,Delete,Login,Naked,UpdatePassword,FileTransfer,UserPortalLogin'
result, success = ResourceManager.assign_account_permissions(core_session, permission_string,
deleter_user_0_role_name, deleter_user_0_role_id,
"Role", account_id)
assert success, "Did not set account permissions " + str(result)
for system_id in all_systems:
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(core_session, permission_string,
deleter_user_0_role_name, deleter_user_0_role_id,
"Role", system_id)
assert success, "Did not set system permissions " + result
secret_name = f"secret{guid()}"
job_id, result = ResourceManager.del_multiple_systems(deleter_user_0_session, batch.keys(), secretname=secret_name)
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
remaining_accounts = set(ResourceManager.get_multi_added_account_ids(core_session, created_system_id_list))
remaining_systems = set(ResourceManager.get_multi_added_system_ids(core_session, created_system_id_list).values())
assert remaining_accounts == set(), "Remaining accounts did not match expectation"
assert remaining_systems == set(), "Remaining systems did not match expectation"
secret_id = RedrockController.get_secret_id_by_name(deleter_user_0_session, secret_name)
assert secret_id is not None, f"Secret was not visible to creator '{roles[0]}' user, either because it wasn't created or because of a permissions issue"
secret_id = RedrockController.get_secret_id_by_name(other_user_1_session, secret_name)
assert secret_id is None, f"Secret should not be '{roles[1]}' user when created by '{roles[0]}' user"
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, f"Sys admin should be able to see secret created by {roles[0]}"
def test_app_management_user_can_create_job_but_not_delete_accounts(
clean_bulk_delete_systems_and_accounts, core_session, core_tenant,
clean_users, users_and_roles, list_of_created_systems):
batch = ResourceManager.add_multiple_systems_with_accounts(
core_session, 2, 2, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch])
assert len(
ResourceManager.get_multi_added_system_ids(
core_session,
all_systems)) == 2, "Added systems not reflected in search"
assert len(
ResourceManager.get_multi_added_account_ids(
core_session,
all_systems)) == 4, "Added accounts not reflected in search"
requestor_session = users_and_roles.get_session_for_user(
'Application Management')
job_id, result = ResourceManager.del_multiple_accounts(
requestor_session, all_accounts)
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
assert len(ResourceManager.get_multi_added_system_ids(core_session,
all_systems)) == 2, \
"Expected 2 added systems to be found, but received different number"
assert len(ResourceManager.get_multi_added_account_ids(core_session,
all_systems)) == 4, \
"Expected 4 added accounts to be found, but received different number"
user_info = requestor_session.get_current_session_user_info().json(
)['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.BulkAccountDelete.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.BulkAccountDelete.Failure.Multi'
start_message = f'{username} initiated delete of {len(all_accounts)} accounts'
end_message = f'{username} failed to delete {len(all_accounts)} of {len(all_accounts)} accounts'
RedrockController.expect_event_message_by_type(core_session, start_type,
start_message)
RedrockController.expect_event_message_by_type(core_session, end_type,
end_message)
def test_add_and_delete_system_with_multiple_benchmarks_per_test(
core_session, created_system_id_list, csv_benchmark):
"""
This test demonstrates measuring multiple things within the same pytest test
See example output at bottom of this file
"""
start, end, info = csv_benchmark
info(filenamesuffix="Bulk System Delete Time Test")
for i in range(3):
info(row=f"Test Run {i+1}")
info(column="Generate Systems")
start()
batch = ResourceManager.add_multiple_systems_with_accounts(
core_session, 2, 2, created_system_id_list)
end()
secret_name = f"secret{guid()}"
info(column="Delete Job")
start()
job_id, result = ResourceManager.del_multiple_systems(
core_session, batch.keys(), secretname=secret_name)
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
end()
info(column="Query Systems and Accounts")
start()
remaining_accounts = set(
ResourceManager.get_multi_added_account_ids(
core_session, created_system_id_list))
remaining_systems = set(
ResourceManager.get_multi_added_system_ids(
core_session, created_system_id_list).values())
assert remaining_accounts == set(
), "Remaining accounts did not match expectation"
assert remaining_systems == set(
), "Remaining systems did not match expectation"
end()
info(column="Query Secret")
start()
secret_id = RedrockController.get_secret_id_by_name(
core_session, secret_name)
assert secret_id is not None, "No secret was created"
end()
def test_power_user_cant_see_secret_created_by_sysadmin_bsd(core_session, users_and_roles, created_system_id_list):
batch = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 2, created_system_id_list)
secret_name = f"secret{guid()}"
job_id, result = ResourceManager.del_multiple_systems(core_session, batch.keys(), secretname=secret_name)
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
remaining_accounts = set(ResourceManager.get_multi_added_account_ids(core_session, created_system_id_list))
remaining_systems = set(ResourceManager.get_multi_added_system_ids(core_session, created_system_id_list).values())
assert remaining_accounts == set(), "Remaining accounts did not match expectation"
assert remaining_systems == set(), "Remaining systems did not match expectation"
requester_session = users_and_roles.get_session_for_user("Privileged Access Service Power User")
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, "No secret was created"
secret_id = RedrockController.get_secret_id_by_name(requester_session, secret_name)
assert secret_id is None, "Secret should not be visible to Privileged Access Service Power User"
def test_missing_permissions_on_bsd_accounts_and_systems(core_session, users_and_roles, created_system_id_list,
explicit_missing_delete_permission):
"""
Make three systems, with accounts
System 0 - Delete permissions on every account and on system
System 1 - Delete permissions on HALF its accounts and on system
System 2 - Delete permissions on every of its accounts, but not on system
Then Bulk System Delete. All accounts with delete permissions will be gone. Systems 0 and 1 will remain.
:param explicit_missing_delete_permission: If True, the permission string will be set without Delete. If False, the permissions will not be modified (with Delete missing assumed)
:param core_session: Authenticated Centrify Session.
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param created_system_id_list: A list for holding created systems, that will be deleted after the test
:return:
"""
original_systems = 3
original_accounts_per_system = 4
batch = ResourceManager.add_multiple_systems_with_accounts(core_session, original_systems,
original_accounts_per_system, created_system_id_list)
# These two variables will have extra set items added below from System 1
deleted_accounts, expected_preserved_accounts = set(batch[created_system_id_list[0]]).union(
set(batch[created_system_id_list[2]])), set()
split1, split2 = DataManipulation.shuffle_and_split_into_two_lists(batch[created_system_id_list[1]])
deleted_accounts = deleted_accounts.union(set(split1))
expected_preserved_accounts = expected_preserved_accounts.union(set(split2))
# System 1 fails to delete because some of its child accounts are not deleted
# System 2 fails for missing delete permission
expected_preserved_systems = {created_system_id_list[1], created_system_id_list[2]}
delete_system_permissions = {created_system_id_list[0], created_system_id_list[1]}
requester_session = users_and_roles.get_session_for_user("Privileged Access Service Power User")
results_role = users_and_roles.get_role("Privileged Access Service Power User")
for account_id in deleted_accounts:
permission_string = 'Owner,View,Manage,Delete,Login,Naked,UpdatePassword,FileTransfer,UserPortalLogin'
result, success = ResourceManager.assign_account_permissions(core_session, permission_string,
results_role['Name'], results_role['ID'], "Role",
account_id)
assert success, "Did not set account permissions " + str(result)
if explicit_missing_delete_permission:
for account_id in expected_preserved_accounts:
permission_string = 'Owner,View,Manage,Login,Naked,UpdatePassword,FileTransfer,UserPortalLogin'
result, success = ResourceManager.assign_account_permissions(core_session, permission_string,
results_role['Name'], results_role['ID'],
"Role", account_id)
assert success, "Did not set account permissions " + str(result)
for system_id in created_system_id_list:
if system_id in delete_system_permissions:
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
else:
if not explicit_missing_delete_permission:
continue
permission_string = 'Grant,View,Edit,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(core_session, permission_string,
results_role['Name'], results_role['ID'], "Role",
system_id)
assert success, "Did not set system permissions " + result
job_id, result = ResourceManager.del_multiple_systems(requester_session, batch.keys())
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
remaining_accounts = set(ResourceManager.get_multi_added_account_ids(core_session, created_system_id_list))
remaining_systems = set(ResourceManager.get_multi_added_system_ids(core_session, created_system_id_list).values())
assert remaining_accounts == expected_preserved_accounts, "Remaining accounts did not match expectation"
assert remaining_systems == expected_preserved_systems, "Remaining systems did not match expectation"
