def test_checkout_password_for_sql_unmanaged_account( core_session, add_database_with_account): """ Test case: C1101 - Checkout password for a SQL unmanaged account :param core_session: Authenticated centrify session :param add_database_with_account: fixture to create database with account as optional. """ db_name, db_id, db_account_id, db_data, database_cleaner_list, sql_account_cleaner_list = \ add_database_with_account(db_class='sql', add_account=True) result, status = ResourceManager.check_out_password( core_session, lifetime=15, accountid=db_account_id) assert status, f'failed to checkout account {db_data["db_account"]} password.' assert result['Password'] == db_data[ 'password'], "Checked out password dose'nt match the actual password" logger.info(f'{db_data["db_account"]} password check out successfully.') acc_activity = RedrockController.get_account_activity( core_session, db_account_id) assert f'{core_session.auth_details["User"]} checked out database account "{db_data["db_account"]}" password for ' \ f'database "{db_name}"' in \ acc_activity[0]['Detail'], f"no activity of checkout found for account {db_data['db_account']}" logger.info( f"There is a checkout record for the account {db_data['db_account']} in activity" )
def test_manage_account_for_valid_domain_account(domain_config_data, core_ui, core_session): """ TCID: C1330: Manage password using administrative account for a valid domain account :param core_ui: To Open the UI :param core_session: To create the session """ conf = domain_config_data name = conf['pas_bat_scenario1_infrastructure_data'][0] domain_name = name["Domain_name3"] data = conf['pas_scenario1_new_accounts'][0] account_name = data['Managed_account'] ui = core_ui ui.navigate("Resources", "Domains") ui.search(domain_name) ui.click_row(GridRow(domain_name)) ui.user_menu("Reload Rights") ui._waitUntilSettled() ui.launch_modal("Add", modal_title="Add Account") ui.input("User", account_name) ui.uncheck("IsManaged") ui.input("Password", "aaa") ui.check("IsManaged") check_disabled_textbox = ui.expect(DisabledTextBox("Password"), f'Text box is still enabled') assert check_disabled_textbox, f'Password Text Box is not disabled' ui.button("Add") ui.user_menu("Reload Rights") ui._waitUntilSettled() account_id = None results = ServerManager.get_all_accounts(core_session) for result in results: if result['User'] == account_name: account_id = result['ID'] while True: result, success = ResourceManager.get_account_information( core_session, account_id) if result['VaultAccount']['Row']['Status'] != "Missing Password": break else: continue activity = RedrockController.get_account_activity(core_session, account_id) detail = [] for activity_detail in activity: detail.append(activity_detail['Detail']) assert f'SYSTEM$ changed domain account "{account_name}" password for {domain_name}' in detail[ 0], f'could not able to change password' logger.info(f"detail list are: , {detail}") result, success = ResourceManager.del_account(core_session, account_id) assert success, f'Account did not get delete ' logger.info(f"result is, {result}")
def test_system_level_password_checkout_blank( core_session, pas_windows_setup, users_and_roles, update_tenant_multiple_checkouts): """ C1548 : System level password checkout set to '--' :param core_session: Authenticated Centrify Session :param pas_windows_setup: Added and return Windows system and Account associated to it. :param users_and_roles: Gets user and role on demand. """ system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup( ) user_session = users_and_roles.get_session_for_user( "Privileged Access Service Administrator") pas_admin = user_session.__dict__['auth_details'] # Setting 'Allow multiple password checkouts' policy to Uncheck on Global Security Setting page result, success = update_tenant_multiple_checkouts(core_session, False) assert success, f"Not able to disable 'Allow multiple password checkouts' policy on Global " \ f"Security Setting page. API response result: {result}." logger.info( f"'Allow multiple password checkouts' policy Unchecked on Global Security Setting page" ) # Assigning 'Checkout' permission to user for Account. account_result, account_success = ResourceManager.assign_account_permissions( core_session, 'Naked', pas_admin['User'], pas_admin['UserId'], 'User', account_id) assert account_success, f"Assign Checkout permission to account : {account_id} failed. " \ f"API response result: {account_result}" logger.info( f"'Checkout' permission given to user: {pas_admin['User']} for Account:{account_id}." ) # Checkout account while logged in as Cloud Admin admin_checkout_result, admin_checkout_success = ResourceManager.check_out_password( core_session, 1, account_id) assert admin_checkout_result['Password'] == user_password, f"Not able to checkout Account : {account_id}. API " \ f"response result: {admin_checkout_result} " logger.info(f"Account Checkout successful for Account :{account_id}.") # Checkout account while logged in as Privileged Access Service Administrator user_checkout_result, user_checkout_success = ResourceManager.check_out_password( user_session, 1, account_id) assert not user_checkout_success, f"Checkout Account successful : {account_id} : API response " \ f"result: {user_checkout_result}" logger.info(f"Not able to checkout Account : {account_id}") activity = RedrockController.get_account_activity(user_session, account_id)[0]['Detail'] assert 'Multiple checkouts not allowed' in activity, f"Checkout Failed activity not found " \ f"for account : {account_id}. API response result: {activity} " logger.info( f"Checkout Failed activity found in Activity for account : {account_id}" )
def test_update_unmanaged_account_password(core_session, setup_pas_system_for_unix): """ TC: C280138 - Update unmanaged account and check password history :param core_session: Authenticated Centrify session :param setup_pas_system_for_unix: Yields UUID for an added Unix system and an account associated to it. Steps: 1. Adding a valid system with managed account. 2. Change the password. 3. Check password change activity under "Account Activies". """ added_system_id, account_id, sys_info = setup_pas_system_for_unix # Updating Password for unmanaged account password_result, password_success = ResourceManager.update_password( core_session, account_id, guid()) assert password_success, f"Password updation failed with API response Result: {password_result}" logger.info(f"Password Updated successfully for account {account_id}") # Verify Account Activity after password updated activity_logs = RedrockController.get_account_activity( core_session, account_id) events = [] for activity in activity_logs: events.append(activity['EventType']) assert "Cloud.Server.LocalAccount.PasswordUpdate" in events, f"Password update activity not displayed under" \ f" Account Activity Section for Account : {account_id}" logger.info( f"Password updated record displayed in Account Activity section") # Verifying Password History for account password_history_records = RedrockController.get_password_history_with_id( core_session, account_id) assert password_history_records, f"Password updated history not found for account {account_id}" logger.info( f"Password history successfully retrieved for account: {account_id}")
def test_checkin_password_for_unmanaged_account(core_session, add_database_with_account): """ Test case: C1104 :param core_session: Authenticated centrify session :param add_database_with_account: fixture to create database with account as optional. """ db_name, db_id, db_account_id, db_data, database_cleaner_list, sql_account_cleaner_list = \ add_database_with_account(db_class='sql', add_account=True) checkout_result, status = ResourceManager.check_out_password( core_session, lifetime=15, accountid=db_account_id) assert status, f'failed to checkout account {db_data["db_account"]} password. returned result is {checkout_result}' assert checkout_result['Password'] == db_data[ 'password'], "Checked out password dose'nt match the actual password" logger.info(f'{db_data["db_account"]} password check out successfully.') result, status = ResourceManager.check_in_password(core_session, checkout_result['COID']) assert status, f'failed to checkin password for account {db_data["db_account"]}, return result is {result}' logger.info( f'account {db_data["db_account"]} password checked in successfully') acc_activity = RedrockController.get_account_activity( core_session, db_account_id) assert f'{core_session.auth_details["User"]} checked in database account "{db_data["db_account"]}" password for ' \ f'database "{db_name}"' in \ acc_activity[0]['Detail'], f"no activity of checkout found for account {db_data['db_account']}" logger.info( f"There is a checkout record for the account {db_data['db_account']} in activity" ) for activity in acc_activity: assert 'Reason: Change password after checked-in' not in activity[ 'Detail'], f'activity for change password behavior found.' logger.info('activity for change password behavior not found.')
def test_add_managed_account_without_password(domain_config_data, core_session, core_ui): """ TCID: C1329: Add a managed account without password :param core_ui: To Open the UI :param core_session: To create the session """ conf = domain_config_data name = conf['pas_bat_scenario1_infrastructure_data'][0] domain_name = name["Domain_name3"] data = conf['pas_scenario1_new_accounts'][0] account_name = data['Managed_account'] ui = core_ui ui.navigate("Resources", "Domains") ui.search(domain_name) ui.click_row(GridRow(domain_name)) ui.user_menu("Reload Rights") ui._waitUntilSettled() ui.launch_modal("Add", modal_title="Add Account") ui.expect(CheckedCheckbox("IsManaged"), f'Checkbox is not checked already') expected_tooltip_value = "When enabled, the domain administrative account is used to set and manage a password for this account." ui.input("User", account_name) tooltip_element = ui._searchAndExpect( HoverOnToolTip("x-img tooltip-icon x-box-item x-img-default"), f'Could not able to get the tooltip value') tooltip_element.try_click() actual_tooltip_value = ui._searchAndExpect( Div(expected_tooltip_value), f'could not able to find the tool tip value') actual_tooltip_message = actual_tooltip_value.text assert expected_tooltip_value in actual_tooltip_message, f'tooltip text is not matching' logger.info(f"ToolTip text: {actual_tooltip_value}") ui.button("Add") ui.user_menu("Reload Rights") ui._waitUntilSettled() account_id = None results = ServerManager.get_all_accounts(core_session) for result in results: if result['User'] == account_name: account_id = result['ID'] ui.expect(GridCell("Missing Password"), f'Password is not missing') while True: result, success = ResourceManager.get_account_information( core_session, account_id) if result['VaultAccount']['Row']['Status'] != "Missing Password": break else: continue activity = RedrockController.get_account_activity(core_session, account_id) detail = [] for activity_logs in activity: detail.append(activity_logs['Detail']) assert f'SYSTEM$ changed domain account "{account_name}" password for {domain_name}' in detail[0], \ f'could not able to change password' logger.info(f"ToolTip text: {detail}") result, success = ResourceManager.del_account(core_session, account_id) assert success, f"Account did not get deleted" logger.info(f"deleted account response: {success}")
def test_changed_unmanaged_to_managed(domain_config_data, get_admin_user_function, core_session, core_ui): """ TCID: C1331, Add an unmanaged account without password and changed unmanaged to managed :return: """ conf = domain_config_data name = conf['pas_bat_scenario1_infrastructure_data'][0] domain_name = name["Domain_name3"] script = "Select * FROM VaultDomain" request = RedrockController.redrock_query(core_session, script) directory_service_ID = None directory_service_Name = None directory_service_Admin_ID = None for directory_service in request: directory_service = directory_service['Row'] if directory_service['Name'] == name["Domain_name3"]: directory_service_ID = directory_service['ID'] directory_service_Name = directory_service['Name'] directory_service_Admin_ID = directory_service['Administrator'] break permissions = "Grant,View,Edit,Delete,AddAccount" result, add_domain_account_success = ResourceManager.set_domain_account_permissions(core_session, permissions, "System Administrator", "sysadmin", id=directory_service_ID, ptype="Role", pvid=directory_service_ID, rowkey=directory_service_ID) assert add_domain_account_success, f'Failed to set add account permission in the domain {result}' logger.info(f"add account permission set successfully in the Domain.") account, add_domain_success = ResourceManager.get_administrative_account(core_session, "administrator") logger.info(f" Successfully get Domain for adding Administrative account.") assert add_domain_success, f'Failed to get Domain account {account}' name = conf['pas_bat_scenario1_infrastructure_data'] pvid = account[0] domains_name = account[0] domain_name_list = [] for domain_name in name: for key, value in domain_name.items(): domain_name_list.append(value) logger.info(f"Set Administrative account for Domain. {domain_name_list}") result, add_admin_account_success, message = ResourceManager.set_administrative_account(core_session, domain_name_list, pvid=pvid['PVID'], user=domains_name[ 'FullyQualifiedName']) assert add_admin_account_success, f'Failed to set administrative account {message}' logger.info(f"Administrative account Set successfully in the Domain.{message}") result, success = ResourceManager.update_domain_accounts(core_session, directory_service_Name, directory_service_Admin_ID, directory_service_ID, allowautomaticaccountmaintenance=True) assert success, f'failed to update the domain' logger.info(f"update account successfully in the Domain{result}") data = conf['pas_scenario1_new_accounts'][0] account_name = data['Managed_account'] ui = core_ui ui.navigate("Resources", "Domains") ui.search(domain_name['Domain_name3']) ui.click_row(GridRow(domain_name['Domain_name3'])) ui.user_menu("Reload Rights") ui._waitUntilSettled() ui.launch_modal("Add", modal_title="Add Account") ui.input("User", account_name) ui.uncheck("IsManaged") ui.button("Add") ui.expect(GridCell("Missing Password"), f'Password is not missing') ui.right_click(GridCell(account_name)) right_click_values = ui.get_list_of_right_click_element_values("Update Password") assert "Checkout" not in right_click_values, f'Checkout option is appeared' logger.info(f"All right click option:{right_click_values}") account_id = None results = ServerManager.get_all_accounts(core_session) for result in results: if result['User'] == account_name: account_id = result['ID'] added_account = ui._searchAndExpect(GridCell(account_name), f'account is not getting added') added_account.try_click() ui._waitUntilSettled() ui.tab("Settings") ui.check("IsManaged") ui.save() ui._waitUntilSettled() ui.expect(DisabledButton("Save"), f'Account did not get managed') result = RedrockController.get_account_activity(core_session, account_id) counter = 0 while counter < 10: result = RedrockController.get_account_activity(core_session, account_id) if result[0]['Detail'].__contains__("SYSTEM$"): break counter += 1 assert f'SYSTEM$ changed domain account "{account_name}" password for {domain_name["Domain_name3"]}' in result[0]['Detail'], f'could not able to change password' logger.info(f"All Activity's are: , {result}") result, success = ResourceManager.del_account(core_session, account_id) assert success, f'Account did not get delete{result}' logger.info(f"Account got deleted successfully, {result}")
def test_check_permission_name_on_portal(core_session, pas_setup, clean_up_collections): """ Test case: C2059 :param core_session: Authenticated Centrify Session :param pas_setup: fixture to create system with accounts in portal :param core_admin_ui: Authenticated Centrify ui session """ system_id, account_id, sys_info = pas_setup # Getting the Id of the user. user_details = core_session.__dict__ user_id = user_details['auth_details']['UserId'] User_name = user_details['auth_details']['User'] # Assigning 'UserPortalLogin' permission to user for account. account_result, account_success = ResourceManager.assign_account_permissions(core_session, 'UserPortalLogin', User_name, user_id, 'User', account_id) assert account_success, f"Failed to give 'UserPortalLogin' permission to user: {User_name} for " \ f"Account: {account_id}. API response 'Result': {account_result}" logger.info(f"'UserPortalLogin' permission given to user: {User_name} for Account:{account_id}.") # Fetching account information to validate desired account is un managed result, status = ResourceManager.get_account_information(core_session, account_id) assert status, f"failed to retrieve account information, returned result is {result}" set_name = f"test_setname{guid()}" status, set_result = SetsManager.create_manual_collection(core_session, set_name, "VaultAccount", object_ids=[account_id]) assert status, f"failed to create set {set_name}, returned result is {set_result}" logger.info(f"set {set_name} created for account {sys_info[4]} of system {sys_info[0]}") clean_up_collections.append(set_result) # Set cleanup list # "Workspace Login" rather than "Portal Login" in granted permission activity result, success = ResourceManager.assign_account_permissions(core_session, "UserPortalLogin", User_name, user_id, pvid=account_id) assert success, f'failed to assign permissions "UserPortalLogin" to ' \ f'{User_name} for account {sys_info[4]} ' \ f'for system {sys_info[0]}' activity = RedrockController.get_account_activity(core_session, account_id) assert activity[0]['Detail'] == f'{User_name} granted User "{User_name}" to have "Workspace Login" permissions ' \ f'on local account "{sys_info[4]}" for "{sys_info[0]}"({sys_info[1]})' \ f' with credential type Password ', 'No Workspace Login keyword found in ' \ 'retrieved permission activity ' logger.info(f'Displayed "Workspace Login" rather than "Portal Login" in granted permission activity for ' f'account {sys_info[4]}') status, result, SetsManager.set_collection_member_permission(core_session, User_name, user_id, "UserPortalLogin", set_result) assert status, f'failed to assign workspace login permission to ' \ f'user {User_name} for set {set_name}' logger.info(f'successfully assigned work space login permission to user {User_name}.') # "Workspace Login" in set activity set_activity_rows = ResourceManager.get_activity_for_collection(core_session, set_result) assert set_activity_rows[0]['Detail'] == f'{User_name} granted User ' \ f'"{User_name}" to have ' \ f'"Workspace Login" permissions on the account set "{set_name}"', \ f'failed to get {set_name} activity for permissions' logger.info(f'displayed "Workspace Login" in activity in set {set_name} activity') # displayed "Workspace Login" in user profile activity user_profile_activity = RedrockController.get_user_activity_profile(core_session, user_id) counter = 0 while counter < 10: user_profile_activity = RedrockController.get_user_activity_profile(core_session, user_id) if user_profile_activity[0]['EventMessage'].__contains__(sys_info[0]): break counter += 1 assert user_profile_activity[0]['EventMessage'] == f'{User_name} ' \ f'granted User "{User_name}" to have "Workspace Login" ' \ f'permissions on local account "{sys_info[4]}" ' \ f'for "{sys_info[0]}"({sys_info[1]}) with credential type ' \ f'Password ', \ f'No Workspace Login keyword found in retrieved permission activity ' logger.info('displayed "Workspace Login" in user profile activity')
def test_system_local_account_level(core_session, pas_config, remote_users_qty1, cleanup_accounts, cleanup_resources): """ TC C282671: System Local Account Level. :param cleanup_resources: cleanup for systems. :param core_session: Authenticates API session :param pas_config: returns yaml object :param remote_users_qty1: Creates account in target system. :param cleanup_accounts: cleanup for account. """ systems_list = cleanup_resources[0] accounts_list = cleanup_accounts[0] # Getting system details. sys_name = f"{'Win-2012'}{guid()}" sys_details = pas_config sys_fqdn = sys_details['Windows_infrastructure_data']['FQDN'] add_user_in_target_system = remote_users_qty1 user_password = '******' # Adding system. add_sys_result, add_sys_success = ResourceManager.add_system( core_session, sys_name, sys_fqdn, 'Windows', "Rdp") assert add_sys_success, f"failed to add system:API response result:{add_sys_result}" logger.info(f"Successfully added system:{add_sys_result}") systems_list.append(add_sys_result) # Adding account in portal. acc_result, acc_success = ResourceManager.add_account( core_session, add_user_in_target_system[0], password=user_password, host=add_sys_result, ismanaged=True) assert acc_success, f"Failed to add account in the portal: {acc_result}" logger.info( f"Successfully added account {add_user_in_target_system[0]} in the portal" ) accounts_list.append(acc_result) # Setting the lifetime checkout for account to 15 min. default_checkout_lifetime = 15 updated_account_result, update_account_success = \ ResourceManager.update_account(core_session, acc_result, add_user_in_target_system[0], host=add_sys_result, default_checkout_time=default_checkout_lifetime) assert update_account_success, f"Failed to add default checkout time: API response result:{updated_account_result}" logger.info( f'Successfully added default checkout time: {updated_account_result}"') # Setting the lifetime checkout for system to 60 min. updated_sys_result, update_sys_success = ResourceManager.update_system( core_session, add_sys_result, sys_name, sys_fqdn, 'Windows', defaultcheckouttime=60) assert update_sys_success, f"Failed to add default checkout time: API response result:{updated_account_result}" logger.info( f'Successfully added default checkout time: {updated_sys_result}"') # Checking the default account password set to default ie 60 min. default_account_password_chk_lifetime = 60 results, success = ServerManager.get_server_settings(core_session, key='policy') assert results['DefaultCheckoutTime'] == default_account_password_chk_lifetime, \ f"account password checkout lifetime is not {default_account_password_chk_lifetime} " # Checkout account. checkout_result, checkout_success = ResourceManager.check_out_password( core_session, 15, acc_result) assert checkout_success, f"Fail to checkout account : {acc_result} : API response " \ f"result: {checkout_result}" logger.info(f"Successfully checked account : {checkout_result}") # Checking the checkout in the workspace and validating the checkout lifetime. checkout_remaining_time = str(default_checkout_lifetime - 1) checkout_accounts = RedrockController.get_password_checkout_from_workspace( core_session, core_session.auth_details['UserId']) for checkout_account in checkout_accounts: if checkout_account['ID'] == checkout_result['COID']: assert checkout_account['Remaining'].split()[0] == checkout_remaining_time,\ f"Fail to find the remaining checkout time equal to {checkout_remaining_time} " logger.info( " Successfully found the checkout activity in workspace.") # Trying to checkout once again,expecting a null checkout ID. failed_checkout_result, failed_checkout_success = ResourceManager.check_out_password( core_session, 15, acc_result) assert failed_checkout_result['COID'] is None, f"checkout account ID generated for : " \ f"{add_user_in_target_system[0]}:" \ f"API response result: {failed_checkout_result}" logger.info(f"Check in option is action enable : {failed_checkout_result}") # Checking out checkout activity. acc_activity = RedrockController.get_account_activity( core_session, acc_result) assert f'{core_session.auth_details["User"]} checked out local account "{add_user_in_target_system[0]}" password ' \ f'for system "{sys_name}"({sys_fqdn})' in \ acc_activity[0]['Detail'], f"no activity of checkout found for account {add_user_in_target_system[0]}" logger.info( f"There is a checkout record for the account {add_user_in_target_system[0]} in activity" )
def test_privilege_service_user_with_view_permission(core_session, pas_setup, get_limited_user_module): """ Test case: C286564 :- Privilege Service User with view permission should can see the related activity :param core_session: Authenticated Centrify session :param pas_setup: fixture to create system with account :param get_limited_user_module: creating cloud user with "Privileged Access Service Power User" right """ system_id, account_id, sys_info = pas_setup cloud_user_session, cloud_user = get_limited_user_module username = cloud_user.get_login_name() user_id = cloud_user.get_id() # "View" permission to cloud user for system result, success = ResourceManager.assign_system_permissions(core_session, "View", username, user_id, pvid=system_id) assert success, f'failed to assign view permission to user {username} for system {sys_info[0]}' logger.info( f'view permission for system {sys_info[0]} assigned to user {username}' ) # Activity validation of system by cloud user rows = ResourceManager.get_system_activity(cloud_user_session, system_id) assert rows[0][ 'Detail'] == f'{core_session.auth_details["User"]} granted User "{username}" to have "View" permissions on system ' \ f'"{sys_info[0]}"({sys_info[1]})', 'No activity related to view permission found ' logger.info( f'cloud user {username} can see all the activities of system {sys_info[0]}' ) # "View" permission to cloud user for account result, success = ResourceManager.assign_account_permissions( core_session, "View", username, user_id, pvid=account_id) assert success, f'failed to assign permissions "View" to {username} for account {sys_info[4]} ' \ f'for system {sys_info[0]}' logger.info( f'View permission for account {sys_info[4]} of system {sys_info[0]} to user {username}' ) # Activity validation of account by cloud user activity = RedrockController.get_account_activity(cloud_user_session, account_id) assert activity[0][ 'Detail'] == f'{core_session.auth_details["User"]} granted User "{username}" to have "View" permissions on local account' \ f' "{sys_info[4]}" for "{sys_info[0]}"({sys_info[1]}) with credential ' \ f'type Password ', 'No activity related to view permission found ' logger.info( f'cloud user {username} can see all the activities of account {sys_info[4]} of system {sys_info[0]}' ) # Created secret secret_name = f"test_secret{guid()}" status, parameters, secret_result = create_text_secret( core_session, secret_name, "test_secret_text") assert status, f'failed to create secret with returned result: {result}' logger.info( f'secret created successfully {result}, returned parameters are {parameters}' ) # Assigning view permission to secret to cloud user result, success = set_users_effective_permissions(core_session, username, "View", user_id, secret_result) assert success, f'failed to set permissions of secret for user {username}' logger.info( f'successfully granted "View" permission for secret to {secret_name} to user {username}' ) # Activity validation of secret by cloud user secret_activity = get_secret_activity(cloud_user_session, secret_result) assert f'{core_session.auth_details["User"]} granted User "{username}" to have "View" permissions on the ' \ f'secret "{secret_name}"' in secret_activity[0]['Detail'], 'No activity related to view permission found ' logger.info( f'cloud user {username} can see all the activities of secret of {secret_name}' )