def test_unlock_user_account(
create_user_with_policy_enable_self_service_unlock_account,
core_session_unauthorized, core_session):
"""
Lock user via enter wrong password, then unlock User Account
"""
user = create_user_with_policy_enable_self_service_unlock_account
i = 0
# Do fail to login 3 times, then the user be locked automatically
while i < 3:
i = i + 1
r = core_session_unauthorized.start_authentication(
user.get_login_name())
result = r.json()['Result']
assert 'Challenges' in result, f'This user does not have MFA challenges!'
mechanisms1 = result['Challenges'][0]['Mechanisms']
mechanisms2 = result['Challenges'][1]['Mechanisms']
sq_mech_id = None
for mechanism in mechanisms1:
if mechanism['Name'] == 'SQ':
sq_mech_id = mechanism['MechanismId']
sq_mechanism = mechanism
break
assert sq_mech_id is not None, 'Security question MechanismId does not exist!'
security_questions = user.get_security_questions()
core_session_unauthorized.sq_advance_authentication(
security_questions, sq_mechanism, sq_mech_id)
up_mech_id = None
for mechanism in mechanisms2:
if mechanism['Name'] == 'UP':
up_mech_id = mechanism['MechanismId']
break
assert up_mech_id is not None, 'Password MechanismId does not exist!'
# use wrong password to login
r = core_session_unauthorized.advance_authentication(
answer=user.get_password() + ",", mechanism_id=up_mech_id)
assert r.json()['success'] is False, 'Authentication passed!'
# Check user was locked
uid = UserManager.get_user_id(core_session, user.get_login_name())
user_attr = UserManager.get_user(core_session, uid)
assert user_attr['DisplayName'] in user.get_login_name(
), 'Get locked user name is wrong!'
assert user_attr['State'] == "Locked", 'Get user state is not be Locked!'
# unlock user
r = UserManager.set_user_state(core_session, uid, False)
assert r, "set user state fail"
# Check user was unlocked
user_attr = UserManager.get_user(core_session, uid)
assert user_attr['DisplayName'] in user.get_login_name(
), 'Get locked user name is wrong!'
assert user_attr['State'] == "None", 'Get user state is not None!'
def test_bulk_account_delete_generates_secret_with_ssh_accounts(
clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, secret_cleaner, core_tenant):
batch1 = ResourceManager.add_multiple_ssh_systems_with_accounts(
core_session,
2,
2,
list_of_created_systems,
system_prefix=f'test_ssh',
user_prefix=f'test_usr_ssh')
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch1])
secret_name = "TestSecret-" + str(
ResourceManager.time_mark_in_hours()) + "-" + guid()
result, success = ResourceManager.del_multiple_accounts(
core_session,
all_accounts,
save_passwords=True,
secret_name=secret_name)
assert success, "Api did not complete successfully for bulk account delete MSG: " + result
ResourceManager.wait_for_secret_to_exist_or_timeout(
core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(
core_session, secret_name)
assert secret_id is not None, "Secret not found"
secret_cleaner.append(secret_id)
assert len(
ResourceManager.get_multi_added_account_ids(
core_session,
all_systems)) == 0, "Expected zero added accounts remain"
user_name = core_tenant['admin_user']
user_id = UserManager.get_user_id(core_session, user_name)
result, success = set_users_effective_permissions(core_session, user_name,
"View,Edit,Retrieve",
user_id, secret_id)
assert success, f"Did not set secret permission successfully with message {result}"
secret_file_contents = get_file_secret_contents(core_session, secret_id)
assert secret_file_contents.count("\n") == 1 + len(
all_accounts
), f"Secret file contained the wrong number of lines {secret_file_contents}"
assert secret_file_contents.count("AutomationTestKey") == len(
all_accounts
), f"Secret file contained the wrong number of keys {secret_file_contents}"
for server_id in all_systems:
assert server_id in secret_file_contents, f"Server ID absent from secret file {secret_file_contents}"
for account_id in all_accounts:
assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
def test_select_two_records_in_my_system_account_field(
core_session, create_resources_with_accounts, core_admin_ui,
cleanup_accounts):
"""
Test case id : C14833
:param core_session: Centrify session
:param create_resources_with_accounts: fixture to create system with accounts
:param core_admin_ui: Ui session
:param cleanup_accounts: cleanup fixture for accounts after test completion
"""
sys = create_resources_with_accounts(core_session, 1, 'Windows', 2)[0]
acc = sys['Accounts']
sys1 = acc[0]["User"]
sys2 = acc[1]["User"]
ui = core_admin_ui
admin_user_uuid = UserManager.get_user_id(
core_session, ui.user.centrify_user["Username"])
rights = "View,Login,UserPortalLogin"
for account in range(len(acc)):
result, status = ResourceManager.assign_account_permissions(
core_session,
rights,
ui.user.centrify_user["Username"],
admin_user_uuid,
pvid=acc[account]['ID'])
assert status, f'failed to assign {rights} permission to cloud admin {ui.user.centrify_user["Username"]}. returned result is: {result}'
logger.info(
f'rights {rights} are provided to {ui.user.centrify_user["Username"]} for account {acc[account]["Name"]}'
)
ui.user_menu('Reload Rights')
ui.navigate(('Workspace', 'My System Accounts'))
# Expecting to find both added systems in My System Account List in workspace
ui.expect(
GridRowByGuid(acc[0]["ID"]),
f'Expected to find system {sys1} in My System Account but did not')
ui.expect(
GridRowByGuid(acc[1]["ID"]),
f'Expected to find system {sys2} in My System Account but did not')
ui.check_actions(['Rotate credentials', 'Manage Accounts', 'Add To Set'],
[sys1, sys2])
logger.info('Add To set option is available')
def test_bulk_system_delete_generates_secret(clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, secret_cleaner, core_tenant):
batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 1, 4, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 3, list_of_created_systems)
batch3 = ResourceManager.add_multiple_ssh_systems_with_accounts(core_session, 1, 1, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2, batch3])
all_non_ssh_systems, all_non_shh_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2])
secret_name = "TestSecret-" + str(ResourceManager.time_mark_in_hours()) + "-" + guid()
sql_query = RedrockController.get_query_for_ids('Server', all_systems)
ResourceManager.del_multiple_systems_by_query(core_session, sql_query, True, secret_name)
ResourceManager.wait_for_secret_to_exist_or_timeout(core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, "No secret was created"
secret_cleaner.append(secret_id)
user_name = core_tenant['admin_user']
user_id = UserManager.get_user_id(core_session, user_name)
result, success = set_users_effective_permissions(core_session, user_name, "View,Edit,Retrieve", user_id, secret_id)
assert success, f"Did not set secret permission successfully with message {result}"
secret_file_contents = get_file_secret_contents(core_session, secret_id)
assert secret_file_contents.strip().count("\n") == len(
all_accounts), f"Secret file contained the wrong number of lines {secret_file_contents}"
assert secret_file_contents.count("thisIsaPAsSwO0rd") == len(
all_non_shh_accounts), f"Secret file contained the wrong number of passwords {secret_file_contents}"
# Commenting following assert as AutomationTestKey is not available in secret_file_contents, Tested on both AWS,
# Azure devdog tenants
# assert 'AutomationTestKey' in secret_file_contents, f"Name of SSH key did not appear in secret file {secret_file_contents}"
for server_id in all_non_ssh_systems:
assert server_id in secret_file_contents, f"Server ID absent from secret file {secret_file_contents}"
for account_id in all_non_shh_accounts:
assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
def test_bulk_system_delete_generates_secret_with_garbage_in_list(clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, secret_cleaner, core_tenant):
batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 2, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 1, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2])
secret_name = "TestSecret-" + str(ResourceManager.time_mark_in_hours()) + "-" + guid()
clean_delete_system_ids = list(all_systems)
delete_system_ids = ["foo", "", clean_delete_system_ids[2]] + clean_delete_system_ids + ["!@#$%^&*()", "1", "?",
"Jason Alexander", "bar"]
ResourceManager.del_multiple_systems(core_session, delete_system_ids, savepasswords=True, secretname=secret_name)
ResourceManager.wait_for_secret_to_exist_or_timeout(core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, "No secret was created"
secret_cleaner.append(secret_id)
user_name = core_tenant['admin_user']
user_id = UserManager.get_user_id(core_session, user_name)
result, success = set_users_effective_permissions(core_session, user_name, "View,Edit,Retrieve", user_id, secret_id)
assert success, f"Did not set secret permission successfully with message {result}"
secret_file_contents = get_file_secret_contents(core_session, secret_id)
assert secret_file_contents.count("\n") == 1 + len(
all_accounts), f"Secret file contained the wrong number of lines {secret_file_contents}"
assert secret_file_contents.count("bsd_tst_usr_") == len(
all_accounts), f"Secret file contained the wrong number of accounts {secret_file_contents}"
assert secret_file_contents.count("thisIsaPAsSwO0rd") == len(
all_accounts), f"Secret file contained the wrong number of passwords {secret_file_contents}"
for server_id in all_systems:
assert server_id in secret_file_contents, f"Server ID absent from secret file {secret_file_contents}"
for account_id in all_accounts:
assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
def test_grant_view_portal_login_permission_to_privileged_access_service_user(core_session, system_with_ssh_account,
core_admin_ui):
"""
TC: C2069
:param core_session: Authenticated Centrify session.
:param system_with_ssh_account: Valid unix system with ssh account
:param core_admin_ui: Authenticated browser session.
"""
system_id, account_id, ssh_id, system_list, account_list, ssh_list = system_with_ssh_account
ui = core_admin_ui
user_id = UserManager.get_user_id(core_session, ui.user.centrify_user['Username'])
result, status = ResourceManager.assign_account_permissions(core_session, rights="View,Login,UserPortalLogin",
principal=ui.user.centrify_user['Username'],
principalid=user_id, pvid=account_id)
assert status, f'failed to assign UserPortalLogin permission of account to user {ui.user.centrify_user["Username"]}'
logger.info(f'UserPortalLogin permission of account assigned successfully to user '
f'{ui.user.centrify_user["Username"]}')
ui = core_admin_ui
# "SSH Key" on column "Credential Type"
result, status = ResourceManager.get_workspace_my_system_account(core_session)
for account in result:
if account['Host'] == system_id:
assert account['CredentialType'] == 'SshKey', f'SSH Key not displayed in CredentialType column in ' \
f'My System Account'
logger.info('SSH key displayed in Credential type column.')
# Login to the ssh account
ui.navigate(('Workspace', 'My System Accounts'))
ui.right_click_action(GridRowByGuid(account_id), 'Login')
ui.switch_to_pop_up_window()
ui.expect_disappear(LoadingMask(), 'RDP session never exited loading state for system', time_to_wait=60)
ui.switch_to_main_window()
status, result = ResourceManager.get_my_active_sessions(core_session, account_id)
assert status, f'failed to retrieve details for active account session data, return result is {result}'
logger.info(f'details for active account found in My Active sessions, returned row is {result}.')
def test_cloud_admin_login_from_my_system_account(core_session, pas_config,
core_admin_ui,
cleanup_accounts,
cleanup_resources,
remote_users_qty1):
"""
Test case: C14831
:param core_session: centrify session
:param core_admin_ui: Centrify UI session
"""
maximum_event_wait_time = 120
account_list = cleanup_accounts[0]
system_list = cleanup_resources[0]
systems = ServerManager.get_all_resources(core_session)
accounts = ServerManager.get_all_accounts(core_session)
for system in systems:
system_list.append(system['ID'])
for account in accounts:
account_list.append(account['ID'])
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
user_password = '******'
sys_details = pas_config
add_user_in_target_system = remote_users_qty1
fdqn = sys_details['Windows_infrastructure_data']['FQDN']
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, fdqn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
accounts_list.append(acc_result)
ui = core_admin_ui
admin_user_uuid = UserManager.get_user_id(
core_session, ui.user.centrify_user["Username"])
# assigning cloud admin workspace login permission
rights = "View,Login,UserPortalLogin"
result, status = ResourceManager.assign_account_permissions(
core_session,
rights,
ui.user.centrify_user["Username"],
admin_user_uuid,
pvid=acc_result)
assert status, f'failed to assign {rights} permission to cloud admin {ui.user.centrify_user["Username"]}.' \
f'returned result is: {result}'
# Updating allow remote to enable RDP session for targeted system
result, success = ResourceManager.update_system(core_session,
add_sys_result,
sys_name,
fdqn,
"Windows",
allowremote=True)
assert success, f'failed to assign rdp policy to account {add_user_in_target_system[0]} of system {sys_name}'
ui.navigate(('Workspace', 'My System Accounts'))
ui.expect(
GridRow(sys_name),
f'Expected to find system {sys_name} in My System Account but did not')
ui.right_click_action(GridRow(sys_name), 'Login')
ui.switch_to_pop_up_window()
ui.expect_disappear(
LoadingMask(),
'Error occurred while launching workspace login session',
time_to_wait=250)
ui.switch_to_main_window()
# wait for manged password change event
filter = [['AccountName', add_user_in_target_system[0]]]
RedrockController.wait_for_event_by_type_filter(
core_session,
"Cloud.Server.LocalAccount.RDPSession.Start",
filter=filter,
maximum_wait_second=maximum_event_wait_time) # wait for 20 seonds
# Api call to get details of account active session
status, result = ResourceManager.get_my_active_sessions(
core_session, acc_result)
assert status, f'failed to retrieve details for active account session data, return result is {result}'
logger.info(
f'details for active account {add_user_in_target_system[0]} are {result}'
)
ui.navigate('Resources', 'Systems')
ui.search(sys_name)
ui.expect(GridRowByGuid(add_sys_result),
expectation_message=
f'failed to search for the system by id {add_sys_result}')
ui.click_row(GridRowByGuid(add_sys_result))
# fetching Active session value from system view page
ui.inner_text_of_element(ActiveSessionTextCount(),
expectation_message='1',
warning_message="RDP Not taken from user")
logger.info(f'Active session value incremented to 1: Active Sessions:1')