def test_unlock_user_account(
create_user_with_policy_enable_self_service_unlock_account,
core_session_unauthorized, core_session):
"""
Lock user via enter wrong password, then unlock User Account
"""
user = create_user_with_policy_enable_self_service_unlock_account
i = 0
# Do fail to login 3 times, then the user be locked automatically
while i < 3:
i = i + 1
r = core_session_unauthorized.start_authentication(
user.get_login_name())
result = r.json()['Result']
assert 'Challenges' in result, f'This user does not have MFA challenges!'
mechanisms1 = result['Challenges'][0]['Mechanisms']
mechanisms2 = result['Challenges'][1]['Mechanisms']
sq_mech_id = None
for mechanism in mechanisms1:
if mechanism['Name'] == 'SQ':
sq_mech_id = mechanism['MechanismId']
sq_mechanism = mechanism
break
assert sq_mech_id is not None, 'Security question MechanismId does not exist!'
security_questions = user.get_security_questions()
core_session_unauthorized.sq_advance_authentication(
security_questions, sq_mechanism, sq_mech_id)
up_mech_id = None
for mechanism in mechanisms2:
if mechanism['Name'] == 'UP':
up_mech_id = mechanism['MechanismId']
break
assert up_mech_id is not None, 'Password MechanismId does not exist!'
# use wrong password to login
r = core_session_unauthorized.advance_authentication(
answer=user.get_password() + ",", mechanism_id=up_mech_id)
assert r.json()['success'] is False, 'Authentication passed!'
# Check user was locked
uid = UserManager.get_user_id(core_session, user.get_login_name())
user_attr = UserManager.get_user(core_session, uid)
assert user_attr['DisplayName'] in user.get_login_name(
), 'Get locked user name is wrong!'
assert user_attr['State'] == "Locked", 'Get user state is not be Locked!'
# unlock user
r = UserManager.set_user_state(core_session, uid, False)
assert r, "set user state fail"
# Check user was unlocked
user_attr = UserManager.get_user(core_session, uid)
assert user_attr['DisplayName'] in user.get_login_name(
), 'Get locked user name is wrong!'
assert user_attr['State'] == "None", 'Get user state is not None!'
def test_add_a_new_top_level_stand_alone_folder(core_session,
create_secret_folder,
pas_general_secrets):
"""
Test method to create a Folder &
verifying the rights of the folder created
:param core_session: Authenticated Centrify Session
:param create_secret_folder: Fixture to create a folder & yields folder related details
:param pas_general_secrets: Fixture to read secret data from yaml file
"""
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
# Getting the Id of the user.
user_details = core_session.__dict__
user_id = user_details['auth_details']['UserId']
# Refreshing the page.
refresh_result = UserManager.refresh_token(core_session, user_id)
assert refresh_result["success"], f"Failed to reload:API response result:{refresh_result}"
# Getting permissions of the folder created
permissions = SetsManager.get_collection_rights(core_session, folder_id)
verify_permissions = 'View, Edit, Delete, Grant, Add'
assert verify_permissions == permissions["Result"], \
f'Failed to verify permissions for the folder{permissions["Result"]}'
logger.info(f'Permissions of the folder created: {permissions}')
def check_rights(session, ui_user, api_user, expected_rights):
assert ui_user == api_user, f'UI and API fixtures should return the same user'
response = UserManager.get_user_role_rights(session, api_user.get_id())
if expected_rights[0] is not None:
assert response['Result'][
'Count'] == 2, f'User should be in everybody role, and a role with admin rights'
else:
assert response['Result'][
'Count'] == 1, f'User should be in everybody role only'
rights_role_found = False
everbody_found = False
for result in response['Result']['Results']:
row = result['Row']
if len(row['AdministrativeRights']) > 0:
rights_found = list(
map(lambda right: right['Description'],
row['AdministrativeRights']))
rights_found.sort()
expected_rights.sort()
assert rights_found == expected_rights, f'Role with administrative rights does not have expected rights {expected_rights}, instead has {rights_found}'
rights_role_found = True
elif row['Name'] == 'Everybody':
everbody_found = True
else:
assert False, f'Unexpected role found {row}'
if expected_rights[0] is not None:
assert rights_role_found is True, f'Role containing expected rights found'
assert everbody_found is True, f'Everybody role not found'
def test_assign_view_permission_to_shared_report(core_session, create_report,
users_and_roles):
"""
TCID: C6351 Assign 'View' permission to shared report
:param core_session: Centrify Authentication session
:param create_report: To create the report
:param users_and_roles: To open an UI and assign specific right to user
"""
my_report = create_report(core_session,
"Select Name From Server",
dir="/Reports")
report_name = my_report['Name']
grant_str = "0000000000000000000000000000000000000000000000000000000010000100"
ui = users_and_roles.get_ui_as_user("Application Management")
user_details = ui.get_user()
user_name = user_details.get_login_name()
user_id = user_details.get_id()
role = UserManager.get_user_role_rights(core_session, user_id)
assign_result = ReportsManager.assign_directory_rights_to_role(
core_session, "/Reports",
[{
"Role": role['Result']['Results'][0]['Entities'][0]['Key'],
"Rights": ["Read"]
}, {
"Role": "Everybody",
"Rights": ["Read"]
}])
assert assign_result, f'Failed to give the read the permission to Shared Folder'
result, success, message = ReportsManager.update_report_permission(
core_session, user_name, user_id, grant_str, report_name, ['Read'])
assert success, f'Failed to assign View permission to Application Management user:{message}'
logger.info(
f'Successfully assign the View permission to Application Management user:{result}'
)
ui.navigate("Reports", check_rendered_tab=False)
ui.expect_disappear(LoadingMask(), "Reports page did not loaded properly")
ui.expect(RestCallComplete(), "Expected rest call to complete.")
ui.expect(TreeFolder("Shared Reports"),
"Failed to find shared Reports Tab under Reports",
time_to_wait=60)
shared_reports_button = ui._searchAndExpect(
TreeFolder("Shared Reports"),
f'Expected find Shared Reports Folder in Tree',
time_to_wait=60)
shared_reports_button.try_click()
ui.expect(
GridCell(report_name),
f'Can not see the shared report which assigned View permission to federation user'
)
ui.check_actions(["Copy", "Details", "Export Report", "Email Report"],
report_name)
ui.action("Details", report_name)
session = users_and_roles.get_session_for_user('Application Management')
query = "Select * from role"
result, success, message = ReportsManager.modify_report(
session, "/Reports", report_name, query)
assert success is False, f'Report modified:{result}'
logger.info(f'Report can not modified, API response: {message}')
def test_bulk_account_delete_generates_secret_with_ssh_accounts(
clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, secret_cleaner, core_tenant):
batch1 = ResourceManager.add_multiple_ssh_systems_with_accounts(
core_session,
2,
2,
list_of_created_systems,
system_prefix=f'test_ssh',
user_prefix=f'test_usr_ssh')
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch1])
secret_name = "TestSecret-" + str(
ResourceManager.time_mark_in_hours()) + "-" + guid()
result, success = ResourceManager.del_multiple_accounts(
core_session,
all_accounts,
save_passwords=True,
secret_name=secret_name)
assert success, "Api did not complete successfully for bulk account delete MSG: " + result
ResourceManager.wait_for_secret_to_exist_or_timeout(
core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(
core_session, secret_name)
assert secret_id is not None, "Secret not found"
secret_cleaner.append(secret_id)
assert len(
ResourceManager.get_multi_added_account_ids(
core_session,
all_systems)) == 0, "Expected zero added accounts remain"
user_name = core_tenant['admin_user']
user_id = UserManager.get_user_id(core_session, user_name)
result, success = set_users_effective_permissions(core_session, user_name,
"View,Edit,Retrieve",
user_id, secret_id)
assert success, f"Did not set secret permission successfully with message {result}"
secret_file_contents = get_file_secret_contents(core_session, secret_id)
assert secret_file_contents.count("\n") == 1 + len(
all_accounts
), f"Secret file contained the wrong number of lines {secret_file_contents}"
assert secret_file_contents.count("AutomationTestKey") == len(
all_accounts
), f"Secret file contained the wrong number of keys {secret_file_contents}"
for server_id in all_systems:
assert server_id in secret_file_contents, f"Server ID absent from secret file {secret_file_contents}"
for account_id in all_accounts:
assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
def test_add_nested_secret(core_session, pas_general_secrets,
cleanup_secrets_and_folders):
"""
C283806: Can add nested secret
:param core_session: Authenticated Centrify session
:param pas_general_secrets: Fixture to read secrets data from yaml file
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
"""
params = pas_general_secrets
folder_list = cleanup_secrets_and_folders[1]
secrets_list = cleanup_secrets_and_folders[0]
suffix = guid()
# Creating nested secrets
added_secret_success, details, added_secret_id = create_text_secret(
core_session, params['nested_secret_name_new'] + suffix,
params['secret_text'])
assert added_secret_success, f"Added Secret Failed, API response result: {added_secret_id}"
logger.info(f'Added secrets info: {details, added_secret_id}')
folders_and_secret_name = details['SecretName']
# Getting details of nested secrets
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session, added_secret_id)
logger.info(f'Secret created details: {get_secret_details}')
secret_name = get_secret_details['SecretName']
child_folder_id = get_secret_details['FolderId']
parent_path = get_secret_details['ParentPath']
parent_folder_and_child_folder = parent_path.split('\\')
parent_name = parent_folder_and_child_folder[0]
child_folder_name = parent_folder_and_child_folder[1]
# Getting added secret status
secret_activity = UserManager.get_secret_activity(core_session,
added_secret_id)
logger.info(f'Secret Created activity:{secret_activity} ')
added_secret_status = False
for rows in secret_activity:
if 'added a secret' in rows['Detail']:
added_secret_status = True
assert added_secret_status, f'Failed to add secret: {added_secret_status}'
assert parent_name in folders_and_secret_name, f'Failed to verify parent folder name: {parent_name}'
assert child_folder_name in folders_and_secret_name, f'Failed to verify child folder name: {child_folder_name}'
assert secret_name in folders_and_secret_name, f'Failed to verify secret name: {secret_name}'
# Getting details of the parent folder & child folder
parent_id = get_folder(core_session, parent_name)
logger.info(
f'parent folder id::{parent_id["Result"]["Results"][0]["Row"]["ID"]}')
secrets_list.append(added_secret_id)
folder_list.append(child_folder_id)
folder_list.append(parent_id['Result']['Results'][0]['Row']['ID'])
logger.info(f'Added folder deleted successfully : {folder_list}')
logger.info(f'Added Secret deleted successfully : {secrets_list}')
def test_check_ui_domain_page(core_session, domain_setups, core_admin_ui):
"""
Shown the bubble info completely on main Domains page
:return:
"""
name, domain_name, password, user_name, administrative_account_name, child_domain = domain_setups
ui = core_admin_ui
# Set Administrative account
directory_services = CoreManager.get_directory_services(core_session)
logger.info(
f" Successfully get all the Domain Directory Services. {directory_services}"
)
for directory_service in directory_services.json(
)['Result']['Results']: # Get the Active Domain Directory Service
if directory_service['Row']['Name'] == name:
directory_service = directory_service['Row'][
'directoryServiceUuid']
break
# Get the child domain details of a Particular Active Directory
active_directory_service_child_domain, add_success = UserManager.directory_query_user(
core_session, "Administ", [directory_service])
admin_account = active_directory_service_child_domain['SystemName']
result, add_admin_account_success, message = ResourceManager.set_administrative_account(
core_session,
child_domain,
password=password,
user=admin_account,
directoryservices=directory_service)
assert add_admin_account_success, f'Failed to set administrative account of Active Directory {message}'
logger.info(
f"Administrative account for Active Directory set successfully in the Domain{result}."
)
ui.navigate('Resources', 'Domains')
ui.search(child_domain)
actual_administrative_account_bubble = ui.expect(
GridCell(user_name, data_content=True),
"Domain bubble name").mouse_hover()
logger.info(
f'Shows the bubble info of administrative account {actual_administrative_account_bubble}'
)
expected_administrative_account_bubble = administrative_account_name
actual_administrative_account_bubble = ui.expect(GridCell(
user_name, True), "Domain bubble name").get_attribute("data-content")
assert expected_administrative_account_bubble == actual_administrative_account_bubble, f"Domain name bubble not appeared "
logger.info(
f'successsfully shown the bubble info completely on main Domains page {actual_administrative_account_bubble}'
)
def _verify_step_3_policy_settings(self, cp_row):
result = UserManager.user_policy_pas_summary(self.session, cp_row['ID'], "CloudProviders", None)
result_data = self.session.get_response_data(result)
rsop = result_data["rsop"]
assert rsop['/PAS/ConfigurationSetting/CloudProviders/EnableUnmanagedPasswordRotationPrompt'] == (self.prompt_to_change is True), f"Policy wrong {rsop}"
assert rsop['/PAS/ConfigurationSetting/CloudProviders/EnableUnmanagedPasswordRotation'] == (self.enable_rotation is True), f"Policy wrong {rsop}"
min_days_numeric = self.minimum_days
if min_days_numeric is None:
min_days_numeric = 0
assert rsop['/PAS/ConfigurationSetting/CloudProviders/EnableUnmanagedPasswordRotationReminder'] == (self.enable_reminder is True), f"Policy wrong {rsop}"
assert rsop['/PAS/ConfigurationSetting/CloudProviders/UnmanagedPasswordRotationReminderDuration'] == min_days_numeric, f"Policy wrong {rsop}"
def test_nested_secret_with_backslashes(core_session, pas_general_secrets,
cleanup_secrets_and_folders):
"""test method to add nested secret with '\\' """
secrets_list = cleanup_secrets_and_folders[0]
folder_list = cleanup_secrets_and_folders[1]
secrets_params = pas_general_secrets
secret_prefix = guid()
secret_parameters = {
'SecretName':
secret_prefix + secrets_params['nested_secret_backslashes'],
'SecretText': secrets_params['secret_text'],
'Type': 'Text',
'Description': secrets_params['secret_description'],
'FolderId': ''
}
logger.info(
f'Creating nested secrets : { secrets_params["nested_secret_backslashes"]}'
)
"""Api to create nested secret with backslashes"""
secret_result = core_session.post(EndPoints.SECRET_ADD,
secret_parameters).json()
logger.info(
f'Secret Created successfully:{secret_result}{secret_result["success"]}'
)
assert secret_result[
'success'], f'Not able to create secret with {secret_result}'
secret_id = secret_result["Result"]
"""Api to get secret activity"""
secret_activity = UserManager.get_secret_activity(core_session, secret_id)
logger.info(f'Secret Created activity:{secret_activity} ')
str1 = 'added a secret "Topsecret" of type "Text"'
assert str1 in secret_activity[0]['Detail'], "Failed to assert"
"""Api to get text type secret details"""
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session, secret_id)
logger.info(f'Secret created details: {get_secret_details}')
child_folder = get_secret_details['FolderId']
parent_path = get_secret_details['ParentPath']
parent_folder_name = parent_path.split('\\')
parent_folder_sliced = parent_folder_name[0]
parent_id = get_folder(core_session, parent_folder_sliced)
logger.info(
f'parent folder id::{parent_id["Result"]["Results"][0]["Row"]["ID"]}')
secrets_list.append(secret_id)
folder_list.append(child_folder)
folder_list.append(parent_id['Result']['Results'][0]['Row']['ID'])
logger.info(f'Added folder deleted successfully : {folder_list}')
logger.info(f'Added Secret deleted successfully : {secrets_list}')
def test_assign_edit_permission_to_shared_report(core_session, create_report, users_and_roles):
"""
TCID: C6352 Assign 'Edit' permission to shared report
:param core_session: Centrify Authentication session
:param create_report: To create the report
:param users_and_roles: To open an UI and assign specific right to user
"""
my_report = create_report(core_session, "Select Name From Server", dir="/Reports")
report_name = my_report['Name']
grant_str = "0000000000000000000000000000000000000000000000000000000011101100"
ui = users_and_roles.get_ui_as_user("MFA Unlock")
user = ui.get_user()
user_name = user.get_login_name()
user_id = user.get_id()
role = UserManager.get_user_role_rights(core_session, user_id)
assign_result = ReportsManager.assign_directory_rights_to_role(core_session, "/Reports",
[{"Role":
role['Result']['Results'][0]['Entities'][0][
'Key'],
"Rights": ["Read"]},
{"Role": "Everybody",
"Rights": ["Read"]
}])
assert assign_result, f'Failed to give the read the permission to Shared Folder'
result, success, message = ReportsManager.update_report_permission(core_session, user_name,
user_id, grant_str, report_name, ['ReadWrite'])
assert success, f'Failed to assign Edit permission to MFA user:{message}'
logger.info(f'Successfully assign the Edit permission to MFA user:{result}')
ui.navigate("Reports", check_rendered_tab=False)
ui.expect_disappear(LoadingMask(), "Report page did not load properly", 60)
ui.expect(RestCallComplete(), "Expected rest call to complete.")
ui.expect(TreeFolder("Shared Reports"), "Failed to find shared Reports Tab under Reports", time_to_wait=60)
shared_reports_button = ui._searchAndExpect(TreeFolder("Shared Reports"),
f'Expected find Shared Reports Folder in Tree', time_to_wait=60)
shared_reports_button.try_click()
ui.expect(GridCell(report_name),
f'Can not see the shared report which assigned Edit permission to MFA user')
ui.check_actions(["Copy", "Move", "Delete", "Modify", "Export Report", "Email Report"], report_name)
ui.action("Modify", report_name)
session = users_and_roles.get_session_for_user('MFA Unlock')
query = "Select * From role"
result, success, message = ReportsManager.modify_report(session, "/Reports", report_name, query)
assert success, f'Script editor could not modified successfully:{message}'
logger.info(f'Script editor could not modified successfully:{result}')
ui.tab("Permissions")
ui.expect(DisabledButton("Add"), "Add is not grey can edit the permission")
logger.info(f"'Add' button is grey, and cannot modify the existing permission")
def test_select_two_records_in_my_system_account_field(
core_session, create_resources_with_accounts, core_admin_ui,
cleanup_accounts):
"""
Test case id : C14833
:param core_session: Centrify session
:param create_resources_with_accounts: fixture to create system with accounts
:param core_admin_ui: Ui session
:param cleanup_accounts: cleanup fixture for accounts after test completion
"""
sys = create_resources_with_accounts(core_session, 1, 'Windows', 2)[0]
acc = sys['Accounts']
sys1 = acc[0]["User"]
sys2 = acc[1]["User"]
ui = core_admin_ui
admin_user_uuid = UserManager.get_user_id(
core_session, ui.user.centrify_user["Username"])
rights = "View,Login,UserPortalLogin"
for account in range(len(acc)):
result, status = ResourceManager.assign_account_permissions(
core_session,
rights,
ui.user.centrify_user["Username"],
admin_user_uuid,
pvid=acc[account]['ID'])
assert status, f'failed to assign {rights} permission to cloud admin {ui.user.centrify_user["Username"]}. returned result is: {result}'
logger.info(
f'rights {rights} are provided to {ui.user.centrify_user["Username"]} for account {acc[account]["Name"]}'
)
ui.user_menu('Reload Rights')
ui.navigate(('Workspace', 'My System Accounts'))
# Expecting to find both added systems in My System Account List in workspace
ui.expect(
GridRowByGuid(acc[0]["ID"]),
f'Expected to find system {sys1} in My System Account but did not')
ui.expect(
GridRowByGuid(acc[1]["ID"]),
f'Expected to find system {sys2} in My System Account but did not')
ui.check_actions(['Rotate credentials', 'Manage Accounts', 'Add To Set'],
[sys1, sys2])
logger.info('Add To set option is available')
def test_assign_grant_permission_to_shared_reports(core_session, create_report, users_and_roles):
"""
TCID: C6353 Assign 'Grant' permission to shared report
:param core_session: Centrify Authentication Session
"""
my_report = create_report(core_session, "Select Name From Server", dir="/Reports")
report_name = my_report['Name']
session_user = core_session.get_user()
session_user_name = session_user.get_login_name()
session_user_id = session_user.get_id()
grant_str = "0000000000000000000000000000000000000000000000000000000011101101"
ui = users_and_roles.get_ui_as_user("Federation Management")
user_details = ui.get_user()
user_name = user_details.get_login_name()
user_id = user_details.get_id()
role = UserManager.get_user_role_rights(core_session, user_id)
assign_result = ReportsManager.assign_directory_rights_to_role(core_session, "/Reports",
[{"Role": role['Result']['Results'][0]['Entities'][0][
'Key'],
"Rights": ["Read"]},
{"Role": "Everybody",
"Rights": ["Read"]
}])
assert assign_result, f'Failed to give the read the permission to Shared Folder'
result, success, message = ReportsManager.update_report_permission(core_session, user_name, user_id, grant_str,
report_name, ['Owner'])
assert success, f'Failed to assign grant permission to Federation user:{message}'
logger.info(f'Successfully assign the grant permission to federation user:{result}')
ui.navigate("Reports", check_rendered_tab=False)
ui.expect_disappear(LoadingMask(), 'Report page did not load properly')
ui.expect(TreeFolder("My Reports"), "Failed to find Shared Reports Tab under Reports", time_to_wait=30)
ui.expect(TreeFolder("Shared Reports"), f'Expected find Shared Reports Folder in Tree', time_to_wait=30).try_click()
ui.expect(GridCell(report_name),
f'Can not see the shared report which assigned grant permission to federation user')
ui.check_actions(["Copy", "Move", "Delete", "Modify", "Export Report", "Email Report"], report_name)
ui.action("Modify", report_name)
ui.expect(Div("Report Builder"), f'Failed to enter report detail page')
session = users_and_roles.get_session_for_user('Federation Management')
result, success, message = ReportsManager.update_report_permission(session,
session_user_name, session_user_id,
grant_str, report_name, ['Owner'])
assert success, f'Failed to save permission, API response: {message}'
logger.info(f'Permission saved successfully:{result}')
def test_user_login_from_invited_email(
create_user_with_policy_enable_auth_email, core_session,
get_email_authentication_link):
"""
Login Portal using invited email link with user
"""
user = create_user_with_policy_enable_auth_email
is_invite = UserManager.invite_users_by_action(core_session,
[user.get_login_name()])
assert is_invite
# to get the user email link
urls = get_email_authentication_link(user.get_login_name().lower())
# Access the Link for authentication
session = requests.session()
response = session.request("POST", urls)
assert user.get_login_name().lower() in str(response.content).lower(), f"User {user.get_login_name()} " \
f"MFA Login Failed"
def test_bulk_system_delete_generates_secret(clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, secret_cleaner, core_tenant):
batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 1, 4, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 3, list_of_created_systems)
batch3 = ResourceManager.add_multiple_ssh_systems_with_accounts(core_session, 1, 1, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2, batch3])
all_non_ssh_systems, all_non_shh_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2])
secret_name = "TestSecret-" + str(ResourceManager.time_mark_in_hours()) + "-" + guid()
sql_query = RedrockController.get_query_for_ids('Server', all_systems)
ResourceManager.del_multiple_systems_by_query(core_session, sql_query, True, secret_name)
ResourceManager.wait_for_secret_to_exist_or_timeout(core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, "No secret was created"
secret_cleaner.append(secret_id)
user_name = core_tenant['admin_user']
user_id = UserManager.get_user_id(core_session, user_name)
result, success = set_users_effective_permissions(core_session, user_name, "View,Edit,Retrieve", user_id, secret_id)
assert success, f"Did not set secret permission successfully with message {result}"
secret_file_contents = get_file_secret_contents(core_session, secret_id)
assert secret_file_contents.strip().count("\n") == len(
all_accounts), f"Secret file contained the wrong number of lines {secret_file_contents}"
assert secret_file_contents.count("thisIsaPAsSwO0rd") == len(
all_non_shh_accounts), f"Secret file contained the wrong number of passwords {secret_file_contents}"
# Commenting following assert as AutomationTestKey is not available in secret_file_contents, Tested on both AWS,
# Azure devdog tenants
# assert 'AutomationTestKey' in secret_file_contents, f"Name of SSH key did not appear in secret file {secret_file_contents}"
for server_id in all_non_ssh_systems:
assert server_id in secret_file_contents, f"Server ID absent from secret file {secret_file_contents}"
for account_id in all_non_shh_accounts:
assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
def test_bulk_system_delete_generates_secret_with_garbage_in_list(clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, secret_cleaner, core_tenant):
batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 2, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 1, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2])
secret_name = "TestSecret-" + str(ResourceManager.time_mark_in_hours()) + "-" + guid()
clean_delete_system_ids = list(all_systems)
delete_system_ids = ["foo", "", clean_delete_system_ids[2]] + clean_delete_system_ids + ["!@#$%^&*()", "1", "?",
"Jason Alexander", "bar"]
ResourceManager.del_multiple_systems(core_session, delete_system_ids, savepasswords=True, secretname=secret_name)
ResourceManager.wait_for_secret_to_exist_or_timeout(core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, "No secret was created"
secret_cleaner.append(secret_id)
user_name = core_tenant['admin_user']
user_id = UserManager.get_user_id(core_session, user_name)
result, success = set_users_effective_permissions(core_session, user_name, "View,Edit,Retrieve", user_id, secret_id)
assert success, f"Did not set secret permission successfully with message {result}"
secret_file_contents = get_file_secret_contents(core_session, secret_id)
assert secret_file_contents.count("\n") == 1 + len(
all_accounts), f"Secret file contained the wrong number of lines {secret_file_contents}"
assert secret_file_contents.count("bsd_tst_usr_") == len(
all_accounts), f"Secret file contained the wrong number of accounts {secret_file_contents}"
assert secret_file_contents.count("thisIsaPAsSwO0rd") == len(
all_accounts), f"Secret file contained the wrong number of passwords {secret_file_contents}"
for server_id in all_systems:
assert server_id in secret_file_contents, f"Server ID absent from secret file {secret_file_contents}"
for account_id in all_accounts:
assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
def test_grant_view_portal_login_permission_to_privileged_access_service_user(core_session, system_with_ssh_account,
core_admin_ui):
"""
TC: C2069
:param core_session: Authenticated Centrify session.
:param system_with_ssh_account: Valid unix system with ssh account
:param core_admin_ui: Authenticated browser session.
"""
system_id, account_id, ssh_id, system_list, account_list, ssh_list = system_with_ssh_account
ui = core_admin_ui
user_id = UserManager.get_user_id(core_session, ui.user.centrify_user['Username'])
result, status = ResourceManager.assign_account_permissions(core_session, rights="View,Login,UserPortalLogin",
principal=ui.user.centrify_user['Username'],
principalid=user_id, pvid=account_id)
assert status, f'failed to assign UserPortalLogin permission of account to user {ui.user.centrify_user["Username"]}'
logger.info(f'UserPortalLogin permission of account assigned successfully to user '
f'{ui.user.centrify_user["Username"]}')
ui = core_admin_ui
# "SSH Key" on column "Credential Type"
result, status = ResourceManager.get_workspace_my_system_account(core_session)
for account in result:
if account['Host'] == system_id:
assert account['CredentialType'] == 'SshKey', f'SSH Key not displayed in CredentialType column in ' \
f'My System Account'
logger.info('SSH key displayed in Credential type column.')
# Login to the ssh account
ui.navigate(('Workspace', 'My System Accounts'))
ui.right_click_action(GridRowByGuid(account_id), 'Login')
ui.switch_to_pop_up_window()
ui.expect_disappear(LoadingMask(), 'RDP session never exited loading state for system', time_to_wait=60)
ui.switch_to_main_window()
status, result = ResourceManager.get_my_active_sessions(core_session, account_id)
assert status, f'failed to retrieve details for active account session data, return result is {result}'
logger.info(f'details for active account found in My Active sessions, returned row is {result}.')
def test_add_sap_ase_db_with_unmanaged_account(core_session,
add_database_with_account):
"""
Test case: C286609
:param core_session: Authenticated Centrify session
:param add_database_with_account: fixture to create database with account
"""
db_name, db_id, db_account_id, db_data, database_cleaner_list, account_cleaner_list = \
add_database_with_account(db_class='sapase', add_account=True)
result = UserManager.security_refresh_token(core_session)
assert result['success'], 'failed to refresh Centrify session.'
db_row = RedrockController.get_database(core_session, db_id=db_id)
assert db_name == db_row[
'Name'], f'"{db_name}" not found in Centrify portal.'
logger.info(
f'Database {db_name} found in Centrify portal with details {db_row}')
result, status = ResourceManager.check_account_health(
core_session, db_account_id)
assert status, f"failed to verify DB account {db_data['db_account']} health"
logger.info(
f"database account {db_data['db_account']} verified successfully")
def agent_get_user(core_tenant_global, core_session_global):
"""Creates a random user to be used for agent enrollment
:return: agent name (str)
"""
session = core_session_global
tenant = core_tenant_global
username = tenant['admin_user']
suffix = username.split("@")[1]
response = UserManager.create_random_user(session, suffix)
logger.debug("User created: " + response['Name'] + " uuid: " +
response['Uuid'])
response1 = UserManager.create_random_user(session, suffix)
logger.debug("User created: " + response1['Name'] + " uuid: " +
response1['Uuid'])
yield response["Name"], response1["Name"]
UserManager.delete_user(session, response['Uuid'])
logger.debug("User deleted: " + response['Name'])
UserManager.delete_user(session, response1['Uuid'])
logger.debug("User deleted: " + response1['Name'])
def test_checkout_lifetime_to_blank(core_session, pas_windows_setup):
"""
TC:C2213 Set the Checkout lifetime to blank.
:param core_session: Returns a API session.
:param pas_windows_setup: Returns a fixture
"""
# Getting the Id of the user.
user_details = core_session.__dict__
user_id = user_details['auth_details']['UserId']
# Adding a system with account.
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(
)
# Setting the lifetime checkout to 15 min.
checkout_lifetime = 15
updated_account_result, update_account_success = \
ResourceManager.update_account(core_session,
account_id,
sys_info[4],
host=system_id,
ismanaged=False,
default_checkout_time=checkout_lifetime)
assert update_account_success, f"Failed to add default checkout time: API response result:{updated_account_result}"
logger.info(
f'Successfully added default checkout time: {updated_account_result}"')
# Checking the lifetime checkout value.
account_info_result, account_info_success = ResourceManager.get_account_information(
core_session, account_id)
account_checkout_lifetime = account_info_result['VaultAccount']['Row'][
'DefaultCheckoutTime']
assert account_checkout_lifetime == checkout_lifetime, f'Failed to found default checkout time in account info: ' \
f'API response ' \
f'result:{account_info_result} '
logger.info(
f"Successfully Found check out time in account info: {account_checkout_lifetime}"
)
# Setting the lifetime checkout to blank.
updated_account_result, update_account_success = ResourceManager.update_account(
core_session,
account_id,
sys_info[4],
host=system_id,
ismanaged=False,
default_checkout_time=None)
assert update_account_success, f"Failed to update default checkout time to blank: " \
f"API response result:{updated_account_result} "
logger.info(
f'Successfully updated default checkout time to blank:{updated_account_result}. '
)
# Checking the lifetime checkout value.
account_info_result, account_info_success = ResourceManager.get_account_information(
core_session, account_id)
updated_account_checkout_lifetime = account_info_result['VaultAccount'][
'Row']
assert 'DefaultCheckoutTime' not in updated_account_checkout_lifetime, "DefaultCheckoutTime is present"
logger.info(
f"'DefaultCheckoutTime' is not present in account info: {updated_account_checkout_lifetime}"
)
# Refreshing the page.
refresh_result = UserManager.refresh_token(core_session, user_id)
assert refresh_result[
"success"], f"Failed to reload:API response result:{refresh_result}"
# Checking the lifetime value after refresh.
modified_account_info_result, modified_account_info_success = ResourceManager. \
get_account_information(core_session, account_id)
modified_account_checkout_lifetime = modified_account_info_result[
'VaultAccount']['Row']
assert 'DefaultCheckoutTime' not in modified_account_checkout_lifetime, "DefaultCheckoutTime is present"
logger.info(
f"'DefaultCheckoutTime' is not present in account info: {updated_account_checkout_lifetime}"
)
def test_user_type_parameter(core_session, cleanup_accounts, cleanup_reports):
"""
TCID: C6341 Create report with User type parameter required
:param core_session: Centrify Authentication session
"""
user_list = cleanup_accounts[2]
session_user = core_session.__dict__
display_name_1 = session_user['auth_details']['DisplayName']
user_create_data = Configs.get_test_node('platform_report_data',
'automation_main')
prefix = user_create_data['prefix']
user_alias = core_session.auth_details['User'].split('@')[1]
user_name_2 = prefix + guid() + "@" + user_alias
user_props = {
"Mail": user_create_data['user_email'],
"Password": user_create_data['password'],
"PasswordNeverExpire": True,
"DisplayName": user_create_data['display_name'],
"Username": user_name_2,
"Name": user_name_2
}
success, result_user_2 = UserManager.create_user_with_args(
core_session, user_props)
assert success, f'Failed to create an user:{result_user_2}'
logger.info(f'Successfully created an user:{result_user_2}')
reports = Reports(core_session, pop_prefix_base)
report = reports.create_report({
"Name":
"report_A",
"Query":
"select Username, LastLogin from user where DisplayName= @userNM",
"Parameters": [{
"Type": "User",
"Name": "userNM",
"Label": "Input searched username",
"ObjectProperty": "DisplayName"
}]
})
assert report, f'Failed to create the report:{report}'
logger.info(f'Successfully Created report: {report}')
# Actual result for all user list with display name same as session user display name.
# and this details will compare all the user from reports page
actual_script_1 = f'Select Username, LastLogin from user where DisplayName = "{display_name_1}"'
actual_user_list_1 = []
actual_result_1 = RedrockController.redrock_query(core_session,
actual_script_1)
for user in actual_result_1:
actual_user_list_1.append(user['Row'])
# Expected result for all users which user name same as session user display name and will assert the list
# of users of actual session user display name list
expected_result_1 = RedrockController.get_report_result_list_of_user(
core_session, "userNM", display_name_1, "Input searched username")
expected_user_list_1 = []
for expected_result in expected_result_1:
expected_user_list_1.append(expected_result['Row'])
assert expected_user_list_1 == actual_user_list_1, f'The report result list all users whose DisplayName is not ' \
f'same with selected users DisplayName:{actual_user_list_1}'
logger.info(f'The report result list all users whose DisplayName is '
f'same with selected users displayname:{expected_user_list_1}')
# Actual result for all user list with display name same as another user display name.
# and this details will compare all the user from reports page
actual_script_2 = f'Select Username, LastLogin from user where DisplayName = "{user_create_data["display_name"]}"'
actual_user_list_2 = []
actual_result_2 = RedrockController.redrock_query(core_session,
actual_script_2)
for user in actual_result_2:
actual_user_list_2.append(user['Row'])
# Expected result for all users which user name same as another user display name and will assert the list
# of users of actual another user display name list
expected_result_2 = RedrockController.get_report_result_list_of_user(
core_session, "userNM", user_create_data['display_name'],
"Input searched username")
expected_user_list_2 = []
for user in expected_result_2:
expected_user_list_2.append(user['Row'])
assert expected_user_list_2 == actual_user_list_2, f'The report result list all users whose DisplayName is not ' \
f'same with selected users DisplayName:{actual_user_list_2}'
logger.info(f'The report result list all users whose DisplayName is '
f'same with selected users displayname:{expected_user_list_2}')
# Delete the created user
user_list.append(result_user_2)
found_report = reports.get_report_by_name(core_session,
report['Name'] + ".report")
cleanup_reports.append(found_report['Path'])
def test_string_type_parameter(core_session, created_suffix, suffix_cleaner,
cleanup_accounts, cleanup_reports):
"""
TCID: C6340 Create report with String type parameter required
:param created_suffix: centrify Authentication Session
:param core_session: Fixture to add the suffix
:param suffix_cleaner: Fixture to delete the created suffix
:param cleanup_accounts: Fixture to delete the created user
:param cleanup_reports: Fixture to delete the created report
"""
user_list = cleanup_accounts[2]
user_create_data = Configs.get_test_node('platform_report_data',
'automation_main')
prefix = user_create_data['prefix']
user_alias = core_session.auth_details['User'].split('@')[1]
user_name_1 = prefix + guid() + "@" + user_alias
user_props = {
"Mail": user_create_data['user_email'],
"Password": user_create_data['password'],
"PasswordNeverExpire": True,
"Username": user_name_1,
"Name": user_name_1
}
success, result_user_1 = UserManager.create_user_with_args(
core_session, user_props)
assert success, f'Failed to create an user:{result_user_1}'
logger.info(f'Successfully created an user:{result_user_1}')
suffix_alias = created_suffix
user_name_2 = prefix + guid() + "@" + suffix_alias['alias']
user_props = {
"Mail": user_create_data['user_email'],
"Password": user_create_data['password'],
"PasswordNeverExpire": True,
"Username": user_name_2,
"Name": user_name_2
}
success, result_user_2 = UserManager.create_user_with_args(
core_session, user_props)
assert success, f'Failed to create an user:{result_user_2}'
logger.info(f'Successfully created an user:{result_user_2}')
reports = Reports(core_session, pop_prefix_base)
report = reports.create_report({
"Name":
"report_A",
"Query":
"select Username, "
"lastlogin from user where Username like @userNM",
"Parameters": [{
"Type": "string",
"Name": "userNM",
"Label": "Input searched username"
}]
})
assert report, f'Failed to create the report:{report}'
logger.info(f'Successfully Created report: {report}')
# All users whose username starts with prefix
sript_1 = f"select Username, lastlogin from user where Username like '{prefix}%'"
result_prefix = RedrockController.redrock_query(core_session, sript_1)
username_with_prefix = []
for username in result_prefix:
username_with_prefix.append(username['Row']['Username'])
for i in username_with_prefix:
assert i.startswith(
prefix
), f'The report result user list are not starting with {prefix}'
logger.info(
f'The report result list all users whose Username starts with: {username_with_prefix}'
)
# All users whose username ends with suffix
sript_2 = f"select Username, lastlogin from user where Username like '%{suffix_alias['alias']}'"
result_suffix = RedrockController.redrock_query(core_session, sript_2)
username_with_suffix = []
for username_suffix in result_suffix:
username_with_suffix.append(username_suffix['Row']['Username'])
for i in username_with_suffix:
assert i.endswith(
suffix_alias['alias']
), f'The report result user list are not ending with:{suffix_alias["alias"]}'
logger.info(
f'The report result list all users whose Username ends with: {username_with_prefix}'
)
# Delete created report, user and suffix
found_report = reports.get_report_by_name(core_session,
report['Name'] + ".report")
cleanup_reports.append(found_report['Path'])
user_list.append(result_user_2)
user_list.append(result_user_1)
suffix_cleaner.append(suffix_alias['alias'])
def test_update_retrieve_replace_activity_logged(core_session, added_secrets,
pas_general_secrets,
users_and_roles,
clean_up_policy):
"""
C3071: Update, retrieve, replace activity logged
:param core_session: Authenticated Centrify Session
:param added_secrets: Fixture to create text type secret & yield secret id, secret_name
:param pas_general_secrets: Fixture to read secret data from yaml file
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param clean_up_policy: Fixture to clean up the policy created
"""
secret_suffix = guid()
added_text_secret_id, added_text_secret_name = added_secrets
secrets_params = pas_general_secrets
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS User Rights login successfully: user_Name:{user_name}')
# Api to give user permissions to secrets
set_permission_result, set_permission_success = set_users_effective_permissions(
core_session, user_name, 'View,Grant', user_id,
added_text_secret_id[0])
assert set_permission_success, f'Failed to set permission: {set_permission_result}'
logger.info(
f'Setting permission:{set_permission_result}{set_permission_success}')
# Retrieving details(text) of the secret
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session, added_text_secret_id[0])
assert get_secret_success, f'Failed to retrieve the secret:{get_secret_text}'
logger.info(f' Retrieved secret details: {get_secret_details} ')
# Api to create new policy
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + secret_suffix,
["UP", None], None, "30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Api to update secret(assign policy & update name)
policy_assigned = update_secret(core_session,
added_text_secret_id[0],
secrets_params['updated_secret_name'] +
secret_suffix,
policy_id=policy_result)
assert policy_assigned[
'success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy assigned to text type secret: {policy_assigned}')
# Api to retrieve the activity of the secret
rows_result = UserManager.get_secret_activity(core_session,
added_text_secret_id[0])
assert rows_result, f'Failed to fetch Secret updated details & activity fetched:{rows_result}'
logger.info(f'Activity list:{rows_result}')
assert 'updated the secret' in rows_result[0][
"Detail"], f'Failed to update the secret:{rows_result[0]["Detail"]}'
assert 'viewed the secret' in rows_result[1][
"Detail"], f'Failed to retrieve the secret :{rows_result[1]["Detail"]}'
added_secret_status = False
added_permissions_status = False
for rows in rows_result:
if 'added a secret' in rows['Detail']:
added_secret_status = True
assert added_secret_status, f'Failed to add secret: {added_secret_status}'
for rows in rows_result:
if 'granted User' in rows['Detail']:
added_permissions_status = True
assert added_permissions_status, f'Failed to add permissions: {added_permissions_status}'
# Api to remove policy from the secret
policy_assigned = update_secret(core_session, added_text_secret_id[0],
added_text_secret_name)
assert policy_assigned[
'success'], f'Failed to remove policy from secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy removed from secret: {policy_assigned}')
def test_cloud_admin_login_from_my_system_account(core_session, pas_config,
core_admin_ui,
cleanup_accounts,
cleanup_resources,
remote_users_qty1):
"""
Test case: C14831
:param core_session: centrify session
:param core_admin_ui: Centrify UI session
"""
maximum_event_wait_time = 120
account_list = cleanup_accounts[0]
system_list = cleanup_resources[0]
systems = ServerManager.get_all_resources(core_session)
accounts = ServerManager.get_all_accounts(core_session)
for system in systems:
system_list.append(system['ID'])
for account in accounts:
account_list.append(account['ID'])
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
user_password = '******'
sys_details = pas_config
add_user_in_target_system = remote_users_qty1
fdqn = sys_details['Windows_infrastructure_data']['FQDN']
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, fdqn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
accounts_list.append(acc_result)
ui = core_admin_ui
admin_user_uuid = UserManager.get_user_id(
core_session, ui.user.centrify_user["Username"])
# assigning cloud admin workspace login permission
rights = "View,Login,UserPortalLogin"
result, status = ResourceManager.assign_account_permissions(
core_session,
rights,
ui.user.centrify_user["Username"],
admin_user_uuid,
pvid=acc_result)
assert status, f'failed to assign {rights} permission to cloud admin {ui.user.centrify_user["Username"]}.' \
f'returned result is: {result}'
# Updating allow remote to enable RDP session for targeted system
result, success = ResourceManager.update_system(core_session,
add_sys_result,
sys_name,
fdqn,
"Windows",
allowremote=True)
assert success, f'failed to assign rdp policy to account {add_user_in_target_system[0]} of system {sys_name}'
ui.navigate(('Workspace', 'My System Accounts'))
ui.expect(
GridRow(sys_name),
f'Expected to find system {sys_name} in My System Account but did not')
ui.right_click_action(GridRow(sys_name), 'Login')
ui.switch_to_pop_up_window()
ui.expect_disappear(
LoadingMask(),
'Error occurred while launching workspace login session',
time_to_wait=250)
ui.switch_to_main_window()
# wait for manged password change event
filter = [['AccountName', add_user_in_target_system[0]]]
RedrockController.wait_for_event_by_type_filter(
core_session,
"Cloud.Server.LocalAccount.RDPSession.Start",
filter=filter,
maximum_wait_second=maximum_event_wait_time) # wait for 20 seonds
# Api call to get details of account active session
status, result = ResourceManager.get_my_active_sessions(
core_session, acc_result)
assert status, f'failed to retrieve details for active account session data, return result is {result}'
logger.info(
f'details for active account {add_user_in_target_system[0]} are {result}'
)
ui.navigate('Resources', 'Systems')
ui.search(sys_name)
ui.expect(GridRowByGuid(add_sys_result),
expectation_message=
f'failed to search for the system by id {add_sys_result}')
ui.click_row(GridRowByGuid(add_sys_result))
# fetching Active session value from system view page
ui.inner_text_of_element(ActiveSessionTextCount(),
expectation_message='1',
warning_message="RDP Not taken from user")
logger.info(f'Active session value incremented to 1: Active Sessions:1')
def test_multiple_updates_in_permissions_policy_name_verify_all_2(
core_session, added_secrets, pas_general_secrets, users_and_roles,
clean_up_policy):
"""
test method to verify multiple updates like (permissions, policy, name ..) for a secret
:param core_session: Authenticated Centrify Session
:param added_secrets: Fixture to create text type secret & yield secret id, secret_name
:param pas_general_secrets: Fixture to read secret data from yaml file
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param clean_up_policy: Fixture to clean up the policy created
"""
secret_prefix = guid()
added_text_secret_id, added_text_secret_name = added_secrets
secrets_params = pas_general_secrets
application_management_user = users_and_roles.get_user(
'Privileged Access Service Power User')
user_name = application_management_user.get_login_name()
user_id = application_management_user.get_id()
# API to set user permissions for text_type_secret
set_permissions_result, set_permissions_success = set_users_effective_permissions(
core_session, user_name, 'View,Grant,Edit', user_id,
added_text_secret_id[0])
assert set_permissions_success, f'setting permissions for file type secret failed: {set_permissions_result}'
logger.info(
f'setting permissions for text type secret: {set_permissions_success} {set_permissions_result}'
)
# Api to create new policy
policy_result = PolicyManager.create_new_auth_profile(
core_session, secret_prefix + secrets_params['policy_name'],
["UP", None], None, "30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Api to assign policy to the secret
policy_assigned = update_secret(core_session,
added_text_secret_id[0],
added_text_secret_name,
policy_id=policy_result)
assert policy_assigned[
'success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy assigned to text type secret: {policy_assigned}')
# Api to update settings(secret_name) of the secret
result = update_secret(
core_session, added_text_secret_id[0],
secret_prefix + secrets_params['updated_secret_name'])
assert result[
'success'], f'Not Able to update the settings {result["Result"]} '
logger.info(
f'Updating the settings for secret: {result["success"]} & {result["Exception"]}'
)
# Api to retrieve the activity of the secret
rows_result = UserManager.get_secret_activity(core_session,
added_text_secret_id[0])
assert rows_result is not None, f'Unable to fetch Secret updated details & activity fetched:{rows_result}'
logger.info(f'activity list:{rows_result}')
verify_name = 'update_secret1'
verify_permissions = 'View , Grant , Edit'
permissions_updated = False
assert verify_name in rows_result[0][
"Detail"], f'Unable to update the name:{rows_result[0]["Detail"]}'
logger.info(f'Secret Updated details: {rows_result[0]["Detail"]}')
for x in rows_result:
if verify_permissions in x['Detail']:
permissions_updated = True
assert permissions_updated, f'Unable to update the permissions: {permissions_updated}'
def test_normal_user_save_admin_account_without_grant_permission(core_session, domain_config_data,
get_admin_user_module):
""" Tc# C282246
Steps for this scenario using API:
1)Login Admin Portal as a Normal User
2)Call API to clear administrative account
3)Set Administrative account from active directory by calling set Administrative account API
"""
conf = domain_config_data
limited_sesh, limited_user = get_admin_user_module
name = conf['pas_bat_scenario1_infrastructure_data'][0]
domain_name = name["Domain_name2"]
domain_list = [domain_name]
data = conf['pas_scenario1_new_accounts'][0]
user = conf['pas_scenario1_new_accounts'][1]
admin_user = user['User_name']
user_data = core_session.get_user()
username = user_data.get_login_name()
user_id = user_data.get_id()
# Get the domain Id from domain section
script = f'Select ID from VaultDomain where Name = "{domain_name}"'
request = RedrockController.redrock_query(core_session, script)
directory_service = request[0]['Row']['ID']
permissions = "Edit"
result, add_domain_account_success = ResourceManager.set_domain_account_permissions(core_session, permissions,
limited_user.get_login_name(),
limited_user.get_id(),
id=directory_service,
pvid=directory_service,
rowkey=directory_service)
assert add_domain_account_success, f'Failed to set add account permission in the domain {result}'
logger.info(f"add account permission set successfully in the Domain.")
directory_services = CoreManager.get_directory_services(core_session)
logger.info(f" Successfully get all the Domain Directory Services.")
# Get the Active Domain Directory Service
for child_directory_service in directory_services.json()['Result']['Results']:
if child_directory_service['Row']['Name'] == name['Domain_name4']:
child_directory_service = child_directory_service['Row']['directoryServiceUuid']
break
active_directory_service_child_domain, add_success = UserManager.directory_query_user(core_session, admin_user,
[child_directory_service])
# set permission
permissions = "Grant,View,Edit,Delete,UnlockAccount,AddAccount"
result, add_domain_account_success = ResourceManager.set_domain_account_permissions(core_session, permissions,
username,
user_id,
id=directory_service,
pvid=directory_service,
rowkey=directory_service)
assert add_domain_account_success, f'Failed to set permission in the domain {result}'
logger.info(f" Permission set successfully in the Domain.")
admin_account = active_directory_service_child_domain['SystemName']
result, add_admin_account_success, message = ResourceManager.set_administrative_account(
core_session,
domain_list,
password=data['Password'],
user=admin_account,
directoryservices=child_directory_service)
assert add_admin_account_success, f'Failed to set administrative account of Active Directory: {message}'
logger.info(f"Administrative account for Active Directory set successfully in the Domain.{result}")
# Clear Administrative account by Normal User in Admin Portal
result, clear_admin_account_success, message = ResourceManager.set_administrative_account(get_admin_user_module[0],
domain_list)
assert clear_admin_account_success, f'Failed to clear administrative account {message}'
logger.info(f"Administrative account for Active Directory clear successfully in the Domain.{message}")
# Normal User set an Administrative account
result, add_admin_account_success, message = ResourceManager.set_administrative_account(
get_admin_user_module[0],
domain_list,
password=data['Password'],
user=admin_account,
directoryservices=child_directory_service)
assert add_admin_account_success is False, f'Successfully set administrative account. {result}'
logger.info(f"Failed to set administrative account, {message}.")
def verify_step_5(self):
# todo: Revisit combining all verify steps
counts_as_none = [None, '', '--', []]
assert self.root_email is not None, "This should not be called if root account not configured"
cp_row = self._cloud_provider_db_row()
results, success = CloudProviderManager.\
get_account_db_rows_by_cloud_provider_id(self.session, cp_row['ID'], root_accounts=True, retries=10)
assert success and len(results) == 1, f"Expected exactly one result {results}"
result = results[0]
account_id = result['ID']
result = UserManager.user_policy_pas_summary(self.session, cp_row['ID'], "CloudProviders", None)
result_data = self.session.get_response_data(result)
rsop = result_data["rsop"]
result = UserManager.user_policy_pas_summary(self.session, account_id, "VaultAccount", None)
result_data = self.session.get_response_data(result)
rsop2 = result_data["rsop"]
key = '/PAS/CloudProviders/LoginRules'
login_rules = None
if key in rsop:
login_rules = rsop[key]
if login_rules in counts_as_none:
login_rules = None
if self.login_conditional_rules is not None:
expected_value = [{'Conditions': [{'Prop': 'IpAddress', 'Op': 'OpInCorpIpRange'}],
'ProfileId': self.policies_map[self.login_conditional_rules]}]
actual_value = json.dumps(login_rules['_Value'], sort_keys=True)
expected_value = json.dumps(expected_value, sort_keys=True)
assert actual_value == expected_value, f"Invalid policy for login conditional {actual_value} expected {expected_value}"
else:
assert login_rules is None or login_rules['_Value'] in counts_as_none, f"Policy should be none for login conditional {login_rules}"
key = '/PAS/CloudProviders/LoginDefaultProfile'
actual_id = None
if key in rsop:
actual_id = rsop[key]
if actual_id in counts_as_none:
actual_id = None
expected_id = None
if self.login_default_rules is not None:
expected_id = self.policies_map[self.login_default_rules]
if expected_id in counts_as_none:
expected_id = None
assert actual_id == expected_id, f"Invalid default login rules {actual_id} != {expected_id}"
expected_id = None
if self.checkout_default_rules is not None:
expected_id = self.policies_map[self.checkout_default_rules]
actual_id = None
key = '/PAS/VaultAccount/PasswordCheckoutDefaultProfile'
if key in rsop2:
actual_id = rsop2[key]
if actual_id in counts_as_none:
actual_id = None
assert actual_id == expected_id, f"Invalid default checkout rules {rsop2}"
key = '/PAS/VaultAccount/PasswordCheckoutRules'
actual_value = None
if key in rsop2:
actual_value = rsop2[key]['_Value']
if actual_value in counts_as_none:
actual_value = None
expected_value = None
if self.checkout_conditional_rules is not None:
expected_value = [{'Conditions': [{'Prop': 'IpAddress', 'Op': 'OpInCorpIpRange'}],
'ProfileId': self.policies_map[self.checkout_conditional_rules]}]
if expected_value in counts_as_none:
expected_value = None
else:
actual_value = json.dumps(actual_value, sort_keys=True)
expected_value = json.dumps(expected_value, sort_keys=True)
assert actual_value == expected_value, f"Invalid root account conditional policy {actual_value} {expected_value}"
