def test_verify_accounts_credential_my_system_accounts(core_session,
pas_windows_setup,
users_and_roles):
"""
TC:C2068 Verify account's credential on "My System Accounts".
:param:core_session: Returns a API session.
:param:users_and_roles:Fixture to manage roles and user.
:param pas_windows_setup:Returns a fixture.
"""
# Creating a system and account.
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(
)
# Cloud user session with "Privileged Access Service Administrator".
cloud_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Administrator')
user_name = cloud_user_session.auth_details['User']
user_id = cloud_user_session.auth_details['UserId']
# Assigning "Workspace Login" permission for account to limited user.
rights = "View,Login,UserPortalLogin"
assign_account_perm_res, assign_account_perm_success = \
ResourceManager.assign_account_permissions(core_session, rights, user_name, user_id, 'User', account_id)
assert assign_account_perm_success, f'Failed to assign "Workspace Login" permission:' \
f'API response result:{assign_account_perm_res}'
logger.info(
f'Successfully "Workspace Login" of account permission to user"{assign_account_perm_res}"'
)
# Assigning "View" permission for system to limited user.
assign_system_perm_res, assign_system_perm_success = ResourceManager.assign_system_permissions(
core_session, "View", user_name, user_id, 'User', system_id)
assert assign_system_perm_success, f'Failed to assign "View" permissions: ' \
f'API response result {assign_system_perm_res}.'
logger.info(
f"Successfully assign system permission to user'{assign_system_perm_res}'"
)
# Getting the details from "My System Accounts" in workspace and validating account in "My System Accounts" list.
workspace_account_list = []
workspace_result_detail, workspace_success = ResourceManager.\
get_my_system_accounts_from_workspace(cloud_user_session)
for workspace_result in workspace_result_detail:
if workspace_result['Name'] == sys_info[0]:
workspace_account_list.append(workspace_result['User'])
assert sys_info[
4] in workspace_account_list, f'failed to get the account {sys_info[4]} on workspace.'
logger.info(f"Could display on Account{sys_info[4]} on workspace")
# validating Account health.
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(
core_session, account_id)
assert verify_pass_success, f"Failed to verify account health:API response result:{verify_pass_result}. "
logger.info(f"Successfully account verified:{verify_pass_result}")
def test_sort_accounts(core_session, pas_setup):
"""
Test Case ID: C2101
Test Case Description: Sort accounts
:param core_session: Authenticate API session
:param pas_setup: Creates System and Account
"""
system_id, account_id, sys_info = pas_setup
sorting = ServerManager.get_all_accounts(core_session,
sortby='Status',
ascending=True)
get_result_account_health, get_success_account_health = ResourceManager.check_account_health(
core_session, account_id)
assert get_success_account_health, f'Account is not reachable due to result: {get_result_account_health}'
logger.info('Account created successfully')
# Checking whether the first account's status is blank
assert sorting[0][
'Status'] == "", "Status is not blank because Account is unreachable"
logger.info(
'Status is blank and it appears at the top after sorting it in ascending order.'
)
def test_add_sap_ase_db_with_unmanaged_account(core_session,
add_database_with_account):
"""
Test case: C286609
:param core_session: Authenticated Centrify session
:param add_database_with_account: fixture to create database with account
"""
db_name, db_id, db_account_id, db_data, database_cleaner_list, account_cleaner_list = \
add_database_with_account(db_class='sapase', add_account=True)
result = UserManager.security_refresh_token(core_session)
assert result['success'], 'failed to refresh Centrify session.'
db_row = RedrockController.get_database(core_session, db_id=db_id)
assert db_name == db_row[
'Name'], f'"{db_name}" not found in Centrify portal.'
logger.info(
f'Database {db_name} found in Centrify portal with details {db_row}')
result, status = ResourceManager.check_account_health(
core_session, db_account_id)
assert status, f"failed to verify DB account {db_data['db_account']} health"
logger.info(
f"database account {db_data['db_account']} verified successfully")
def test_unix_client_account_verification(
core_session, agent_enrolled_unix_system_with_users,
proxy_start_stop):
"""
This test verifies accounts using Client, Connectors
Steps for this scenario:
* Enroll an unix system and create a managed account and an unmanaged account.
* Verify the managed account's password is changed.
* stop the agent, start connector and verify both accounts (only connector is availabe)
- Verify success
* stop the connector and verify both accounts
- Verify failure
* Start the agent and verify both accounts (only Agent is availabe)
- Verify success
* Start the connector and verify both accounts (Both agent and connector are available)
- Verify success
"""
"""
Testrail Link:
https://testrail.centrify.com/index.php?/cases/view/1293456
https://testrail.centrify.com/index.php?/cases/view/1293457
https://testrail.centrify.com/index.php?/cases/view/1293458
"""
# verfiy the test is run with single thread.
assert 'PYTEST_XDIST_WORKER_COUNT' not in os.environ, \
f'This test cannot be run with multiple threads due to starting and stopping connectors'
enrolledsystems = agent_enrolled_unix_system_with_users
accounts = enrolledsystems[0]["Accounts"]
proxyid = enrolledsystems[0]["ProxyId"]
session = enrolledsystems[0]["Session"]
proxycontrol = proxy_start_stop
logger.info("stop the agent")
ssh_manager.ssh_stop_agent(session)
logger.info("start the connector")
proxycontrol(proxyid, True)
logger.info("Verifying accounts, Connector is available")
for i, val in enumerate(accounts):
logger.info(str(i) + ", Name: " + val["Name"])
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(
core_session, val["Id"])
assert verify_pass_result == 'OK', "Verify Failed on Account: " + val[
'Name'] + ", " + verify_pass_result
# stop Conector , Should fail
logger.info("Stopping the connector")
proxycontrol(proxyid, False)
logger.info("Verifying accounts, no agent or connector")
for i, val in enumerate(accounts):
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(
core_session, val["Id"])
assert verify_pass_result != 'OK', "Verify success on Account: " + val[
'Name'] + ", " + verify_pass_result
# Start agent
logger.info("Starting the agent")
ssh_manager.ssh_start_agent(session, True)
logger.info("Verifying accounts, agent is available.")
for i, val in enumerate(accounts):
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(
core_session, val["Id"])
assert verify_pass_result == 'OK', "Verify failed on Account: " + val[
'Name'] + ", " + verify_pass_result
# verify account again, both connector and agent are running
proxycontrol(proxyid, True)
logger.info(
"Verifying accounts, both agent and connector are available")
for i, val in enumerate(accounts):
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(
core_session, val["Id"])
assert verify_pass_result == 'OK', "Verify Failed on Account: " + val[
'Name'] + ", " + verify_pass_result
def test_unix_client_account_checkout_reconciliation(
users_and_roles, unix_machine_environment_config,
agent_enrolled_unix_system_with_users, proxy_start_stop):
"""
This test verifies password reconcilation using agent, connector and both during checkout operation
Steps for this scenario:
* Enroll an unix system and create a managed account.
* Verify the managed account's password is rotated.
* Change the password of the account on the target system
* stop the agent and checkout the password of managed account(only connector is availabe)
- Verify success
- Verify OperationMode is Connector
* Verify managed acount
- Verify success
* Change the password of the account on the target system
* stop the connector and checkout the password of managed account
- Verify failure
* Start the agent and checkout the password of managed account (only Agent is availabe)
- Verify success
- Verify OperationMode is Client
* Verify managed acount
- Verify success
* Change the password of the account on the target system
* Start the connector and checkout the password of managed account (Both agent and connector are available)
- Verify success
- Verify OperationMode is Client
* Verify managed acount
- Verify success
"""
"""
Testrail Link:
https://testrail.centrify.com/index.php?/cases/view/1293462
https://testrail.centrify.com/index.php?/cases/view/1293463
https://testrail.centrify.com/index.php?/cases/view/1293464
"""
# verfiy the test is run with single thread.
assert 'PYTEST_XDIST_WORKER_COUNT' not in os.environ, \
f'This test cannot be run with multiple threads due to starting and stopping connectors'
enrolledsystems = agent_enrolled_unix_system_with_users
accounts = enrolledsystems[0]["Accounts"]
resourceId = enrolledsystems[0]["ResourceId"]
proxyid = enrolledsystems[0]["ProxyId"]
session = enrolledsystems[0]["Session"]
proxycontrol = proxy_start_stop
conf = unix_machine_environment_config
success_message = conf['success_message']
right_data = ("Privileged Access Service Power User",
"role_Privileged Access Service Power User")
requester_session = users_and_roles.get_session_for_user(right_data[0])
accountuser = accounts[1]
logger.info("stop the agent")
ssh_manager.ssh_stop_agent(session)
proxycontrol(proxyid, True)
# count managed password change events
filter = [['AccountName', accountuser['Name']],
['ComputerID', resourceId]]
# set a different password for the user
ssh_manager.change_sshuser_password(session, accountuser['Name'],
"differentpassword3",
success_message)
logger.info(
"Rotate account and verify reconciliation, Connector is available")
result, success = ResourceManager.check_out_password(
requester_session, 1, accountuser["Id"])
assert success, "Reconciliation failed during checkout, Account " + accountuser[
'Name']
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(
requester_session, accountuser["Id"])
assert verify_pass_result == 'OK', f"Verify Failed on Account: {accountuser['Name']}"
# verify operationMode
rows = RedrockController.wait_for_event_by_type_filter(
requester_session,
"Cloud.Server.LocalAccount.AdministrativeResetAccountPassword",
filter=filter)
eventcount = len(rows)
logger.info(
f"# of Cloud.Server.LocalAccount.AdministrativeResetAccountPassword events : {eventcount}"
)
assert rows[0][
"OperationMode"] == "Connector", "Failed to verify OperationMode"
# stop Connector, Should fail
logger.info("Stopping the connector")
proxycontrol(proxyid, False)
# set a different password for the user
ssh_manager.change_sshuser_password(session, accountuser['Name'],
"differentpassword4",
success_message)
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(
requester_session, accountuser["Id"])
assert verify_pass_result != 'OK', f"Verify Failed on Account: {accountuser['Name']}"
# Start agent
logger.info("Starting the agent")
ssh_manager.ssh_start_agent(session, True)
# set a different password for the user
ssh_manager.change_sshuser_password(session, accountuser['Name'],
"differentpassword5",
success_message)
logger.info(
"Rotate account and verify reconciliation, Agent is available")
result, success = ResourceManager.check_out_password(
requester_session, 1, accountuser["Id"])
assert success, f"Reconciliation failed during checkout, Account {accountuser['Name']}"
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(
requester_session, accountuser["Id"])
assert verify_pass_result == 'OK', f"Verify Failed on account: {accountuser['Name']}"
# verify operationMode
rows = RedrockController.wait_for_event_by_type_filter(
requester_session,
"Cloud.Server.LocalAccount.AdministrativeResetAccountPassword",
filter=filter,
count=eventcount + 1)
eventcount = len(rows)
logger.info(
f"# of Cloud.Server.LocalAccount.AdministrativeResetAccountPassword events : {eventcount}"
)
assert rows[0][
"OperationMode"] == "Client", "Failed to verify OperationMode is Client"
# verify account again, both connector and agent are running
logger.info("Starting connector")
proxycontrol(proxyid, True)
# set a different password
ssh_manager.change_sshuser_password(session, accountuser['Name'],
"differentpassword3",
success_message)
logger.info(
"Rotate account and verify reconciliation, client and connector are available"
)
result, success = ResourceManager.check_out_password(
requester_session, 1, accountuser["Id"])
assert success, f"Reconciliation failed during checkout, Account {accountuser['Name']}"
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(
requester_session, accountuser["Id"])
assert verify_pass_result == 'OK', f"Verify Failed on Account: {accountuser['Name']}"
# verify operationMode
rows = RedrockController.wait_for_event_by_type_filter(
requester_session,
"Cloud.Server.LocalAccount.AdministrativeResetAccountPassword",
filter=filter,
count=eventcount + 1)
eventcount = len(rows)
logger.info(
f"# of Cloud.Server.LocalAccount.AdministrativeResetAccountPassword events : {eventcount}"
)
assert rows[0][
"OperationMode"] == "Client", "Failed to verify OperationMode is Client"
def test_windows_client_account_unlock(users_and_roles, agent_enrolled_windows_system_with_users, proxy_start_stop):
# NOTE: policy must be set on the system to lock the account after 3 failed login attemps
"""
This test verifies account unlock using agent, connector and both
Steps for this scenario:
* Enroll a windows system and create a managed account.Also set admin account and enable manual unlock
* Verify the managed account's password is rotated.
* Lock the account (try to verify the account multiple times with wrong password to lock the account)
* Unlock the account
- Verify success
- Verify OperationMode is Connector
* stop the connector
* Lock the account
* Get the account status
- Verify failure
* Start the agent (only Agent is availabe)
* Unlock the account
- Verify success
- Verify OperationMode is Client
* Lock the account
* Start the connector
* Unlock the account
- Verify success
- Verify OperationMode is Client
"""
"""
Testrail Link:
https://testrail.centrify.com/index.php?/cases/view/1293479
https://testrail.centrify.com/index.php?/cases/view/1293480
https://testrail.centrify.com/index.php?/cases/view/1293481
"""
# verfiy the test is run with single thread.
assert 'PYTEST_XDIST_WORKER_COUNT' not in os.environ, f'This test cannot be run with multiple threads due to starting and stopping connectors'
enrolledsystems = agent_enrolled_windows_system_with_users
accounts = enrolledsystems[0]["Accounts"]
resourceId = enrolledsystems[0]["ResourceId"]
proxyid = enrolledsystems[0]["ProxyId"]
hostName = enrolledsystems[0]["ResourceFQDN"]
winrm_session_as_admin = enrolledsystems[0]["Session"]
proxycontrol = proxy_start_stop
right_data = ("Privileged Access Service Power User", "role_Privileged Access Service Power User")
requester_session = users_and_roles.get_session_for_user(right_data[0])
accountuser = accounts[1]
logger.info("stop the agent")
winrm_helper.stop_agent(winrm_session_as_admin)
proxycontrol(proxyid, True)
# get the correct password of the account.
result, success = ResourceManager.check_out_password(requester_session, 15, accountuser["Id"])
assert success, "Reconciliation failed during checkout, Account " + accountuser['Name']
password = result['Password']
# count managed password change events
filter = [['AccountName', accountuser['Name']], ['ComputerID', resourceId]]
# lock the account
winrm_helper.lock_account(hostName, accountuser['Name'], password)
result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"])
assert success, f"Failed to unlock account. {message}"
# verify operationMode
rows = RedrockController.wait_for_event_by_type_filter(requester_session,
"Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock",
filter=filter)
eventcount = len(rows)
logger.info(f"# of Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock events : {eventcount}")
assert rows[0]["OperationMode"] == "Connector", "Failed to verify OperationMode"
# stop Connector, Should fail
logger.info("Stopping the connector")
proxycontrol(proxyid, False)
# set a different password for the user
winrm_helper.lock_account(hostName, accountuser['Name'], password)
result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"])
assert (success == False), "Unlock account succeeded when agent and conmnector are not available."
# Start agent
logger.info("Starting the agent")
winrm_helper.start_agent(winrm_session_as_admin)
winrm_helper.lock_account(hostName, accountuser['Name'], password)
result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"])
assert success, f"Failed to unlock account. {message}"
# verify operationMode
rows = RedrockController.wait_for_event_by_type_filter(
requester_session, "Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock",
filter=filter, count=eventcount + 1)
eventcount = len(rows)
logger.info(f"# of Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock events : {eventcount}")
assert rows[0]["OperationMode"] == "Client", "Failed to verify OperationMode is Client"
# verify account again, both connector and agent are running
logger.info("Starting connector")
proxycontrol(proxyid, True)
# set a different password
winrm_helper.lock_account(hostName, accountuser['Name'], password)
result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"])
assert success, f"Failed to unlock account. {message}"
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(requester_session,
accountuser["Id"])
assert verify_pass_result == 'OK', f"Verify Failed on Account: {accountuser['Name']}"
# verify operationMode
rows = RedrockController.wait_for_event_by_type_filter(
requester_session, "Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock",
filter=filter, count=eventcount + 1)
eventcount = len(rows)
logger.info(f"# of Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock events : {eventcount}")
assert rows[0]["OperationMode"] == "Client", "Failed to verify OperationMode is Client"
