def test_system_level_password_checkout_yes(core_session, pas_windows_setup,
users_and_roles,
update_tenant_multiple_checkouts):
"""
C1547 : System level password checkout set to 'yes'
:param core_session: Authenticated Centrify Session
:param pas_windows_setup: Added and return Windows system and Account associated to it.
:param users_and_roles: Gets user and role on demand.
"""
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(
)
user_session = users_and_roles.get_session_for_user(
"Privileged Access Service Administrator")
pas_admin = user_session.__dict__['auth_details']
# Setting 'Allow multiple password checkouts for this system' policy to Yes on Advanced tab
result, success = ResourceManager.update_system(
core_session,
system_id,
sys_info[0],
sys_info[1],
sys_info[2],
allowmultiplecheckouts=True)
assert success, f"'Allow multiple password checkouts' policy not set to 'yes' for System : {system_id}. " \
f"API response result: {result}. "
logger.info(
f"'Allow multiple password checkouts' policy set to 'yes' for system : {system_id}"
)
# Setting 'Allow multiple password checkouts' policy to Uncheck on Global Security Setting page
result, success = update_tenant_multiple_checkouts(core_session, False)
assert success, f"Not able to disable 'Allow multiple password checkouts' policy on " \
f"Global Security Setting page. API response result: {result}. "
logger.info(
f"'Allow multiple password checkouts' policy Unchecked on Global Security Setting page"
)
# Assigning 'Checkout' permission to user for account.
account_result, account_success = ResourceManager.assign_account_permissions(
core_session, 'Naked', pas_admin['User'], pas_admin['UserId'], 'User',
account_id)
assert account_success, f"Assign Checkout permission to account : {account_id} failed. " \
f"API response result: {account_result}. "
logger.info(
f"'Checkout' permission given to user: {pas_admin['User']} for Account:{account_id}."
)
# Checkout account while logged in as Cloud Admin
admin_checkout_result, admin_checkout_success = ResourceManager.check_out_password(
core_session, 1, account_id)
assert admin_checkout_result['Password'] == user_password, f"Not able to checkout Account : {account_id}. API " \
f"response result: {admin_checkout_result}. "
logger.info(f"Account Checkout successful for Account :{account_id}.")
# Checkout account while logged in as Privileged Access Service Administrator
user_checkout_result, user_checkout_success = ResourceManager.check_out_password(
user_session, 1, account_id)
assert user_checkout_result['Password'] == user_password, f"Not able to checkout Account : {account_id}. API " \
f"response result: {user_checkout_result}. "
logger.info(f"Account CheckIn successful for Account :{account_id}.")
def test_system_level_password_checkout_blank(
core_session, pas_windows_setup, users_and_roles,
update_tenant_multiple_checkouts):
"""
C1548 : System level password checkout set to '--'
:param core_session: Authenticated Centrify Session
:param pas_windows_setup: Added and return Windows system and Account associated to it.
:param users_and_roles: Gets user and role on demand.
"""
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(
)
user_session = users_and_roles.get_session_for_user(
"Privileged Access Service Administrator")
pas_admin = user_session.__dict__['auth_details']
# Setting 'Allow multiple password checkouts' policy to Uncheck on Global Security Setting page
result, success = update_tenant_multiple_checkouts(core_session, False)
assert success, f"Not able to disable 'Allow multiple password checkouts' policy on Global " \
f"Security Setting page. API response result: {result}."
logger.info(
f"'Allow multiple password checkouts' policy Unchecked on Global Security Setting page"
)
# Assigning 'Checkout' permission to user for Account.
account_result, account_success = ResourceManager.assign_account_permissions(
core_session, 'Naked', pas_admin['User'], pas_admin['UserId'], 'User',
account_id)
assert account_success, f"Assign Checkout permission to account : {account_id} failed. " \
f"API response result: {account_result}"
logger.info(
f"'Checkout' permission given to user: {pas_admin['User']} for Account:{account_id}."
)
# Checkout account while logged in as Cloud Admin
admin_checkout_result, admin_checkout_success = ResourceManager.check_out_password(
core_session, 1, account_id)
assert admin_checkout_result['Password'] == user_password, f"Not able to checkout Account : {account_id}. API " \
f"response result: {admin_checkout_result} "
logger.info(f"Account Checkout successful for Account :{account_id}.")
# Checkout account while logged in as Privileged Access Service Administrator
user_checkout_result, user_checkout_success = ResourceManager.check_out_password(
user_session, 1, account_id)
assert not user_checkout_success, f"Checkout Account successful : {account_id} : API response " \
f"result: {user_checkout_result}"
logger.info(f"Not able to checkout Account : {account_id}")
activity = RedrockController.get_account_activity(user_session,
account_id)[0]['Detail']
assert 'Multiple checkouts not allowed' in activity, f"Checkout Failed activity not found " \
f"for account : {account_id}. API response result: {activity} "
logger.info(
f"Checkout Failed activity found in Activity for account : {account_id}"
)
def test_database_level_password_checkout_blank(
core_session, create_databases_with_accounts, users_and_roles,
update_tenant_multiple_checkouts):
"""
C1552 : Database Level password checkout set to 'default'.
:param core_session: Authenticated Centrify Session.
:param create_databases_with_accounts: Added and return Database and Account associated to it.
:param users_and_roles: Gets user and role on demand.
"""
database = create_databases_with_accounts(core_session, 1, 1)[0]
user_session = users_and_roles.get_session_for_user(
"Privileged Access Service Administrator")
pas_admin = user_session.__dict__['auth_details']
# Setting 'Allow multiple password checkouts' policy to enable on Global Security Setting page
result, success = update_tenant_multiple_checkouts(core_session, True)
assert success, f"Not able to enable 'Allow multiple password checkouts' policy on Global Security Setting page. " \
f"API response result: {result}."
logger.info(
f"'Allow multiple password checkouts' policy Enabled on Global Security Setting page"
)
# Assigning 'Checkout' permission to user for account.
account_result, account_success = ResourceManager.assign_account_permissions(
core_session, 'Naked', pas_admin['User'], pas_admin['UserId'], 'User',
database['Accounts'][0]['ID'])
assert account_success, f"Assign Checkout permission to account : {database['Accounts'][0]['ID']} " \
f"failed. API response result: {account_result}. "
logger.info(
f"'Checkout' permission given to user: {pas_admin['User']} for "
f"Account:{database['Accounts'][0]['ID']}.")
# Checkout account while logged in as Cloud Admin
admin_checkout_result, admin_checkout_success = ResourceManager.check_out_password(
core_session, 1, database['Accounts'][0]['ID'])
assert admin_checkout_success, f"Not able to checkout Account : {database['Accounts'][0]['ID']}. API response " \
f"result: {admin_checkout_result}. "
logger.info(
f"Account Checkout successful for Account :{database['Accounts'][0]['ID']}."
)
# Checkout account while logged in as Privileged Access Service Administrator
user_checkout_result, user_checkout_success = ResourceManager.check_out_password(
user_session, 1, database['Accounts'][0]['ID'])
assert user_checkout_success, f"Not able to checkout Account : {database['Accounts'][0]['ID']}. API response " \
f"result: {user_checkout_result}. "
logger.info(
f"Account Checkout successful for Account :{database['Accounts'][0]['ID']}."
)
def _verify_get_mfa_token(self, account_id, expect_challenge_on_checkout):
pas_user = self.session.get_user()
result, success = ResourceManager.assign_account_permissions(self.session,
"Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword",
pas_user.get_login_name(), pas_user.get_id(),
pvid=account_id)
assert success, f"Failed to set account permissions {result}"
result, success = ResourceManager.check_out_password(self.session, 6, account_id)
if not expect_challenge_on_checkout:
assert success and result['Password'] == self.root_password, f"Unexpected value for password {result}"
new_coid = result['COID']
result, success = ResourceManager.check_in_password(self.session, coid=new_coid)
assert success, "Did not check in password"
else:
assert 'ChallengeId' in result and len(
result) == 1, f"Did not receive expected challenge {result} {success}"
result, success = CloudProviderManager.get_mfa_token(self.session, account_id)
if self.mfa_code:
assert success, f"Failed to get_mfa_token {result}"
assert len(result['code']) == 6, f"Token returned was wrong length {result}"
else:
assert not success, f"Should fail with MFA not set {result}"
def test_checkout_password_for_sql_unmanaged_account(
core_session, add_database_with_account):
"""
Test case: C1101 - Checkout password for a SQL unmanaged account
:param core_session: Authenticated centrify session
:param add_database_with_account: fixture to create database with account as optional.
"""
db_name, db_id, db_account_id, db_data, database_cleaner_list, sql_account_cleaner_list = \
add_database_with_account(db_class='sql', add_account=True)
result, status = ResourceManager.check_out_password(
core_session, lifetime=15, accountid=db_account_id)
assert status, f'failed to checkout account {db_data["db_account"]} password.'
assert result['Password'] == db_data[
'password'], "Checked out password dose'nt match the actual password"
logger.info(f'{db_data["db_account"]} password check out successfully.')
acc_activity = RedrockController.get_account_activity(
core_session, db_account_id)
assert f'{core_session.auth_details["User"]} checked out database account "{db_data["db_account"]}" password for ' \
f'database "{db_name}"' in \
acc_activity[0]['Detail'], f"no activity of checkout found for account {db_data['db_account']}"
logger.info(
f"There is a checkout record for the account {db_data['db_account']} in activity"
)
def test_add_managed_proxy_account(core_session, pas_windows_setup):
"""
:param core_session: Authenticated Centrify Session.
:param pas_windows_setup: Fixture for adding a system and an account associated with it.
TC: C2537 - Add system with managed account and Proxy account with WinRM https settings
trying to Add system with managed account and Proxy account with WinRM https settings
Steps:
Pre: Create system with 1 manage and proxy account
1. Try to fetch the management mode in setting page
-Assert Failure
2. Try to check out password from account
-Assert Failure
"""
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(True, True)
logger.info(f"System: {sys_info[0]} successfully added with UUID: {system_id} and account: {sys_info[4]} "
f"with UUID: {account_id} associated with it.")
managementmode = RedrockController.get_computer_with_ID(core_session, system_id)
assert managementmode['ManagementMode'] == "WinRMOverHttps", \
f"management mode is failed because of system doesnt have proxy account. API response result: {managementmode}"
logger.info(f"Fetch management mode successfully: {managementmode['ManagementMode']}")
password_checkout_result, password_checkout_success = ResourceManager.check_out_password(core_session, 1,
accountid=account_id)
assert password_checkout_result['Password'] is not user_password, \
f"password checkout Failed. API response result: {password_checkout_result}"
logger.info(f"password successfully checkout Account password: {password_checkout_result['COID']}")
def test_password_checkin_from_my_password_checkout_field(
core_session, pas_setup, core_admin_ui):
"""
Test case: C14838
:param core_session: Centrify session
:param pas_setup: fixture to create system with account
:param core_admin_ui: UI session
"""
system_id, account_id, system_info = pas_setup
result, status = ResourceManager.check_out_password(
core_session, 1, account_id, 'test checkout account')
assert status, f'failed to checkout password for account {system_info[4]}, returned result is: {result}'
ui = core_admin_ui
ui.navigate(('Workspace', 'My Password Checkouts'))
ui.expect(
GridCell(f'{system_info[4]} ({system_info[0]})'),
f'expected to find checkout details for account '
f'{system_info[4]} but did not')
logger.info(
f'found details for account {system_info[4]} in My Password Checkout view'
)
ui.right_click_action(GridCell(f'{system_info[4]} ({system_info[0]})'),
'Checkin')
ui.expect_disappear(
GridCell(f'{system_info[4]} ({system_info[0]})'),
f'Expacted to find no records for '
f'{system_info[4]} in My Password Checkout, but found one')
logger.info(f'successfully checkin password for account {system_info[4]} ')
def test_update_managed_account(pas_setup, core_session, pas_config):
"""
:param pas_config:
:param pas_setup: Fixture for adding a system and an account associated with it.
:param core_admin_ui: Authenticated Centrify Session.
:param core_session: Authenticated Centrify Session.
TC: C2547 - Update managed account
trying to Update managed account password
Steps:
Pre: Create system with 1 manage account hand
1. Try to update invalid password
-Assert Failure
2. Try to update valid password
-Assert Failure
3. Try to check password history
"""
user_name = core_session.get_user().get_login_name()
System_configurations_from_yaml = pas_config
system_data = System_configurations_from_yaml[
'Windows_infrastructure_data']
added_system_id, account_id, sys_info = pas_setup
Result, success = ResourceManager.update_password(core_session, account_id,
guid())
assert success, "Did not update password"
Result, success = ResourceManager.update_password(core_session, account_id,
system_data['password'])
assert success, "Did not update password"
result, success = ResourceManager.check_out_password(
core_session, 1, account_id)
assert success, "Did not retrieve password"
query = f"select EntityId, State, StateUpdatedBy, StateUpdatedTime from PasswordHistory where EntityId=" \
f"'{account_id}' and StateUpdatedBy='{user_name}' and State='Retired'"
password_history = RedrockController.get_result_rows(
RedrockController.redrock_query(core_session, query))[0]
assert len(password_history) > 0, "Password history table did not update"
def test_checkin_password_for_unmanaged_account(core_session, setup_pas_system_for_unix):
"""
TC: C279514 - Checkin password for unmanaged account.
:param core_session: Authenticated Centrify Session.
:param setup_pas_system_for_unix: Adds and yields uuid of a Unix system and account associated to it.
"""
added_system_id, account_id, sys_info = setup_pas_system_for_unix
co_result, co_success = ResourceManager.check_out_password(core_session, 1, account_id, "checkout test")
assert co_success, f"Account checkout failed with APi response result: {co_result}."
checkin_result, checkin_success = ResourceManager.check_in_password(core_session, co_result['COID'])
assert checkin_success, f"Checkin for account {account_id} failed with API response result: {checkin_result}"
logger.info(f'Successfully checked in the password for account {account_id} with API response result:'
f' {checkin_result} and success: {checkin_success}')
def test_check_number_of_total_checkout(core_session, pas_setup,
users_and_roles):
"""
Test case: C286364
:param core_session: Authenticated Centrify session
:param users_and_roles: Fixture to manage roles and user
"""
system_id, account_id, sys_info = pas_setup
# Cloud user session with "Privileged Access Service Administrator"
cloud_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Administrator')
user_name = cloud_user_session.auth_details['User']
user_id = cloud_user_session.auth_details['UserId']
# Assigning system view permission
result, status = ResourceManager.assign_system_permissions(core_session,
"View",
user_name,
user_id,
pvid=system_id)
assert status, f"Failed to assign system permissions return result is {result}"
logger.info(
f'View rights assigned to user {user_name} for system {sys_info[0]}')
# Assigning cloud user view and checkout permission for account
account_rights = "View,Naked"
acc_result, acc_status = ResourceManager.assign_account_permissions(
core_session, account_rights, user_name, user_id, pvid=account_id)
assert acc_status, f"failed to assign account permission, returned result is {acc_result}"
logger.info(
f'successfully assigned {account_rights} permission for account {sys_info[4]} of '
f'{sys_info[0]} to user {user_name}')
# Checkout password using cloud user
result, success = ResourceManager.check_out_password(
cloud_user_session, 1, account_id)
assert success, f"cloud user: {user_name} failed to checkout account {sys_info[4]}."
logger.info(
f"Cloud user: {user_name} successfully checked out account {sys_info[4]} of system {sys_info[0]}."
)
# retrieving my total checkout value from workspace
checkout_count = ResourceManager.get_my_total_checkout(
cloud_user_session, user_id)
assert checkout_count > 0, f'failed to retrieve total checkout value as it never updated. returned count is ' \
f'{checkout_count}'
logger.info(f'My total Checkout field is updated by {checkout_count}')
def test_check_my_password_checkout_field_after_checkout_account(core_session, pas_setup, core_admin_ui):
"""
Test case: C14837
:param core_session: Centrify session
:param pas_setup: fixture to create system with account
:param core_admin_ui: UI session
"""
system_id, account_id, system_info = pas_setup
result, status = ResourceManager.check_out_password(core_session, 1, account_id, 'test checkout account')
assert status, f'failed to checkout password for account {system_info[4]}, returned result is: {result}'
ui = core_admin_ui
ui.navigate(('Workspace', 'My Password Checkouts'))
ui.expect(GridCell(f'{system_info[4]} ({system_info[0]})'), f'expected to find checkout details for account '
f'{system_info[4]} but did not')
def test_update_un_managed_account(pas_windows_setup, core_session):
"""
:param pas_windows_setup: Fixture for adding a system and an account associated with it.
:param core_session: Authenticated Centrify Session.
TC: C2548 - Update un managed account
trying to Update un managed account password
Steps:
Pre: Create system with 1 un manage account hand
1. Try to update valid password
-Assert Failure
2. Try to get activity of updated password
-Assert Failure
3. Try to check password history
"""
user_name = core_session.get_user().get_login_name()
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(
)
logger.info(
f"System: {sys_info[0]} successfully added with UUID: {system_id} and account: {sys_info[4]} "
f"with UUID: {account_id} associated with it.")
Result, success = ResourceManager.update_password(core_session, account_id,
guid())
assert success, f"Did not update password, API Response: {Result}"
logger.info(f'user not able to update password, API Response::{Result}')
row = ResourceManager.get_system_activity(core_session, system_id)
assert f'{user_name} updated local account "{sys_info[4]}" password for "{sys_info[0]}"' in row[0]['Detail'], \
"user not able to update un managed account password"
logger.info(
f'account activity logs for un manage account API response:{row}')
result, success = ResourceManager.check_out_password(
core_session, 1, account_id)
assert success, f"Did not retrieve password API response: {result}"
logger.info(f'user not able to retrieve password API response:{result}')
query = f"select EntityId, State, StateUpdatedBy, StateUpdatedTime from PasswordHistory where EntityId=" \
f"'{account_id}' and StateUpdatedBy='{user_name}' and State='Retired'"
password_history = RedrockController.get_result_rows(
RedrockController.redrock_query(core_session, query))[0]
assert len(
password_history
) > 0, f"Password history table did not update {password_history}"
logger.info(f'Password history table API response:{password_history}')
def test_checkin_password_for_managed_account_from_workspace(
core_session, setup_pas_system_for_unix, core_admin_ui):
"""
TC: C2503 - Checkin password for managed account from Workspace page
:param core_session: Authenticated Centrify Session.
:param setup_pas_system_for_unix: Adds and yields uuid of a Unix system and account associated to it.
"""
added_system_id, account_id, sys_info = setup_pas_system_for_unix
co_result, co_success = ResourceManager.check_out_password(
core_session, 1, account_id, "checkout test")
assert co_success, f"Account checkout failed with APi response result: {co_result}."
ui = core_admin_ui
ui.navigate(['Workspace', 'My Password Checkouts'])
ui.check_row_by_guid(co_result["COID"])
ui.action('Checkin')
logger.info(
f'Password for {account_id} has been checked-in from workspace page.')
result, success = ResourceManager.check_in_password(
core_session, account_id)
assert success is False, "Password checkin from workspace page failed"
logger.info('Password successfully checked-in from workspace page.')
def test_checkout_un_managed_account(core_session, pas_windows_setup,
pas_config):
"""
Test case:C2552 Checkout password for an un managed account
:param core_session: Returns a API session.
:param pas_windows_setup: Returns a fixture.
:param pas_config: fixture for fetching up the value from yaml.
"""
# Creating a system and account.
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(
)
# Checking out the password and validating the password.
password_checkout_result, password_checkout_success = ResourceManager.check_out_password(
core_session, 1, accountid=account_id)
assert password_checkout_result['Password'] == user_password, \
f"password checkout Failed. API response result: {password_checkout_result}"
logger.info(
f"password successfully checkout Account password: {password_checkout_result['COID']}"
)
def test_check_in_password_un_managed_account(core_session, pas_windows_setup,
pas_config):
"""
Test case: C2553 Check in password for the un managed account
:param core_session: Returns a API session.
:param pas_windows_setup: Returns a fixture.
:param pas_config: fixture for fetching up the value from yaml.
"""
# Creating a system and account.
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(
)
# Checking out the password and validating the password.
password_checkout_result, password_checkout_success = ResourceManager.check_out_password(
core_session, 1, accountid=account_id)
assert password_checkout_result['Password'] == user_password, \
f"password checkout Failed. API response result: {password_checkout_result}"
logger.info(
f"password successfully checkout Account password: {password_checkout_result['COID']}"
)
# Checking in password.
password_check_in_result, password_check_in_success = ResourceManager.check_in_password(
core_session, coid=password_checkout_result['COID'])
assert password_check_in_success, f"password check-in Failed. API response result: {password_check_in_result}"
logger.info(
f"password successfully check in for account: {password_check_in_result}"
)
# Checking the activity.
username = core_session.get_user().get_login_name()
result_activity = ResourceManager.get_system_activity(
core_session, system_id)
assert f'{username} checked in local account "{sys_info[4]}" password for system "{sys_info[0]}"' \
f'({sys_info[1]})' in result_activity[0]['Detail'], \
"Fail to check in password:API response result: {password_check_in_result} "
logger.info(f"account activity list:{result_activity}")
def test_check_systems_checkouts(core_session, pas_setup):
"""
Test Case ID: C2209
Test Case Description: Check Top System Checkouts on Dashboards after checking out
:param core_session: Authenticates API session
:param pas_setup: Creates a windows system and account
"""
system_id, account_id, sys_info = pas_setup
system_name = sys_info[0]
result, success = ResourceManager.check_out_password(core_session,
lifetime=2,
accountid=account_id)
assert success, f'Failed to checkout password due to result: {result}'
logger.info('Successfully checkout account')
get_system_checkouts = ResourceManager.get_top_system_checkouts(
core_session)
list_to_store_checkout = []
for name in get_system_checkouts:
if name['Row']['Name'] == system_name:
list_to_store_checkout.append(name['Row']['Name'])
assert list_to_store_checkout, f'{system_name} is not present in Top Systems Checkouts'
logger.info(f'{system_name} is present in Top system checkouts.')
def test_checkout_password_for_unmanaged_account_from_account_page(
setup_pas_system_for_unix, core_session):
"""
TC: C2506 - Checkout password for unmanaged account from account page
:param setup_pas_system_for_unix: Adds and yield UUID of a Unix system and account associated to it.
:param core_admin_ui: Authenticated Centrify browser session with cloud admin credentials from core.yaml
"""
added_system_id, account_id, sys_info = setup_pas_system_for_unix
automation_data = Configs.get_environment_node('resources_data',
'automation_main')
password = automation_data['Unix_infrastructure_data']['password']
result, success = ResourceManager.check_out_password(
core_session, 1, account_id, "Copy the password")
assert success, f"Password checkout failed with API response result: {result}"
logger.info(
f"Password successfully checked out for account: '{sys_info[4]}'")
assert result[
'Password'] == password, "Clipboard contents didn't change after clicking 'Copy Password' button."
logger.info(
"Successfully clicked on 'Copy Password' button to copy the password.")
def test_checkin_password_for_unmanaged_account(core_session,
add_database_with_account):
"""
Test case: C1104
:param core_session: Authenticated centrify session
:param add_database_with_account: fixture to create database with account as optional.
"""
db_name, db_id, db_account_id, db_data, database_cleaner_list, sql_account_cleaner_list = \
add_database_with_account(db_class='sql', add_account=True)
checkout_result, status = ResourceManager.check_out_password(
core_session, lifetime=15, accountid=db_account_id)
assert status, f'failed to checkout account {db_data["db_account"]} password. returned result is {checkout_result}'
assert checkout_result['Password'] == db_data[
'password'], "Checked out password dose'nt match the actual password"
logger.info(f'{db_data["db_account"]} password check out successfully.')
result, status = ResourceManager.check_in_password(core_session,
checkout_result['COID'])
assert status, f'failed to checkin password for account {db_data["db_account"]}, return result is {result}'
logger.info(
f'account {db_data["db_account"]} password checked in successfully')
acc_activity = RedrockController.get_account_activity(
core_session, db_account_id)
assert f'{core_session.auth_details["User"]} checked in database account "{db_data["db_account"]}" password for ' \
f'database "{db_name}"' in \
acc_activity[0]['Detail'], f"no activity of checkout found for account {db_data['db_account']}"
logger.info(
f"There is a checkout record for the account {db_data['db_account']} in activity"
)
for activity in acc_activity:
assert 'Reason: Change password after checked-in' not in activity[
'Detail'], f'activity for change password behavior found.'
logger.info('activity for change password behavior not found.')
def test_Change_Account_managed(core_session, pas_config, remote_users_qty1,
detect_proxy):
"""
:param core_session: Authenticated Centrify Session.
:param pas_config: fixture reading data from resources_data.yaml file.
TC: C2544 - Change Account to be a managed account and verify password changed in 5 minutes
trying to validate the added manage Account password Activity log's
Steps:
1. Try to add a system along with an manage account
-Assert Failure
2. Try to check in the account password is rotated
-Assert Failure
3. Try to validate account activity log's
"""
user = core_session.get_user()
user_name = user.get_login_name()
sys_name = f"Automatedsystem{guid()}"
res_data = pas_config
user = remote_users_qty1
sys_result, status = ResourceManager.add_system(
core_session, sys_name,
res_data['Windows_infrastructure_data']['FQDN'], 'Windows', "Rdp")
assert status, f"failed to add system"
success, response = ResourceManager.update_system(
core_session,
sys_result,
sys_name,
res_data['Windows_infrastructure_data']['FQDN'],
'Windows',
managementmode='RpcOverTcp')
assert success, f"failed to change the management mode:API response result:{response}"
logger.info(f"Successfully updated the system:{response}")
account_id, status = ResourceManager.add_account(core_session, user[0],
'Hello123', sys_result)
assert status, f'failed to add account'
success, response = ResourceManager.update_account(core_session,
account_id,
user[0],
host=sys_result,
ismanaged=True)
assert success, f'Updating account failed. API response: {response}'
server_id = ResourceManager.wait_for_server_to_exist_return_id(
core_session, sys_name)
acc_id = ResourceManager.wait_for_account_to_exist_return_id(
core_session, user[0])
assert server_id == sys_result, "Server was not created"
assert acc_id == account_id, "Account was not created"
res, success = ResourceManager.rotate_password(core_session, account_id)
assert success, f"Failed to add account in the portal: {res}"
checkout_password, response = ResourceManager.check_out_password(
core_session, 1, accountid=account_id)
assert checkout_password[
'Password'] != 'Hello123', f'Checkout Password Failed. API response: {response}'
row = ResourceManager.get_system_activity(core_session, sys_result)
checkout_activity = row[0]['Detail']
created_date_json = str(row[0]['When'])
ResourceManager.get_date(created_date_json)
assert f'{user_name} checked out local account "{user[0]}" password for system "{sys_name}"' \
f'({res_data["Windows_infrastructure_data"]["FQDN"]})' == checkout_activity, "No system activity data "
logger.info(f"account activity list:{row}")
def test_verify_rule_restrict_character(core_session, cleanup_accounts,
create_basic_pass_profile, pas_setup,
remote_users_qty1):
"""
TC C281499: Verify the rule(Restrict number of character occurrences) work correct
:param core_session: Authenticates API session
:param create_basic_pass_profile: Creates a password profile
:param pas_setup: Creates system and account
:param remote_users_qty1: Creates account in target system
:param cleanup_accounts: Deletes Accounts
"""
accounts_list = cleanup_accounts[0]
added_system_id, account_id, sys_info = pas_setup
logger.info(
f"System: {sys_info[0]} successfully added with UUID: {added_system_id} and account: {sys_info[4]} "
f"with UUID: {account_id} associated with it.")
# Adding user in target machine
add_user_in_target_system = remote_users_qty1
user_password = "******"
# Adding account in portal
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=added_system_id,
ismanaged=True)
assert acc_success, f"Failed to add account: {acc_result}"
logger.info("Successfully added account in system")
# Cleanup Account
accounts_list.append(acc_result)
# Creating Password Profile
profile = create_basic_pass_profile(core_session, 1)[0]
profile_name_cps = profile[0]['Name']
cps_prof_id = profile[0]['_RowKey']
cps_prof_result, cps_prof_success = ResourceManager.get_password_profile_by_id(
core_session, cps_prof_id)
assert cps_prof_success, f"Failed to create Profile due to {cps_prof_result}"
logger.info(f'System successfully updated with result: {cps_prof_result}')
# Updating Password Profile
update_cps_prof_success = ResourceManager.update_password_profile(
core_session,
cps_prof_id,
profile_name_cps,
58,
128,
one_lwr_case=False,
one_upp_case=False,
one_digit=False,
consecutive_chars=False,
one_special_char=False,
min_alphabetic_char=5,
max_alphabetic_char=3,
restrict_occurrence=1)
assert update_cps_prof_success, f"Getting Password Profile Failed for Profile {cps_prof_id} for core user"
logger.info(f'Profile {profile_name_cps} successfully updated')
cps_prof_result, cps_prof_success = ResourceManager.get_password_profile_by_id(
core_session, cps_prof_id)
assert cps_prof_success, f"Getting Password Profile Failed for Profile {cps_prof_id} for core user"
assert cps_prof_result['MinimumPasswordLength'] == 58, \
f"Getting Min Password length for Profile {cps_prof_id} is {cps_prof_result['MinimumPasswordLength']} " \
f"instead of 8"
logger.info("Successfully updated minimum password length as 8")
assert cps_prof_result['MaximumPasswordLength'] == 128, \
f"Getting Min Password length for Profile {cps_prof_id} is {cps_prof_result['MaximumPasswordLength']} " \
f"instead of 20"
logger.info("Successfully updated minimum password length as 20")
assert cps_prof_result['MinimumAlphabeticCharacterCount'] == 5, \
f"Getting Min Password length for Profile {cps_prof_id} is " \
f"{cps_prof_result['MinimumAlphabeticCharacterCount']} instead of 5"
logger.info("Updated Minimum Alphabetic Character Count successfully")
assert cps_prof_result['MinimumNonAlphabeticCharacterCount'] == 3, \
f"Getting Min Password length for Profile {cps_prof_id} is " \
f"{cps_prof_result['MinimumNonAlphabeticCharacterCount']} instead of 3"
logger.info("Updated Minimum Alphabetic Character Count successfully")
assert cps_prof_result['MaximumCharOccurrenceCount'] == 1, \
f"Getting Min Password length for Profile {cps_prof_id} is " \
f"{cps_prof_result['MinimumNonAlphabeticCharacterCount']} instead of 3"
logger.info("Updated Minimum Alphabetic Character Count successfully")
update_result, update_success = ResourceManager.update_system(
core_session,
added_system_id,
sys_info[0],
sys_info[1],
sys_info[2],
passwordprofileid=cps_prof_id)
assert update_success, f"Failed to update system sue to {update_result}"
logger.info(f"Successfully update system {sys_info[0]}")
# Rotate Password
rotate_password_result, rotate_password_success = ResourceManager.rotate_password(
core_session, acc_result)
assert rotate_password_success, f"Failed to rotate password due to {rotate_password_result}"
logger.info("Rotate password successfully")
# Checkout Password
check_out_password_result, check_out_password_success = ResourceManager.check_out_password(
core_session, lifetime=1, accountid=acc_result)
assert check_out_password_success, f"Failed to checkout password due to {check_out_password_result}"
logger.info("Password checkout successfully")
# Getting check out password value
co_password_value = check_out_password_result['Password']
# Getting all the alpha characters in password check out
get_alpha_characters = re.findall('[a-zA-Z]', co_password_value)
# Checking the maximum occurrence of characters in a list
count_alpha_chars = Counter(get_alpha_characters)
for item, ct in count_alpha_chars.items():
assert len(item) == 1, "Item is grater than 1"
logger.info('%s occurred %d times' % (item, ct))
# Removing password profile from system
update_result, update_success = ResourceManager.update_system(
core_session,
added_system_id,
sys_info[0],
sys_info[1],
sys_info[2],
passwordprofileid=None)
assert update_success, f"Failed to remove password profile from system {sys_info[0]}"
logger.info(
f"Successfully removed password profile from system {sys_info[0]}")
def test_database_level_password_checkout_yes(
core_session, create_databases_with_accounts, users_and_roles,
update_tenant_multiple_checkouts):
"""
C1551 : Database Level password checkout set to 'yes'.
:param core_session: Authenticated Centrify Session.
:param create_databases_with_accounts: Added and return Database and Account associated to it.
:param users_and_roles: Gets user and role on demand.
"""
database = create_databases_with_accounts(core_session, 1, 1)[0]
user_session = users_and_roles.get_session_for_user(
"Privileged Access Service Administrator")
pas_admin = user_session.__dict__['auth_details']
# Setting 'Allow multiple password checkouts per database account' setting to 'Yes' on Advanced tab
result, success = ResourceManager.update_database(
core_session,
database['ID'],
database['Name'],
database['FQDN'],
database['Port'],
database['Description'],
database['InstanceName'],
allowmultiplecheckouts=True)
assert success, f"'Allow multiple password checkouts per database' policy not set to 'yes' for " \
f"Database : {database['ID']}. API response result: {result}. "
logger.info(
f"'Allow multiple password checkouts per database' policy set to 'yes' for Database : {database['ID']}"
)
# Setting 'Allow multiple password checkouts' policy to Uncheck on Global Security Setting page
result, success = update_tenant_multiple_checkouts(core_session, False)
assert success, f"Not able to disable 'Allow multiple password checkouts' policy on Global Security " \
f"Setting page. API response result: {result}. "
logger.info(
f"'Allow multiple password checkouts' policy Unchecked on Global Security Setting page"
)
# Assigning 'Checkout' permission to user for account.
account_result, account_success = ResourceManager.assign_account_permissions(
core_session, 'Naked', pas_admin['User'], pas_admin['UserId'], 'User',
database['Accounts'][0]['ID'])
assert account_success, f"Assign Checkout permission to account : {database['Accounts'][0]['ID']} failed. API " \
f"response result: {account_result}. "
logger.info(
f"'Checkout' permission given to user: {pas_admin['User']} for "
f"Account:{database['Accounts'][0]['ID']}.")
# Checkout account while logged in as Cloud Admin
admin_checkout_result, admin_checkout_success = ResourceManager.check_out_password(
core_session, 1, database['Accounts'][0]['ID'])
assert admin_checkout_success, f"Not able to checkout Account : {database['Accounts'][0]['ID']}. " \
f"API response result: {admin_checkout_result}. "
logger.info(
f"Account Checkout successful for Account :{database['Accounts'][0]['ID']}."
)
# Checkout account while logged in as Privileged Access Service Administrator
user_checkout_result, user_checkout_success = ResourceManager.check_out_password(
user_session, 1, database['Accounts'][0]['ID'])
assert user_checkout_success, f"Not able to checkout Account : {database['Accounts'][0]['ID']}. API response " \
f"result: {user_checkout_result}. "
logger.info(
f"Account Checkout successful for Account :{database['Accounts'][0]['ID']}."
)
def test_check_menu_two_sys_under_password_checkouts(core_session,
list_of_created_systems,
core_admin_ui,
cleanup_resources,
cleanup_accounts):
"""
TC:C2174 Check menu when choosing two systems under My Password Checkouts.
:param:core_session: Returns Authenticated Centrify session.
:param:list_of_created_systems:Container for created system.
:param:core_admin_ui: Returns browser session.
:param:cleanup_resources: Cleans up system.
:param:cleanup_accounts:Cleans up accounts.
"""
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Creating multiple system and accounts.
batches = ResourceManager.add_multiple_systems_with_accounts(
core_session, 2, 1, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batches])
assert len(
ResourceManager.get_multi_added_system_ids(core_session, all_systems)) == 2, f"Failed to create multiple " \
f"system with accounts: API " \
f"response result: {batches} "
assert len(ResourceManager.get_multi_added_account_ids(core_session,
all_systems)) == 2, f"Failed to create multiple system " \
f"with accounts: API response result: " \
f"{batches} "
logger.info(
f'Successfully Created multiple system with accounts.:{batches}')
# Appending the created system and accounts id for cleanup.
for all_account in all_accounts:
accounts_list.append(all_account)
for all_system in all_systems:
system_list.append(all_system)
# Checking out password for the account created.
accounts_password_checkout = []
for account_id in all_accounts:
result, status = ResourceManager.check_out_password(
core_session, 1, account_id, 'test checkout account')
accounts_password_checkout.append(result['COID'])
assert status, f'Failed to checkout password: API response result: {result}'
# Getting the account name.
accounts_name = []
for account_id in all_accounts:
result, success = ResourceManager.get_account_information(
core_session, account_id)
accounts_name.append(result["VaultAccount"]["Row"]['User'])
# Validating "No actions available" after selecting two accounts from My Password Checkout Title in workspace.
ui = core_admin_ui
ui.navigate(("Workspace", "My Password Checkouts"))
ui.switch_context(RenderedTab('My Password Checkouts'))
ui.check_actions_by_guid([], accounts_password_checkout)
logger.info(
'Successfully found "No actions available." after password account checkout.'
)
def test_windows_client_account_unlock(users_and_roles, agent_enrolled_windows_system_with_users, proxy_start_stop):
# NOTE: policy must be set on the system to lock the account after 3 failed login attemps
"""
This test verifies account unlock using agent, connector and both
Steps for this scenario:
* Enroll a windows system and create a managed account.Also set admin account and enable manual unlock
* Verify the managed account's password is rotated.
* Lock the account (try to verify the account multiple times with wrong password to lock the account)
* Unlock the account
- Verify success
- Verify OperationMode is Connector
* stop the connector
* Lock the account
* Get the account status
- Verify failure
* Start the agent (only Agent is availabe)
* Unlock the account
- Verify success
- Verify OperationMode is Client
* Lock the account
* Start the connector
* Unlock the account
- Verify success
- Verify OperationMode is Client
"""
"""
Testrail Link:
https://testrail.centrify.com/index.php?/cases/view/1293479
https://testrail.centrify.com/index.php?/cases/view/1293480
https://testrail.centrify.com/index.php?/cases/view/1293481
"""
# verfiy the test is run with single thread.
assert 'PYTEST_XDIST_WORKER_COUNT' not in os.environ, f'This test cannot be run with multiple threads due to starting and stopping connectors'
enrolledsystems = agent_enrolled_windows_system_with_users
accounts = enrolledsystems[0]["Accounts"]
resourceId = enrolledsystems[0]["ResourceId"]
proxyid = enrolledsystems[0]["ProxyId"]
hostName = enrolledsystems[0]["ResourceFQDN"]
winrm_session_as_admin = enrolledsystems[0]["Session"]
proxycontrol = proxy_start_stop
right_data = ("Privileged Access Service Power User", "role_Privileged Access Service Power User")
requester_session = users_and_roles.get_session_for_user(right_data[0])
accountuser = accounts[1]
logger.info("stop the agent")
winrm_helper.stop_agent(winrm_session_as_admin)
proxycontrol(proxyid, True)
# get the correct password of the account.
result, success = ResourceManager.check_out_password(requester_session, 15, accountuser["Id"])
assert success, "Reconciliation failed during checkout, Account " + accountuser['Name']
password = result['Password']
# count managed password change events
filter = [['AccountName', accountuser['Name']], ['ComputerID', resourceId]]
# lock the account
winrm_helper.lock_account(hostName, accountuser['Name'], password)
result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"])
assert success, f"Failed to unlock account. {message}"
# verify operationMode
rows = RedrockController.wait_for_event_by_type_filter(requester_session,
"Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock",
filter=filter)
eventcount = len(rows)
logger.info(f"# of Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock events : {eventcount}")
assert rows[0]["OperationMode"] == "Connector", "Failed to verify OperationMode"
# stop Connector, Should fail
logger.info("Stopping the connector")
proxycontrol(proxyid, False)
# set a different password for the user
winrm_helper.lock_account(hostName, accountuser['Name'], password)
result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"])
assert (success == False), "Unlock account succeeded when agent and conmnector are not available."
# Start agent
logger.info("Starting the agent")
winrm_helper.start_agent(winrm_session_as_admin)
winrm_helper.lock_account(hostName, accountuser['Name'], password)
result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"])
assert success, f"Failed to unlock account. {message}"
# verify operationMode
rows = RedrockController.wait_for_event_by_type_filter(
requester_session, "Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock",
filter=filter, count=eventcount + 1)
eventcount = len(rows)
logger.info(f"# of Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock events : {eventcount}")
assert rows[0]["OperationMode"] == "Client", "Failed to verify OperationMode is Client"
# verify account again, both connector and agent are running
logger.info("Starting connector")
proxycontrol(proxyid, True)
# set a different password
winrm_helper.lock_account(hostName, accountuser['Name'], password)
result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"])
assert success, f"Failed to unlock account. {message}"
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(requester_session,
accountuser["Id"])
assert verify_pass_result == 'OK', f"Verify Failed on Account: {accountuser['Name']}"
# verify operationMode
rows = RedrockController.wait_for_event_by_type_filter(
requester_session, "Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock",
filter=filter, count=eventcount + 1)
eventcount = len(rows)
logger.info(f"# of Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock events : {eventcount}")
assert rows[0]["OperationMode"] == "Client", "Failed to verify OperationMode is Client"
def test_verify_rule_work_correct(core_session, cleanup_accounts,
create_basic_pass_profile, pas_setup,
remote_users_qty1, cleanup_password_profile):
"""
TC C281498: Verify the rule (Min number of non-alpha characters)
:param core_session: Authenticates API session
:param create_basic_pass_profile: Creates a password profile
:param pas_setup: Creates system and account
:param remote_users_qty1: Creates account in target system
:param cleanup_password_profile: Deletes password profile
:param cleanup_accounts: Deletes Account
"""
accounts_list = cleanup_accounts[0]
added_system_id, account_id, sys_info = pas_setup
logger.info(
f"System: {sys_info[0]} successfully added with UUID: {added_system_id} and account: {sys_info[4]} "
f"with UUID: {account_id} associated with it.")
profile_list = cleanup_password_profile
# Adding user in target machine
add_user_in_target_system = remote_users_qty1
user_password = "******"
# Adding account in portal
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=added_system_id,
ismanaged=True)
assert acc_success, f"Failed to add account: {acc_result}"
logger.info("Successfully added account in system")
# Cleanup Account
accounts_list.append(acc_result)
# Creating Password Profile
profile = create_basic_pass_profile(core_session, 1)[0]
profile_name_cps = profile[0]['Name']
cps_prof_id = profile[0]['_RowKey']
# Deleting Password Profile
profile_list.append(cps_prof_id)
cps_prof_result, cps_prof_success = ResourceManager.get_password_profile_by_id(
core_session, cps_prof_id)
assert cps_prof_success, f"Failed to create Profile due to {cps_prof_result}"
logger.info(f'System successfully updated with result: {cps_prof_result}')
# Updating Password Profile
update_cps_prof_success = ResourceManager.update_password_profile(
core_session,
cps_prof_id,
profile_name_cps,
8,
20,
one_lwr_case=False,
one_upp_case=False,
one_digit=False,
consecutive_chars=False,
one_special_char=False,
min_alphabetic_char=5,
max_alphabetic_char=3,
)
assert update_cps_prof_success, f"Getting Password Profile Failed for Profile {cps_prof_id} for core user"
logger.info(f'Profile {profile_name_cps} successfully updated')
cps_prof_result, cps_prof_success = ResourceManager.get_password_profile_by_id(
core_session, cps_prof_id)
assert cps_prof_success, f"Getting Password Profile Failed for Profile {cps_prof_id} for core user"
assert cps_prof_result['MinimumPasswordLength'] == 8, \
f"Getting Min Password length for Profile {cps_prof_id} is {cps_prof_result['MinimumPasswordLength']} " \
f"instead of 8"
logger.info("Successfully updated minimum password length as 8")
assert cps_prof_result['MaximumPasswordLength'] == 20, \
f"Getting Min Password length for Profile {cps_prof_id} is {cps_prof_result['MaximumPasswordLength']} " \
f"instead of 20"
logger.info("Successfully updated minimum password length as 20")
assert cps_prof_result['MinimumAlphabeticCharacterCount'] == 5, \
f"Getting Min Password length for Profile {cps_prof_id} is " \
f"{cps_prof_result['MinimumAlphabeticCharacterCount']} instead of 5"
logger.info("Updated Minimum Alphabetic Character Count successfully")
assert cps_prof_result['MinimumNonAlphabeticCharacterCount'] == 3, \
f"Getting Min Password length for Profile {cps_prof_id} is " \
f"{cps_prof_result['MinimumNonAlphabeticCharacterCount']} instead of 3"
logger.info("Updated Minimum Alphabetic Character Count successfully")
update_result, update_success = ResourceManager.update_system(
core_session,
added_system_id,
sys_info[0],
sys_info[1],
sys_info[2],
passwordprofileid=cps_prof_id)
assert update_success, f"Failed to update system sue to {update_result}"
logger.info(f"Successfully update system {sys_info[0]}")
# Rotate Password
rotate_password_result, rotate_password_success = ResourceManager.rotate_password(
core_session, acc_result)
assert rotate_password_success, f"Failed to rotate password due to {rotate_password_result}"
logger.info("Rotate password successfully")
# Checkout Password
check_out_password_result, check_out_password_success = ResourceManager.check_out_password(
core_session, lifetime=1, accountid=acc_result)
assert check_out_password_success, f"Failed to checkout password due to {check_out_password_result}"
logger.info("Password checkout successfully")
# Getting password value after checkout
co_password_value = check_out_password_result['Password']
# Finding all non alpha characters after check out password
get_non_alpha_characters = re.findall('[^a-zA-Z]', co_password_value)
assert len(
get_non_alpha_characters
) >= 3, "Length of Minimum Alphabetic Character Count is less than 3"
logger.info(
"Minimum Non Alphabetic Character Count is greater than or equal to 3")
# Removing Password Profile from system so that profile can be deleted
update_result, update_success = ResourceManager.update_system(
core_session,
added_system_id,
sys_info[0],
sys_info[1],
sys_info[2],
passwordprofileid=None)
assert update_success, f"Failed to remove password profile from system {sys_info[0]}"
logger.info(
f"Successfully removed password profile from system {sys_info[0]}")
def test_add_manage_account_with_proxy_account(core_session, pas_config,
remote_users_qty3,
cleanup_resources,
cleanup_accounts, test_proxy):
"""
TC: C2574 - Add system with managed account using proxy account
trying to Add system with managed account using proxy account
Steps:
Pre: Create system with 1 proxy and manage account hand
1. Try to checkout password
-Assert Failure
2. Try to check activity of manage account
-Assert Failure
"""
user_name = core_session.get_user().get_login_name()
logger.info(f'core sessoin user {core_session.get_user()}')
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
user_password = '******'
sys_details = pas_config
add_user_in_target_system = remote_users_qty3
fdqn = sys_details['Windows_infrastructure_data']['FQDN']
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, fdqn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
# Update system with proxy user
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
proxyuser=add_user_in_target_system[1],
proxyuserpassword=user_password,
proxyuserismanaged=True)
assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
# Update system with management mode 'Smb'.
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
managementmode='Smb')
assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
server_id = ResourceManager.wait_for_server_to_exist_return_id(
core_session, sys_name)
acc_id = ResourceManager.wait_for_account_to_exist_return_id(
core_session, add_user_in_target_system[0])
assert server_id == add_sys_result, "Server was not created"
assert acc_id == acc_result, "Account was not created"
res, success = ResourceManager.rotate_password(core_session, acc_result)
assert success, f"Failed to add account in the portal: {res}"
result, success = ResourceManager.check_out_password(
core_session, 1, acc_result)
assert result['Password'] != "Hello123", \
f"password checkout Failed. API response result: {result}"
logger.info(
f"password successfully checkout Account password: {result['COID']}")
row = ResourceManager.get_system_activity(core_session, add_sys_result)
assert f'{user_name} checked out local account "{add_user_in_target_system[0]}" ' \
f'password for system "{sys_name}"({fdqn})' in row[0]['Detail'], \
"Did not retrieve the activity of rotate password"
logger.info(f"User able to get the activity logs: {row[0]['Detail']}")
accounts_list.append(acc_result)
def test_add_account_existing_system(core_session, pas_config,
remote_users_qty1, test_proxy,
cleanup_resources, cleanup_accounts):
"""
TC: C2575 - Add managed account to existing system
trying to Add managed account to existing system
Steps:
Pre: Create system with 1 proxy and manage account hand
1. Try to checkout password
-Assert Failure
2. Try to check activity of manage account
-Assert Failure
"""
user_details = core_session.__dict__['auth_details']
user_name = core_session.get_user().get_login_name()
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
user_password = '******'
sys_details = pas_config
add_user_in_target_system = remote_users_qty1
fdqn = sys_details['Windows_infrastructure_data']['FQDN']
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, fdqn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
rights = "Owner,View,Manage,Delete,Login,Naked,RotatePassword,FileTransfer"
result, success = ResourceManager.assign_account_permissions(
core_session,
rights,
user_details['User'],
user_details['UserId'],
pvid=acc_result)
assert success, f"Did not rotate password, API response: {result}"
# Update system with management mode 'Smb'.
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
managementmode='Smb')
assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
res, success = ResourceManager.rotate_password(core_session, acc_result)
assert success, f"Failed to add account in the portal: {res}"
result, success = ResourceManager.check_out_password(
core_session, 1, acc_result)
assert result['Password'] != "Hello123", \
f"password checkout Failed. API response result: {result}"
logger.info(
f"password successfully checkout Account password: {result['COID']}")
row = ResourceManager.get_system_activity(core_session, add_sys_result)
assert f'{user_name} checked out local account "{add_user_in_target_system[0]}" ' \
f'password for system "{sys_name}"({fdqn})' in row[0]['Detail'], \
"Did not retrieve the activity of rotate password"
logger.info(f"User able to get the activity logs: {row[0]['Detail']}")
accounts_list.append(acc_result)
def test_unix_client_account_checkout_reconciliation(
users_and_roles, unix_machine_environment_config,
agent_enrolled_unix_system_with_users, proxy_start_stop):
"""
This test verifies password reconcilation using agent, connector and both during checkout operation
Steps for this scenario:
* Enroll an unix system and create a managed account.
* Verify the managed account's password is rotated.
* Change the password of the account on the target system
* stop the agent and checkout the password of managed account(only connector is availabe)
- Verify success
- Verify OperationMode is Connector
* Verify managed acount
- Verify success
* Change the password of the account on the target system
* stop the connector and checkout the password of managed account
- Verify failure
* Start the agent and checkout the password of managed account (only Agent is availabe)
- Verify success
- Verify OperationMode is Client
* Verify managed acount
- Verify success
* Change the password of the account on the target system
* Start the connector and checkout the password of managed account (Both agent and connector are available)
- Verify success
- Verify OperationMode is Client
* Verify managed acount
- Verify success
"""
"""
Testrail Link:
https://testrail.centrify.com/index.php?/cases/view/1293462
https://testrail.centrify.com/index.php?/cases/view/1293463
https://testrail.centrify.com/index.php?/cases/view/1293464
"""
# verfiy the test is run with single thread.
assert 'PYTEST_XDIST_WORKER_COUNT' not in os.environ, \
f'This test cannot be run with multiple threads due to starting and stopping connectors'
enrolledsystems = agent_enrolled_unix_system_with_users
accounts = enrolledsystems[0]["Accounts"]
resourceId = enrolledsystems[0]["ResourceId"]
proxyid = enrolledsystems[0]["ProxyId"]
session = enrolledsystems[0]["Session"]
proxycontrol = proxy_start_stop
conf = unix_machine_environment_config
success_message = conf['success_message']
right_data = ("Privileged Access Service Power User",
"role_Privileged Access Service Power User")
requester_session = users_and_roles.get_session_for_user(right_data[0])
accountuser = accounts[1]
logger.info("stop the agent")
ssh_manager.ssh_stop_agent(session)
proxycontrol(proxyid, True)
# count managed password change events
filter = [['AccountName', accountuser['Name']],
['ComputerID', resourceId]]
# set a different password for the user
ssh_manager.change_sshuser_password(session, accountuser['Name'],
"differentpassword3",
success_message)
logger.info(
"Rotate account and verify reconciliation, Connector is available")
result, success = ResourceManager.check_out_password(
requester_session, 1, accountuser["Id"])
assert success, "Reconciliation failed during checkout, Account " + accountuser[
'Name']
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(
requester_session, accountuser["Id"])
assert verify_pass_result == 'OK', f"Verify Failed on Account: {accountuser['Name']}"
# verify operationMode
rows = RedrockController.wait_for_event_by_type_filter(
requester_session,
"Cloud.Server.LocalAccount.AdministrativeResetAccountPassword",
filter=filter)
eventcount = len(rows)
logger.info(
f"# of Cloud.Server.LocalAccount.AdministrativeResetAccountPassword events : {eventcount}"
)
assert rows[0][
"OperationMode"] == "Connector", "Failed to verify OperationMode"
# stop Connector, Should fail
logger.info("Stopping the connector")
proxycontrol(proxyid, False)
# set a different password for the user
ssh_manager.change_sshuser_password(session, accountuser['Name'],
"differentpassword4",
success_message)
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(
requester_session, accountuser["Id"])
assert verify_pass_result != 'OK', f"Verify Failed on Account: {accountuser['Name']}"
# Start agent
logger.info("Starting the agent")
ssh_manager.ssh_start_agent(session, True)
# set a different password for the user
ssh_manager.change_sshuser_password(session, accountuser['Name'],
"differentpassword5",
success_message)
logger.info(
"Rotate account and verify reconciliation, Agent is available")
result, success = ResourceManager.check_out_password(
requester_session, 1, accountuser["Id"])
assert success, f"Reconciliation failed during checkout, Account {accountuser['Name']}"
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(
requester_session, accountuser["Id"])
assert verify_pass_result == 'OK', f"Verify Failed on account: {accountuser['Name']}"
# verify operationMode
rows = RedrockController.wait_for_event_by_type_filter(
requester_session,
"Cloud.Server.LocalAccount.AdministrativeResetAccountPassword",
filter=filter,
count=eventcount + 1)
eventcount = len(rows)
logger.info(
f"# of Cloud.Server.LocalAccount.AdministrativeResetAccountPassword events : {eventcount}"
)
assert rows[0][
"OperationMode"] == "Client", "Failed to verify OperationMode is Client"
# verify account again, both connector and agent are running
logger.info("Starting connector")
proxycontrol(proxyid, True)
# set a different password
ssh_manager.change_sshuser_password(session, accountuser['Name'],
"differentpassword3",
success_message)
logger.info(
"Rotate account and verify reconciliation, client and connector are available"
)
result, success = ResourceManager.check_out_password(
requester_session, 1, accountuser["Id"])
assert success, f"Reconciliation failed during checkout, Account {accountuser['Name']}"
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(
requester_session, accountuser["Id"])
assert verify_pass_result == 'OK', f"Verify Failed on Account: {accountuser['Name']}"
# verify operationMode
rows = RedrockController.wait_for_event_by_type_filter(
requester_session,
"Cloud.Server.LocalAccount.AdministrativeResetAccountPassword",
filter=filter,
count=eventcount + 1)
eventcount = len(rows)
logger.info(
f"# of Cloud.Server.LocalAccount.AdministrativeResetAccountPassword events : {eventcount}"
)
assert rows[0][
"OperationMode"] == "Client", "Failed to verify OperationMode is Client"
def test_system_local_account_level(core_session, pas_config,
remote_users_qty1, cleanup_accounts,
cleanup_resources):
"""
TC C282671: System Local Account Level.
:param cleanup_resources: cleanup for systems.
:param core_session: Authenticates API session
:param pas_config: returns yaml object
:param remote_users_qty1: Creates account in target system.
:param cleanup_accounts: cleanup for account.
"""
systems_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f"{'Win-2012'}{guid()}"
sys_details = pas_config
sys_fqdn = sys_details['Windows_infrastructure_data']['FQDN']
add_user_in_target_system = remote_users_qty1
user_password = '******'
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, sys_fqdn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
systems_list.append(add_sys_result)
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
accounts_list.append(acc_result)
# Setting the lifetime checkout for account to 15 min.
default_checkout_lifetime = 15
updated_account_result, update_account_success = \
ResourceManager.update_account(core_session,
acc_result,
add_user_in_target_system[0],
host=add_sys_result,
default_checkout_time=default_checkout_lifetime)
assert update_account_success, f"Failed to add default checkout time: API response result:{updated_account_result}"
logger.info(
f'Successfully added default checkout time: {updated_account_result}"')
# Setting the lifetime checkout for system to 60 min.
updated_sys_result, update_sys_success = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
sys_fqdn,
'Windows',
defaultcheckouttime=60)
assert update_sys_success, f"Failed to add default checkout time: API response result:{updated_account_result}"
logger.info(
f'Successfully added default checkout time: {updated_sys_result}"')
# Checking the default account password set to default ie 60 min.
default_account_password_chk_lifetime = 60
results, success = ServerManager.get_server_settings(core_session,
key='policy')
assert results['DefaultCheckoutTime'] == default_account_password_chk_lifetime, \
f"account password checkout lifetime is not {default_account_password_chk_lifetime} "
# Checkout account.
checkout_result, checkout_success = ResourceManager.check_out_password(
core_session, 15, acc_result)
assert checkout_success, f"Fail to checkout account : {acc_result} : API response " \
f"result: {checkout_result}"
logger.info(f"Successfully checked account : {checkout_result}")
# Checking the checkout in the workspace and validating the checkout lifetime.
checkout_remaining_time = str(default_checkout_lifetime - 1)
checkout_accounts = RedrockController.get_password_checkout_from_workspace(
core_session, core_session.auth_details['UserId'])
for checkout_account in checkout_accounts:
if checkout_account['ID'] == checkout_result['COID']:
assert checkout_account['Remaining'].split()[0] == checkout_remaining_time,\
f"Fail to find the remaining checkout time equal to {checkout_remaining_time} "
logger.info(
" Successfully found the checkout activity in workspace.")
# Trying to checkout once again,expecting a null checkout ID.
failed_checkout_result, failed_checkout_success = ResourceManager.check_out_password(
core_session, 15, acc_result)
assert failed_checkout_result['COID'] is None, f"checkout account ID generated for : " \
f"{add_user_in_target_system[0]}:" \
f"API response result: {failed_checkout_result}"
logger.info(f"Check in option is action enable : {failed_checkout_result}")
# Checking out checkout activity.
acc_activity = RedrockController.get_account_activity(
core_session, acc_result)
assert f'{core_session.auth_details["User"]} checked out local account "{add_user_in_target_system[0]}" password ' \
f'for system "{sys_name}"({sys_fqdn})' in \
acc_activity[0]['Detail'], f"no activity of checkout found for account {add_user_in_target_system[0]}"
logger.info(
f"There is a checkout record for the account {add_user_in_target_system[0]} in activity"
)
def test_settings_Policy_page(core_session, pas_config, remote_users_qty1,
cleanup_resources, cleanup_accounts,
core_admin_ui):
"""C2541 Settings on Policy page
trying to get rdp through system account with in 15 minute
Steps:
Pre: Create system with 1 account hand
1. Try to take rdp for system
-Assert Failure
2. Try to checkout password for account
-Assert Failure
"""
core_ui = core_admin_ui
user_name = core_ui.get_user().get_login_name()
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
user_password = '******'
sys_details = pas_config
add_user_in_target_system = remote_users_qty1
fdqn = sys_details['Windows_infrastructure_data']['FQDN']
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, fdqn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
success, response = ResourceManager.update_system(core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
allowremote=True,
defaultcheckouttime=15)
assert success, f"failed to change the management mode:API response result:{response}"
logger.info(f"Successfully updated the system:{add_sys_result}")
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
accounts_list.append(acc_result)
core_ui.navigate('Resources', 'Accounts')
core_ui.search(add_user_in_target_system[0])
core_ui.right_click_action(GridRowByGuid(acc_result), 'Login')
core_ui.switch_to_pop_up_window()
core_ui.expect_disappear(
LoadingMask(),
f'RDP session never exited loading state for system {sys_name}',
time_to_wait=50)
core_ui.switch_to_main_window()
row = ResourceManager.get_system_activity(core_session, add_sys_result)
assert f'{user_name} logged into system "{sys_name}"({fdqn}) from "web" using local account ' \
f'"{add_user_in_target_system[0]}"' in row[0]['Detail'], "user not able to take rdp"
password_checkout_result, password_checkout_success = \
ResourceManager.check_out_password(core_session, 1, accountid=acc_result)
new_cid = password_checkout_result['COID']
assert password_checkout_result['Password'] is not user_password, \
f"expected password equal to actual password: {password_checkout_result}"
logger.info(f"password successfully checkout Account password: {new_cid}")
def test_update_manage_proxy_account(pas_config, core_session, winrm_engine,
remote_users_qty3, test_proxy,
cleanup_accounts, cleanup_resources):
"""
TC: C2549 - Update managed account with using proxy account
trying to Update managed account with using proxy account
Steps:
Pre: Create system with 1 proxy and manage account hand
1. Try to update invalid password for proxy account
-Assert Failure
2. Try to update valid password for proxy account
-Assert Failure
3. Try to check activity log's
-Assert Failure
4. Try to check password history
"""
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
sys_details = pas_config
add_user_in_target_system = remote_users_qty3
user_password = '******'
fdqn = sys_details['Windows_infrastructure_data']['FQDN']
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, fdqn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
# Update system with proxy user
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
proxyuser=add_user_in_target_system[1],
proxyuserpassword=user_password,
proxyuserismanaged=True)
assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
# Update system with proxy user password.
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
proxyuser=add_user_in_target_system[1],
proxyuserpassword=guid(),
proxyuserismanaged=True)
assert update_sys_result is False, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
accounts_list.append(acc_result)
# set a different password for the user
update_user_password(winrm_engine, add_user_in_target_system[1],
user_password)
user_name = core_session.get_user().get_login_name()
# rotate password for manage account
result, success = ResourceManager.rotate_password(core_session, acc_result)
assert success, f"Did not Rotate Password {result}"
logger.info(
f'account activity logs for un manage account API response:{result}')
result, success = ResourceManager.check_out_password(
core_session, 1, acc_result)
assert success, f"Did not retrieve password {result}"
logger.info(
f'account activity logs for un manage account API response:{result}')
row = ResourceManager.get_system_activity(core_session, add_sys_result)
assert f'{user_name} checked out local account "{add_user_in_target_system[0]}" ' \
f'password for system "{sys_name}"({fdqn})' in \
row[0]['Detail'], "user not able to update un managed account password"
logger.info(
f'account activity logs for un manage account API response:{row}')
query = f"select EntityId, State, StateUpdatedBy, StateUpdatedTime from PasswordHistory where EntityId=" \
f"'{acc_result}' and StateUpdatedBy='{user_name}' and State='Retired'"
password_history = RedrockController.get_result_rows(
RedrockController.redrock_query(core_session, query))[0]
assert len(
password_history
) > 0, f"Password history table did not update {password_history}"
logger.info(f'Password history table API response:{password_history}')
