def create_policies(self, n, clean_up_policy):
assert 1 <= n <= 4, f"Number of profiles must be between 1 and 4"
policy_names = []
count = 0
while len(policy_names) < n:
assert count < n, "Loop malfunction"
count += 1
# creating new policy
profile_name = guid()
policy_result = PolicyManager.create_new_auth_profile(self.session, profile_name, ["EMAIL", None], None, "30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
policy_names.append(profile_name)
self.policies_map.update({profile_name: policy_result})
# order policies were created shouldn't matter, so let's make sure it doesn't
random.shuffle(policy_names)
return policy_names
def test_mfa_policy_on_parent_folder_verify_not_challenged_on_settings_update(core_session,
pas_general_secrets,
create_secret_inside_folder,
clean_up_policy):
"""
test method to verify that mfa does not exist on updating the settings & policy for an existing
parent folder "MFAOnParentFolder" with already assigned mfa for that folder
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder"
:param clean_up_policy: Fixture to clean up the policy created
"""
secrets_params = pas_general_secrets
prefix = guid()
folder_list, folder_name, secret_list = create_secret_inside_folder
# creating new policy
policy_result = PolicyManager.create_new_auth_profile(core_session,
prefix + secrets_params['policy_name'],
["UP", None],
None,
"30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# updating settings & policy for Folder
result = update_folder(core_session, folder_list[0],
folder_name,
secrets_params['mfa_folder_name_update'] + prefix,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result['success'], f'Not Able to update the settings: {result["Message"]} '
logger.info(f'Update settings for secret: {result}')
# Getting details of the Folder updated
result_folder = get_folder(core_session, folder_list[0])
description_updated = result_folder["Result"]["Results"][0]["Row"]["Description"]
name_updated = result_folder["Result"]["Results"][0]["Row"]["Name"]
assert 'MFAOnParentFolderUpdate' in name_updated,\
f'Failed to update the name{result_folder["Result"]["Results"][0]["Row"]["Name"]}'
assert 'mfa_description' in description_updated, \
f'Failed to update the description{result_folder["Result"]["Results"][0]["Row"]["Description"]}'
# Removing MFA for Folder
result = update_folder(core_session, folder_list[0],
folder_name,
secrets_params['mfa_folder_name_update'] + prefix,
description=secrets_params['mfa_folder_description'])
assert result['success'], f'Not Able to update the settings: {result["Message"]} '
logger.info(f'Update settings for secret: {result}')
def test_delete_secret_with_mfa_on_parent(core_session, pas_general_secrets,
clean_up_policy, users_and_roles,
create_secret_inside_folder,
cleanup_secrets_and_folders):
"""
C283963: MFA policy on Parent folder, verify challenged
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: fixture to read secrets related data from yaml file
:param clean_up_policy: Fixture to cleanup the policy created
:param users_and_roles: Fixture to create new user with restricted rights
:param create_secret_inside_folder: Fixture to create secrets inside folder & yields secrets & folders data
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
"""
secrets_params = pas_general_secrets
suffix = guid()
folder_id_list, folder_name, secret_id_list = create_secret_inside_folder
secrets_list = cleanup_secrets_and_folders[0]
challenges = ["UP", ""]
# Creating new policy
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Updating the Folder(Applying MFA)
result = update_folder(
core_session,
folder_id_list[0],
folder_name,
folder_name,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f' Failed to apply MFA on folder, API response result: {result["Message"]} '
logger.info(f'MFA Applied on Folder: {result}')
# Getting new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name: {user_name}'
)
# Api to give user permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, folder_id_list[0], 'View')
assert user_permissions_result, f'Failed to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to set DELETE permissions folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'Grant,View,Delete,Retrieve', user_id,
folder_id_list[0])
assert member_perm_success, f'Failed to set member permissions to Folder{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Delete secret with Mfa Authentication
del_success, del_result = del_secret(pas_power_user_session,
secret_id_list[0])
# StartChallenge MFA Authentication
session, mechanism = pas_power_user_session.start_mfa_authentication(
user_name, del_result['ChallengeId'])
# AdvanceAuthentication MFA to Password
result = pas_power_user_session.advance_authentication(
answer=pas_power_user_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
assert result, "Password Authentication Failed"
# After Authentication of MFA delete the secret under folder
del_secret_success, del_secret_result = del_secret_mfa(
pas_power_user_session,
secret_id_list[0],
ChallengeStateId=del_result['ChallengeId'])
assert del_secret_success, f'Failed to delete secret with MFA {del_secret_result} with User: {user_name}'
logger.info(
f'Successfully deleted secret with MFA {del_secret_result} for User: {user_name} '
)
secrets_list.remove(secret_id_list[0])
# Updating the Folder(Removing MFA)
result = update_folder(
core_session,
folder_id_list[0],
folder_name,
folder_name,
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA on folder, API response result: {result["Message"]} '
logger.info(f'Successfully Removed MFA on Folder: {result}')
def test_need_to_have_edit_permission_on_secret_to_update_settings_and_policy(
core_session, users_and_roles, added_secrets_file, added_secrets,
pas_general_secrets, clean_up_policy):
"""
test method to set permissions on secrets(with Edit/Without Edit) to update the settings & policy.
:param core_session: Authenticated Centrify Session
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param added_secrets_file: Fixture to create file type secret & yield secret id
:param added_secrets: Fixture to create text type secret & yield secret id, secret_name
:param pas_general_secrets: Fixture to read secret data from yaml file
:param clean_up_policy: Fixture to clean up the policy created
"""
added_file_secret_id = added_secrets_file
added_text_secret_id, added_text_secret_name = added_secrets
secrets_params = pas_general_secrets
secret_prefix = guid()
pas_power_user = users_and_roles.get_user(
'Privileged Access Service Power User')
user_name = pas_power_user.get_login_name()
user_id = pas_power_user.get_id()
# API to set user permissions (Edit)for file_type_secret"""
file_type_secret_result, file_type_secret_success = set_users_effective_permissions(
core_session, user_name, 'View,Grant,Edit', user_id,
added_file_secret_id)
assert file_type_secret_success, f'setting permissions for file type secret failed: {file_type_secret_result}'
logger.info(
f'Setting permissions for file type secret: {file_type_secret_success}'
)
# API to set user permissions (without Edit)for text_type_secret"""
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(
core_session, user_name, 'View,Grant', user_id,
added_text_secret_id[0])
assert text_type_secret_success, f'setting permissions for text type secret failed:{text_type_secret_result}'
logger.info(
f'Setting permissions for text type secret: : {text_type_secret_success}'
)
# API to get new session for User A"""
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
logger.info(
f'User with PAS Power User Rights login successfully :user_Name: {user_name}'
f' & Password: {pas_power_user.get_password()} ')
# Api to update the name of the secret(file_type)
result = update_secret(
pas_power_user_session, added_file_secret_id,
secret_prefix + secrets_params['updated_secret_name'])
assert result[
'success'], f'Not Able to update the settings {result["Result"]} '
logger.info(
f'Updating the settings for secret: {result["success"]} & {result["Exception"]}'
)
# Api to create new policy
policy_result = PolicyManager.create_new_auth_profile(
core_session, secret_prefix + secrets_params['policy_name'],
["UP", None], None, "30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Api to assign policy to file type secret
policy_assigned = update_secret(pas_power_user_session,
added_file_secret_id,
added_text_secret_name,
policy_id=policy_result)
assert policy_assigned[
'success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy assigned to secret: {policy_assigned}')
# Api to update settings for text type secret
result = update_secret(
pas_power_user_session, added_text_secret_id[0],
secret_prefix + secrets_params['updated_secret_name'])
assert result[
'success'] is False, f'Able to update the settings: {result["Message"]} '
logger.info(f'Not able to Update settings for secret: {result}')
# Api to assign policy for text type secret
policy_assigned = update_secret(pas_power_user_session,
added_text_secret_id[0],
added_text_secret_name,
policy_id=policy_result)
assert policy_assigned[
'success'] is False, f'Able to assign policy to secret: {policy_assigned["Message"]}'
logger.info(
f' Not able to assign Policy to text type secret: {policy_assigned}')
# Api to Remove policy for file type secret
policy_removed = update_secret(pas_power_user_session,
added_file_secret_id,
added_text_secret_name)
assert policy_removed[
'success'], f'Failed to remove policy to secret: {policy_removed["Message"]}'
logger.info(
f'Successfully removed Policy to text type secret: {policy_removed}')
def test_multiple_updates_in_permissions_policy_name_verify_all_2(
core_session, added_secrets, pas_general_secrets, users_and_roles,
clean_up_policy):
"""
test method to verify multiple updates like (permissions, policy, name ..) for a secret
:param core_session: Authenticated Centrify Session
:param added_secrets: Fixture to create text type secret & yield secret id, secret_name
:param pas_general_secrets: Fixture to read secret data from yaml file
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param clean_up_policy: Fixture to clean up the policy created
"""
secret_prefix = guid()
added_text_secret_id, added_text_secret_name = added_secrets
secrets_params = pas_general_secrets
application_management_user = users_and_roles.get_user(
'Privileged Access Service Power User')
user_name = application_management_user.get_login_name()
user_id = application_management_user.get_id()
# API to set user permissions for text_type_secret
set_permissions_result, set_permissions_success = set_users_effective_permissions(
core_session, user_name, 'View,Grant,Edit', user_id,
added_text_secret_id[0])
assert set_permissions_success, f'setting permissions for file type secret failed: {set_permissions_result}'
logger.info(
f'setting permissions for text type secret: {set_permissions_success} {set_permissions_result}'
)
# Api to create new policy
policy_result = PolicyManager.create_new_auth_profile(
core_session, secret_prefix + secrets_params['policy_name'],
["UP", None], None, "30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Api to assign policy to the secret
policy_assigned = update_secret(core_session,
added_text_secret_id[0],
added_text_secret_name,
policy_id=policy_result)
assert policy_assigned[
'success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy assigned to text type secret: {policy_assigned}')
# Api to update settings(secret_name) of the secret
result = update_secret(
core_session, added_text_secret_id[0],
secret_prefix + secrets_params['updated_secret_name'])
assert result[
'success'], f'Not Able to update the settings {result["Result"]} '
logger.info(
f'Updating the settings for secret: {result["success"]} & {result["Exception"]}'
)
# Api to retrieve the activity of the secret
rows_result = UserManager.get_secret_activity(core_session,
added_text_secret_id[0])
assert rows_result is not None, f'Unable to fetch Secret updated details & activity fetched:{rows_result}'
logger.info(f'activity list:{rows_result}')
verify_name = 'update_secret1'
verify_permissions = 'View , Grant , Edit'
permissions_updated = False
assert verify_name in rows_result[0][
"Detail"], f'Unable to update the name:{rows_result[0]["Detail"]}'
logger.info(f'Secret Updated details: {rows_result[0]["Detail"]}')
for x in rows_result:
if verify_permissions in x['Detail']:
permissions_updated = True
assert permissions_updated, f'Unable to update the permissions: {permissions_updated}'
def test_replace_mfa_policy_on_secret_verify_challenged(
core_session, pas_general_secrets, create_secret_inside_folder,
core_session_unauthorized, clean_up_policy):
"""
C2979: test method to MFA policy on Secret, verify challenged
1) Set MFA on MFAonSecret
2) Right click "MFAonSecret" then Replace.
3) Verify challenged with MFA popups,
4) Enter password & verify you can replace secret
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder"
:param core_session_unauthorized: Fixture to start authentication MFA
:param clean_up_policy: Fixture to clean up the policy created
"""
secrets_params = pas_general_secrets
prefix = guid()
folder_list, folder_name, secret_list = create_secret_inside_folder
challenges = ["UP", ""]
policy_result = PolicyManager.create_new_auth_profile(
core_session, prefix + secrets_params['policy_name'], challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA on Secret
result = update_secret(
core_session,
secret_list[0],
prefix + secrets_params['mfa_secret_name_update'],
description=secrets_params['mfa_secret_description'],
policy_id=policy_result)
assert result[
'success'], f'Not Able to apply MFA on the secret, API response result:{result["Message"]} '
logger.info(f'MFA Applied on the secret: {result}')
user = core_session.get_user()
user_name = user.get_login_name()
password = user.get_password()
# MFA Authentication starts on the secret to be replaced
mfa_authentication = core_session_unauthorized.start_authentication(
user_name)
result = mfa_authentication.json()['Result']
success = mfa_authentication.json()['success']
assert success, f'Failed to start MFA Authentication on the secret to be replaced, API response result:{result}'
challenge_value = result['Challenges'][0]['Mechanisms'][0]['Name']
assert challenge_value == 'UP', f'Challenge "Password" is not set, API response result:{result}'
logger.info(
f'MFA Authentication starts on the secret to be replaced:{mfa_authentication.json()}'
)
# Advance MFA Authentication starts on the secret to be replaced
up_result = core_session_unauthorized.advance_authentication(
password, challenge_index=0, mechanism_name='UP')
mfa_result = up_result.json()
assert mfa_result[
'success'], f'Failed to respond to challenge, API response result:{ mfa_result["Result"]}'
logger.info(f'MFA popups before secret gets replaced:{mfa_result}')
# Replacing text of the secret & Removing MFA
result = update_secret(core_session,
secret_list[0],
prefix + secrets_params['mfa_secret_name_update'],
secret_text=secrets_params['secret_text_replaced'])
assert result[
'success'], f'Not Able to replace the text of the secret, API response result:{result["Message"]} '
logger.info(f'Secret gets replaced: {result}')
def test_mfa_on_closest_parent_should_override_mfa_on_higher_levels(
core_session, pas_general_secrets, cleanup_secrets_and_folders,
clean_up_policy, core_session_unauthorized):
"""
C2982: MFA on closest parent should override MFA on higher levels
1) Create a multilevel folder "Folder/Subfolder/secretName"
2) Assign different MFA to parent(Folder) & Nested Folder(Subfolder)
3) Verify secretName inherits challenge of subfolder
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folder created
:param clean_up_policy: Fixture to cleanup the policy created
:param core_session_unauthorized: Fixture to start authentication MFA
"""
folder_list = cleanup_secrets_and_folders[1]
secrets_list = cleanup_secrets_and_folders[0]
folder_params = pas_general_secrets
suffix = guid()
folder_name = folder_params['folder_name_with_frwdslashes'] + suffix
# creating multilevel folder "Folder/Subfolder/secretName"
added_secret_success, details, secret_id = create_text_secret(
core_session, folder_name, folder_params['secret_text'])
assert added_secret_success, "Added Multilevel folder Failed,API response result: {secret_id} "
logger.info(f'Added Multilevel folder info: {details, secret_id}')
secrets_list.append(secret_id)
# Getting details of the secret
found_secret = get_secret(core_session, secret_id)
assert found_secret['success'], \
f'Failed to get the details of the secret, API response result:{found_secret["Message"]}'
logger.info(f'Getting details of the secret: {found_secret}')
nested_folder_id = found_secret['Result']['FolderId']
nested_folder_path = found_secret['Result']['ParentPath']
parent_folder_list = nested_folder_path.split('\\')
parent_folder_name = parent_folder_list[0]
# Getting details of Parent Folder
parent_folder = get_folder(core_session, nested_folder_id)
parent_folder_id = parent_folder["Result"]["Results"][0]["Row"]["Parent"]
nested_folder_name = parent_folder["Result"]["Results"][0]["Row"][
"SecretName"]
logger.info(f'Parent Folder details: {parent_folder}')
if folder_list != []:
folder_list[0] = nested_folder_id
folder_list[1] = parent_folder_id
else:
folder_list.append(nested_folder_id)
folder_list.append(parent_folder_id)
challenges = ["UP", ""]
challenges_v2 = ["UP,EMAIL", ""]
# Creating new policy with Password
policy_result = PolicyManager.create_new_auth_profile(
core_session, folder_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Creating new policy with Password & Email
policy_result_email = PolicyManager.create_new_auth_profile(
core_session, folder_params['policy_name'] + "V2" + suffix,
challenges_v2, 0, 0)
assert policy_result_email, f'Failed to create another policy, API response result:{policy_result_email}'
logger.info(f' Creating another policy:{policy_result_email}')
clean_up_policy.append(policy_result_email)
# Applying MFA on Nested Folder
result = update_folder(core_session,
nested_folder_id,
nested_folder_name,
nested_folder_name,
description=folder_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Not Able to apply MFA on Nested folder, API response result: {result["Message"]} '
logger.info(f'MFA Applied on Nested Folder: {result}')
# Applying MFA on Parent Folder
result = update_folder(core_session,
parent_folder_id,
parent_folder_name,
parent_folder_name,
description=folder_params['mfa_folder_description'],
policy_id=policy_result_email)
assert result[
'success'], f'Not Able to apply MFA on parent folder, API response result: {result["Message"]} '
logger.info(f'MFA Applied on Parent Folder: {result}')
user = core_session.get_user()
user_name = user.get_login_name()
password = user.get_password()
# MFA Authentication starts on the secret to be replaced
mfa_authentication = core_session_unauthorized.start_authentication(
user_name)
result = mfa_authentication.json()['Result']
success = mfa_authentication.json()['success']
assert success, f'Failed to start MFA Authentication on the secret to be replaced, API response result:{result}'
challenge_value = result['Challenges'][0]['Mechanisms'][0]['Name']
assert challenge_value == 'UP', f'Challenge "Password" is not set, API response result:{result}'
logger.info(
f'MFA Authentication applies for closest parent,Password Only:{mfa_authentication.json()}'
)
# Advance MFA Authentication starts on the secret to be replaced
up_result = core_session_unauthorized.advance_authentication(
password, challenge_index=0, mechanism_name='UP')
mfa_result = up_result.json()
assert mfa_result[
'success'], f'Failed to respond to challenge, API response result:{mfa_result["Result"]}'
logger.info(
f'MFA applies for closest parent,popups before secret gets replaced: {mfa_result}'
)
# Replacing the text of the secret
result = update_secret(core_session,
secret_id,
folder_params['mfa_secret_name_update'] + suffix,
secret_text=folder_params['secret_text_replaced'])
assert result[
'success'], f'Not Able to replace the text of the secret, API response result:{result["Message"]} '
logger.info(f'Secret gets replaced: {result}')
# Removing MFA from Nested folder
result = update_folder(core_session,
nested_folder_id,
nested_folder_name,
nested_folder_name,
description=folder_params['mfa_folder_description'])
assert result[
'success'], f'Not Able to remove mfa from folder, API response result:: {result["Message"]} '
logger.info(f'Removing mfa from folder: {result}')
# Removing MFA from Parent folder
result = update_folder(core_session,
parent_folder_id,
parent_folder_name,
parent_folder_name,
description=folder_params['mfa_folder_description'])
assert result[
'success'], f'Not Able to remove mfa from folder, API response result:: {result["Message"]} '
logger.info(f'Removing mfa from folder: {result}')
# Getting details of the Secret Replaced
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session, secret_id)
assert get_secret_text == folder_params['secret_text_replaced'], \
f'Failed to replace the secret, API response result: {get_secret_success}'
logger.info(f'Details of the secret Replaced: {get_secret_details}')
def test_retrieve_mfa_on_closest_parent_should_override_mfa(
core_session, pas_general_secrets, cleanup_secrets_and_folders,
clean_up_policy):
"""
C283926: MFA on closest parent should override MFA on higher levels
1) Create a multilevel folder "Folder/Subfolder/secretName"
2) Assign different MFA to parent(Folder) & Nested Folder(Subfolder)
3) Verify secretName inherits challenge of subfolder
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folder created
:param clean_up_policy: Fixture to cleanup the policy created
"""
folder_list = cleanup_secrets_and_folders[1]
secrets_list = cleanup_secrets_and_folders[0]
folder_params = pas_general_secrets
suffix = guid()
secret_name = folder_params['folder_name_with_frwdslashes'] + suffix
user_name = core_session.auth_details['User']
# creating multilevel folder "Folder/Subfolder/secretName"
added_secret_success, details, secret_id = create_text_secret(
core_session, secret_name, folder_params['secret_text'])
assert added_secret_success, "Added Multilevel folder Failed,API response result: {secret_id} "
logger.info(f'Added Multilevel folder info: {details, secret_id}')
secrets_list.append(secret_id)
# Getting details of the secret
found_secret = get_secret(core_session, secret_id)
assert found_secret['success'], \
f'Failed to get the details of the secret, API response result:{found_secret["Message"]}'
logger.info(f'Getting details of the secret: {found_secret}')
nested_folder_id = found_secret['Result']['FolderId']
nested_folder_path = found_secret['Result']['ParentPath']
parent_folder_list = nested_folder_path.split('\\')
parent_folder_name = parent_folder_list[0]
# Getting details of Parent Folder
parent_folder = get_folder(core_session, nested_folder_id)
parent_folder_id = parent_folder["Result"]["Results"][0]["Row"]["Parent"]
nested_folder_name = parent_folder["Result"]["Results"][0]["Row"][
"SecretName"]
logger.info(f'Parent Folder details: {parent_folder}')
if folder_list != []:
folder_list[0] = nested_folder_id
folder_list[1] = parent_folder_id
else:
folder_list.append(nested_folder_id)
folder_list.append(parent_folder_id)
challenges = ["UP", ""]
challenges_v2 = ["UP,EMAIL", ""]
# Creating new policy with Password
policy_result = PolicyManager.create_new_auth_profile(
core_session, folder_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Creating new policy with Password & Email
policy_result_email = PolicyManager.create_new_auth_profile(
core_session, folder_params['policy_name'] + "V2" + suffix,
challenges_v2, 0, 0)
assert policy_result_email, f'Failed to create another policy, API response result:{policy_result_email}'
logger.info(f' Creating another policy:{policy_result_email}')
clean_up_policy.append(policy_result_email)
# Applying MFA on Nested Folder
result = update_folder(core_session,
nested_folder_id,
nested_folder_name,
nested_folder_name,
description=folder_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Failed to apply MFA on Nested folder, API response result: {result["Message"]} '
logger.info(f'MFA Applied on Nested Folder: {result}')
# Applying MFA on Parent Folder
result = update_folder(core_session,
parent_folder_id,
parent_folder_name,
parent_folder_name,
description=folder_params['mfa_folder_description'],
policy_id=policy_result_email)
assert result[
'success'], f'Failed to apply MFA on parent folder, API response result: {result["Message"]} '
logger.info(f'MFA Applied on Parent Folder: {result}')
# Move Secret with Mfa Authentication
retrieve_success, retrieve_result = retrieve_secret_contents(
core_session, secret_id)
# StartChallenge MFA Authentication
session, mechanism = core_session.start_mfa_authentication(
user_name, retrieve_result['ChallengeId'])
# AdvanceAuthentication MFA to Password
advance_auth_result = core_session.advance_authentication(
answer=core_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
mfa_result = advance_auth_result.json()
assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
logger.info(
f'Successfully applied password authentication with closest parent: {mfa_result}'
)
# After Authenticating of MFA move secret with challenge password
retrieve_secret_success, retrieve_secret_result = retrieve_secret_contents_with_mfa(
core_session,
secret_id,
ChallengeStateId=retrieve_result['ChallengeId'])
assert retrieve_secret_success, f'Failed to retrieve secret with closest parent challenge: {retrieve_secret_result}'
logger.info(
f'Successfully retrieved secret with closest parent challenge: {retrieve_secret_result}'
)
# Removing MFA on Nested Folder
result = update_folder(core_session,
nested_folder_id,
nested_folder_name,
nested_folder_name,
description=folder_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA on Nested folder, API response result: {result["Message"]} '
logger.info(f'MFA removed on Nested Folder: {result}')
# Removing MFA on Parent Folder
result = update_folder(core_session,
parent_folder_id,
parent_folder_name,
parent_folder_name,
description=folder_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA on parent folder, API response result: {result["Message"]} '
logger.info(f'MFA removed on Parent Folder: {result}')
def test_move_mfa_enabled_folder_to_non_mfa_enabled_folder(
core_session, pas_general_secrets, create_secret_inside_folder,
create_folder_inside_folder, cleanup_secrets_and_folders,
clean_up_policy):
"""
C284026: test method to move Source parent has MFA, destination no MFA, verify challenged
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder"
:param create_folder_inside_folder: Fixture to create nested Folder & yields folder & sub folder related details
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
:param clean_up_policy: Fixture to clean up the policy created
"""
user_detail = core_session.__dict__
user_name = user_detail['auth_details']['User']
secrets_params = pas_general_secrets
suffix = guid()
folder_id_list, folder_name, secret_list = create_secret_inside_folder
parent_folder_info, nested_folder_info, nested_folder_id = create_folder_inside_folder
folder_list = cleanup_secrets_and_folders[1]
update_folder_name = secrets_params['mfa_folder_name_update'] + suffix
challenges = ["UP", ""]
# creating a new Authentication profile
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA on Folder
result = update_folder(
core_session,
folder_id_list[1],
folder_name,
update_folder_name,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Move Folder with Mfa Authentication
result_folder_result = move_folder(core_session, folder_id_list[1],
nested_folder_id)
# StartChallenge MFA Authentication
session, mechanism = core_session.start_mfa_authentication(
user_name, result_folder_result['Result']['ChallengeId'])
# AdvanceAuthentication MFA to Password
advance_auth_result = core_session.advance_authentication(
answer=core_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
mfa_result = advance_auth_result.json()
assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
# After Authenticating of MFA move mfa enabled folder to the non mfa enabled folder.
moved_success, moved_result = move_folder_by_using_mfa(
core_session,
folder_id_list[1],
target_folder_info=nested_folder_id,
ChallengeStateId=result_folder_result['Result']['ChallengeId'])
assert moved_success, f'User: {user_name} Not Able to move mfa enabled folder' \
f' to the non mfa enabled folder: {moved_result}'
logger.info(
f'User: {user_name} moved mfa enabled folder: {update_folder_name} successfully '
f'to the non mfa enabled folder:')
folder_list.insert(0, folder_list.pop(1))
# Verifying mfa enabled folder moved successfully or not, inside non mfa enabled folder.
moved_folder = get_secrets_and_folders_in_folders(core_session,
nested_folder_id)
moved_folder_name = moved_folder["Result"]["Results"][0]["Row"]["Name"]
assert moved_folder_name == update_folder_name, f'Failed to get the moved folder{moved_folder_name} ' \
f'inside the folder'
logger.info(
f'Moved folder {moved_folder_name} get successfully inside the folder')
# Removing MFA on Folder
result = update_folder(
core_session,
folder_id_list[0],
update_folder_name,
secrets_params['mfa_folder_name_update'] + suffix,
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Not Able to remove MFA, API response result: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
def test_delete_folder_with_mfa_enabled(core_session, create_secret_folder,
pas_general_secrets, clean_up_policy,
cleanup_secrets_and_folders):
"""
C284042: Delete folder that has an MFA enabled
:param core_session: Authenticated Centrify Session.
:param create_secret_folder: Fixture to create folder & yields folder related details
:param pas_general_secrets: Fixture to read secrets related data from yaml file
:param clean_up_policy: Fixture to clean up the policy created
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
"""
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
folder_name = secret_folder_details['Name']
params = pas_general_secrets
suffix = guid()
challenges1 = ["UP", ""]
user_name = core_session.auth_details['User']
folders_list = cleanup_secrets_and_folders[1]
# creating a new Authentication profile for folder
policy_result = PolicyManager.create_new_auth_profile(
core_session, params['policy_name'] + suffix, challenges1, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Updating the Folder(Applying MFA)
result = update_folder(core_session,
folder_id,
folder_name,
folder_name,
description=params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f' Failed to apply MFA on folder, API response result: {result["Message"]} '
logger.info(f'MFA Applied on Folder: {result}')
# Delete folder with Mfa Authentication
del_result = del_folder(core_session, folder_id)
# StartChallenge MFA Authentication
session, mechanism = core_session.start_mfa_authentication(
user_name, del_result['Result']['ChallengeId'])
# AdvanceAuthentication MFA to Password
result = core_session.advance_authentication(
answer=core_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
assert result, "Password Authentication Failed"
# After Authentication of MFA delete folder
del_secret_result = del_folder_mfa(
core_session,
folder_id,
ChallengeStateId=del_result['Result']['ChallengeId'])
assert del_secret_result[
'success'], f'Failed to delete folder with mfa, API response result: {del_secret_result}'
logger.info(
f'Successfully deleted folder with MFA & get challenged: {del_secret_result}'
)
folders_list.remove(folder_id)
def test_update_retrieve_replace_activity_logged(core_session, added_secrets,
pas_general_secrets,
users_and_roles,
clean_up_policy):
"""
C3071: Update, retrieve, replace activity logged
:param core_session: Authenticated Centrify Session
:param added_secrets: Fixture to create text type secret & yield secret id, secret_name
:param pas_general_secrets: Fixture to read secret data from yaml file
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param clean_up_policy: Fixture to clean up the policy created
"""
secret_suffix = guid()
added_text_secret_id, added_text_secret_name = added_secrets
secrets_params = pas_general_secrets
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS User Rights login successfully: user_Name:{user_name}')
# Api to give user permissions to secrets
set_permission_result, set_permission_success = set_users_effective_permissions(
core_session, user_name, 'View,Grant', user_id,
added_text_secret_id[0])
assert set_permission_success, f'Failed to set permission: {set_permission_result}'
logger.info(
f'Setting permission:{set_permission_result}{set_permission_success}')
# Retrieving details(text) of the secret
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session, added_text_secret_id[0])
assert get_secret_success, f'Failed to retrieve the secret:{get_secret_text}'
logger.info(f' Retrieved secret details: {get_secret_details} ')
# Api to create new policy
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + secret_suffix,
["UP", None], None, "30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Api to update secret(assign policy & update name)
policy_assigned = update_secret(core_session,
added_text_secret_id[0],
secrets_params['updated_secret_name'] +
secret_suffix,
policy_id=policy_result)
assert policy_assigned[
'success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy assigned to text type secret: {policy_assigned}')
# Api to retrieve the activity of the secret
rows_result = UserManager.get_secret_activity(core_session,
added_text_secret_id[0])
assert rows_result, f'Failed to fetch Secret updated details & activity fetched:{rows_result}'
logger.info(f'Activity list:{rows_result}')
assert 'updated the secret' in rows_result[0][
"Detail"], f'Failed to update the secret:{rows_result[0]["Detail"]}'
assert 'viewed the secret' in rows_result[1][
"Detail"], f'Failed to retrieve the secret :{rows_result[1]["Detail"]}'
added_secret_status = False
added_permissions_status = False
for rows in rows_result:
if 'added a secret' in rows['Detail']:
added_secret_status = True
assert added_secret_status, f'Failed to add secret: {added_secret_status}'
for rows in rows_result:
if 'granted User' in rows['Detail']:
added_permissions_status = True
assert added_permissions_status, f'Failed to add permissions: {added_permissions_status}'
# Api to remove policy from the secret
policy_assigned = update_secret(core_session, added_text_secret_id[0],
added_text_secret_name)
assert policy_assigned[
'success'], f'Failed to remove policy from secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy removed from secret: {policy_assigned}')
def test_mfa_of_target_folder_once_secret_is_moved(core_session,
pas_general_secrets,
create_secret_folder,
added_secrets,
clean_up_policy):
"""
C283940: MFA of the target folder will apply once secret is moved to it
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_folder: Fixture to create secret folder & yields folder related details
:param added_secrets: Fixture to create text type secrets & yields secrets details
:param clean_up_policy: Fixture to clean up the policy created
"""
secrets_params = pas_general_secrets
suffix = guid()
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
secret_id, secret_name = added_secrets
challenges1 = ["UP", ""]
user_name = core_session.auth_details['User']
# creating a new Authentication profile for nested folder
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges1, 0,
0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA on Folder
result = update_folder(
core_session,
folder_id,
secret_folder_details['Name'],
secret_folder_details['Name'],
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Move Secret with Mfa Authentication
result_secret = move_secret(core_session,
secret_id[0],
folder_info=folder_id)
assert result_secret[
'success'], f'Failed to move secret into folder,API Response Result: {result_secret["Result"]}'
# Moving Secret with new parent inherited policies
secret_new_permissions = move_secret(core_session, secret_id[0])
# StartChallenge MFA Authentication
session, mechanism = core_session.start_mfa_authentication(
user_name, secret_new_permissions['Result']['ChallengeId'])
# AdvanceAuthentication MFA to Password
advance_auth_result = core_session.advance_authentication(
answer=core_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
mfa_result = advance_auth_result.json()
assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
logger.info(f'successfully applied password authentication: {mfa_result}')
# After Authenticating of MFA move secret with challenge password
moved_success, moved_result = move_secret_by_using_mfa(
core_session,
secret_id[0],
ChallengeStateId=secret_new_permissions['Result']['ChallengeId'])
assert moved_success, f'Failed to move secret with new parent inherited policies: {moved_result}'
logger.info(
f'User: {user_name} successfully moved secret with new parent inherited policies: {moved_result}'
)
# Applying MFA on Folder
result = update_folder(core_session, folder_id,
secret_folder_details['Name'],
secret_folder_details['Name'])
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
def test_edit_folder_permission_to_update_settings_and_policy(
core_session, create_secret_folder, pas_general_secrets,
users_and_roles, cleanup_secrets_and_folders, clean_up_policy):
"""
C3032:test method to login with cloud admin
1) Enable Edit folder permission for UserA,
2) Login with User A
3) Update the Settings and Policy on the folder and
4) Verify that you can edit settings and policy
:param core_session: Authenticated Centrify session
:param create_secret_folder: Fixture to create secret inside folder & yields secret & folder details
:param pas_general_secrets: Fixture to read secrets related data from yaml file
:param users_and_roles: Fixture to create random user with PAS Power Rights
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
:param clean_up_policy: Fixture to cleanup the policy created
"""
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
folder_name = secret_folder_details['Name']
folder_prefix = guid()
folder_params = pas_general_secrets
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details is not None, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name: {user_name}'
)
# Api to create new policy
policy_result = PolicyManager.create_new_auth_profile(
core_session, folder_prefix + folder_params['policy_name_new'],
["UP", None], None, "30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Api to give user permissions to folder(EDIT Enabled)
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, folder_id, 'View,Edit')
assert user_permissions_result, f'Not Able to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Updating settings & policy of the folder created
result = update_folder(pas_power_user_session,
folder_id,
folder_name,
folder_params['mfa_folder_name_update'] +
folder_prefix,
description=folder_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Updating settings & policy Failed: {result["Message"]} '
logger.info(f'Updating settings & policy: {result["success"]} {result}')
# Getting details of the Folder updated
result_folder = get_folder(core_session, folder_id)
logger.info(f'Updated Folder details: {result_folder}')
description_updated = result_folder["Result"]["Results"][0]["Row"][
"Description"]
name_updated = result_folder["Result"]["Results"][0]["Row"]["Name"]
assert 'MFAOnParentFolderUpdate' in name_updated, \
f'Failed to update the name{result_folder["Result"]["Results"][0]["Row"]["Name"]}'
assert 'mfa_description' in description_updated, \
f'Failed to update the description{result_folder["Result"]["Results"][0]["Row"]["Description"]}'
# Removing policy of the folder
result = update_folder(pas_power_user_session,
folder_id,
folder_name,
folder_params['mfa_folder_name_update'] +
folder_prefix,
description=folder_params['mfa_folder_description'])
assert result[
'success'], f'Updating settings & policy Failed: {result["Message"]}'
logger.info(f'Updating settings & policy: {result["success"]} {result}')
def test_mfa_on_moved_folder(core_session, pas_general_secrets,
create_secret_inside_folder,
create_folder_inside_folder,
cleanup_secrets_and_folders, clean_up_policy):
"""
C284029: MFA on moved folder should challenge and be moved over too.
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder"
:param create_folder_inside_folder: Fixture to create nested Folder & yields folder & sub folder related details
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
:param clean_up_policy: Fixture to clean up the policy created
"""
user_detail = core_session.__dict__
user_name = user_detail['auth_details']['User']
secrets_params = pas_general_secrets
folder_id_list, folder_name, secret_list = create_secret_inside_folder
parent_folder_info, nested_folder_info, nested_folder_id = create_folder_inside_folder
folder_list = cleanup_secrets_and_folders[1]
challenges1 = ["UP", ""]
challenges2 = ["UP,SQ", ""]
# creating First Authentication profile
create_first_profile = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + guid(), challenges1, 0,
0)
assert create_first_profile, f'Failed to create policy, API response result:{create_first_profile}'
logger.info(f' Creating first policy:{create_first_profile}')
clean_up_policy.append(create_first_profile)
# creating second Authentication profile
create_second_profile = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + guid(), challenges2, 0,
0)
assert create_second_profile, f'Failed to create policy, API response result:{create_second_profile}'
logger.info(f' Creating second policy:{create_second_profile}')
clean_up_policy.append(create_second_profile)
# Applying MFA on Folder
result = update_folder(
core_session,
parent_folder_info['ID'],
parent_folder_info['Name'],
secrets_params['mfa_folder_name_update'] + guid(),
description=secrets_params['mfa_folder_description'],
policy_id=create_second_profile)
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Applying MFA on another Folder
result = update_folder(
core_session,
folder_id_list[1],
folder_name,
secrets_params['mfa_folder_name_update'] + guid(),
description=secrets_params['mfa_folder_description'],
policy_id=create_first_profile)
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Move one mfa enabled folder to another mfa enabled folder.
logger.info(
f'Moving Folder {folder_name} into Folder:{parent_folder_info}')
result_folder_result = move_folder(core_session, folder_id_list[1],
parent_folder_info['ID'])
# StartChallenge MFA Authentication
session, mechanism = core_session.start_mfa_authentication(
user_name, result_folder_result['Result']['ChallengeId'])
assert session, "Failed to ask MFA"
logger.info("Successfully asked MFA")
# AdvanceAuthentication MFA to Password
advance_auth_result = core_session.advance_authentication(
answer=core_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
mfa_result = advance_auth_result.json()
assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
logger.info("Password Authentication Success")
# After Authenticating of MFA move mfa enabled folder to the mfa enabled folder.
moved_success, moved_result = move_folder_by_using_mfa(
core_session,
folder_id_list[1],
target_folder_info=parent_folder_info['ID'],
ChallengeStateId=result_folder_result['Result']['ChallengeId'])
assert moved_success, f'User: {user_name} Not Able to move mfa enabled folder' \
f' to the other mfa enabled folder: {moved_result}'
logger.info(f'User: {user_name} moved mfa enabled folder: successfully '
f'to the other mfa enabled folder:')
folder_list.insert(0, folder_list.pop(1))
# Removing MFA on Folder
result = update_folder(
core_session,
folder_id_list[0],
folder_name,
secrets_params['mfa_folder_name_update'] + guid(),
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Not Able to remove MFA, API response result: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Removing MFA on Folder
result = update_folder(
core_session,
parent_folder_info['ID'],
parent_folder_info['Name'],
secrets_params['mfa_folder_name_update'] + guid(),
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Not Able to remove MFA, API response result: {result["success"]} '
logger.info(f'Applying MFA for folder: {result}')
def test_move_no_mfa_enabled_folder_to_mfa_enabled_folder(
core_session,
pas_general_secrets,
create_secret_inside_folder,
create_folder_inside_folder,
cleanup_secrets_and_folders,
clean_up_policy):
"""
C284027: test method to Move no mfa enabled folder to mfa enabled folder, verify challenged
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder"
:param create_folder_inside_folder: Fixture to create nested Folder & yields folder & sub folder related details
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
:param clean_up_policy: Fixture to clean up the policy created
"""
secrets_params = pas_general_secrets
suffix = guid()
folder_id_list, folder_name, secret_list = create_secret_inside_folder
parent_folder_info, nested_folder_info, nested_folder_id = create_folder_inside_folder
folder_list = cleanup_secrets_and_folders[1]
update_folder_name = secrets_params['mfa_folder_name_update'] + suffix
challenges = ["UP", ""]
policy_result = PolicyManager.create_new_auth_profile(core_session, secrets_params['policy_name'] + suffix,
challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA on Folder
result = update_folder(core_session, parent_folder_info['ID'],
parent_folder_info['Name'],
update_folder_name,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result['success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Move no mfa enabled folder to mfa enabled folder.
logger.info(f'Moving Folder {folder_name} into Folder:{parent_folder_info}')
result_move = move_folder(core_session, folder_id_list[1], nested_folder_id)
assert result_move['success'], \
f'Not Able to move no mfa enabled folder to mfa enabled folder, API response result: {result_move["Result"]}'
logger.info(f'Moved successfully non mfa enabled Folder {folder_id_list[1]} to'
f'mfa enabled folder:{nested_folder_id}')
folder_list.insert(0, folder_list.pop(1))
# Verifying non mfa enabled folder moved successfully or not , inside mfa enabled folder.
moved_folder = get_secrets_and_folders_in_folders(core_session, nested_folder_id)
moved_folder_name = moved_folder["Result"]["Results"][0]["Row"]["Name"]
assert moved_folder_name == folder_name, f'Failed to get the moved folder{moved_folder_name} ' \
f'inside the folder'
logger.info(f'Moved folder {moved_folder_name} get successfully inside the folder')
# Removing MFA on Folder
result = update_folder(core_session, parent_folder_info['ID'],
parent_folder_info['Name'],
secrets_params['mfa_folder_name_update'] + suffix,
description=secrets_params['mfa_folder_description'])
assert result['success'], f'Not Able to remove MFA, API response result: {result["success"]} '
logger.info(f'Applying MFA for folder: {result}')
def test_delete_mfa_policy_on_secret(core_session, pas_general_secrets,
clean_up_policy, users_and_roles):
"""
C283962: MFA policy on Secret, verify challenged
:param core_session: Authenticated Centrify session
:param pas_general_secrets: Fixture to read secrets data from yaml file
:param clean_up_policy: Fixture to cleanup the policy created
:param users_and_roles: Fixture to create new user with restricted rights
"""
secrets_params = pas_general_secrets
suffix = guid()
# Create a folder A
secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(
core_session, secrets_params['mfa_folder_name'] + suffix,
secrets_params['description'])
assert secret_folder_success, f'Failed to create a folder {secret_folder_id}'
logger.info(f' Folder created successfully: {secret_folder_success} ')
secret_folder_parameters['ID'] = secret_folder_id
# Create a secret under A folder
added_secret_success, added_secret_id = create_text_secret_within_folder(
core_session, secrets_params['mfa_secret_name'] + suffix,
secrets_params['secret_text'], secrets_params['secret_description'],
secret_folder_id)
assert added_secret_success, f"Added Secret Failed {added_secret_id}"
logger.info(f'Added secrets info {added_secret_success, added_secret_id}')
# Getting details of the secret
found_secret = get_secret(core_session, added_secret_id)
assert found_secret['success'], \
f'Failed to get the details of the secret , API response result:{found_secret["Message"]}'
logger.info(f'Getting details of the secret: {found_secret}')
secret_name = found_secret['Result']['SecretName']
challenges = ["UP", ""]
# Creating new policy
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA on Secret
result = update_secret(
core_session,
added_secret_id,
secret_name,
description=secrets_params['mfa_secret_description'],
policy_id=policy_result)
assert result[
'success'], f' Failed to apply MFA on the secret, API response result:{result["Message"]} '
logger.info(f'MFA Applied on the secret: {result}')
# Getting new session for User
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name: {user_name}'
)
# Api to give user permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, secret_folder_id,
'Grant,View,Delete')
assert user_permissions_result, f'Failed to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to set DELETE permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'Grant,View,Delete,Retrieve', user_id,
secret_folder_id)
assert member_perm_success, f'Failed to set member permissions to Folder{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Delete secret with Mfa Authentication
del_success, del_result = del_secret(pas_power_user_session,
added_secret_id)
# StartChallenge MFA Authentication
session, mechanism = pas_power_user_session.start_mfa_authentication(
user_name, del_result['ChallengeId'])
# AdvanceAuthentication MFA to Password
result = pas_power_user_session.advance_authentication(
answer=pas_power_user_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
assert result, "Password Authentication Failed"
logger.info(f'Advance authentication: {result}')
# After Authentication of MFA delete the secret under folder
del_secret_success, del_secret_result = del_secret_mfa(
pas_power_user_session,
added_secret_id,
ChallengeStateId=del_result['ChallengeId'])
assert del_secret_success, f'User: {user_name} failed to delete secret from this folder: {secret_folder_id}'
logger.info(
f'User: {user_name} deleted secret: '
f'{added_secret_id} successfully from this folder: {secret_folder_id}')
# Delete folder
del_folder_res = del_folder(core_session, secret_folder_id)
assert del_folder_res, f'User: {user_name} failed to delete folder: {secret_folder_id}'
logger.info(
f'User: {user_name} successfully deleted folder: {secret_folder_id}')
def test_set_update_policy_verify_displayed_on_activity(
core_session, create_secret_folder, users_and_roles,
pas_general_secrets, clean_up_policy):
"""
C3069: test method to Set/Update policy verify it’s displayed on Activity
:param core_session: Authenticated Centrify Session
:param create_secret_folder: Fixture to create secret folder & yields folder details
:param users_and_roles: Fixture to create a random user with PAS Power rights
:param pas_general_secrets: Fixture to read secrets related data from yaml
:param clean_up_policy: Fixture to cleanup the policy created
"""
secrets_params = pas_general_secrets
suffix = guid()
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
folder_name = secret_folder_details['Name']
challenges = ["UP", ""]
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Updating the Folder(Applying MFA)
result = update_folder(
core_session,
folder_id,
folder_name,
folder_name,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Not Able to apply MFA on folder, API response result: {result["Message"]} '
logger.info(f'MFA Applied on Folder: {result}')
# API to get new session for User A
pas_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service User')
assert pas_user_session.auth_details, 'Failed to Login with PAS User'
user_name_user = pas_user_session.auth_details['User']
user_id_user = pas_user_session.auth_details['UserId']
logger.info(
f'User with PAS User Rights login successfully: user_Name:{user_name_user}'
)
# Api to give user permissions to folder
permissions_user = give_user_permissions_to_folder(core_session,
user_name_user,
user_id_user, folder_id,
'View')
assert permissions_user['success'], \
f'Not Able to set user permissions to folder, API response result:{permissions_user["Result"]}'
logger.info(f'User Permissions to folder: {permissions_user}')
# API to get new session for User A
pas_admin_session = users_and_roles.get_session_for_user(
'Privileged Access Service Administrator')
assert pas_admin_session.auth_details, 'Failed to Login with PAS Admin'
user_name_admin = pas_admin_session.auth_details['User']
user_id_admin = pas_admin_session.auth_details['UserId']
logger.info(
f'User with PAS Admin Rights login successfully: user_Name:{user_name_admin}'
)
# Api to give user permissions to folder
permissions_admin = give_user_permissions_to_folder(
core_session, user_name_admin, user_id_admin, folder_id, 'View')
assert permissions_admin['success'], \
f'Not Able to set user permissions to folder, API response result:{permissions_admin["Result"]}'
logger.info(f'User Permissions to folder: {permissions_admin}')
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name_power_user = pas_power_user_session.auth_details['User']
user_id_power_user = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name:{user_name_power_user}'
)
# Api to give user permissions to folder
permissions_admin = give_user_permissions_to_folder(
core_session, user_name_power_user, user_id_power_user, folder_id,
'View')
assert permissions_admin['success'], \
f'Not Able to set user permissions to folder, API response result:{permissions_admin["Result"]}'
logger.info(f'User Permissions to folder: {permissions_admin}')
# Updating the Folder(Removing MFA)
result = update_folder(core_session, folder_id, folder_name, folder_name)
assert result[
'success'], f'Not Able to apply MFA on folder, API response result: {result["Message"]} '
logger.info(f'MFA Applied on Folder: {result}')
# Getting activity of the folder(updating folder permissions multiple times)
activity_rows = get_folder_activity(core_session, folder_id)
verify_folder_update = 'updated the folder'
verify_folder_permissions_user = f'granted User "{user_name_user}" to have "View" permissions on'
verify_folder_permissions_power_user = f'granted User "{user_name_power_user}" to have "View" permissions on'
verify_folder_permissions_admin = f'granted User "{user_name_admin}" to have "View" permissions on'
assert verify_folder_permissions_user in activity_rows[3]['Detail'], \
f'Failed to verify the activity, API response result::{activity_rows}'
assert verify_folder_permissions_power_user in activity_rows[1]['Detail'], \
f'Failed to verify the activity:{activity_rows}'
assert verify_folder_permissions_admin in activity_rows[2]['Detail'], \
f'Failed to verify the activity, API response result::{activity_rows}'
assert verify_folder_update in activity_rows[0]['Detail'], \
f'Failed to verify the activity, API response result::{activity_rows}'
logger.info(
f'Replace activity found for secret, API response result: {activity_rows}'
)
def test_move_mfa_on_secrets_should_apply(core_session, pas_general_secrets,
create_secret_folder, added_secrets,
clean_up_policy):
"""
C283939: MFA on secret should still apply once moved to another folder
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_folder: Fixture to create secret folder & yields folder related details
:param added_secrets: Fixture to create text type secrets & yields secrets details
:param clean_up_policy: Fixture to clean up the policy created
"""
secrets_params = pas_general_secrets
suffix = guid()
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
secret_id, secret_name = added_secrets
challenges1 = ["UP", ""]
user_name = core_session.auth_details['User']
# creating a new Authentication profile for nested folder
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges1, 0,
0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA to secret
result = update_secret(
core_session,
secret_id[0],
secret_name,
description=secrets_params['mfa_secret_description'],
policy_id=policy_result)
assert result[
'success'], f'Failed to apply mfa to secret, API response result: {result["Message"]} '
logger.info(f'Successfully applied MFA to Secret: {result}')
# Move Secret with Mfa Authentication
result_secret = move_secret(core_session,
secret_id[0],
folder_info=folder_id)
# StartChallenge MFA Authentication
session, mechanism = core_session.start_mfa_authentication(
user_name, result_secret['Result']['ChallengeId'])
# AdvanceAuthentication MFA to Password
advance_auth_result = core_session.advance_authentication(
answer=core_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
mfa_result = advance_auth_result.json()
assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
logger.info(f'successfully applied password authentication: {mfa_result}')
# After Authenticating of MFA move secret with challenge password
moved_success, moved_result = move_secret_by_using_mfa(
core_session,
secret_id[0],
target_folder_info=folder_id,
ChallengeStateId=result_secret['Result']['ChallengeId'])
assert moved_success, f'User: {user_name} Failed to move secret to another folder: {moved_result}'
logger.info(
f'User: {user_name} successfully moved secret to another folder: {moved_result}'
)
# Move Secret with Mfa Authentication
result_secret = move_secret(core_session, secret_id[0])
assert result_secret['success'] is False, \
f'Failed to preserve MFA Policy,API Response result:{result_secret["Message"]}'
logger.info(f'MFA Policy is preserved successfully: {result_secret}')
# Removing mfa from secret
result = update_secret(
core_session,
secret_id[0],
secret_name,
description=secrets_params['mfa_secret_description'])
assert result[
'success'], f'Failed to remove mfa from secret, API response result: {result["Message"]} '
logger.info(f'Successfully removed mfa from secret: {result}')
def test_move_mfa_on_parent_folder(core_session, pas_general_secrets,
create_secret_inside_folder,
cleanup_secrets_and_folders,
clean_up_policy):
"""
C283936: MFA policy on Parent folder, verify challenged
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_inside_folder: Fixture to create secret inside folder & yields folder & secret details
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
:param clean_up_policy: Fixture to clean up the policy created
"""
user_detail = core_session.__dict__
user_name = user_detail['auth_details']['User']
secrets_params = pas_general_secrets
suffix = guid()
folder_list, folder_name, secret_list = create_secret_inside_folder
challenges = ["UP", ""]
# creating a new Authentication profile
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA on Folder
result = update_folder(
core_session,
folder_list[0],
folder_name,
folder_name,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Failed to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Move Secret with Mfa Authentication
result_secret = move_secret(core_session, secret_list[0])
# StartChallenge MFA Authentication
session, mechanism = core_session.start_mfa_authentication(
user_name, result_secret['Result']['ChallengeId'])
# AdvanceAuthentication MFA to Password
advance_auth_result = core_session.advance_authentication(
answer=core_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
mfa_result = advance_auth_result.json()
assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
# After Authenticating of move secret with mfa on parent folder
moved_success, moved_result = move_secret_by_using_mfa(
core_session,
secret_list[0],
ChallengeStateId=result_secret['Result']['ChallengeId'])
assert moved_success, f'Moving secret not challenged by mfa:{moved_result}'
logger.info(
f'Moving secret challenged by mfa on parent successfully:{moved_result} {moved_success}'
)
# Removing MFA on Folder
result = update_folder(
core_session,
folder_list[0],
folder_name,
folder_name,
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA, API response result:: {result["Message"]} '
logger.info(f'Successfully removed MFA on folder: {result}')
def test_move_mfa_on_closest_parent_should_override(
core_session, pas_general_secrets, create_folder_inside_folder,
cleanup_secrets_and_folders, clean_up_policy, users_and_roles):
"""
C283938: MFA on closest parent should override MFA on higher levels
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_folder_inside_folder: Fixture to create nested Folder & yields folder & sub folder related details
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
:param clean_up_policy: Fixture to clean up the policy created
:param users_and_roles: Fixture to create New user with PAS Power Rights
"""
secrets_params = pas_general_secrets
suffix = guid()
parent_folder_info, nested_folder_info, nested_folder_id = create_folder_inside_folder
parent_folder_id = parent_folder_info['ID']
parent_folder_name = parent_folder_info['Name']
secret_list = cleanup_secrets_and_folders[0]
challenges1 = ["UP", ""]
challenges2 = ["SQ", ""]
# Api to create secret within folder
added_text_secret_success, secret_id = create_text_secret_within_folder(
core_session, secrets_params['secret_name'] + suffix,
secrets_params['secret_text'], secrets_params['secret_description'],
nested_folder_id)
assert added_text_secret_success, f'Unable to create secret {secret_id}'
logger.info(f'Secret Created successfully: {added_text_secret_success}')
secret_list.append(secret_id)
# creating a new Authentication profile for nested folder
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges1, 0,
0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# creating another Authentication profile for parent folder
policy_result_v1 = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + "V1" + suffix,
challenges2, 0, 0)
assert policy_result_v1, f'Failed to create policy, API response result:{policy_result_v1}'
logger.info(f' Creating new policy:{policy_result_v1}')
clean_up_policy.append(policy_result_v1)
# Applying MFA on Nested Folder
result = update_folder(
core_session,
nested_folder_id,
nested_folder_info['Name'],
nested_folder_info['Name'],
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Applying MFA on Parent Folder
result = update_folder(
core_session,
parent_folder_id,
parent_folder_name,
parent_folder_name,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result_v1)
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Getting User with PAS Power User rights
pas_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_user_session.auth_details['User']
user_id = pas_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name:{user_name}'
)
# Api to give user permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, parent_folder_id, 'View')
assert user_permissions_result, f'Not Able to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to give member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'View, Edit', user_id, parent_folder_id)
assert member_perm_success, f'Not Able to set member permissions to Folder{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Move Secret with Mfa Authentication
result_secret = move_secret(pas_user_session, secret_id)
# StartChallenge MFA Authentication
session, mechanism = pas_user_session.start_mfa_authentication(
user_name, result_secret['Result']['ChallengeId'])
# AdvanceAuthentication MFA to Password
advance_auth_result = pas_user_session.advance_authentication(
answer=pas_user_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
mfa_result = advance_auth_result.json()
assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
logger.info(f'successfully applied password authentication: {mfa_result}')
# After Authenticating of MFA move secret with challenge password
moved_success, moved_result = move_secret_by_using_mfa(
pas_user_session,
secret_id,
ChallengeStateId=result_secret['Result']['ChallengeId'])
assert moved_success, f'User: {user_name} Failed to move secret with closest parent challenge: {moved_result}'
logger.info(
f'User: {user_name} successfully moved secret with closest parent challenge: {moved_result}'
)
# Removing MFA on Nested Folder
result = update_folder(
core_session,
nested_folder_id,
nested_folder_info['Name'],
nested_folder_info['Name'],
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA, API response result: {result["Message"]} '
logger.info(f'Removing MFA for Nested folder: {result}')
# Removing MFA on Parent Folder
result = update_folder(
core_session,
parent_folder_id,
parent_folder_name,
parent_folder_name,
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA, API response result: {result["Message"]} '
logger.info(f'Removing MFA for Parent folder: {result}')
def test_both_source_and_destination_have_mfa(core_session,
pas_general_secrets,
create_secret_inside_folder,
create_secret_folder,
clean_up_policy):
"""
C284028: Both source and destination have MFA
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder"
:param create_secret_folder: Fixture to create Folder & yields folder related details
:param clean_up_policy: Fixture to clean up the policy created
"""
user_detail = core_session.__dict__
user_name = user_detail['auth_details']['User']
secrets_params = pas_general_secrets
suffix = guid()
folder_id_source, folder_name_source, secret_list = create_secret_inside_folder
secret_folder_details = create_secret_folder
folder_id_destination = secret_folder_details['ID']
folder_name_destination = secret_folder_details['Name']
challenges = ["UP", ""]
challenges_v2 = ["SQ", ""]
# creating a new Authentication profile
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# creating a new Authentication profile
policy_result_v2 = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + "v2" + suffix,
challenges_v2, 0, 0)
assert policy_result_v2, f'Failed to create policy, API response result:{policy_result_v2}'
logger.info(f' Creating new policy:{policy_result_v2}')
clean_up_policy.append(policy_result_v2)
# Applying MFA on Folder
result = update_folder(
core_session,
folder_id_source[0],
folder_name_source,
folder_name_source,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Applying MFA on Folder
result = update_folder(
core_session,
folder_id_destination,
folder_name_destination,
folder_name_destination,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result_v2)
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Move Folder with Mfa Authentication
result_folder_result = move_folder(core_session, folder_id_source[0],
folder_id_destination)
# StartChallenge MFA Authentication
session, mechanism = core_session.start_mfa_authentication(
user_name, result_folder_result['Result']['ChallengeId'])
# AdvanceAuthentication MFA to Password
advance_auth_result = core_session.advance_authentication(
answer=core_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
mfa_result = advance_auth_result.json()
assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
# After Authenticating of MFA move source folder with mfa to destination folder with mfa.
moved_success, moved_result = move_folder_by_using_mfa(
core_session,
folder_id_source[0],
target_folder_info=folder_id_destination,
ChallengeStateId=result_folder_result['Result']['ChallengeId'])
assert moved_success, f'Failed to verify Mfa challenged by source folder, API response result:{mfa_result} '
logger.info(
f'Successfully verified Mfa challenged by source folder: {moved_result}'
)
# Removing MFA on Folder
result = update_folder(
core_session,
folder_id_source[0],
folder_name_source,
folder_name_source,
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA, API response result: {result["Message"]} '
logger.info(f'Successfully removed MFA for folder: {result}')
# Removing MFA on Folder
result = update_folder(
core_session,
folder_id_destination,
folder_name_destination,
folder_name_destination,
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA, API response result: {result["Message"]} '
logger.info(f'Successfully removed MFA for folder: {result}')
def test_mfa_policy_on_secret_verify_not_challenged_on_settings_update(core_session,
pas_general_secrets,
users_and_roles,
create_secret_inside_folder,
clean_up_policy):
"""
test method to verify that mfa does not exist on updating the settings for an existing secret "MFAOnSecret"
with already assigned mfa for that secret
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder"
:param clean_up_policy: Fixture to clean up the policy created
"""
secrets_params = pas_general_secrets
prefix = guid()
folder_list, folder_name, secret_list = create_secret_inside_folder
pas_power_user = users_and_roles.get_user('Privileged Access Service Power User')
user_name = pas_power_user.get_login_name()
user_id = pas_power_user.get_id()
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session,
user_name,
'View,Edit',
user_id,
secret_list[0])
assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}'
logger.info(f'setting permissions for text type secret: : {text_type_secret_success}')
# Api to create new policy
policy_result = PolicyManager.create_new_auth_profile(core_session,
prefix + secrets_params['policy_name'],
["UP", None],
None,
"30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Api to get the details of the secret
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session,
secret_list[0])
assert get_secret_success, f'Failed to get the details of the secret:{get_secret_success}'
logger.info(f'Details of the secret returned:{get_secret_details}')
# Api to assign MFA & update settings of secret
policy_assigned = update_secret(core_session,
secret_list[0],
prefix + secrets_params['mfa_secret_name_update'],
description=secrets_params['mfa_secret_description'],
secret_text=get_secret_text,
policy_id=policy_result)
assert policy_assigned['success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy assigned to text type secret: {policy_assigned}')
# Api to Remove MFA from secret
result = update_secret(core_session, secret_list[0],
prefix + secrets_params['mfa_secret_name_update'],
description=secrets_params['mfa_secret_description'])
assert result['success'], f'Not Able to update the settings: {result["Message"]} '
logger.info(f'Update settings for secret: {result}')
# Api to get details of the secret updated
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session,
secret_list[0])
description_updated = get_secret_details['Description']
name_updated = get_secret_details['SecretName']
assert 'MFAOnSecretUpdate' in name_updated, f'Failed to update the name{get_secret_success}'
assert 'mfa_description' in description_updated, f'Failed to update the description{get_secret_success}'
logger.info(f'Details of the secret updated: {get_secret_details}')
def test_retrieve_mfa_policy_on_parent_folder_verify_challenged(
core_session, core_admin_ui, pas_general_secrets,
create_secret_inside_folder, clean_up_policy):
"""
C2985: MFA policy on Parent folder, verify challenged
1) Set MFA on MFAonParent
2) Right click "MFAonSecret" then Retrieve.
3) Verify challenged with MFA popups,
4) Enter password & verify you can retrieve secret
:param core_session: Authenticated Centrify Session
:param core_admin_ui: Fixture to launch ui session for cloud admin
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder"
:param clean_up_policy: Fixture to clean up the policy created
"""
secrets_params = pas_general_secrets
suffix = guid()
folder_list, folder_name, secret_list = create_secret_inside_folder
verify_text = secrets_params['secret_text']
# Getting details of the secret replaced
found_secret = get_secret(core_session, secret_list[0])
assert found_secret['success'], \
f'Failed to get the details of the secret updated, API response result:{found_secret["Message"]}'
logger.info(f'Getting details of the secret: {found_secret}')
secret_name = found_secret['Result']['SecretName']
challenges = ["UP", ""]
# Creating new policy
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA on Folder
result = update_folder(core_session,
folder_list[0],
folder_name,
folder_name,
policy_id=policy_result)
assert result[
'success'], f'Not Able to apply MFA, API response result: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
ui = core_admin_ui
password = ui.get_user().get_password()
login = Login(ui)
ui.navigate('Resources', 'Secrets')
ui.search(folder_name)
ui.click_row(GridRowByGuid(folder_list[0]))
ui.click_row(GridRowByGuid(secret_list[0]))
ui.action('Retrieve')
ui.switch_context(Modal(text=secret_name))
ui.button('Show Text')
ui.switch_context(NoTitleModal())
login.click_next_on_auth()
login.enter_login_password(password)
login.click_next_on_auth()
ui.switch_context(ActiveMainContentArea())
ui.expect(InputBoxValue(verify_text),
f'Expect to find {verify_text} in Retrieve but could not.')
logger.info(
f'Text Retrieved with MFA challenge(password only)i.e. MFAonParent successfully: {verify_text}'
)
# Removing MFA on Folder
result = update_folder(
core_session,
folder_list[0],
folder_name,
secrets_params['mfa_folder_name_update'] + suffix,
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Not Able to apply MFA, API response result: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
def test_adding_several_items_during_creation(core_session,
added_secrets_file,
added_secrets,
users_and_roles,
pas_general_secrets,
clean_up_policy):
secret_prefix = guid()
secrets_params = pas_general_secrets
added_secret_id = added_secrets_file
added_text_secret_id, added_text_secret_name = added_secrets
application_management_user = users_and_roles.get_user('Privileged Access Service Power User')
user_name = application_management_user.get_login_name()
user_id = application_management_user.get_id()
# setting permissions for User A
set_permission_result, set_permission_success = set_users_effective_permissions(core_session,
user_name,
'View,Grant',
user_id,
added_secret_id)
assert set_permission_success, f'Failed to set permission: {set_permission_result}'
logger.info(f'Setting permission:{set_permission_result}{set_permission_success}')
# creating new policy
policy_result = PolicyManager.create_new_auth_profile(core_session,
secret_prefix + secrets_params['policy_name'],
["UP", None], None, "30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Getting details of file type secrets
get_secret_details, get_secret_success, get_secret_created_date = get_file_type_secret_contents(core_session,
added_secret_id)
assert get_secret_success, f'Failed to get the file type secret contents:{get_secret_success}'
logger.info(f'Secret created details: {get_secret_details}')
secrete_file = {'Type': '',
'SecretFilePassword': '******',
'SecretFilePath': '',
'SecretFileSize': '',
'SecretName': get_secret_details['SecretName'],
'ID': added_secret_id,
'DataVaultDefaultProfile': ''
}
local_secret_path = get_asset_path('secret_upload.txt')
# Assigning policy to file type secrets
policy_assigned = update_file_type_secret(core_session, added_secret_id, secrete_file, local_secret_path,
policy_result)
assert policy_assigned['success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f'Policy assigned to secret : {policy_assigned}')
# Removing policy to file type secrets
policy_assigned = update_file_type_secret(core_session, added_secret_id, secrete_file, local_secret_path)
assert policy_assigned['success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f'Policy assigned to secret : {policy_assigned}')
# Setting permissions for text type secrets
set_permission_result, set_permission_success = set_users_effective_permissions(core_session, user_name,
'View,Grant', user_id,
added_text_secret_id[0])
assert set_permission_success, f'Failed to set permission: {set_permission_result}'
logger.info(f'Setting permission:{set_permission_result}{set_permission_success}')
# Applying Policy
policy_assigned = update_secret(core_session,
added_text_secret_id[0],
added_text_secret_name,
policy_id=policy_result)
assert policy_assigned['success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy assigned to text type secret: {policy_assigned}')
# Removing policy
policy_assigned = update_secret(core_session,
added_text_secret_id[0],
added_text_secret_name)
assert policy_assigned['success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy assigned to text type secret: {policy_assigned}')
def test_replace_mfa_policy_on_parent_folder_verify_challenged(
core_session,
pas_general_secrets,
create_secret_inside_folder,
core_session_unauthorized,
clean_up_policy,
users_and_roles):
"""
C2980: test method to MFA policy on Parent folder, verify challenged
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder"
:param core_session_unauthorized: Fixture to start authentication MFA
:param clean_up_policy: Fixture to clean up the policy created
:param users_and_roles: Fixture to create random user with pas user rights
"""
secrets_params = pas_general_secrets
suffix = guid()
folder_list, folder_name, secret_list = create_secret_inside_folder
challenges = ["UP", ""]
policy_result = PolicyManager.create_new_auth_profile(core_session, secrets_params['policy_name'] + suffix,
challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA on Folder
result = update_folder(core_session, folder_list[0],
folder_name,
secrets_params['mfa_folder_name_update'] + suffix,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result['success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(f'{pas_power_user_session.auth_details}')
logger.info(f'User with PAS User Rights login successfully: user_Name:{user_name}')
# Getting password for MFA
password = users_and_roles.get_default_user_password()
# Api to give user permissions to folder
user_permissions_alpha = give_user_permissions_to_folder(core_session, user_name, user_id, folder_list[0], 'View')
assert user_permissions_alpha['success'], \
f'Not Able to set user permissions to folder{user_permissions_alpha["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions_alpha}')
# Api to give member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session,
user_name,
'View, Edit',
user_id,
folder_list[0])
assert member_perm_success, f'Not Able to set member permissions to Folder: {member_perm_result}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# MFA Authentication starts on the secret to be replaced
mfa_authentication = pas_power_user_session.start_authentication(user_name)
result = mfa_authentication.json()['Result']
success = mfa_authentication.json()['success']
assert success, f'Failed to start MFA Authentication on the secret to be replaced, API response result:{result}'
challenge_value = result['Challenges'][0]['Mechanisms'][0]['Name']
assert challenge_value == 'UP', f'Challenge "Password" is not set, API response result:{result}'
logger.info(f'MFA Authentication with "Password" starts on the secret to be replaced:{mfa_authentication.json()}')
# Advance MFA Authentication starts on the secret to be replaced
up_result = pas_power_user_session.advance_authentication(password, challenge_index=0, mechanism_name='UP')
mfa_result = up_result.json()
assert mfa_result['success'], f'Failed to respond to challenge, API response result:{mfa_result["Result"]}'
logger.info(f'MFA popups before secret gets replaced:{mfa_result}')
# Replacing the text of the secret
result = update_secret(pas_power_user_session,
secret_list[0],
secrets_params['mfa_secret_name_update'] + suffix,
secret_text=secrets_params['secret_text_replaced'],
policy_id=policy_result)
assert result['success'], f'Not Able to replace the text of the secret, API response result:{result["Message"]} '
logger.info(f'Secret gets replaced: {result}')
# Removing MFA from secret
result = update_secret(pas_power_user_session,
secret_list[0],
secrets_params['mfa_secret_name_update'] + suffix,
secret_text=secrets_params['secret_text_replaced']
)
assert result['success'], f'Not Able to remove MFA, API response result:{result["Message"]} '
logger.info(f'Removing MFA from secret: {result}')
# Removing MFA from folder
result = update_folder(core_session, folder_list[0],
folder_name,
secrets_params['mfa_folder_name_update'] + suffix
)
assert result['success'], f'Not Able to remove MFA, API response result:: {result["Message"]} '
logger.info(f'Removing MFA from folder: {result}')
# Getting details of the Secret Replaced
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session,
secret_list[0])
assert get_secret_text == secrets_params['secret_text_replaced'], \
f'Failed to replace the secret, API response result: {get_secret_success}'
logger.info(f'Details of the secret Replaced: {get_secret_details}')