def test_delete_command_with_assignments(core_session, setup_generic_pe_command_with_no_rules):
logger.info("test_delete_command_with_assignments")
commandName, commandID = setup_generic_pe_command_with_no_rules
# Add assignment
principalType = "Role"
principal = "System Administrator"
scopeType = "Global"
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {results}"
logger.debug(f"List pe assignments response: {results}")
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
f"ruleID not present in list of pe assignments response"
# Delete the command with name, should succeed
result, isSuccess = PrivilegeElevation.del_pe_command(core_session, name=commandName)
assert isSuccess, f"Deleting command failed: {result}"
# Make sure list assignment fails
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert not isSuccess, f"List assignments API call not failed after deleting associated command: {results}"
logger.debug(f"List pe assignments response: {results}")
def test_pe_del_assignment_on_set_delete(core_session, setup_generic_pe_command_with_no_rules, create_resources):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_name = "set_" + Util.random_string()
is_create, set_id = SetsManager.create_manual_collection(
core_session, set_name, "Server", object_ids=[added_system_id])
assert is_create, f"Successfully created a set and added system to that set: {set_id}"
# Give all permissions to admin user on this set
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
logger.info(result)
assert result['success'], "setting collection permissions failed: " + result
# Add assignment
principalType = "User"
principal = admin_user_name
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"
logger.info(results)
# Delete Set
isSuccess, results = SetsManager.delete_collection(core_session, set_id)
assert isSuccess, f"Deleting set failed: {results}"
# Make sure rule assignment is not available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 0, f"List assignments API call failed: {results}"
logger.info(results)
def test_update_assignment_sysadmin_without_ma_permission_on_system(
core_session, create_resources,
setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.info(f"Successfully added a System: {added_system_id}")
# Give all permissions but MA to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
"User", added_system_id)
assert success, f"Unable to set system permissions for admin: {result}"
# Add assignment
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="User",
principal=admin_user_name,
scopeType="System",
scope=added_system_id,
principalId=None,
bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=rule_info['ScopeType'],
scope=rule_info['Scope'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'],
byPassChallenge=False)
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# Update rules
rule_info['BypassChallenge'] = True
# This sysadmin user doesn't have MA permission, should still pass
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session, ruleID=ruleID, bypassChallenge=True)
assert isSuccess, f"UpdateAssignment for sys admin user with MA permissions on " \
f"a set failed, reason: {results}"
# Make sure assignments are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for sysadmin user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
def test_delete_assignment(core_session, setup_generic_pe_command_with_no_rules):
logger.info("test_delete_assignment")
commandName, commandID = setup_generic_pe_command_with_no_rules
# Add 2 assignments
principalType = "Role"
principal = "System Administrator"
scopeType = "Global"
ruleID1, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
ruleID2, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Delete rule2
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, ruleID2)
assert isSuccess, f" Deleting rule assignment 2 failed: {result}"
result, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {result}"
# Make sure result doesn't have rule2 but has rule1
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID1, result, True), \
f"ruleID1 not present in list of pe assignments response"
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID2, result, False), \
f"ruleID2 present in list of pe assignments response"
def test_pe_user_has_access(core_session, setup_generic_pe_command_with_no_rules, users_and_roles):
commandName, commandID = setup_generic_pe_command_with_no_rules
# Get User
requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(user_info)
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Role",
principal="System Administrator", scopeType="Global",
scope=None, principalId=None, bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info['ScopeType'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'])
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# This user inherited View permission, so should be able to see the rule
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, commandID=commandID)
assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
def test_pe_del_command_scenario2(core_session, setup_generic_pe_command_with_no_rules, users_and_roles,
create_resources, create_manual_set):
commandName, commandID = setup_generic_pe_command_with_no_rules
requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(f"del_command_scenario2 user_info: {user_info}")
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server", object_ids=[added_system_id])['ID']
logger.debug(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to admin user on this set
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
assert result['success'], "setting collection permissions failed: " + result
# Add assignment
principalType = "User"
principal = user_info['Name']
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {results}"
logger.debug(f"List pe assignments response: {results}")
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
f"ruleID not present in list of pe assignments response"
# Deleting command should be successful, assignments too
result, isSuccess = PrivilegeElevation.del_pe_command(requester_session, name=commandName)
assert isSuccess, f"Deleting command as a non-admin user with pe permission failed: {result}"
# Deleting assignmnent explicitly should fail
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
assert not isSuccess, f"Deleting an already deleted assignment passed: {ruleID}"
assert re.findall('Privilege Elevation Assignment not found', result), \
f"Deleting an already deleted assignment failed with unknown exception: {result}"
def test_pe_del_assignment_on_system_delete(core_session, setup_generic_pe_command_with_no_rules, create_resources):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Give all permissions but the manager assignments permission to admin user on this system
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result, success = ResourceManager.assign_system_permissions(core_session, permission_string,
admin_user_name, admin_user_id, "User",
added_system_id)
assert success, "Did not set system permissions " + result
# Add assignment
principalType = "User"
principal = admin_user_name
scopeType = "System"
scope = added_system_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"
logger.debug(results)
# Delete System
result, isSuccess = ResourceManager.del_system(core_session, added_system_id)
assert isSuccess, f"deleting System failed: {result}"
# Make sure rule assignment is not available anymore
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 0, f"List assignments API call failed: {results}"
logger.info(results)
def test_regular_user_with_no_view_permissions_on_system_set(core_session, setup_generic_pe_command_with_no_rules,
users_and_roles, create_resources, create_manual_set):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Get User
requester_session = users_and_roles.get_session_for_user()
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(user_info)
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server", object_ids=[added_system_id])['ID']
logger.debug(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
logger.info(result)
assert result['success'], "setting admin collection permissions failed: " + result
# Add assignment
principalType = "User"
principal = user_info['Name']
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# This user does not have view permission, so should fail
results, isSuccess = PrivilegeElevation.list_pe_assignments(requester_session, commandID=commandID)
assert not isSuccess and results['Message'] == \
"You are not authorized to perform this operation. Please contact your IT helpdesk.", \
f"List Assignments for regular user with no view permissions on a set passed/ failed with " \
f"unknown exception, reason: {results}"
def test_no_bypassChallenge(core_session,
setup_generic_pe_command_with_no_rules,
users_and_roles):
commandName, commandID = setup_generic_pe_command_with_no_rules
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Role",
principal="System Administrator",
scopeType="Global",
scope=None,
principalId=None,
bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=rule_info['ScopeType'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'])
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# updated rules
starts = datetime.datetime.now().replace(microsecond=0).isoformat() + "Z"
expires = (datetime.datetime.now() + datetime.timedelta(minutes=10)
).replace(microsecond=0).isoformat() + "Z"
rule_info['Starts'] = starts
rule_info['Expires'] = expires
# With sysadmin should pass
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session,
ruleID=ruleID,
starts=rule_info['Starts'],
expires=rule_info['Expires'])
assert isSuccess, f"Update Assignment for sysadmin user failed for Global rule, reason: {results}"
# Make sure rules are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
def test_pe_del_assignment_scenario1(core_session, setup_generic_pe_command_with_no_rules, users_and_roles,
create_resources):
commandName, commandID = setup_generic_pe_command_with_no_rules
requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(f"del_assignment_scenario1 user_info: {user_info}")
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Give all permissions but the manage assignments permission to admin user on this system
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(core_session, permission_string,
admin_user_name, admin_user_id, "User",
added_system_id)
assert success, f"Did not set system permissions: {result}"
# Add assignment
principalType = "User"
principal = user_info['Name']
scopeType = "System"
scope = added_system_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {results}"
logger.debug(f"List pe assignments response: {results}")
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
f"ruleID not present in list of pe assignments response"
# Deleting assignment explicitly should fail
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
assert not isSuccess, f"Deleting rule assignment with no manage permission on system passed: {ruleID}"
assert re.findall('unauthorized', result), \
f"Deleting rule assignment with no manage permission on system did not fail with unauthorized exception: {ruleID}" \
f": {result}"
def test_global_scenario(core_session, setup_generic_pe_command_with_no_rules,
users_and_roles):
commandName, commandID = setup_generic_pe_command_with_no_rules
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Role",
principal="System Administrator",
scopeType="Global",
scope=None,
principalId=None,
bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=rule_info['ScopeType'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'])
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# Get User
requester_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
rule_info['BypassChallenge'] = True
# Since not sys admin should fail
results, isSuccess = PrivilegeElevation.update_pe_assignment(
requester_session, ruleID=ruleID, bypassChallenge=True)
assert not isSuccess, f"Update Assignment for PAS power user passed for Global rule, reason: {results}"
# With sysadmin should pass
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session, ruleID=ruleID, bypassChallenge=True)
assert isSuccess, f"Update Assignment for sysadmin user failed for Global rule, reason: {results}"
# Make sure rules are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
def test_delete_assignment_sysadmin_without_ma_permission_on_system_set(core_session, create_manual_set,
setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server")['ID']
logger.info(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id)
logger.info(result)
assert result['success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permissions but MA to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id)
assert result['success'], "assigning collection permissions on the resource set for the user failed: " + result
# Add assignment
principalType = "User"
principal = admin_user_name
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"
# Deleting assignment explicitly should pass
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, ruleID)
assert isSuccess, f"Deleting rule assignment with no manage permission on system as sysadmin failed: {ruleID}"
def test_pe_del_assignment_scenario3(core_session, setup_pe_one_command_one_rule, users_and_roles):
commandName, commandID, ruleID = setup_pe_one_command_one_rule
requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(f"del_assignment_scenario3: {user_info}")
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {results}"
logger.debug(f"List pe assignments response: {results}")
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
f"ruleID not present in list of pe assignments response"
# Deleting assignment explicitly should fail
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
assert not isSuccess, f"Deleting rule assignment with no manage permission on system passed: {ruleID}"
assert re.findall('unauthorized', result), \
f"Deleting rule assignment with no manage permission on system did not fail with unauthorized exception: {ruleID}"
def test_multiple_rules(core_session, setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
# First Rule assignment
rule_info1 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Role",
principal="System Administrator", scopeType="Global",
scope=None, principalId=None, bypassChallenge=False)
ruleID1, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info1['ScopeType'],
principalType=rule_info1['PrincipalType'],
principal=rule_info1['Principal'])
assert isSuccess, f" Adding rule assignment 1 failed"
rule_info1['ID'] = ruleID1
# Get Admin info
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add second rule assignment
rule_info2 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User",
principal=admin_user_name, scopeType="Global",
scope=None, principalId=admin_user_id,
bypassChallenge=True)
ruleID2, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info2['ScopeType'],
principalType=rule_info2['PrincipalType'],
principalID=rule_info2['PrincipalId'],
byPassChallenge=True,
starts=rule_info2['Starts'],
expires=rule_info2['Expires'])
assert isSuccess, f" Adding rule assignment 2 failed"
rule_info2['ID'] = ruleID2
# Get both assignments
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, commandID=commandID)
assert isSuccess, f"List Assignments for two assignments failed, reason: {results}"
rule_info_list = [rule_info1, rule_info2]
assert len(results['Result']) == 2 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID1} : {ruleID2}"
def test_commandID_case(core_session, setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Role",
principal="System Administrator", scopeType="Global",
scope=None, principalId=None, bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info['ScopeType'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'])
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, commandID=commandID)
assert isSuccess, f"List Assignments failed for commandID: {commandID}, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and \
PrivilegeElevation.check_rules_info_in_api_response(rule_info_list, results), \
f"List Assignments complete check failed: {ruleID}"
def test_pe_del_command_scenario3(core_session, setup_pe_one_command_one_rule, users_and_roles):
commandName, commandID, ruleID = setup_pe_one_command_one_rule
requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(f"del_command_scenario3 - user_info: {user_info}")
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {results}"
logger.debug(f"List pe assignments response: {results}")
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
f"ruleID not present in list of pe assignments response"
# Deleting command should be successful, along with assignments
result, isSuccess = PrivilegeElevation.del_pe_command(requester_session, name=commandName)
assert isSuccess, f"Deleting command as a non-admin user with pe permission failed: {result}"
# Deleting assignment explicitly should fail, as assignment is already deleted
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
assert not isSuccess, f"Deleting an already deleted assignment passed: {ruleID}"
assert re.findall('Privilege Elevation Assignment not found', result), \
f"Deleting an already deleted assignment failed with unknown exception: {result}"
def test_delete_assignment_sysadmin_without_ma_permission_on_system(core_session, create_resources,
setup_generic_pe_command_with_no_rules,
operating_system):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, operating_system)[0]['ID']
logger.info(f"Successfully added a System: {added_system_id}")
# Give all permissions but MA to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(core_session, permission_string,
admin_user_name, admin_user_id, "User",
added_system_id)
assert success, f"Unable to set system permissions for admin: {result}"
# Add assignment
principalType = "User"
principal = admin_user_name
scopeType = "System"
scope = added_system_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"
# Deleting assignment explicitly should pass
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, ruleID)
assert isSuccess, f"Deleting rule assignment with no manage permission on system as sysadmin failed: {ruleID}"
def test_collection_scenario(core_session, users_and_roles, create_resources,
create_manual_set,
setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Get User
requester_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(core_session,
"Server",
object_ids=[added_system_id])['ID']
logger.debug(
f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
admin_user_name,
admin_user_id, set_id)
assert result[
'success'], "setting admin collection permissions on the set failed: " + result
# Give all permissions to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
set_id)
assert result[
'success'], "setting admin collection permissions on the resourceSet failed: " + result
# Give all permission for the user on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
user_info['Name'],
user_info['Id'], set_id)
assert result[
'success'], "setting PAS power user collection permissions on the set failed: " + result
# Give all permission but the MA permission to the PAS user on the resource Set
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
set_id)
assert result[
'success'], "setting PAS power user collection permissions on the resourceSet failed: " + result
# Add assignment
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="User",
principal=user_info['Name'],
scopeType="Collection",
scope=set_id,
principalId=None,
bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=rule_info['ScopeType'],
scope=rule_info['Scope'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'],
byPassChallenge=False)
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# This user does not have MA permission, so should fail
results, isSuccess = PrivilegeElevation.update_pe_assignment(
requester_session, ruleID=ruleID, bypassChallenge=False)
assert not isSuccess and results['Message'] == "Attempted to perform an unauthorized operation.", \
f"UpdateAssignment for PAS power user with no MA permissions on a set passed, reason: {results}"
# Now assign MA permission but not Edit permission to the user
permission_string = 'Grant,View,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
user_info['Name'],
user_info['Id'], set_id)
assert result[
'success'], "setting PAS power user collection permissions failed: " + result
# This user does not have Edit permission, so should fail
results, isSuccess = PrivilegeElevation.update_pe_assignment(
requester_session, ruleID=ruleID, bypassChallenge=False)
assert not isSuccess and results['Message'] == "Attempted to perform an unauthorized operation.", \
f"UpdateAssignment for PAS power user with no Edit permissions on a set passed, reason: {results}"
# Now assign MA permission and Edit permission to the user
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
set_id, "User")
assert result[
'success'], "setting PAS power user collection permissions failed: " + result
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
user_info['Name'],
user_info['Id'], set_id)
assert result[
'success'], "setting PAS power user collection permissions failed: " + result
# updated rules
starts = datetime.datetime.now().replace(microsecond=0).isoformat() + "Z"
expires = (datetime.datetime.now() + datetime.timedelta(minutes=10)
).replace(microsecond=0).isoformat() + "Z"
rule_info['Starts'] = starts
rule_info['Expires'] = expires
rule_info['BypassChallenge'] = True
# This user has Edit and MA permissions on the set, should pass
results, isSuccess = PrivilegeElevation.update_pe_assignment(
requester_session,
ruleID=ruleID,
bypassChallenge=rule_info['BypassChallenge'],
starts=rule_info['Starts'],
expires=rule_info['Expires'])
assert isSuccess, f"UpdateAssignment for PAS power user with Edit and MA permissions on " \
f"a set failed, reason: {results}"
# Make sure rules are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
# Update rules
rule_info['BypassChallenge'] = False
# This sysadmin user does have MA permission, so should pass
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session, ruleID=ruleID, bypassChallenge=False)
assert isSuccess, f"UpdateAssignment for sys admin user with MA permissions on " \
f"a set failed, reason: {results}"
# Make sure rules are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
def test_system_scenario(core_session, setup_generic_pe_command_with_no_rules,
users_and_roles, create_resources):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Get User
requester_session = users_and_roles.get_session_for_user(
'Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Give all permissions to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
"User", added_system_id)
assert success, f"Did not set admin system permissions: {result}"
# Give all permission but the ManageAssignment permission to the PE User
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
"User", added_system_id)
assert success, f"Did not set PE user system permissions: {result}"
# Add assignment
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="User",
principal=admin_user_name,
scopeType="System",
scope=added_system_id,
principalId=None,
bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=rule_info['ScopeType'],
scope=rule_info['Scope'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'],
byPassChallenge=False)
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# This user does not have ManageAssignment permission, so should fail
results, isSuccess = PrivilegeElevation.update_pe_assignment(
requester_session, ruleID=ruleID, bypassChallenge=False)
assert not isSuccess, f"Update Assignment for PE user with no MA permissions on a " \
f"system passed, reason: {results}"
# Add MA permission to the user on the system
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
"User", added_system_id)
assert success, f"Did not set PE user system permissions: {result}"
# Should pass now
results, isSuccess = PrivilegeElevation.update_pe_assignment(
requester_session, ruleID=ruleID, bypassChallenge=False)
assert isSuccess, f"Update Assignment for PE user with MA permissions on a " \
f"system failed, reason: {results}"
# Make sure rules are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
def test_no_rules(core_session, setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, commandID=commandID)
assert isSuccess and len(results['Result']) == 0, f"List Assignments for no assignments failed, reason: {results}"
def test_no_params_provided(core_session):
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session)
assert not isSuccess and results['Message'] == "Parameter 'Command/CommandId' must be specified.", \
f"List Assignments passed/failed with unknown exception when no params provided, reason: {results}"
def test_invalid_commandName(core_session):
commandName = "abcd_xyz"
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert not isSuccess and results['Message'] == "Privilege Elevation Command not found.", \
f"List Assignments passed/failed with unknown exception" \
f" when invalid commandName provided, commandName: {commandName}, reason: {results}"
def test_update_assignment_sysadmin_without_ma_permission_on_system_set(
core_session, create_manual_set,
setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Create Set and the system to this set
set_id = create_manual_set(core_session, "Server")['ID']
logger.info(
f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
admin_user_name,
admin_user_id, set_id)
assert result[
'success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permissions but MA to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
set_id)
assert result[
'success'], "assigning collection permissions on the resource set for the user failed: " + result
# Add assignment
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="User",
principal=admin_user_name,
scopeType="Collection",
scope=set_id,
principalId=None,
bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=rule_info['ScopeType'],
scope=rule_info['Scope'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'],
byPassChallenge=False)
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# Update rules
rule_info['BypassChallenge'] = True
# This sysadmin user doesn't have MA permission, should still pass
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session, ruleID=ruleID, bypassChallenge=True)
assert isSuccess, f"UpdateAssignment for sys admin user with MA permissions on " \
f"a set failed, reason: {results}"
# Make sure assignments are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for sysadmin user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
def test_commandName_commandID_provided(core_session, setup_pe_one_command_one_rule):
commandName, commandID, ruleID = setup_pe_one_command_one_rule
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, commandID=commandID, command=commandName)
assert not isSuccess and results['Message'] == "Cannot specify both ID and name for Command in request", \
f"List Assignments passed/failed with unknown exception when both " \
f"commandName and commandID passed, reason: {results}"
