def test_secret_added_to_set(core_session, text_secret, set_cleaner):
set_1_name = guid() + ' Secret Set'
set_2_name = guid() + ' Secret Set'
success, set_1_id = SetsManager.create_manual_collection(
core_session, set_1_name, 'DataVault', object_ids=[text_secret['ID']])
assert success is True, f'Failed to create manual set with one initial member {set_1_id}'
set_cleaner.append(set_1_id)
success, set_2_id = SetsManager.create_manual_collection(
core_session, set_2_name, 'DataVault', object_ids=[text_secret['ID']])
assert success is True, f'Failed to create manual set with one initial member {set_2_id}'
set_cleaner.append(set_2_id)
results = SetsManager.search_object_in_set(core_session,
set_1_name,
text_secret['SecretName'],
'DataVault',
search_columns=['SecretName'])
assert results[0]['Row']['ID'] == text_secret[
'ID'], 'Searching for new secret in set 1 and could not find it. {json.dumps(results)}'
results = SetsManager.search_object_in_set(core_session,
set_2_name,
text_secret['SecretName'],
'DataVault',
search_columns=['SecretName'])
assert results[0]['Row']['ID'] == text_secret['ID'], \
f'Searching for new secret in set 2 and could not find it. {json.dumps(results)}'
def test_bulk_system_by_api_set_correct_systems_and_accounts_fast_track(clean_bulk_delete_systems_and_accounts,
core_session, list_of_created_systems):
batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 3, 4, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 1, 2, list_of_created_systems,
sys_type="Unix")
batch3 = ResourceManager.add_multiple_systems_with_accounts(core_session, 5, 1, list_of_created_systems,
sys_type="Unix")
delete_system_ids, delete_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch2])
keep_system_ids, keep_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch1, batch3])
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2, batch3])
some_set_name = "ApiSet" + guid()
SetsManager.create_manual_collection(core_session, some_set_name, "Server", None)
set_id = SetsManager.get_collection_id(core_session, some_set_name, "Server")
SetsManager.update_members_collection(core_session, 'add', list(delete_system_ids), 'Server', set_id)
collection_and_filters = SetsManager.get_object_collection_and_filter_by_name(core_session, some_set_name, "Server")
filters = collection_and_filters['Filters']
logger.info(f'Manual set {collection_and_filters} - members - {delete_system_ids}')
result, success = ResourceManager.del_multiple_systems_by_query(core_session, filters, savepasswords=False,
secretname="", run_sync=True)
assert success is True, f'Delete systems job failed when expected success'
SetsManager.delete_collection(core_session, set_id)
assert set(ResourceManager.get_multi_added_system_ids(core_session,
all_systems).values()) == keep_system_ids, "Set of expected remaining systems did not match search"
assert set(ResourceManager.get_multi_added_account_ids(core_session,
all_systems)) == keep_account_ids, "Set of expected remaining accounts did not match search"
def test_option_all_system_admins_option_has_no_effect_on_non_admins(core_session, cds_session, set_cleaner, global_option, _modifying_setting_mutex):
update_result, update_success = ServerManager.update_server_security_settings(core_session, all_system_admin_see_all_sets_created_by_sys_admin=global_option)
assert update_success, f"Failed to update security Settings {update_result}"
results, success = ServerManager.get_server_settings(core_session, key='policy')
assert success, f"Failed to retrieve policy settings {results}"
assert results["AllSystemAdminSeeAllSetsCreatedBySysAdmin"] is global_option, f"Policy key AllSystemAdminSeeAllSetsCreatedBySysAdmin should be {global_option} {results}"
non_admin_session, api_user = cds_session
admin1_session = core_session
set_name1 = f"test_visibility_{guid()}"
set_name2 = f"test_visibility_{guid()}"
success, set_id1 = SetsManager.create_manual_collection(admin1_session, set_name1, 'DataVault', object_ids=None)
assert success is True, f'Failed to create manual set {set_id1}'
set_cleaner.append(set_id1)
success, set_id2 = SetsManager.create_manual_collection(non_admin_session, set_name2, 'DataVault', object_ids=None)
assert success is True, f'Failed to create manual set {set_id2}'
set_cleaner.append(set_id2)
assert SetsManager.get_collection_id(admin1_session, set_name1, "DataVault", reduce_sys_admin=True) is not None, "Admin 1 should be able to see own set"
assert SetsManager.get_collection_id(non_admin_session, set_name2, "DataVault", reduce_sys_admin=True) is not None, "Non admin should be able to see own set"
assert SetsManager.get_collection_id(non_admin_session, set_name1, "DataVault", reduce_sys_admin=True) is None, "Non admin should NOT be able to see Admin 1 set"
assert SetsManager.get_collection_id(admin1_session, set_name2, "DataVault", reduce_sys_admin=True) is None, "Admin 1 should NOT be able to see non admin set"
assert SetsManager.get_collection_id(non_admin_session, set_name1, "DataVault", reduce_sys_admin=False) is None, "Non admin should not be able to see Admin 1 set when reduce_sys_admin is False (because lacking permission)"
assert SetsManager.get_collection_id(admin1_session, set_name2, "DataVault", reduce_sys_admin=False) is not None, "Admin 1 should be able to see Admin 2 set when reduce_sys_admin is False"
def test_bulk_system_unenroll_by_api_set_correct_systems_fast_track(core_session, test_four_virtual_aapm_agents):
agents, _ = test_four_virtual_aapm_agents
all_agent_ids, all_server_ids = _setup_agents(core_session, agents)
unenroll_agent_ids = all_agent_ids[:2]
unenroll_server_ids = all_server_ids[:2]
keep_agent_ids = all_agent_ids[2:]
_validate_aapm_agent_details(core_session, all_agent_ids, True)
some_set_name = "ApiSet" + guid()
SetsManager.create_manual_collection(core_session, some_set_name, "Server", None)
set_id = SetsManager.get_collection_id(core_session, some_set_name, "Server")
SetsManager.update_members_collection(core_session, 'add', list(unenroll_server_ids), 'Server', set_id)
collection_and_filters = SetsManager.get_object_collection_and_filter_by_name(core_session, some_set_name, "Server")
filters = collection_and_filters['Filters']
logger.info(f'Manual set {collection_and_filters} - members - {unenroll_server_ids}')
_, success = ResourceManager.unenroll_multiple_systems_by_query(core_session, filters, wait_time=0,
SkipIfAgentReconciliationEnabled=True,
run_sync=True)
assert success, f'Unenroll systems job failed when expected success: {unenroll_server_ids}'
SetsManager.delete_collection(core_session, set_id)
_validate_aapm_agent_details(core_session, unenroll_agent_ids, False)
_validate_aapm_agent_details(core_session, keep_agent_ids, True)
def test_bulk_manage_works_with_different_methods_of_specifying_systems(
core_session,
remote_unmanaged_users_with_mirrored_managed_local_users_qty3,
windows_test_machine_config, change_method):
account_ids = remote_unmanaged_users_with_mirrored_managed_local_users_qty3
job_result = None
if change_method == "ids":
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, account_ids)
assert success, "Did not bulk manage account"
elif change_method == "ids_with_invalid":
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, ["foo"] + list(account_ids))
assert success, "Did not bulk manage account"
elif change_method == "sql":
sql_query = 'SELECT * FROM VaultAccount WHERE ' + ' OR '.join(
('VaultAccount.ID = "' + str(n) + '"' for n in account_ids))
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, [], set_query=sql_query)
assert success, "Did not bulk manage accounts"
elif change_method == "group":
some_set_name = "ApiSet" + guid()
SetsManager.create_manual_collection(core_session, some_set_name,
"VaultAccount", None)
set_id = SetsManager.get_collection_id(core_session, some_set_name,
"VaultAccount")
SetsManager.update_members_collection(core_session, 'add', account_ids,
'VaultAccount', set_id)
filters = SetsManager.get_object_collection_and_filter_by_name(
core_session, some_set_name, "VaultAccount")['Filters']
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, [], set_query=filters)
assert success, "Did not bulk manage accounts"
else:
raise Exception(f"Bad input variable change_method {change_method}")
_validate_accounts_are_managed(core_session, account_ids, job_result)
user_info = core_session.get_current_session_user_info().json()['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Success.Multi'
start_message = f'{username} initiated management of {len(account_ids)} accounts'
end_message = f'{username} successfully managed {len(account_ids)} accounts'
RedrockController.expect_event_message_by_type(core_session, start_type,
start_message)
RedrockController.expect_event_message_by_type(core_session, end_type,
end_message)
def test_select_more_than_one_domain(core_session, domain_setup, cleanup_resources, clean_up_collections):
"""
TC:C2215 Select more than one domains.
:param core_session: Returns API session.
:param domain_setup: Fixture for domain creation.
:param cleanup_resources: cleaner for domain.
"""
# Creating a parent domain.
parent_domain_id, domain_info = domain_setup
set_list = clean_up_collections
# Create a child domain.
child_domain_name = f"{'child'}{guid()}"
domain_cleanup_list = cleanup_resources[1]
new_child_domain_id, add_child_domain_success = ResourceManager.add_child_domain(core_session, child_domain_name,
description='test_child_domain',
parent_id=parent_domain_id)
assert add_child_domain_success, f'Failed to create child domain:API response result:{new_child_domain_id}'
logger.info(f"Successfully created child domain:API response result: {new_child_domain_id}")
domain_cleanup_list.append(new_child_domain_id)
Result, success = ResourceManager.get_administrative_account(core_session, "administrator")
logger.info(f" Successfully get Domain for adding Administrative account.")
assert success, f'Failed to get Domain account {Result}'
# set name created with guid and add it in the domain set
set_name = f'set_name{guid()}'
add_success, add_result = SetsManager.create_manual_collection(core_session, set_name, "VaultDomain",
object_ids=[parent_domain_id])
assert add_success, f'Failed to create set and addition of member to set as: {add_result}'
logger.info(f'Successfully created set with member:{add_result}')
# cleanup the set and account
set_list.append(add_result)
def test_bulk_rotate_works_with_different_methods_of_specifying_systems(
core_session,
remote_users_with_mirrored_managed_local_users_qty3, windows_test_machine_config, change_method):
remote_ip = windows_test_machine_config['ip_address']
account_ids, accounts = BulkOperations.grab_relevant_users(core_session, remote_users_with_mirrored_managed_local_users_qty3)
passwords_fetched = BulkOperations.checkout_users(core_session, accounts)
BulkOperations.validate_users_with_login(remote_ip, passwords_fetched)
if change_method == "checkin": # disabled, out of scope
BulkOperations.check_in_users(core_session, passwords_fetched)
elif change_method == "ids":
result, success = ResourceManager.rotate_multiple_passwords(core_session, account_ids)
assert success, "Did not bulk rotate passwords"
elif change_method == "ids_with_invalid":
result, success = ResourceManager.rotate_multiple_passwords(core_session, account_ids)
assert success, "Did not bulk rotate passwords"
elif change_method == "sql":
sql_query = 'SELECT * FROM VaultAccount ' \
'WHERE ' + ' OR '.join(('VaultAccount.ID = "' + str(n) + '"' for n in account_ids))
result, success = ResourceManager.rotate_multiple_passwords(core_session, [], set_query=sql_query)
assert success, "Did not bulk rotate passwords"
elif change_method == "group":
some_set_name = "ApiSet" + guid()
SetsManager.create_manual_collection(core_session, some_set_name, "VaultAccount", None)
set_id = SetsManager.get_collection_id(core_session, some_set_name, "VaultAccount")
SetsManager.update_members_collection(core_session, 'add', account_ids, 'VaultAccount', set_id)
filters = SetsManager.get_object_collection_and_filter_by_name(core_session,
some_set_name, "VaultAccount")['Filters']
result, success = ResourceManager.rotate_multiple_passwords(core_session, [], set_query=filters)
assert success, "Did not bulk rotate passwords"
else:
raise Exception(f"Bad input variable change_method {change_method}")
BulkOperations.validate_users_with_login(remote_ip, passwords_fetched, [False] * len(passwords_fetched), change_method)
# Verify passwords are no longer right
user_info = core_session.get_current_session_user_info().json()['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Success.Multi'
start_message = f'{username} initiated password rotation of {len(account_ids)} accounts'
end_message = f'{username} successfully rotated {len(account_ids)} account passwords'
RedrockController.expect_event_message_by_type(core_session, start_type, start_message)
RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_check_ui_after_changing_setting(core_session, pas_setup,
clean_up_collections):
"""
Test case: C2206 Check permission for set
:param core_session: Authenticated centrify session
:param pas_setup: Creating a new system with accounts
"""
# Adding Systems for test execution
created_system_id, created_account_id, system_details = pas_setup
user_details = core_session.__dict__
collection_name = "testManualCollection" + guid()
# Get list of permission
get_sys_result, get_sys_success = ResourceManager.get_system_permissions(
core_session, created_system_id)
assert get_sys_success, f"Failed to get system permissions for resource, API result:{get_sys_result}"
permission = get_sys_result[0]['Rights']
permission_list = list(chain(*zip(permission.split())))[:-1]
permission_index_value = [
list((i, permission_list[i])) for i in range(len(permission_list))
]
assert (permission_index_value[3][0] < permission_index_value[4][0]
), f"Failed to get permission 'Grant' is in front of 'View'"
logger.info(
f'Grant is successfully shows in front of View. as Grant index is {permission_index_value[3][0]} and View index is {permission_index_value[4][0]}'
)
# Create set
add_set_success, new_set_id = SetsManager.create_manual_collection(
core_session, collection_name, "Server")
assert add_set_success, "Collection " + new_set_id + " Failed to Create"
# Set cleanup list
clean_up_collections.append(new_set_id)
# Assign permission to the set
set_permissions_result = SetsManager.set_collection_permissions(
core_session, "Grant,View,Edit,Delete",
user_details["auth_details"]["User"],
user_details['auth_details']['UserId'], new_set_id)
logger.info(
f'Successfully set collection Permissions for the set page :{set_permissions_result}'
)
# Get collection permission rights
get_permissions_result = SetsManager.get_collection_rights(
core_session, new_set_id)
set_permission = get_permissions_result['Result']
# Actual set permission rights list
actual_set_permission_list = 'View, Edit, Delete, Grant'
assert set_permission == actual_set_permission_list, f'Failed to verify permissions:{actual_set_permission_list}'
logger.info(
f'Successfully verify Permissions for the set page created:{actual_set_permission_list}'
)
def test_pe_del_assignment_on_set_delete(core_session, setup_generic_pe_command_with_no_rules, create_resources):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_name = "set_" + Util.random_string()
is_create, set_id = SetsManager.create_manual_collection(
core_session, set_name, "Server", object_ids=[added_system_id])
assert is_create, f"Successfully created a set and added system to that set: {set_id}"
# Give all permissions to admin user on this set
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
logger.info(result)
assert result['success'], "setting collection permissions failed: " + result
# Add assignment
principalType = "User"
principal = admin_user_name
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"
logger.info(results)
# Delete Set
isSuccess, results = SetsManager.delete_collection(core_session, set_id)
assert isSuccess, f"Deleting set failed: {results}"
# Make sure rule assignment is not available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 0, f"List assignments API call failed: {results}"
logger.info(results)
def test_set_visibility_of_non_admin_set_from_ui(cds_session, set_cleaner,
core_ui):
non_admin_session, api_user = cds_session
ui = core_ui
set_name = f"test_visibility_{guid()}"
success, set_id = SetsManager.create_manual_collection(non_admin_session,
set_name,
'Server',
object_ids=None)
assert success is True, f'Failed to create manual set {set_id}'
set_cleaner.append(set_id)
ui.navigate('Resources', 'Systems')
# this will ensure that the set container is visible and updated
ui.expect(SetRow("All Systems"), "All systems set should be visible")
ui.missing(SetRow(set_name), f"{set_name} should not be visible")
assert ui.check_exists(
Button("Show All Sets")), "Show All Sets link should be visible"
assert not ui.check_exists(
Button("Show My Sets"),
time_to_wait=0), "Show My Sets button should be hidden"
ui.button("Show All Sets")
ui.expect_disappear(SetRow(set_name),
f'{set_name} did not disappear when it should have')
assert ui.check_exists(Button("Show My Sets"),
10), "Show My Sets button should be visible"
ui.button("Show My Sets")
assert ui.check_exists(Button("Show All Sets"),
10), "Show All Sets button should be visible"
ui.missing(SetRow(set_name), f"{set_name} should not be visible")
# ensure button does not erroneously appear
ui.navigate('Access', 'Users')
show_all_button = Button("Show All Sets").inside(ActiveMainContentArea())
show_my_button = Button("Show My Sets").inside(ActiveMainContentArea())
ui.missing(show_all_button,
f'Show All Sets Button should not be present on users tab')
ui.missing(show_my_button,
f'Show My Sets Button should not be present on users tab')
def test_bulk_account_delete_job_fails_due_to_invalid_request_missing_secret(
clean_bulk_delete_systems_and_accounts, core_session, simulate_failure,
list_of_created_systems):
batch = ResourceManager.add_multiple_systems_with_accounts(
core_session, 1, 1, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch])
some_set_name = "ApiSet" + guid()
success, set_id = SetsManager.create_manual_collection(
core_session, some_set_name, "VaultAccount", None)
assert success, "Did not create collection"
SetsManager.update_members_collection(core_session, 'add',
list(all_accounts), 'VaultAccount',
set_id)
params = Util.scrub_dict({
'Ids': list(all_accounts),
'SaveToSecrets': simulate_failure,
'SecretName': "Bulk Account Delete",
'SetQuery': "",
'SkipIfHasAppsOrServices': simulate_failure
})
if simulate_failure:
request = core_session.apirequest(EndPoints.ACCOUNT_MULTI_DELETE,
params)
request_json = request.json()
result, success = request_json['Result'], request_json['success']
ResourceManager.wait_for_job_state_succeeded(core_session, result)
assert simulate_failure == success, f"Query success was unexpected value, with message {result}"
else:
request = core_session.apirequest(EndPoints.ACCOUNT_MULTI_DELETE,
params)
request_json = request.json()
result, success = request_json['Result'], request_json['success']
ResourceManager.wait_for_job_state_succeeded(core_session, result)
assert not simulate_failure == success, f"Query success was unexpected value, with message {result}"
total_account = RedrockController.get_accounts(core_session)
SetsManager.delete_collection(core_session, set_id)
list_account = []
for get_account in total_account:
if get_account['ID'] == all_accounts:
list_account.append(get_account['ID'])
assert 0 == len(
list_account
), "Number of remaining added accounts was unexpected number"
def agent_get_set(core_session_global):
"""Creates a resource set to be used for agent enrollment
:return: set name
"""
session = core_session_global
set_name = "set_" + Util.random_string()
is_create, set_id = SetsManager.create_manual_collection(
session, set_name, "Server", None)
if is_create:
logger.debug("Resource set created: " + set_name)
yield set_name
else:
logger.error("Error in creating resource set: " + set_name)
is_create, response = SetsManager.delete_collection(session, set_id)
if is_create:
logger.debug("Resource set deleted: " + set_name)
def test_a_secret_can_belong_to_multiple_sets(core_session, create_set_manual,
added_secrets,
pas_general_secrets,
cleanup_secrets_and_folders,
set_cleaner):
"""test method to check that a secret belongs to multiple set"""
added_secret_id, added_secret_name = added_secrets
set_params = pas_general_secrets
prefix = guid()
set_success, set_id = create_set_manual
"""Api to create another set manually"""
success, setid = SetsManager.create_manual_collection(
core_session, prefix + set_params['set_name'], 'DataVault')
logger.info(f'creating manual set:{success} with setid as: {setid}')
assert success is True, f'Failed to create manual set with one initial member {setid}'
text_secret_id = added_secret_id[0]
"""Api to add set to existing secret"""
added_to_set_success, added_to_set_result = SetsManager.update_members_collection(
core_session, 'add', [text_secret_id], "DataVault", set_id)
assert added_to_set_success, f'Failed to add secret to set{added_to_set_result}'
logger.info(f'Adding secret to one set: {added_to_set_success}')
"""Api to add another set to same secret"""
added_to_set_success, added_to_set_result = SetsManager.update_members_collection(
core_session, 'add', [text_secret_id], "DataVault", setid)
assert added_to_set_success, f'Failed to add secret to set{added_to_set_result}'
logger.info(f'Adding secret to another set: {added_to_set_success}')
"""Redrock query to fetch set related details"""
get_set_1 = RedrockController.verify_set_secret(core_session, set_id,
text_secret_id)
logger.info(f'{get_set_1}')
logger.info(
f'Verifiying secret name {get_set_1[0]["Row"]["SecretName"]} in '
f'set 1 with ID {get_set_1[0]["Row"]["CollectionID"]} ')
get_set_2 = RedrockController.verify_set_secret(core_session, setid,
text_secret_id)
logger.info(
f'Verifiying secret name {get_set_2[0]["Row"]["SecretName"]} in another '
f'set with ID {get_set_2[0]["Row"]["CollectionID"]}')
"""to verify that same secret is added to multiple sets"""
text_to_verify = 'secret1'
assert (text_to_verify in get_set_1[0]["Row"]["SecretName"]) and (
text_to_verify in get_set_2[0]["Row"]["SecretName"]
), f'secret doesnt belong to multiple set'
set_cleaner.append(setid)
def test_add_new_sub_folder_and_set_with_same_name(core_session,
set_cleaner,
create_secret_folder,
pas_general_secrets,
cleanup_secrets_and_folders):
"""
test method to add a set with same name as Sub Folder
:param core_session: Authenticated Centrify Session
:param set_cleaner: Fixture to cleanup the sets created
:param create_secret_folder: Fixture to create a folder & yields folder related details
:param pas_general_secrets: Fixture to read secret data from yaml file
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folder created
"""
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
folder_params = pas_general_secrets
folders_list = cleanup_secrets_and_folders[1]
folder_prefix = guid()
folder_success, folder_parameters, sub_folder_id = create_folder(core_session,
folder_prefix + folder_params['name'],
folder_params['description'],
parent=folder_id)
assert folder_success, f'Failed to add sub folder:{folder_parameters["Result"]}'
logger.info(f'Folder added successfully: {folder_success}')
folders_list.insert(0, sub_folder_id)
success, set_id = SetsManager.create_manual_collection(core_session,
folder_prefix + folder_params['name'],
'DataVault')
assert success is True, f'Failed to create manual set with same name as Sub Folder {set_id}'
logger.info(f'creating manual set:{success} with setid as: {set_id}')
set_cleaner.append(set_id)
logger.info(f'Added set deleted successfully:{set_cleaner}')
# Getting permissions of the set created
permissions = SetsManager.get_collection_rights(core_session, set_id)
verify_permissions = 'View, Edit, Delete, Grant'
assert verify_permissions == permissions["Result"], \
f'Failed to verify permissions for the set:{permissions["Result"]}'
logger.info(f'Permissions of the set created: {permissions}')
def test_bulk_account_by_api_set_correct_accounts(
clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, core_admin_ui):
batch = ResourceManager.add_multiple_systems_with_accounts(
core_session, 2, 2, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch])
delete_ids, keep_ids = DataManipulation.shuffle_and_split_into_two_lists(
all_accounts)
some_set_name = "ApiSet" + guid()
success, set_id = SetsManager.create_manual_collection(
core_session, some_set_name, "VaultAccount", None)
assert success, "Did not create collection"
SetsManager.update_members_collection(core_session, 'add',
list(delete_ids), 'VaultAccount',
set_id)
filters = SetsManager.get_object_collection_and_filter_by_name(
core_session, some_set_name, "VaultAccount")['Filters']
result, success = ResourceManager.del_multiple_accounts_by_query(
core_session, filters)
assert success, "del_multiple_accounts_by_query failed " + result
SetsManager.delete_collection(core_session, set_id)
assert set(
ResourceManager.get_multi_added_system_ids(
core_session, all_systems).values()) == set(
all_systems), "Wrong set of added systems found"
assert set(
ResourceManager.get_multi_added_account_ids(
core_session,
all_systems)) == set(keep_ids), "Wrong set of added accounts found"
def test_accounts_set_my_system_accounts(core_session, pas_windows_setup, users_and_roles, clean_up_collections):
"""
TC:C2067 Add account to set on "My System Accounts".
:param:core_session: Returns a API session.
:param:users_and_roles:Fixture to manage roles and user.
:param pas_windows_setup:Returns a fixture.
:param:clean_up_collections: Cleans up Set.
"""
# Creating a system and account.
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup()
# Cloud user session with "Privileged Access Service Administrator".
cloud_user_session = users_and_roles.get_session_for_user('Privileged Access Service Administrator')
user_name = cloud_user_session.auth_details['User']
user_id = cloud_user_session.auth_details['UserId']
# Assigning "Workspace Login" permission for account to limited user.
rights = "View,Login,UserPortalLogin"
assign_account_perm_res, assign_account_perm_success = \
ResourceManager.assign_account_permissions(core_session, rights, user_name, user_id, 'User', account_id)
assert assign_account_perm_success, f'Failed to assign "Workspace Login" permission:' \
f'API response result:{assign_account_perm_res}'
logger.info(f'Successfully "Workspace Login" of account permission to user"{assign_account_perm_res}"')
# Assigning "View" permission for system to limited user.
assign_system_perm_res, assign_system_perm_success = ResourceManager.assign_system_permissions(core_session,
"View",
user_name,
user_id,
'User',
system_id)
assert assign_system_perm_success, f'Failed to assign "View" permissions: ' \
f'API response result {assign_system_perm_res}.'
logger.info(f"Successfully assign system permission to user'{assign_system_perm_res}'")
# Getting the details from "My System Accounts" in workspace and validating account not in "My System Accounts"
# list.
workspace_result, workspace_success = ResourceManager.get_my_system_accounts_from_workspace(cloud_user_session)
assert sys_info[4] not in workspace_result, f'Could find the account:API response result:{workspace_result}'
logger.info("Failed to display on Account on workspace")
# Creating a set and adding a account to set.
account_set_name = f'Set_test{guid()}'
success, account_set_result = SetsManager.create_manual_collection(core_session, account_set_name,
'VaultAccount',
object_ids=[account_id])
assert success, f"Failed to create system set {account_set_result}"
logger.info(f'Successfully created set:{account_set_result}')
# Getting the details of created_account_set in Accounts page and validating account is in created set.
account_set_details = RedrockController.get_set_account_details(core_session, account_id=account_id,
set_id=account_set_result)
assert account_set_details[0]['User'] == sys_info[4], f'Fail to find the account{sys_info[4]}'
logger.info(f'Successfully find "{account_set_details[0]["User"]}" in created set" {account_set_name}".')
# Cleanup the created set.
clean_up_collections.append(RedrockController.get_id_from_name(core_session, account_set_name, "Sets"))
logger.info(f'Successfully deleted created set" {account_set_name}".')
def test_needs_edit_permission_to_replace_contents(core_session,
users_and_roles,
added_secrets_file,
added_secrets,
pas_general_secrets):
"""
C283887: User needs edit permission on the secret to replace the contents.
:param core_session: Authenticated Centrify Session
:param users_and_roles: Fixture to create New user with PAS Power User & PAS User Rights
:param added_secrets_file: Fixture to create file type secret
:param added_secrets: Fixture to create text type secret
:param pas_general_secrets: Fixture to read secret data from yaml file
"""
secrets_params = pas_general_secrets
added_file_secret_id = added_secrets_file
added_text_secret_id, added_text_secret_name = added_secrets
suffix = guid()
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(f'User with PAS Power User Rights login successfully: user_Name:{user_name}')
# setting user permissions for file_type_secret"""
file_type_secret_result, file_type_secret_success = set_users_effective_permissions(core_session,
user_name,
'View,Grant',
user_id,
added_file_secret_id)
assert file_type_secret_success, f'setting permissions for file type secret failed: {file_type_secret_result}'
logger.info(f'setting permissions for file type secret: {file_type_secret_success}')
# setting user permissions for file_type_secret"""
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session,
user_name,
'View,Grant,Edit',
user_id,
added_text_secret_id[0])
assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}'
logger.info(f'setting permissions for text type secret: : {text_type_secret_success}')
# Replacing the content of the secret
secret_updated = update_secret(pas_power_user_session,
added_text_secret_id[0],
secrets_params['mfa_secret_name_update'] + suffix,
description=secrets_params['mfa_secret_description'],
secret_text=secrets_params['secret_text_updated'] + suffix)
assert secret_updated['success'], f'Failed to update secret: {secret_updated["Result"]["ID"]}'
logger.info(f' Successfully updated text type secret: {secret_updated}')
# Verifying replaced secret
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session, added_text_secret_id[0])
logger.info(f'Secret Updated details: {get_secret_details}')
replaced_content = get_secret_details['SecretText']
assert secrets_params['secret_text_updated'] in replaced_content, \
f'Failed to replace the secrets:{replaced_content}'
secret_name = get_secret_details['SecretName']
# creating set manually
success, set_id = SetsManager.create_manual_collection(pas_power_user_session, secrets_params['set_name'] + suffix,
'DataVault')
assert success, f'Failed to create manual set: {set_id}'
logger.info(f'creating manual set:{success} with setid as: {set_id}')
# Adding set to secret
added_to_set_success, added_to_set_result = SetsManager.update_members_collection(pas_power_user_session,
'add',
[added_text_secret_id[0]],
"DataVault", set_id)
assert added_to_set_success, f'Failed to add secret to set: {added_to_set_result}'
logger.info(f'Adding secret to set: {added_to_set_success}')
# Redrock query to fetch "Add to set" related details
get_set_info = RedrockController.verify_set_secret(pas_power_user_session, set_id, added_text_secret_id[0])
logger.info(f'{get_set_info}')
assert get_set_info[0]["Row"]["SecretName"] == secret_name, f' Failed to get "ADD to Set" inside "Actions"'
logger.info(f'Verifiying secret name {get_set_info[0]["Row"]["SecretName"]} in '
f'set with ID {get_set_info[0]["Row"]["CollectionID"]} ')
def test_inherited_member_permissions(core_session, create_secret_folder,
pas_general_secrets, users_and_roles,
cleanup_secrets_and_folders):
"""
C284058: Inherited member permissions
:param core_session: Authenticated Centrify session
:param create_secret_folder: Fixture to create secret folder & yields folder details
:param pas_general_secrets: Fixture to read secret data from yaml file
:param users_and_roles: Fixture to create New user with PAS Power User & PAS User Rights
:param cleanup_secrets_and_folders: Fixture to clean-up the secrets & folders created.
"""
secrets_list = cleanup_secrets_and_folders[0]
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
secret_params = pas_general_secrets
suffix = guid()
# Getting new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name:{user_name}'
)
# Setting user A permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, folder_id, 'View, Add')
assert user_permissions_result, f'Failed to set user permissions to folder:{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Setting member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'View,Grant,Edit', user_id, folder_id)
assert member_perm_success, f'Failed to set member permissions to Folder:{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Getting new session for User B
pas_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service User')
assert pas_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name_pas = pas_user_session.auth_details['User']
user_id_pas = pas_user_session.auth_details['UserId']
logger.info(
f'User with PAS User Rights login successfully: user_Name:{user_name}')
# Setting user B permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name_pas, user_id_pas, folder_id, 'View, Add')
assert user_permissions_result, f'Failed to set user permissions to folder:{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Setting member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name_pas, 'View,Grant,Edit', user_id_pas, folder_id)
assert member_perm_success, f'Failed to set member permissions to Folder:{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Creating set for UserA
success, set_id = SetsManager.create_manual_collection(
pas_power_user_session, secret_params['set_name'] + suffix,
'DataVault')
logger.info(f'creating manual set:{success} with set id as: {set_id}')
assert success, f'Failed to create manual set for User A: {set_id}'
# Create text type secret within folder for User A
added_text_secret_success, added_text_secret_result = create_text_secret_within_folder(
pas_power_user_session, secret_params['secret_name'] + suffix,
secret_params['secret_text'], secret_params['secret_description'],
folder_id, set_id)
assert added_text_secret_success, f'Failed to create secret for User A:{added_text_secret_result}'
logger.info(f'Secret Created successfully: {added_text_secret_success}')
# Verifying inherited permissions for User B
get_permission_result = get_rows_acl(pas_power_user_session,
added_text_secret_result)
assert get_permission_result, f'Failed to inherit permissions for User B:{get_permission_result}'
logger.info(
f' Successfully inherited permissions for User B: {get_permission_result}'
)
secrets_list.append(added_text_secret_result)
rows_returned = get_permission_result['Result']
for rows in rows_returned:
if rows['PrincipalName'] == user_name_pas:
assert rows[
'Inherited'], "Failed to verify the inherited permissions"
def test_check_permission_name_on_portal(core_session, pas_setup, clean_up_collections):
"""
Test case: C2059
:param core_session: Authenticated Centrify Session
:param pas_setup: fixture to create system with accounts in portal
:param core_admin_ui: Authenticated Centrify ui session
"""
system_id, account_id, sys_info = pas_setup
# Getting the Id of the user.
user_details = core_session.__dict__
user_id = user_details['auth_details']['UserId']
User_name = user_details['auth_details']['User']
# Assigning 'UserPortalLogin' permission to user for account.
account_result, account_success = ResourceManager.assign_account_permissions(core_session, 'UserPortalLogin',
User_name,
user_id, 'User',
account_id)
assert account_success, f"Failed to give 'UserPortalLogin' permission to user: {User_name} for " \
f"Account: {account_id}. API response 'Result': {account_result}"
logger.info(f"'UserPortalLogin' permission given to user: {User_name} for Account:{account_id}.")
# Fetching account information to validate desired account is un managed
result, status = ResourceManager.get_account_information(core_session, account_id)
assert status, f"failed to retrieve account information, returned result is {result}"
set_name = f"test_setname{guid()}"
status, set_result = SetsManager.create_manual_collection(core_session, set_name, "VaultAccount",
object_ids=[account_id])
assert status, f"failed to create set {set_name}, returned result is {set_result}"
logger.info(f"set {set_name} created for account {sys_info[4]} of system {sys_info[0]}")
clean_up_collections.append(set_result) # Set cleanup list
# "Workspace Login" rather than "Portal Login" in granted permission activity
result, success = ResourceManager.assign_account_permissions(core_session, "UserPortalLogin",
User_name, user_id,
pvid=account_id)
assert success, f'failed to assign permissions "UserPortalLogin" to ' \
f'{User_name} for account {sys_info[4]} ' \
f'for system {sys_info[0]}'
activity = RedrockController.get_account_activity(core_session, account_id)
assert activity[0]['Detail'] == f'{User_name} granted User "{User_name}" to have "Workspace Login" permissions ' \
f'on local account "{sys_info[4]}" for "{sys_info[0]}"({sys_info[1]})' \
f' with credential type Password ', 'No Workspace Login keyword found in ' \
'retrieved permission activity '
logger.info(f'Displayed "Workspace Login" rather than "Portal Login" in granted permission activity for '
f'account {sys_info[4]}')
status, result, SetsManager.set_collection_member_permission(core_session, User_name,
user_id,
"UserPortalLogin", set_result)
assert status, f'failed to assign workspace login permission to ' \
f'user {User_name} for set {set_name}'
logger.info(f'successfully assigned work space login permission to user {User_name}.')
# "Workspace Login" in set activity
set_activity_rows = ResourceManager.get_activity_for_collection(core_session, set_result)
assert set_activity_rows[0]['Detail'] == f'{User_name} granted User ' \
f'"{User_name}" to have ' \
f'"Workspace Login" permissions on the account set "{set_name}"', \
f'failed to get {set_name} activity for permissions'
logger.info(f'displayed "Workspace Login" in activity in set {set_name} activity')
# displayed "Workspace Login" in user profile activity
user_profile_activity = RedrockController.get_user_activity_profile(core_session, user_id)
counter = 0
while counter < 10:
user_profile_activity = RedrockController.get_user_activity_profile(core_session, user_id)
if user_profile_activity[0]['EventMessage'].__contains__(sys_info[0]):
break
counter += 1
assert user_profile_activity[0]['EventMessage'] == f'{User_name} ' \
f'granted User "{User_name}" to have "Workspace Login" ' \
f'permissions on local account "{sys_info[4]}" ' \
f'for "{sys_info[0]}"({sys_info[1]}) with credential type ' \
f'Password ', \
f'No Workspace Login keyword found in retrieved permission activity '
logger.info('displayed "Workspace Login" in user profile activity')