def test_sysadmin_without_explicit_pe_assignment_system_set(
core_session, users_and_roles, create_manual_set):
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Create Set and the system to this set
set_id = create_manual_set(core_session, "Server")['ID']
logger.info(
f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
admin_user_name,
admin_user_id, set_id)
logger.info(result)
assert result[
'success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permissions but MA to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
set_id)
assert result[
'success'], "assigning collection permissions on the resource set for the user failed: " + result
# This sysadmin user does not have ManageAssignment permission, should still pass
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
core_session, scopeType="Collection", scope=set_id)
assert isSuccess and canManage, f"Can Manage Privilege Elevation for sysadmin user without MA permissions on a " \
f"system set failed, reason: {canManage}"
def test_regular_user_on_system_set(core_session, setup_generic_pe_command_with_no_rules,
users_and_roles, create_resources, create_manual_set):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Get User
requester_session = users_and_roles.get_session_for_user()
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server", object_ids=[added_system_id])['ID']
logger.debug(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
assert result['success'], "setting admin collection permissions failed: " + result
# Add assignment
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User",
principal=user_info['Name'], scopeType="Collection",
scope=set_id, principalId=None, bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info['ScopeType'],
scope=rule_info['Scope'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'])
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# This user does not have view permission on DB, so should fail
results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(requester_session, scopeType="Collection",
commandID=commandID, scope=set_id)
assert not isSuccess and results['Message'] == \
"You are not authorized to perform this operation. Please contact your IT helpdesk.", \
f"GetAssignmentsByScope for regular user with no view permissions on a collection passed, reason: {results}"
# GetAssignmentByScope should succeed if admin does the API request
results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(core_session, scopeType="Collection",
commandID=commandID, scope=set_id)
assert isSuccess, f"GetAssignmentsByScope for admin user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and \
PrivilegeElevation.check_rules_info_in_api_response(rule_info_list, results), \
f"GetAssignmentsByScope complete check failed: {ruleID}"
def test_pe_del_command_scenario2(core_session, setup_generic_pe_command_with_no_rules, users_and_roles,
create_resources, create_manual_set):
commandName, commandID = setup_generic_pe_command_with_no_rules
requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(f"del_command_scenario2 user_info: {user_info}")
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server", object_ids=[added_system_id])['ID']
logger.debug(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to admin user on this set
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
assert result['success'], "setting collection permissions failed: " + result
# Add assignment
principalType = "User"
principal = user_info['Name']
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {results}"
logger.debug(f"List pe assignments response: {results}")
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
f"ruleID not present in list of pe assignments response"
# Deleting command should be successful, assignments too
result, isSuccess = PrivilegeElevation.del_pe_command(requester_session, name=commandName)
assert isSuccess, f"Deleting command as a non-admin user with pe permission failed: {result}"
# Deleting assignmnent explicitly should fail
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
assert not isSuccess, f"Deleting an already deleted assignment passed: {ruleID}"
assert re.findall('Privilege Elevation Assignment not found', result), \
f"Deleting an already deleted assignment failed with unknown exception: {result}"
def test_pe_del_assignment_on_set_delete(core_session, setup_generic_pe_command_with_no_rules, create_resources):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_name = "set_" + Util.random_string()
is_create, set_id = SetsManager.create_manual_collection(
core_session, set_name, "Server", object_ids=[added_system_id])
assert is_create, f"Successfully created a set and added system to that set: {set_id}"
# Give all permissions to admin user on this set
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
logger.info(result)
assert result['success'], "setting collection permissions failed: " + result
# Add assignment
principalType = "User"
principal = admin_user_name
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"
logger.info(results)
# Delete Set
isSuccess, results = SetsManager.delete_collection(core_session, set_id)
assert isSuccess, f"Deleting set failed: {results}"
# Make sure rule assignment is not available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 0, f"List assignments API call failed: {results}"
logger.info(results)
def test_regular_user_with_no_view_permissions_on_system_set(core_session, setup_generic_pe_command_with_no_rules,
users_and_roles, create_resources, create_manual_set):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Get User
requester_session = users_and_roles.get_session_for_user()
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(user_info)
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server", object_ids=[added_system_id])['ID']
logger.debug(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
logger.info(result)
assert result['success'], "setting admin collection permissions failed: " + result
# Add assignment
principalType = "User"
principal = user_info['Name']
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# This user does not have view permission, so should fail
results, isSuccess = PrivilegeElevation.list_pe_assignments(requester_session, commandID=commandID)
assert not isSuccess and results['Message'] == \
"You are not authorized to perform this operation. Please contact your IT helpdesk.", \
f"List Assignments for regular user with no view permissions on a set passed/ failed with " \
f"unknown exception, reason: {results}"
def test_delete_assignment_sysadmin_without_ma_permission_on_system_set(core_session, create_manual_set,
setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server")['ID']
logger.info(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id)
logger.info(result)
assert result['success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permissions but MA to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id)
assert result['success'], "assigning collection permissions on the resource set for the user failed: " + result
# Add assignment
principalType = "User"
principal = admin_user_name
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"
# Deleting assignment explicitly should pass
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, ruleID)
assert isSuccess, f"Deleting rule assignment with no manage permission on system as sysadmin failed: {ruleID}"
def test_update_assignment_sysadmin_without_ma_permission_on_system_set(
core_session, create_manual_set,
setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Create Set and the system to this set
set_id = create_manual_set(core_session, "Server")['ID']
logger.info(
f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
admin_user_name,
admin_user_id, set_id)
assert result[
'success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permissions but MA to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
set_id)
assert result[
'success'], "assigning collection permissions on the resource set for the user failed: " + result
# Add assignment
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="User",
principal=admin_user_name,
scopeType="Collection",
scope=set_id,
principalId=None,
bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=rule_info['ScopeType'],
scope=rule_info['Scope'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'],
byPassChallenge=False)
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# Update rules
rule_info['BypassChallenge'] = True
# This sysadmin user doesn't have MA permission, should still pass
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session, ruleID=ruleID, bypassChallenge=True)
assert isSuccess, f"UpdateAssignment for sys admin user with MA permissions on " \
f"a set failed, reason: {results}"
# Make sure assignments are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for sysadmin user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
def test_collection_scenario(core_session, users_and_roles, create_resources,
create_manual_set,
setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Get User
requester_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(core_session,
"Server",
object_ids=[added_system_id])['ID']
logger.debug(
f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
admin_user_name,
admin_user_id, set_id)
assert result[
'success'], "setting admin collection permissions on the set failed: " + result
# Give all permissions to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
set_id)
assert result[
'success'], "setting admin collection permissions on the resourceSet failed: " + result
# Give all permission for the user on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
user_info['Name'],
user_info['Id'], set_id)
assert result[
'success'], "setting PAS power user collection permissions on the set failed: " + result
# Give all permission but the MA permission to the PAS user on the resource Set
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
set_id)
assert result[
'success'], "setting PAS power user collection permissions on the resourceSet failed: " + result
# Add assignment
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="User",
principal=user_info['Name'],
scopeType="Collection",
scope=set_id,
principalId=None,
bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=rule_info['ScopeType'],
scope=rule_info['Scope'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'],
byPassChallenge=False)
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# This user does not have MA permission, so should fail
results, isSuccess = PrivilegeElevation.update_pe_assignment(
requester_session, ruleID=ruleID, bypassChallenge=False)
assert not isSuccess and results['Message'] == "Attempted to perform an unauthorized operation.", \
f"UpdateAssignment for PAS power user with no MA permissions on a set passed, reason: {results}"
# Now assign MA permission but not Edit permission to the user
permission_string = 'Grant,View,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
user_info['Name'],
user_info['Id'], set_id)
assert result[
'success'], "setting PAS power user collection permissions failed: " + result
# This user does not have Edit permission, so should fail
results, isSuccess = PrivilegeElevation.update_pe_assignment(
requester_session, ruleID=ruleID, bypassChallenge=False)
assert not isSuccess and results['Message'] == "Attempted to perform an unauthorized operation.", \
f"UpdateAssignment for PAS power user with no Edit permissions on a set passed, reason: {results}"
# Now assign MA permission and Edit permission to the user
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
set_id, "User")
assert result[
'success'], "setting PAS power user collection permissions failed: " + result
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
user_info['Name'],
user_info['Id'], set_id)
assert result[
'success'], "setting PAS power user collection permissions failed: " + result
# updated rules
starts = datetime.datetime.now().replace(microsecond=0).isoformat() + "Z"
expires = (datetime.datetime.now() + datetime.timedelta(minutes=10)
).replace(microsecond=0).isoformat() + "Z"
rule_info['Starts'] = starts
rule_info['Expires'] = expires
rule_info['BypassChallenge'] = True
# This user has Edit and MA permissions on the set, should pass
results, isSuccess = PrivilegeElevation.update_pe_assignment(
requester_session,
ruleID=ruleID,
bypassChallenge=rule_info['BypassChallenge'],
starts=rule_info['Starts'],
expires=rule_info['Expires'])
assert isSuccess, f"UpdateAssignment for PAS power user with Edit and MA permissions on " \
f"a set failed, reason: {results}"
# Make sure rules are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
# Update rules
rule_info['BypassChallenge'] = False
# This sysadmin user does have MA permission, so should pass
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session, ruleID=ruleID, bypassChallenge=False)
assert isSuccess, f"UpdateAssignment for sys admin user with MA permissions on " \
f"a set failed, reason: {results}"
# Make sure rules are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
def test_privilege_elevation_command_assignment_works_at_all_three_scopes(
test_agent, pe_global_command_assignment_cleaner_by_user,
create_manual_set, cds_ui, cds_session, core_session):
ui, user = cds_ui
session, _ = cds_session
main_admin_session = core_session
main_admin_user = main_admin_session.get_user()
# Make sure the users global assignments will be cleaned up
pe_global_command_assignment_cleaner_by_user.append(user.get_id())
server_id = test_agent.computerUuid
logger.info(f'Server guid for vritual agent {server_id}')
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
agent_server_set = create_manual_set(session,
'Server',
object_ids=[server_id])
# Give all permissions to the admin
result = SetsManager.set_collection_resource_permissions(
session, permission_string, user.get_login_name(), user.get_id(),
agent_server_set["ID"], "User")
assert result[
'success'], "setting admin collection permissions failed: " + result
set_name = agent_server_set['Name']
# Create an assignment at global scope
ui.navigate('Settings', 'Resources', 'Security',
'Global Privilege Elevation')
ui.launch_modal('Add', 'Select User, Group, or Role')
ui.search(user.get_login_name())
ui.check_row(user.get_login_name())
ui.close_modal('Add')
ui.save()
global_assignment_selector = GridCell('Global').inside(
GridRow(user.get_login_name()))
# Create an assignment at collection scope
ui.navigate('Resources', 'Systems')
ui.set_action(set_name, "Modify")
ui.tab('Member Privilege Elevation')
ui.expect(
global_assignment_selector,
'Inherited command from global is not present even though we just created it.'
)
ui.launch_modal('Add', 'Select User, Group, or Role')
ui.search(user.get_login_name())
ui.check_row(user.get_login_name())
ui.close_modal('Add')
ui.save()
collection_assignment_selector = GridCell(f'{set_name}').inside(
GridRow(user.get_login_name()))
# Look at the PE tab on the server, make sure inherited assignments are there and add another.
ui.navigate('Resources', 'Systems')
ui.click_row_by_guid(server_id)
ui.tab('Privilege Elevation')
ui.expect(
global_assignment_selector,
'Inherited command from global is not present even though we just created it.'
)
ui.expect(
collection_assignment_selector,
'Inherited command from collection is not present even though we just created it.'
)
ui.launch_modal('Add', 'Select User, Group, or Role')
ui.search(main_admin_user.get_login_name())
ui.check_row(main_admin_user.get_login_name())
ui.close_modal('Add')
ui.save()
system_direct_selector = GridRow(main_admin_user.get_login_name())
# Look at the server directly, make sure all assignments still there.
ui.navigate('Resources', 'Systems')
ui.click_row_by_guid(server_id)
ui.tab('Privilege Elevation')
ui.expect(
global_assignment_selector,
'Inherited command from global is not present even though we just created it.'
)
ui.expect(
collection_assignment_selector,
'Inherited command from collection is not present even though we just created it.'
)
ui.expect(
system_direct_selector,
'Command assignment directly on system not present even though we just created it.'
)
def test_scope_system(core_session, setup_generic_pe_command_with_no_rules,
users_and_roles, create_resources, create_manual_set):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Add System 2
added_system_id2 = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id2}")
# Create Set and the system 1 to this set
set_id = create_manual_set(
core_session, "Server", object_ids=[added_system_id])['ID']
logger.debug(f"Successfully created a set and added system to that set: {set_id}")
# Create Set2 and add both systems to this set
set_id2 = create_manual_set(
core_session, "Server", object_ids=[added_system_id, added_system_id2])['ID']
logger.debug(f"Successfully created a set and added both system to that set: {set_id2}")
# Create Set3 and the system 2 to this set
set_id3 = create_manual_set(
core_session, "Server", object_ids=[added_system_id2])['ID']
logger.debug(f"Successfully created a set and added system 2 to that set: {set_id3}")
# Give all permissions to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
assert result['success'], "setting admin collection permissions failed: " + result
# same for set 2
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id2,
"User")
assert result['success'], "setting admin collection permissions failed: " + result
#same for set 3
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id3,
"User")
assert result['success'], "setting admin collection permissions failed: " + result
# Adding rules
# First add global assignment
rule_info1 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Role",
principal="System Administrator", scopeType="Global",
scope=None, principalId=None, bypassChallenge=False)
ruleID1, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info1['ScopeType'],
principalType=rule_info1['PrincipalType'],
principal=rule_info1['Principal'])
assert isSuccess, f" Adding rule assignment 1 failed"
rule_info1['ID'] = ruleID1
# Add Assignment for system1
rule_info2 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User",
principal=admin_user_name, scopeType="System",
scope=added_system_id, principalId=admin_user_id,
bypassChallenge=True)
ruleID2, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info2['ScopeType'],
scope=rule_info2['Scope'],
principalType=rule_info2['PrincipalType'],
principalID=rule_info2['PrincipalId'],
byPassChallenge=True,
starts=rule_info2['Starts'],
expires=rule_info2['Expires'])
assert isSuccess, f" Adding rule assignment for system 1 failed"
rule_info2['ID'] = ruleID2
# Add Assignment for system2
rule_info3 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User",
principal=admin_user_name, scopeType="System",
scope=added_system_id2, principalId=admin_user_id,
bypassChallenge=True)
ruleID3, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info3['ScopeType'],
scope=rule_info3['Scope'],
principalType=rule_info3['PrincipalType'],
principalID=rule_info3['PrincipalId'],
byPassChallenge=True,
starts=rule_info3['Starts'],
expires=rule_info3['Expires'])
assert isSuccess, f" Adding rule assignment on system 2 failed"
rule_info3['ID'] = ruleID3
# Add assignment for set 1
rule_info4 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User",
principal=admin_user_name, scopeType="Collection",
scope=set_id, principalId=admin_user_id,
bypassChallenge=True)
ruleID4, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info4['ScopeType'],
scope=rule_info4['Scope'],
principalType=rule_info4['PrincipalType'],
principalID=rule_info4['PrincipalId'],
byPassChallenge=True,
starts=rule_info4['Starts'],
expires=rule_info4['Expires'])
assert isSuccess, f" Adding rule assignment on set 1 failed"
rule_info4['ID'] = ruleID4
# Add assignment for set 2
rule_info5 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User",
principal=admin_user_name, scopeType="Collection",
scope=set_id2, principalId=admin_user_id,
bypassChallenge=True)
ruleID5, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info5['ScopeType'],
scope=rule_info5['Scope'],
principalType=rule_info5['PrincipalType'],
principalID=rule_info5['PrincipalId'],
byPassChallenge=True,
starts=rule_info5['Starts'],
expires=rule_info5['Expires'])
assert isSuccess, f" Adding rule assignment on set 2 failed"
rule_info5['ID'] = ruleID5
# Add assignment for set 3
rule_info6 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User",
principal=admin_user_name, scopeType="Collection",
scope=set_id3, principalId=admin_user_id,
bypassChallenge=True)
ruleID6, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info6['ScopeType'],
scope=rule_info6['Scope'],
principalType=rule_info6['PrincipalType'],
principalID=rule_info6['PrincipalId'],
byPassChallenge=True,
starts=rule_info6['Starts'],
expires=rule_info6['Expires'])
assert isSuccess, f" Adding rule assignment on set 3 failed"
rule_info6['ID'] = ruleID6
# Since inherit is off, we should get only 1 assignment, although there are 6 assignments in total
results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(core_session, scopeType="System",
inherit=False, scope=added_system_id)
assert isSuccess, f"GetAssignmentsByScope for system with inheritance off failed, " \
f"reason: {results}"
rule_info_list = [rule_info2]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"GetAssignmentsByScope complete check failed: {ruleID2}"
# With inheritance on, we should get 4 assignments, although there are 6 assignments in total
results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(core_session, scopeType="System",
inherit=True, scope=added_system_id)
assert isSuccess, f"GetAssignmentsByScope for system with inheritance off failed, " \
f"reason: {results}"
rule_info_list = [rule_info1, rule_info2, rule_info4, rule_info5]
# >= for parallel runs, since we don't know how many global assignments would be present in the results
assert len(results['Result']) >= 4 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"GetAssignmentsByScope complete check failed: {ruleID1} : {ruleID2} : {ruleID3} : {ruleID4}"
def test_adUser_permission_through_adGroup_system_set(core_session,
setup_aduser,
setup_user_in_ad_group,
create_resources,
create_manual_set):
adUser, adUserPwd, adGroup = setup_user_in_ad_group
if adGroup is None:
pytest.skip("Cannot retreive ad group info")
# Setup another ad user that's not part of above adGroup
adUser2, adUserPwd2 = setup_aduser
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.info(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(core_session,
"Server",
object_ids=[added_system_id])['ID']
logger.info(
f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the ad group on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
adGroup['DisplayName'],
adGroup['InternalName'],
set_id,
ptype="Group")
logger.info(result)
assert result[
'success'], "assigning admin collection permissions on the set failed: " + result
# Give all permissions to the ad group on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(
core_session,
permission_string,
adGroup['DisplayName'],
adGroup['InternalName'],
set_id,
ptype="Group")
logger.info(result)
assert result[
'success'], "assigning admin collection permissions on the resourceSet failed: " + result
ad_user_session = CentrifySessionManager(core_session.url,
core_session.tenant_id)
ad_user_session.security_login(core_session.tenant_id,
adUser['SystemName'], adUserPwd)
# should pass
result, success = PrivilegeElevation.can_manage_pe(ad_user_session,
scopeType="Collection",
scope=set_id)
assert success and result, f"Can Manage Privilege Elevation for adUser within an adgroup with MA permissions failed:" \
f"{result}"
ad_user_session = CentrifySessionManager(core_session.url,
core_session.tenant_id)
ad_user_session.security_login(core_session.tenant_id,
adUser2['SystemName'], adUserPwd2)
# Should fail
result, success = PrivilegeElevation.can_manage_pe(ad_user_session,
scopeType="System",
scope=added_system_id)
assert success and not result, f"Can Manage Privilege Elevation for adUser not within an adgroup with MA " \
f"permissions passed: {result}"
def test_collection_scenario(core_session, users_and_roles, create_resources,
create_manual_set):
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Get User
requester_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.info(user_info)
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.info(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(core_session,
"Server",
object_ids=[added_system_id])['ID']
logger.info(
f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
admin_user_name,
admin_user_id, set_id)
logger.info(result)
assert result[
'success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permissions to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
set_id)
logger.info(result)
assert result[
'success'], "assigning collection permissions on the resource set for the user failed: " + result
# Give all permission for the user on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
user_info['Name'],
user_info['Id'], set_id)
assert result[
'success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permission but the MA permission to the PAS user on the resource Set
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
set_id)
assert result[
'success'], "assigning collection permissions on the resource set for the user failed: " + result
new_set = SetsManager.get_collection(requester_session, set_id)
logger.info(new_set)
# This user does not have MA permission, so should fail
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
requester_session, scopeType="Collection", scope=set_id)
assert isSuccess and not canManage, f"Can Manage Privilege Elevation for PAS power user with no MA permissions on " \
f"a set passed, reason: {canManage}"
# Now assign MA permission but not Edit permission to the user
permission_string = 'Grant,View,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
user_info['Name'],
user_info['Id'], set_id)
assert result[
'success'], "assigning collection permissions for the user failed: " + result
# This user does not have Edit permission, so should fail
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
requester_session, scopeType="Collection", scope=set_id)
assert isSuccess and not canManage, f"Can Manage Privilege Elevation for PAS power user with no Edit permissions on " \
f"a set passed, reason: {canManage}"
# Now assign MA permission and Edit permission to the user
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
set_id, "User")
assert result[
'success'], "assigning collection permissions for the user failed: " + result
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
user_info['Name'],
user_info['Id'], set_id)
assert result[
'success'], "assigning collection permissions for the user failed: " + result
# This user has Edit and MA permissions on the set, should pass
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
requester_session, scopeType="Collection", scope=set_id)
assert isSuccess and canManage, f"Can Manage Privilege Elevation for PAS power user with Edit and MA permissions on " \
f"a set failed, reason: {canManage}"
# This sysadmin user does have MA permission, so should pass
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
core_session, scopeType="Collection", scope=set_id)
assert isSuccess and canManage, f"Can Manage Privilege Elevation for sys admin user with MA permissions on " \
f"a set failed, reason: {canManage}"