def test_app_management_user_can_create_job_but_not_delete_servers(clean_bulk_delete_systems_and_accounts, core_session, core_tenant, clean_users, users_and_roles, list_of_created_systems): batch = ResourceManager.add_multiple_systems_with_accounts(core_session, 3, 2, list_of_created_systems) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch]) requestor_session = users_and_roles.get_session_for_user('Application Management') user_info = requestor_session.get_current_session_user_info().json()['Result'] all_systems = batch.keys() job_id, result = ResourceManager.del_multiple_systems(requestor_session, all_systems) result = ResourceManager.get_job_state(core_session, job_id) assert result == "Succeeded", "Job did not execute" assert len( ResourceManager.get_multi_added_system_ids(core_session, all_systems)) == 3, "Wrong number of remaining systems" assert len(ResourceManager.get_multi_added_account_ids(core_session, all_systems)) == 6, "Wrong number of remaining accounts" username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.BulkSystemDelete.Start.Multi' end_type = 'Cloud.Core.AsyncOperation.BulkSystemDelete.Failure.Multi' start_message = f'{username} initiated delete of {len(all_systems)} systems' end_message = f'{username} failed to delete {len(all_systems)} of {len(all_systems)} systems' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_bulk_system_delete_by_ids_only_deletes_correct_systems_and_accounts_fast_track( clean_bulk_delete_systems_and_accounts, core_session, list_of_created_systems): user_info = core_session.get_current_session_user_info().json()['Result'] batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 3, 4, list_of_created_systems) batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 1, 2, list_of_created_systems) batch3 = ResourceManager.add_multiple_systems_with_accounts(core_session, 4, 6, list_of_created_systems) batch4 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 8, list_of_created_systems) batch5 = ResourceManager.add_multiple_systems_with_accounts(core_session, 5, 1, list_of_created_systems) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values( [batch1, batch2, batch3, batch4, batch5]) delete_system_ids, delete_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch2, batch4]) keep_system_ids, keep_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch1, batch3, batch5]) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values( [batch1, batch2, batch3, batch4, batch5]) ResourceManager.del_multiple_systems(core_session, delete_system_ids, savepasswords=True, wait_time=0, skip_if_has_apps_or_services=True, run_sync=True) assert set(ResourceManager.get_multi_added_system_ids(core_session, all_systems).values()) == keep_system_ids, "Set of expected remaining systems did not match search" assert set(ResourceManager.get_multi_added_account_ids(core_session, all_systems)) == keep_account_ids, "Set of expected remaining accounts did not match search" username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.BulkSystemDelete.Start.Multi' end_type = 'Cloud.Core.AsyncOperation.BulkSystemDelete.Success.Multi' start_message = f'{username} initiated delete of {len(delete_system_ids)} systems' end_message = f'{username} successfully deleted {len(delete_system_ids)} systems' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_bulk_account_delete_by_sql_query_only_deletes_correct_accounts_fast_track( clean_bulk_delete_systems_and_accounts, core_session, list_of_created_systems): batch = ResourceManager.add_multiple_systems_with_accounts( core_session, 2, 12, list_of_created_systems) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values( [batch]) delete_ids, keep_ids = DataManipulation.shuffle_and_split_into_two_lists( all_accounts) sql_query = 'SELECT * FROM VaultAccount WHERE ' + ' OR '.join( ('VaultAccount.ID = "' + str(n) + '"' for n in list(delete_ids))) result, success = ResourceManager.del_multiple_accounts_by_query( core_session, sql_query, run_sync=True) assert success, "del_multiple_accounts_by_query failed " + result assert set(ResourceManager.get_multi_added_system_ids(core_session, all_systems).values()) == set(all_systems), \ "Wrong set of added systems found" assert set(ResourceManager.get_multi_added_account_ids(core_session, all_systems)) == set(keep_ids), \ "Wrong set of added accounts found" user_info = core_session.get_current_session_user_info().json()['Result'] username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.BulkAccountDelete.StartQuery.Multi' end_type = 'Cloud.Core.AsyncOperation.BulkAccountDelete.Success.Multi' start_message = f'{username} initiated delete of multiple accounts' end_message = f'{username} successfully deleted {len(delete_ids)} accounts' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_bulk_system_unenroll_by_ids_only_unenrolls_correct_systems_fast_track(core_session, test_four_virtual_aapm_agents): user_info = core_session.get_current_session_user_info().json()['Result'] agents, _ = test_four_virtual_aapm_agents all_agent_ids, all_server_ids = _setup_agents(core_session, agents) unenroll_agent_ids = all_agent_ids[:2] unenroll_server_ids = all_server_ids[:2] keep_agent_ids = all_agent_ids[2:] _validate_aapm_agent_details(core_session, all_agent_ids, True) _, success = ResourceManager.unenroll_multiple_systems(core_session, unenroll_server_ids, wait_time=0, SkipIfAgentReconciliationEnabled=True, run_sync=True) assert success, f"Unenroll multiple systems failed: {unenroll_server_ids}" _validate_aapm_agent_details(core_session, unenroll_agent_ids, False) _validate_aapm_agent_details(core_session, keep_agent_ids, True) username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.BulkSystemUnenrollClient.StartQuery.Multi' end_type = 'Cloud.Core.AsyncOperation.BulkSystemUnenrollClient.Success.Multi' start_message = f'{username} initiated unenroll of multiple systems' end_message = f'{username} successfully unenrolled {len(unenroll_server_ids)} systems' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_bulk_system_unenroll_by_sql_query_only_unenrolls_correct_systems(core_session, test_four_virtual_aapm_agents): user_info = core_session.get_current_session_user_info().json()['Result'] agents, _ = test_four_virtual_aapm_agents all_agent_ids, all_server_ids = _setup_agents(core_session, agents) unenroll_agent_ids = all_agent_ids[:2] unenroll_server_ids = all_server_ids[:2] keep_agent_ids = all_agent_ids[2:] _validate_aapm_agent_details(core_session, all_agent_ids, True) sql_query = RedrockController.get_query_for_ids('Server', unenroll_server_ids) _, success = ResourceManager.unenroll_multiple_systems_by_query(core_session, sql_query) assert success, f"Unenroll Multiple systems by query failed: {sql_query}" _validate_aapm_agent_details(core_session, unenroll_agent_ids, False) _validate_aapm_agent_details(core_session, keep_agent_ids, True) username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.BulkSystemUnenrollClient.StartQuery.Multi' end_type = 'Cloud.Core.AsyncOperation.BulkSystemUnenrollClient.Success.Multi' start_message = f'{username} initiated unenroll of multiple systems' end_message = f'{username} successfully unenrolled {len(unenroll_server_ids)} systems' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_cannot_manage_accounts_without_permission( core_session, remote_unmanaged_users_with_mirrored_managed_local_users_qty3, windows_test_machine_config, users_and_roles): right_data = [ "Privileged Access Service Power User", "role_Privileged Access Service Power User" ] requestor_session = users_and_roles.get_session_for_user(right_data[0]) results_role = users_and_roles.get_role(right_data[0]) account_ids = remote_unmanaged_users_with_mirrored_managed_local_users_qty3 job_id, success = ResourceManager.manage_multiple_accounts( requestor_session, account_ids) assert success, "Did not kick off bulk manage accounts job" result = ResourceManager.get_job_state(core_session, job_id) assert result == "Succeeded", "Job did not execute" # Validates accounts are still not managed. _validate_accounts_are_not_managed(requestor_session, account_ids, job_id) permission_string = "Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword,FileTransfer,UserPortalLogin" account_id = account_ids[ 2] # Grant permission to only one of the accounts, the middle one result, success = ResourceManager.assign_account_permissions( core_session, permission_string, results_role['Name'], results_role['ID'], "Role", account_id) assert success, "Did not set account permissions " + str(result) job_id, success = ResourceManager.manage_multiple_accounts( requestor_session, account_ids) assert success, "Did not kick off bulk rotate passwords job" result = ResourceManager.get_job_state(core_session, job_id) assert result == "Succeeded", "Job did not execute" # Validate the one account is managed. _validate_accounts_are_not_managed(requestor_session, [account_ids[0], account_ids[1]], job_id) _validate_accounts_are_managed(requestor_session, [account_ids[2]], job_id) user_info = requestor_session.get_current_session_user_info().json( )['Result'] username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Start.Multi' end_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Failure.Multi' start_message = f'{username} initiated management of {len(account_ids)} accounts' end_message = f'{username} failed to manage 2 of 3 accounts' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_bulk_manage_works_with_different_methods_of_specifying_systems( core_session, remote_unmanaged_users_with_mirrored_managed_local_users_qty3, windows_test_machine_config, change_method): account_ids = remote_unmanaged_users_with_mirrored_managed_local_users_qty3 job_result = None if change_method == "ids": job_result, success = ResourceManager.manage_multiple_accounts( core_session, account_ids) assert success, "Did not bulk manage account" elif change_method == "ids_with_invalid": job_result, success = ResourceManager.manage_multiple_accounts( core_session, ["foo"] + list(account_ids)) assert success, "Did not bulk manage account" elif change_method == "sql": sql_query = 'SELECT * FROM VaultAccount WHERE ' + ' OR '.join( ('VaultAccount.ID = "' + str(n) + '"' for n in account_ids)) job_result, success = ResourceManager.manage_multiple_accounts( core_session, [], set_query=sql_query) assert success, "Did not bulk manage accounts" elif change_method == "group": some_set_name = "ApiSet" + guid() SetsManager.create_manual_collection(core_session, some_set_name, "VaultAccount", None) set_id = SetsManager.get_collection_id(core_session, some_set_name, "VaultAccount") SetsManager.update_members_collection(core_session, 'add', account_ids, 'VaultAccount', set_id) filters = SetsManager.get_object_collection_and_filter_by_name( core_session, some_set_name, "VaultAccount")['Filters'] job_result, success = ResourceManager.manage_multiple_accounts( core_session, [], set_query=filters) assert success, "Did not bulk manage accounts" else: raise Exception(f"Bad input variable change_method {change_method}") _validate_accounts_are_managed(core_session, account_ids, job_result) user_info = core_session.get_current_session_user_info().json()['Result'] username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Start.Multi' end_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Success.Multi' start_message = f'{username} initiated management of {len(account_ids)} accounts' end_message = f'{username} successfully managed {len(account_ids)} accounts' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_bulk_rotate_works_with_different_methods_of_specifying_systems( core_session, remote_users_with_mirrored_managed_local_users_qty3, windows_test_machine_config, change_method): remote_ip = windows_test_machine_config['ip_address'] account_ids, accounts = BulkOperations.grab_relevant_users(core_session, remote_users_with_mirrored_managed_local_users_qty3) passwords_fetched = BulkOperations.checkout_users(core_session, accounts) BulkOperations.validate_users_with_login(remote_ip, passwords_fetched) if change_method == "checkin": # disabled, out of scope BulkOperations.check_in_users(core_session, passwords_fetched) elif change_method == "ids": result, success = ResourceManager.rotate_multiple_passwords(core_session, account_ids) assert success, "Did not bulk rotate passwords" elif change_method == "ids_with_invalid": result, success = ResourceManager.rotate_multiple_passwords(core_session, account_ids) assert success, "Did not bulk rotate passwords" elif change_method == "sql": sql_query = 'SELECT * FROM VaultAccount ' \ 'WHERE ' + ' OR '.join(('VaultAccount.ID = "' + str(n) + '"' for n in account_ids)) result, success = ResourceManager.rotate_multiple_passwords(core_session, [], set_query=sql_query) assert success, "Did not bulk rotate passwords" elif change_method == "group": some_set_name = "ApiSet" + guid() SetsManager.create_manual_collection(core_session, some_set_name, "VaultAccount", None) set_id = SetsManager.get_collection_id(core_session, some_set_name, "VaultAccount") SetsManager.update_members_collection(core_session, 'add', account_ids, 'VaultAccount', set_id) filters = SetsManager.get_object_collection_and_filter_by_name(core_session, some_set_name, "VaultAccount")['Filters'] result, success = ResourceManager.rotate_multiple_passwords(core_session, [], set_query=filters) assert success, "Did not bulk rotate passwords" else: raise Exception(f"Bad input variable change_method {change_method}") BulkOperations.validate_users_with_login(remote_ip, passwords_fetched, [False] * len(passwords_fetched), change_method) # Verify passwords are no longer right user_info = core_session.get_current_session_user_info().json()['Result'] username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Start.Multi' end_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Success.Multi' start_message = f'{username} initiated password rotation of {len(account_ids)} accounts' end_message = f'{username} successfully rotated {len(account_ids)} account passwords' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_app_management_user_can_create_job_but_not_delete_accounts( clean_bulk_delete_systems_and_accounts, core_session, core_tenant, clean_users, users_and_roles, list_of_created_systems): batch = ResourceManager.add_multiple_systems_with_accounts( core_session, 2, 2, list_of_created_systems) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values( [batch]) assert len( ResourceManager.get_multi_added_system_ids( core_session, all_systems)) == 2, "Added systems not reflected in search" assert len( ResourceManager.get_multi_added_account_ids( core_session, all_systems)) == 4, "Added accounts not reflected in search" requestor_session = users_and_roles.get_session_for_user( 'Application Management') job_id, result = ResourceManager.del_multiple_accounts( requestor_session, all_accounts) result = ResourceManager.get_job_state(core_session, job_id) assert result == "Succeeded", "Job did not execute" assert len(ResourceManager.get_multi_added_system_ids(core_session, all_systems)) == 2, \ "Expected 2 added systems to be found, but received different number" assert len(ResourceManager.get_multi_added_account_ids(core_session, all_systems)) == 4, \ "Expected 4 added accounts to be found, but received different number" user_info = requestor_session.get_current_session_user_info().json( )['Result'] username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.BulkAccountDelete.Start.Multi' end_type = 'Cloud.Core.AsyncOperation.BulkAccountDelete.Failure.Multi' start_message = f'{username} initiated delete of {len(all_accounts)} accounts' end_message = f'{username} failed to delete {len(all_accounts)} of {len(all_accounts)} accounts' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_bulk_account_delete_by_ids_only_deletes_correct_accounts( clean_bulk_delete_systems_and_accounts, core_session, list_of_created_systems): batch1 = ResourceManager.add_multiple_systems_with_accounts( core_session, 3, 4, list_of_created_systems) batch2 = ResourceManager.add_multiple_systems_with_accounts( core_session, 1, 2, list_of_created_systems) batch3 = ResourceManager.add_multiple_systems_with_accounts( core_session, 4, 6, list_of_created_systems) batch4 = ResourceManager.add_multiple_systems_with_accounts( core_session, 2, 8, list_of_created_systems) batch5 = ResourceManager.add_multiple_systems_with_accounts( core_session, 5, 2, list_of_created_systems) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values( [batch1, batch2, batch3, batch4, batch5]) delete_ids, keep_ids = DataManipulation.shuffle_and_split_into_two_lists( all_accounts) result, success = ResourceManager.del_multiple_accounts( core_session, delete_ids) assert success, "Api did not complete successfully for bulk account delete MSG: " + result assert set( ResourceManager.get_multi_added_system_ids( core_session, all_systems).values()) == set( all_systems), "Wrong set of added systems found" assert set( ResourceManager.get_multi_added_account_ids( core_session, all_systems)) == set(keep_ids), "Wrong set of added accounts found" user_info = core_session.get_current_session_user_info().json()['Result'] username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.BulkAccountDelete.Start.Multi' end_type = 'Cloud.Core.AsyncOperation.BulkAccountDelete.Success.Multi' start_message = f'{username} initiated delete of {len(delete_ids)} accounts' end_message = f'{username} successfully deleted {len(delete_ids)} accounts' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_cannot_rotate_passwords_without_permission(core_session, remote_users_with_mirrored_managed_local_users_qty3, windows_test_machine_config, users_and_roles): right_data = ["Privileged Access Service Power User", "role_Privileged Access Service Power User"] requestor_session = users_and_roles.get_session_for_user(right_data[0]) results_role = users_and_roles.get_role(right_data[0]) remote_ip = windows_test_machine_config['ip_address'] account_ids, accounts = BulkOperations.grab_relevant_users(core_session, remote_users_with_mirrored_managed_local_users_qty3) passwords_fetched = BulkOperations.checkout_users(core_session, accounts) job_id, success = ResourceManager.rotate_multiple_passwords(requestor_session, account_ids) assert success, "Did not kick off bulk rotate passwords job" result = ResourceManager.get_job_state(core_session, job_id) assert result == "Succeeded", "Job did not execute" BulkOperations.validate_users_with_login(remote_ip, passwords_fetched) # Verify passwords are still right permission_string = "Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword,FileTransfer," \ "UserPortalLogin " account_id = passwords_fetched[1][3] # Grant permission to only one of the accounts, the middle one result, success = ResourceManager.assign_account_permissions(core_session, permission_string, results_role['Name'], results_role['ID'], "Role", account_id) assert success, "Did not set account permissions " + str(result) job_id, success = ResourceManager.rotate_multiple_passwords(requestor_session, account_ids) assert success, "Did not kick off bulk rotate passwords job" result = ResourceManager.get_job_state(core_session, job_id) assert result == "Succeeded", "Job did not execute" BulkOperations.validate_users_with_login(remote_ip, passwords_fetched, [True, False, True]) user_info = requestor_session.get_current_session_user_info().json()['Result'] username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Start.Multi' end_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Failure.Multi' start_message = f'{username} initiated password rotation of {len(account_ids)} accounts' end_message = f'{username} failed to rotate 2 of 3 account passwords' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_bulk_system_delete_by_sql_query_only_deletes_correct_systems_and_accounts( clean_bulk_delete_systems_and_accounts, core_session, list_of_created_systems): user_info = core_session.get_current_session_user_info().json()['Result'] assert len(ResourceManager.get_multi_added_system_ids(core_session, [ "x"])) == 0 # Use fake GUID string to ensure that filter is working properly, since empty list means no filter assert len(ResourceManager.get_multi_added_account_ids(core_session, ["x"])) == 0 batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 3, 4, list_of_created_systems) batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 1, 2, list_of_created_systems) batch3 = ResourceManager.add_multiple_systems_with_accounts(core_session, 4, 6, list_of_created_systems) batch4 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 8, list_of_created_systems) batch5 = ResourceManager.add_multiple_systems_with_accounts(core_session, 5, 1, list_of_created_systems) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values( [batch1, batch2, batch3, batch4, batch5]) assert len(ResourceManager.get_multi_added_system_ids(core_session, all_systems)) == 15, "Found wrong number of added systems" assert len(ResourceManager.get_multi_added_account_ids(core_session, all_systems)) == 59, "Found wrong number of add accounts" delete_system_ids, delete_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch2, batch4]) keep_system_ids, keep_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch1, batch3, batch5]) sql_query = RedrockController.get_query_for_ids('Server', delete_system_ids) ResourceManager.del_multiple_systems_by_query(core_session, sql_query, False, "") assert set(ResourceManager.get_multi_added_system_ids(core_session, all_systems).values()) == keep_system_ids, "Set of expected remaining systems did not match search" assert set(ResourceManager.get_multi_added_account_ids(core_session, all_systems)) == keep_account_ids, "Set of expected remaining accounts did not match search" username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.BulkSystemDelete.StartQuery.Multi' end_type = 'Cloud.Core.AsyncOperation.BulkSystemDelete.Success.Multi' start_message = f'{username} initiated delete of multiple systems' end_message = f'{username} successfully deleted {len(delete_system_ids)} systems' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_app_management_user_can_create_job_but_not_unenroll_servers(core_session, users_and_roles, test_four_virtual_aapm_agents): agents, _ = test_four_virtual_aapm_agents agent_ids, server_ids = _setup_agents(core_session, agents) requestor_session = users_and_roles.get_session_for_user('Application Management') user_info = requestor_session.get_current_session_user_info().json()['Result'] _, result = ResourceManager.unenroll_multiple_systems(requestor_session, server_ids) assert result, "Job did not execute" _validate_aapm_agent_details(core_session, agent_ids, True) username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.BulkSystemUnenrollClient.Start.Multi' end_type = 'Cloud.Core.AsyncOperation.BulkSystemUnenrollClient.Failure.Multi' start_message = f'{username} initiated unenroll of {len(server_ids)} systems' end_message = f'{username} failed to unenroll {len(server_ids)} of {len(server_ids)} systems' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)