def test_delete_assignment(core_session, setup_generic_pe_command_with_no_rules):
    """Deleting one of two assignments leaves the other one listed.

    Creates two identical Global/Role assignments on the fixture command,
    deletes the second, then checks that the list API still returns the
    first and no longer returns the second.
    """
    logger.info("test_delete_assignment")
    command_name, command_id = setup_generic_pe_command_with_no_rules

    # Both assignments use the same principal and scope; only their IDs differ.
    assignment_kwargs = dict(
        commandID=command_id,
        scopeType="Global",
        principalType="Role",
        principal="System Administrator",
    )
    rule_id1, ok = PrivilegeElevation.add_pe_rule_assignment(core_session, **assignment_kwargs)
    assert ok, f" Adding rule assignment failed"
    rule_id2, ok = PrivilegeElevation.add_pe_rule_assignment(core_session, **assignment_kwargs)
    assert ok, f" Adding rule assignment failed"

    # Remove only the second assignment.
    outcome, ok = PrivilegeElevation.del_pe_rule_assignment(core_session, rule_id2)
    assert ok, f" Deleting rule assignment 2 failed: {outcome}"

    listing, ok = PrivilegeElevation.list_pe_assignments(core_session, command=command_name)
    assert ok, f"List assignments API call failed: {listing}"

    # The survivor must still be listed and the deleted one must be gone.
    assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(rule_id1, listing, True), \
        f"ruleID1 not present in list of pe assignments response"
    assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(rule_id2, listing, False), \
        f"ruleID2 present in list of pe assignments response"
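def test_commandID_commandName_not_provided(core_session, setup_generic_pe_command_with_no_rules, create_resources):
    """GetAssignmentsByScope returns both assignments without a command filter.

    Adds a Unix system, grants the admin every system permission (including
    ManagePrivilegeElevationAssignment), creates two identical System-scoped
    assignments, then queries by scope alone and expects exactly those two.
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Add System
    added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.debug(f"Successfully added a System: {added_system_id}")

    # Give all permissions to the admin
    permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
                        'ManagePrivilegeElevationAssignment'
    result, success = ResourceManager.assign_system_permissions(core_session, permission_string, admin_user_name,
                                                                admin_user_id, "User", added_system_id)
    assert success, f"Did not set admin system permissions: {result}"

    def _expected_rule():
        """Build a fresh expected record for one System-scoped Role assignment."""
        return get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Role",
                                       principal="System Administrator", scopeType="System",
                                       scope=added_system_id, principalId=None, bypassChallenge=False)

    # Add assignment
    rule_info1 = _expected_rule()
    ruleID1, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
                                                                   scopeType=rule_info1['ScopeType'],
                                                                   scope=rule_info1['Scope'],
                                                                   principalType=rule_info1['PrincipalType'],
                                                                   principal=rule_info1['Principal'])
    assert isSuccess, f" Adding rule assignment 1 failed"
    rule_info1['ID'] = ruleID1

    # Add assignment 2. This must be a separate record: aliasing rule_info1
    # would let the ID assignment below overwrite rule_info1['ID'], and the
    # final check would then never look for ruleID1 at all.
    rule_info2 = _expected_rule()
    ruleID2, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
                                                                   scopeType=rule_info2['ScopeType'],
                                                                   scope=rule_info2['Scope'],
                                                                   principalType=rule_info2['PrincipalType'],
                                                                   principal=rule_info2['Principal'])
    assert isSuccess, f" Adding rule assignment 2 failed"
    rule_info2['ID'] = ruleID2

    results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(core_session, scopeType="System",
                                                                        scope=added_system_id)
    assert isSuccess, f"GetAssignmentsByScope failed when commandID and " \
                      f"commandName not provided. reason: {results}"

    # Exactly the two assignments, each matched by its own ID.
    rule_info_list = [rule_info1, rule_info2]
    assert len(results['Result']) == 2 and PrivilegeElevation.check_rules_info_in_api_response(
        rule_info_list, results), \
        f"GetAssignmentsByScope complete check failed: {ruleID1} : {ruleID2}"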
def test_delete_command_with_assignments(core_session, setup_generic_pe_command_with_no_rules):
    """Deleting a command by name also makes its assignments unlistable.

    Adds one Global/Role assignment, confirms it is listed, deletes the
    command by name, and expects the list call for that command name to fail
    afterwards.
    """
    logger.info("test_delete_command_with_assignments")
    command_name, command_id = setup_generic_pe_command_with_no_rules

    # Add assignment
    rule_id, ok = PrivilegeElevation.add_pe_rule_assignment(
        core_session,
        commandID=command_id,
        scopeType="Global",
        principalType="Role",
        principal="System Administrator",
    )
    assert ok, f" Adding rule assignment failed"

    # The assignment must be visible before the command is removed.
    listing, ok = PrivilegeElevation.list_pe_assignments(core_session, command=command_name)
    assert ok, f"List assignments API call failed: {listing}"
    logger.debug(f"List pe assignments response: {listing}")
    assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(rule_id, listing, True), \
        f"ruleID not present in list of pe assignments response"

    # Delete the command by name; this is expected to succeed.
    outcome, ok = PrivilegeElevation.del_pe_command(core_session, name=command_name)
    assert ok, f"Deleting command failed: {outcome}"

    # With the command gone, listing by its name is expected to fail.
    listing, ok = PrivilegeElevation.list_pe_assignments(core_session, command=command_name)
    assert not ok, f"List assignments API call not failed after deleting associated command: {listing}"
    logger.debug(f"List pe assignments response: {listing}")
def test_pe_user_has_access(core_session, setup_generic_pe_command_with_no_rules, users_and_roles):
    """A 'Privilege Elevation Management' user can read a Global assignment.

    The admin session creates one Global/Role assignment; the requester
    session (a user with the Privilege Elevation Management role) then calls
    GetAssignmentsByScope and must see exactly that assignment.
    """
    command_name, command_id = setup_generic_pe_command_with_no_rules

    # Session of the user whose read access is under test.
    requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
    session_info = requester_session.get_current_session_user_info()
    user_info = session_info.json()['Result']
    logger.debug(user_info)

    expected = get_PE_ASSIGNMENTS_Data(commandID=command_id, commandName=command_name, principalType="Role",
                                       principal="System Administrator", scopeType="Global", scope=None,
                                       principalId=None, bypassChallenge=False)
    rule_id, ok = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=command_id,
                                                            scopeType=expected['ScopeType'],
                                                            principalType=expected['PrincipalType'],
                                                            principal=expected['Principal'])
    assert ok, f" Adding rule assignment failed"
    expected['ID'] = rule_id

    # This user inherited View permission, so the read is expected to succeed.
    listing, ok = PrivilegeElevation.get_pe_assignments_by_scope(requester_session, scopeType="Global",
                                                                 commandID=command_id)
    assert ok, f"GetAssignmentsByScope for PAS power user failed, reason: {listing}"

    complete = len(listing['Result']) == 1 and \
        PrivilegeElevation.check_rules_info_in_api_response([expected], listing)
    assert complete, f"GetAssignmentsByScope complete check failed: {rule_id}"
def test_update_assignment_sysadmin_without_ma_permission_on_system(
        core_session, create_resources, setup_generic_pe_command_with_no_rules):
    """A sysadmin can update a System-scoped assignment without the MA permission.

    Grants the admin every system permission except
    ManagePrivilegeElevationAssignment, creates a User-scoped assignment on
    the system with BypassChallenge off, flips it on through UpdateAssignment,
    and verifies the listed record reflects the change.
    """
    command_name, command_id = setup_generic_pe_command_with_no_rules
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Add System
    added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.info(f"Successfully added a System: {added_system_id}")

    # Every system permission except MA (ManagePrivilegeElevationAssignment).
    permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
    result, success = ResourceManager.assign_system_permissions(
        core_session, permission_string, admin_user_name, admin_user_id, "User", added_system_id)
    assert success, f"Unable to set system permissions for admin: {result}"

    # Add assignment
    expected = get_PE_ASSIGNMENTS_Data(commandID=command_id, commandName=command_name, principalType="User",
                                       principal=admin_user_name, scopeType="System", scope=added_system_id,
                                       principalId=None, bypassChallenge=False)
    rule_id, ok = PrivilegeElevation.add_pe_rule_assignment(
        core_session, commandID=command_id, scopeType=expected['ScopeType'], scope=expected['Scope'],
        principalType=expected['PrincipalType'], principal=expected['Principal'], byPassChallenge=False)
    assert ok, f" Adding rule assignment failed"
    expected['ID'] = rule_id

    # The expected record is updated first, then the server is asked to match it.
    expected['BypassChallenge'] = True

    # Sysadmin lacks MA on this system but is still expected to be allowed.
    response, ok = PrivilegeElevation.update_pe_assignment(
        core_session, ruleID=rule_id, bypassChallenge=True)
    assert ok, f"UpdateAssignment for sys admin user with MA permissions on " \
               f"a set failed, reason: {response}"

    # Confirm the update actually landed.
    listing, ok = PrivilegeElevation.list_pe_assignments(
        core_session, commandID=command_id)
    assert ok, f"List Assignments for sysadmin user failed, reason: {listing}"

    complete = len(listing['Result']) == 1 and \
        PrivilegeElevation.check_rules_info_in_api_response([expected], listing)
    assert complete, f"List Assignments complete check failed: {rule_id}"
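def test_regular_user_on_system_set(core_session, setup_generic_pe_command_with_no_rules, users_and_roles,
                                    create_resources, create_manual_set):
    """A regular user without View on a set cannot read its assignments.

    Builds a Server set containing one Unix system, grants the admin full
    permissions on the set, and creates a Collection-scoped assignment for a
    regular user. GetAssignmentsByScope must be refused for that user with
    the standard not-authorized message, and must succeed for the admin.
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Get User
    requester_session = users_and_roles.get_session_for_user()
    response = requester_session.get_current_session_user_info()
    user_info = response.json()['Result']

    # Add System
    added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.debug(f"Successfully added a System: {added_system_id}")

    # Create Set and add the system to this set
    set_id = create_manual_set(
        core_session, "Server", object_ids=[added_system_id])['ID']
    logger.debug(f"Successfully created a set and added system to that set: {set_id}")

    # Give all permissions to the admin
    permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
                        'ManagePrivilegeElevationAssignment'
    result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name,
                                                             admin_user_id, set_id, "User")
    # `result` is subscripted as a mapping, so it is interpolated rather than
    # concatenated: "str" + dict would raise TypeError while building the
    # failure message and hide the real outcome.
    assert result['success'], f"setting admin collection permissions failed: {result}"

    # Add assignment
    rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User",
                                        principal=user_info['Name'], scopeType="Collection", scope=set_id,
                                        principalId=None, bypassChallenge=False)
    ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
                                                                  scopeType=rule_info['ScopeType'],
                                                                  scope=rule_info['Scope'],
                                                                  principalType=rule_info['PrincipalType'],
                                                                  principal=rule_info['Principal'])
    assert isSuccess, f" Adding rule assignment failed"
    rule_info['ID'] = ruleID

    # This user does not have view permission on the set, so the read must be refused.
    results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(requester_session, scopeType="Collection",
                                                                        commandID=commandID, scope=set_id)
    assert not isSuccess and results['Message'] == \
        "You are not authorized to perform this operation. Please contact your IT helpdesk.", \
        f"GetAssignmentsByScope for regular user with no view permissions on a collection passed, reason: {results}"

    # GetAssignmentByScope should succeed if admin does the API request
    results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(core_session, scopeType="Collection",
                                                                        commandID=commandID, scope=set_id)
    assert isSuccess, f"GetAssignmentsByScope for admin user failed, reason: {results}"

    rule_info_list = [rule_info]
    assert len(results['Result']) == 1 and \
        PrivilegeElevation.check_rules_info_in_api_response(rule_info_list, results), \
        f"GetAssignmentsByScope complete check failed: {ruleID}"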
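def test_pe_can_execute_priv_command_sys_asmnt_no_user_in_non_sysadmin_role(
        core_session, setup_generic_pe_command_with_no_rules_all_OS, users_and_roles, cleanup_servers):
    """A role-scoped assignment must not grant a user who is outside that role.

    Registers a Windows system, creates a fresh role and a fresh user that is
    deliberately not a member of it, assigns the fixture command to the role
    on that system, and checks CanExecutePrivilegeCommand reports
    Granted == False for the user. The assignment is removed in a ``finally``
    so a failing assertion cannot leave it behind; the system is handed to
    the ``cleanup_servers`` fixture.
    """
    # Add System
    sys_name = "test_pe_can_execute_priv_cmd123" + guid()
    sys_fqdn = "fqdn123" + guid()
    added_system_id, system_success_status = ResourceManager.add_system(
        core_session, name=sys_name, fqdn=sys_fqdn, computerclass="Windows", sessiontype="Rdp")
    assert system_success_status, f'Adding system failed returned status {system_success_status}'
    logger.debug(f"Successfully added a System: {added_system_id}")
    cleanup_servers.append(added_system_id)

    commandName, commandID = setup_generic_pe_command_with_no_rules_all_OS
    role = users_and_roles.populate_role({
        'Name': "can_exec_role123" + guid(),
        "Rights": ["Admin Portal Login"]
    })
    # The user is never added to the role; that is the condition under test.
    userobj1 = users_and_roles.populate_user(
        {'Name': 'can_exec_user123' + guid()})

    # Add assignment
    asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Role",
                                         principalId=role['ID'], scopeType="System", scope=added_system_id,
                                         principal=None, bypassChallenge=True)
    asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
        core_session, commandID=commandID, scopeType=asmnt_info['ScopeType'], scope=asmnt_info['Scope'],
        principalType=asmnt_info['PrincipalType'], principalID=asmnt_info['PrincipalId'], byPassChallenge=True,
        starts=asmnt_info['Starts'], expires=asmnt_info['Expires'])
    assert isSuccess, f"Adding assignment failed"

    try:
        results, isSuccess = PrivilegeElevation.can_execute_priv_command(
            core_session, user=userobj1.get_login_name(), system=sys_name, command="sudo date")
        assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
        assert not results['Granted'], f"Granted should be false: {results}"
    finally:
        # Clean up even when an assertion above fails, so the role-scoped
        # assignment does not outlive the test.
        errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
            core_session, asmntID)
    assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'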
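def test_pe_del_command_scenario2(core_session, setup_generic_pe_command_with_no_rules, users_and_roles,
                                  create_resources, create_manual_set):
    """Deleting a command as a PE-management user also removes its assignments.

    Builds a Server set with one Unix system, grants the admin full set
    permissions, creates a Collection-scoped assignment for the requester,
    and verifies it is listed. The requester (Privilege Elevation Management
    role) then deletes the command; a follow-up explicit delete of the
    assignment must fail with 'Privilege Elevation Assignment not found'.
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules
    requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
    response = requester_session.get_current_session_user_info()
    user_info = response.json()['Result']
    logger.debug(f"del_command_scenario2 user_info: {user_info}")

    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Add System
    added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.debug(f"Successfully added a System: {added_system_id}")

    # Create Set and add the system to this set
    set_id = create_manual_set(
        core_session, "Server", object_ids=[added_system_id])['ID']
    logger.debug(f"Successfully created a set and added system to that set: {set_id}")

    # Give all permissions to admin user on this set
    permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
                        'ManagePrivilegeElevationAssignment'
    result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name,
                                                             admin_user_id, set_id, "User")
    # `result` is a mapping (see the subscript), so it is interpolated rather
    # than concatenated; "str" + dict would raise TypeError in the message.
    assert result['success'], f"setting collection permissions failed: {result}"

    # Add assignment
    principalType = "User"
    principal = user_info['Name']
    scopeType = "Collection"
    scope = set_id
    ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
                                                                  scopeType=scopeType, scope=scope,
                                                                  principalType=principalType, principal=principal)
    assert isSuccess, f" Adding rule assignment failed"

    # Make sure rule assignment is available
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
    assert isSuccess, f"List assignments API call failed: {results}"
    logger.debug(f"List pe assignments response: {results}")
    assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
        f"ruleID not present in list of pe assignments response"

    # Deleting the command must succeed and take its assignments with it.
    result, isSuccess = PrivilegeElevation.del_pe_command(requester_session, name=commandName)
    assert isSuccess, f"Deleting command as a non-admin user with pe permission failed: {result}"

    # Deleting the assignment explicitly must now fail as not-found.
    result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
    assert not isSuccess, f"Deleting an already deleted assignment passed: {ruleID}"
    assert re.findall('Privilege Elevation Assignment not found', result), \
        f"Deleting an already deleted assignment failed with unknown exception: {result}"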
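def test_pe_can_execute_priv_command_sys_asmnt_no_aduser_in_adgroup(
        core_session, setup_generic_pe_command_with_no_rules, setup_user_in_ad_group, setup_aduser,
        cleanup_servers):
    """A group-scoped assignment must not grant an AD user outside that group.

    Registers a Unix system, assigns the fixture command to an AD group on it,
    and checks CanExecutePrivilegeCommand reports Granted == False for an AD
    user that is not in the group. Skips when the fixture could not create
    the group. The assignment is removed in a ``finally`` so a failing
    assertion cannot leave it behind; the system is handed to
    ``cleanup_servers``.
    """
    # Add System
    sys_name = "test_pe_can_execute_priv_command" + guid()
    sys_fqdn = "fqdn" + guid()
    added_system_id, system_success_status = ResourceManager.add_system(
        core_session, name=sys_name, fqdn=sys_fqdn, computerclass="Unix", sessiontype="Ssh")
    assert system_success_status, f'Adding system failed returned status {system_success_status}'
    logger.debug(f"Successfully added a System: {added_system_id}")
    cleanup_servers.append(added_system_id)

    commandName, commandID = setup_generic_pe_command_with_no_rules
    aduser, _, adgroup = setup_user_in_ad_group
    if adgroup is None:
        pytest.skip("Cannot create adgroup")

    # Add assignment
    asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Group",
                                         principal=adgroup['DisplayName'], scopeType="System",
                                         scope=added_system_id, principalId=None, bypassChallenge=True)
    asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
        core_session, commandID=commandID, scopeType=asmnt_info['ScopeType'], scope=asmnt_info['Scope'],
        principalType=asmnt_info['PrincipalType'], principal=asmnt_info['Principal'], byPassChallenge=True,
        starts=asmnt_info['Starts'], expires=asmnt_info['Expires'])
    assert isSuccess, f"Adding assignment failed"

    # A second AD user, not a member of adgroup (the negative case).
    aduser1, _ = setup_aduser

    try:
        results, isSuccess = PrivilegeElevation.can_execute_priv_command(
            core_session, user=aduser1['SystemName'], system=sys_name, command="sudo date")
        assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
        assert not results['Granted'], f"Granted should be false: {results}"
    finally:
        # Clean up even when an assertion above fails, so the group-scoped
        # assignment does not outlive the test.
        errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
            core_session, asmntID)
    assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'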
def test_multiple_rules(core_session, setup_generic_pe_command_with_no_rules):
    """Two Global assignments on one command are both returned by List Assignments.

    The first is a Role assignment for System Administrator; the second is a
    User assignment for the admin, identified by principal ID and with
    BypassChallenge on plus an explicit Starts/Expires window.
    """
    command_name, command_id = setup_generic_pe_command_with_no_rules

    # First rule assignment (by principal name).
    expected_role = get_PE_ASSIGNMENTS_Data(commandID=command_id, commandName=command_name, principalType="Role",
                                            principal="System Administrator", scopeType="Global", scope=None,
                                            principalId=None, bypassChallenge=False)
    rule_id1, ok = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=command_id,
                                                             scopeType=expected_role['ScopeType'],
                                                             principalType=expected_role['PrincipalType'],
                                                             principal=expected_role['Principal'])
    assert ok, f" Adding rule assignment 1 failed"
    expected_role['ID'] = rule_id1

    # Admin identity for the second rule.
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Second rule assignment (by principal ID, with a time window).
    expected_user = get_PE_ASSIGNMENTS_Data(commandID=command_id, commandName=command_name, principalType="User",
                                            principal=admin_user_name, scopeType="Global", scope=None,
                                            principalId=admin_user_id, bypassChallenge=True)
    rule_id2, ok = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=command_id,
                                                             scopeType=expected_user['ScopeType'],
                                                             principalType=expected_user['PrincipalType'],
                                                             principalID=expected_user['PrincipalId'],
                                                             byPassChallenge=True,
                                                             starts=expected_user['Starts'],
                                                             expires=expected_user['Expires'])
    assert ok, f" Adding rule assignment 2 failed"
    expected_user['ID'] = rule_id2

    # Both must come back, and nothing else.
    listing, ok = PrivilegeElevation.list_pe_assignments(core_session, commandID=command_id)
    assert ok, f"List Assignments for two assignments failed, reason: {listing}"

    complete = len(listing['Result']) == 2 and PrivilegeElevation.check_rules_info_in_api_response(
        [expected_role, expected_user], listing)
    assert complete, f"List Assignments complete check failed: {rule_id1} : {rule_id2}"
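def test_pe_del_assignment_on_set_delete(core_session, setup_generic_pe_command_with_no_rules, create_resources):
    """Deleting a set removes the Collection-scoped assignments on it.

    Creates a Server set holding one Unix system, grants the admin full set
    permissions, adds a Collection-scoped User assignment and checks it is
    listed, deletes the set, and expects the listing to be empty afterwards.
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Add System
    added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.debug(f"Successfully added a System: {added_system_id}")

    # Create Set and add the system to this set
    set_name = "set_" + Util.random_string()
    is_create, set_id = SetsManager.create_manual_collection(
        core_session, set_name, "Server", object_ids=[added_system_id])
    # The message is only shown on failure, so it must describe the failure.
    assert is_create, f"Creating a set and adding the system to it failed: {set_id}"

    # Give all permissions to admin user on this set
    permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
                        'ManagePrivilegeElevationAssignment'
    result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name,
                                                             admin_user_id, set_id, "User")
    logger.info(result)
    # `result` is a mapping (see the subscript), so it is interpolated rather
    # than concatenated; "str" + dict would raise TypeError in the message.
    assert result['success'], f"setting collection permissions failed: {result}"

    # Add assignment
    principalType = "User"
    principal = admin_user_name
    scopeType = "Collection"
    scope = set_id
    ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
                                                                  scopeType=scopeType, scope=scope,
                                                                  principalType=principalType, principal=principal)
    assert isSuccess, f" Adding rule assignment failed"

    # Make sure rule assignment is available
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
    assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"
    logger.info(results)

    # Delete Set
    isSuccess, results = SetsManager.delete_collection(core_session, set_id)
    assert isSuccess, f"Deleting set failed: {results}"

    # The assignment must have gone with the set.
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
    assert isSuccess and len(results['Result']) == 0, f"List assignments API call failed: {results}"
    logger.info(results)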
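def test_regular_user_with_no_view_permissions_on_system_set(core_session, setup_generic_pe_command_with_no_rules,
                                                             users_and_roles, create_resources, create_manual_set):
    """List Assignments is refused for a regular user without View on the set.

    Builds a Server set containing one Unix system, grants the admin full set
    permissions, creates a Collection-scoped assignment for a regular user,
    and expects that user's List Assignments call to fail with the standard
    not-authorized message.
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Get User
    requester_session = users_and_roles.get_session_for_user()
    response = requester_session.get_current_session_user_info()
    user_info = response.json()['Result']
    logger.debug(user_info)

    # Add System
    added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.debug(f"Successfully added a System: {added_system_id}")

    # Create Set and add the system to this set
    set_id = create_manual_set(
        core_session, "Server", object_ids=[added_system_id])['ID']
    logger.debug(f"Successfully created a set and added system to that set: {set_id}")

    # Give all permissions to the admin
    permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
                        'ManagePrivilegeElevationAssignment'
    result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name,
                                                             admin_user_id, set_id, "User")
    logger.info(result)
    # `result` is a mapping (see the subscript), so it is interpolated rather
    # than concatenated; "str" + dict would raise TypeError in the message.
    assert result['success'], f"setting admin collection permissions failed: {result}"

    # Add assignment
    principalType = "User"
    principal = user_info['Name']
    scopeType = "Collection"
    scope = set_id
    ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
                                                                  scopeType=scopeType, scope=scope,
                                                                  principalType=principalType, principal=principal)
    assert isSuccess, f" Adding rule assignment failed"

    # This user does not have view permission, so the listing must be refused.
    results, isSuccess = PrivilegeElevation.list_pe_assignments(requester_session, commandID=commandID)
    assert not isSuccess and results['Message'] == \
        "You are not authorized to perform this operation. Please contact your IT helpdesk.", \
        f"List Assignments for regular user with no view permissions on a set passed/ failed with " \
        f"unknown exception, reason: {results}"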
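def test_no_bypassChallenge(core_session, setup_generic_pe_command_with_no_rules, users_and_roles):
    """A sysadmin can set a Starts/Expires window on a Global assignment.

    Creates a Global/Role assignment with BypassChallenge off, updates it with
    a ten-minute validity window, and verifies the listed record carries the
    new Starts and Expires values.
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules
    rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Role",
                                        principal="System Administrator", scopeType="Global", scope=None,
                                        principalId=None, bypassChallenge=False)
    ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
        core_session, commandID=commandID, scopeType=rule_info['ScopeType'],
        principalType=rule_info['PrincipalType'], principal=rule_info['Principal'])
    assert isSuccess, f" Adding rule assignment failed"
    rule_info['ID'] = ruleID

    # Updated window. The trailing "Z" declares the timestamp as UTC, so the
    # clock is read in UTC; reading local time and appending "Z" would shift
    # the window by the host's UTC offset. Both values derive from one
    # reading so Expires is exactly ten minutes after Starts.
    now_utc = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0, tzinfo=None)
    starts = now_utc.isoformat() + "Z"
    expires = (now_utc + datetime.timedelta(minutes=10)).isoformat() + "Z"
    rule_info['Starts'] = starts
    rule_info['Expires'] = expires

    # With sysadmin should pass
    results, isSuccess = PrivilegeElevation.update_pe_assignment(
        core_session, ruleID=ruleID, starts=rule_info['Starts'], expires=rule_info['Expires'])
    assert isSuccess, f"Update Assignment for sysadmin user failed for Global rule, reason: {results}"

    # Make sure rules are actually updated
    results, isSuccess = PrivilegeElevation.list_pe_assignments(
        core_session, commandID=commandID)
    assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"

    rule_info_list = [rule_info]
    assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
        rule_info_list, results), \
        f"List Assignments complete check failed: {ruleID}"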
def test_pe_del_assignment_scenario1(core_session, setup_generic_pe_command_with_no_rules, users_and_roles,
                                     create_resources):
    """A PE-management user without manage permission on a system cannot delete its assignment.

    The admin gets every system permission except the manage-assignments
    one and creates a System-scoped assignment for the requester. The
    requester's explicit delete of that assignment must be refused with an
    'unauthorized' message.
    """
    command_name, command_id = setup_generic_pe_command_with_no_rules
    requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
    session_info = requester_session.get_current_session_user_info()
    user_info = session_info.json()['Result']
    logger.debug(f"del_assignment_scenario1 user_info: {user_info}")

    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Add System
    added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.debug(f"Successfully added a System: {added_system_id}")

    # Every system permission except ManagePrivilegeElevationAssignment.
    permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
    outcome, granted = ResourceManager.assign_system_permissions(core_session, permission_string, admin_user_name,
                                                                 admin_user_id, "User", added_system_id)
    assert granted, f"Did not set system permissions: {outcome}"

    # Add a System-scoped assignment for the requester.
    rule_id, ok = PrivilegeElevation.add_pe_rule_assignment(
        core_session,
        commandID=command_id,
        scopeType="System",
        scope=added_system_id,
        principalType="User",
        principal=user_info['Name'],
    )
    assert ok, f" Adding rule assignment failed"

    # The assignment must be listed before the negative delete is attempted.
    listing, ok = PrivilegeElevation.list_pe_assignments(core_session, command=command_name)
    assert ok, f"List assignments API call failed: {listing}"
    logger.debug(f"List pe assignments response: {listing}")
    assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(rule_id, listing, True), \
        f"ruleID not present in list of pe assignments response"

    # Explicit delete by the requester is expected to be refused.
    outcome, ok = PrivilegeElevation.del_pe_rule_assignment(requester_session, rule_id)
    assert not ok, f"Deleting rule assignment with no manage permission on system passed: {rule_id}"
    assert re.search('unauthorized', outcome), \
        f"Deleting rule assignment with no manage permission on system did not fail with unauthorized exception: " \
        f"{rule_id}: {outcome}"
def test_global_scenario(core_session, setup_generic_pe_command_with_no_rules, users_and_roles):
    """Only a sysadmin may update a Global assignment.

    Creates a Global/Role assignment, then tries to switch BypassChallenge on
    first as a Privileged Access Service Power User (must be refused) and
    then as the sysadmin (must succeed), finally checking the listed record
    shows the update.
    """
    command_name, command_id = setup_generic_pe_command_with_no_rules
    expected = get_PE_ASSIGNMENTS_Data(commandID=command_id, commandName=command_name, principalType="Role",
                                       principal="System Administrator", scopeType="Global", scope=None,
                                       principalId=None, bypassChallenge=False)
    rule_id, ok = PrivilegeElevation.add_pe_rule_assignment(
        core_session, commandID=command_id, scopeType=expected['ScopeType'],
        principalType=expected['PrincipalType'], principal=expected['Principal'])
    assert ok, f" Adding rule assignment failed"
    expected['ID'] = rule_id

    # Non-sysadmin session used for the negative case.
    power_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Power User')

    expected['BypassChallenge'] = True

    # Not a sysadmin: the update must be refused.
    response, ok = PrivilegeElevation.update_pe_assignment(
        power_user_session, ruleID=rule_id, bypassChallenge=True)
    assert not ok, f"Update Assignment for PAS power user passed for Global rule, reason: {response}"

    # Sysadmin: the same update must succeed.
    response, ok = PrivilegeElevation.update_pe_assignment(
        core_session, ruleID=rule_id, bypassChallenge=True)
    assert ok, f"Update Assignment for sysadmin user failed for Global rule, reason: {response}"

    # Confirm the stored record reflects the update.
    listing, ok = PrivilegeElevation.list_pe_assignments(
        core_session, commandID=command_id)
    assert ok, f"List Assignments for PAS power user failed, reason: {listing}"

    complete = len(listing['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
        [expected], listing)
    assert complete, f"List Assignments complete check failed: {rule_id}"
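def test_delete_assignment_sysadmin_without_ma_permission_on_system_set(core_session, create_manual_set,
                                                                        setup_generic_pe_command_with_no_rules):
    """A sysadmin can delete a Collection-scoped assignment without the MA permission.

    Creates an empty Server set, grants the admin set permissions and every
    resource permission except ManagePrivilegeElevationAssignment, adds a
    Collection-scoped User assignment, confirms it is listed, and expects the
    sysadmin's explicit delete to succeed.
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Create Set (no system is added to it here)
    set_id = create_manual_set(
        core_session, "Server")['ID']
    logger.info(f"Successfully created a set and added system to that set: {set_id}")

    # Give all permissions to the admin on the set
    permission_string = 'Grant,View,Edit,Delete'
    result = SetsManager.set_collection_permissions(core_session, permission_string, admin_user_name,
                                                    admin_user_id, set_id)
    logger.info(result)
    # `result` is a mapping (see the subscript), so it is interpolated rather
    # than concatenated; "str" + dict would raise TypeError in the message.
    assert result['success'], f"assigning collection permissions on the set for the user, failed: {result}"

    # Give all permissions but MA to the admin on the ResourceSet
    permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
    result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name,
                                                             admin_user_id, set_id)
    assert result['success'], f"assigning collection permissions on the resource set for the user failed: {result}"

    # Add assignment
    principalType = "User"
    principal = admin_user_name
    scopeType = "Collection"
    scope = set_id
    ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
                                                                  scopeType=scopeType, scope=scope,
                                                                  principalType=principalType, principal=principal)
    assert isSuccess, f" Adding rule assignment failed"

    # Make sure rule assignment is available
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
    assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"

    # Deleting assignment explicitly should pass for the sysadmin
    result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, ruleID)
    assert isSuccess, f"Deleting rule assignment with no manage permission on system as sysadmin failed: {ruleID}"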
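def test_pe_del_assignment_on_system_delete(core_session, setup_generic_pe_command_with_no_rules, create_resources):
    """Deleting a system removes the System-scoped assignments on it.

    Adds a Unix system, grants the admin every system permission (including
    ManagePrivilegeElevationAssignment), adds a System-scoped User assignment
    and checks it is listed, deletes the system, and expects the listing to
    be empty afterwards.
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Add System
    added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.debug(f"Successfully added a System: {added_system_id}")

    # Give all permissions, including manage assignments, to admin user on this system
    permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
                        'ManagePrivilegeElevationAssignment'
    result, success = ResourceManager.assign_system_permissions(core_session, permission_string, admin_user_name,
                                                                admin_user_id, "User", added_system_id)
    # Interpolated rather than concatenated: the sibling tests render this
    # same `result` with an f-string, and "str" + non-str would raise
    # TypeError inside the failure message.
    assert success, f"Did not set system permissions {result}"

    # Add assignment
    principalType = "User"
    principal = admin_user_name
    scopeType = "System"
    scope = added_system_id
    ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
                                                                  scopeType=scopeType, scope=scope,
                                                                  principalType=principalType, principal=principal)
    assert isSuccess, f" Adding rule assignment failed"

    # Make sure rule assignment is available
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
    assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"
    logger.debug(results)

    # Delete System
    result, isSuccess = ResourceManager.del_system(core_session, added_system_id)
    assert isSuccess, f"deleting System failed: {result}"

    # The assignment must have gone with the system.
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
    assert isSuccess and len(results['Result']) == 0, f"List assignments API call failed: {results}"
    logger.info(results)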
def test_commandID_case(core_session, setup_generic_pe_command_with_no_rules):
    """Listing assignments by ``commandID`` (instead of by command name) returns the single
    global "System Administrator" role assignment that was added to the command."""
    commandName, commandID = setup_generic_pe_command_with_no_rules

    expected = get_PE_ASSIGNMENTS_Data(
        commandID=commandID,
        commandName=commandName,
        principalType="Role",
        principal="System Administrator",
        scopeType="Global",
        scope=None,
        principalId=None,
        bypassChallenge=False,
    )
    new_rule_id, added = PrivilegeElevation.add_pe_rule_assignment(
        core_session,
        commandID=commandID,
        scopeType=expected['ScopeType'],
        principalType=expected['PrincipalType'],
        principal=expected['Principal'],
    )
    assert added, f" Adding rule assignment failed"
    expected['ID'] = new_rule_id

    # Query by ID rather than by name
    listing, listed = PrivilegeElevation.list_pe_assignments(core_session, commandID=commandID)
    assert listed, f"List Assignments failed for commandID: {commandID}, reason: {listing}"

    # Exactly one assignment, and every field of it matches what was added
    assert len(listing['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response([expected], listing), \
        f"List Assignments complete check failed: {new_rule_id}"
def test_delete_assignment_sysadmin_without_ma_permission_on_system(core_session, create_resources, setup_generic_pe_command_with_no_rules, operating_system):
    """A sysadmin can delete a system-scoped PE assignment even though the
    ManagePrivilegeElevationAssignment (MA) permission was withheld on that system."""
    commandName, commandID = setup_generic_pe_command_with_no_rules
    current_user = core_session.get_user()
    login_name = current_user.get_login_name()
    user_id = current_user.get_id()

    # One system of the given operating_system
    system_id = create_resources(core_session, 1, operating_system)[0]['ID']
    logger.info(f"Successfully added a System: {system_id}")

    # Every system permission except MA for the admin
    perms_without_ma = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
    outcome, granted = ResourceManager.assign_system_permissions(core_session, perms_without_ma, login_name, user_id, "User", system_id)
    assert granted, f"Unable to set system permissions for admin: {outcome}"

    # Assignment on that system for the admin user
    assignment_id, added = PrivilegeElevation.add_pe_rule_assignment(
        core_session,
        commandID=commandID,
        scopeType="System",
        scope=system_id,
        principalType="User",
        principal=login_name,
    )
    assert added, f" Adding rule assignment failed"

    # Exactly one assignment is listed for the command
    listing, listed = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
    assert listed and len(listing['Result']) == 1, f"List assignments API call failed: {listing}"

    # The explicit delete must succeed despite the missing MA permission
    outcome, deleted = PrivilegeElevation.del_pe_rule_assignment(core_session, assignment_id)
    assert deleted, f"Deleting rule assignment with no manage permission on system as sysadmin failed: {assignment_id}"
def test_system_scenario(core_session, setup_generic_pe_command_with_no_rules, users_and_roles, create_resources):
    """UpdateAssignment on a system-scoped assignment is refused for a
    'Privilege Elevation Management' user until that user is granted the
    ManagePrivilegeElevationAssignment (MA) permission on the system; afterwards the admin's
    ListAssignments still shows the single, unchanged assignment.

    NOTE(review): the negative step only asserts ``not updated``, so any failure reason (not
    just an authorization denial) would satisfy it — confirm the API's denial message and pin
    it the way test_collection_scenario does.
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules
    admin_user = core_session.get_user()
    admin_name = admin_user.get_login_name()
    admin_id = admin_user.get_id()

    # The PE user whose permissions are under test
    pe_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
    pe_user = pe_session.get_current_session_user_info().json()['Result']

    system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.debug(f"Successfully added a System: {system_id}")

    all_perms = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
                'ManagePrivilegeElevationAssignment'
    perms_without_ma = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'

    # Admin: everything; PE user: everything except MA
    result, success = ResourceManager.assign_system_permissions(core_session, all_perms, admin_name, admin_id, "User", system_id)
    assert success, f"Did not set admin system permissions: {result}"
    result, success = ResourceManager.assign_system_permissions(core_session, perms_without_ma, pe_user['Name'], pe_user['Id'], "User", system_id)
    assert success, f"Did not set PE user system permissions: {result}"

    # System-scoped assignment for the admin user
    expected = get_PE_ASSIGNMENTS_Data(
        commandID=commandID,
        commandName=commandName,
        principalType="User",
        principal=admin_name,
        scopeType="System",
        scope=system_id,
        principalId=None,
        bypassChallenge=False,
    )
    rule_id, added = PrivilegeElevation.add_pe_rule_assignment(
        core_session,
        commandID=commandID,
        scopeType=expected['ScopeType'],
        scope=expected['Scope'],
        principalType=expected['PrincipalType'],
        principal=expected['Principal'],
        byPassChallenge=False,
    )
    assert added, f" Adding rule assignment failed"
    expected['ID'] = rule_id

    # Without MA the update must be refused
    outcome, updated = PrivilegeElevation.update_pe_assignment(pe_session, ruleID=rule_id, bypassChallenge=False)
    assert not updated, f"Update Assignment for PE user with no MA permissions on a system passed, reason: {outcome}"

    # Grant MA; the same update must now succeed
    result, success = ResourceManager.assign_system_permissions(core_session, all_perms, pe_user['Name'], pe_user['Id'], "User", system_id)
    assert success, f"Did not set PE user system permissions: {result}"
    outcome, updated = PrivilegeElevation.update_pe_assignment(pe_session, ruleID=rule_id, bypassChallenge=False)
    assert updated, f"Update Assignment for PE user with MA permissions on a system failed, reason: {outcome}"

    # The listing still matches the expected record
    listing, listed = PrivilegeElevation.list_pe_assignments(core_session, commandID=commandID)
    assert listed, f"List Assignments for PAS power user failed, reason: {listing}"
    assert len(listing['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response([expected], listing), \
        f"List Assignments complete check failed: {rule_id}"
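def test_pe_can_execute_priv_command_sys_asmnt_on_user(core_session, setup_generic_pe_command_with_no_rules, cleanup_servers):
    """CanExecutePrivilegeCommand grants ``sudo date`` to the admin user through a system-scoped,
    bypass-challenge assignment on that user.

    Fixes: the parameter comparison was a bare tuple expression (never asserted), and the
    assignment clean-up was skipped whenever an earlier assertion failed.
    """
    # Add System
    sys_name = "test_pe_can_execute_priv_command" + guid()
    sys_fqdn = "fqdn" + guid()
    added_system_id, system_success_status = ResourceManager.add_system(core_session, name=sys_name, fqdn=sys_fqdn, computerclass="Unix", sessiontype="Ssh")
    assert system_success_status, f'Adding system failed returned status {system_success_status}'
    logger.debug(f"Successfully added a System: {added_system_id}")
    cleanup_servers.append(added_system_id)

    commandName, commandID = setup_generic_pe_command_with_no_rules

    # Get Admin info
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Add assignment: principal given by ID, bypassChallenge on, with a Starts/Expires window
    asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User", principal=admin_user_name, scopeType="System", scope=added_system_id, principalId=admin_user_id, bypassChallenge=True)
    asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=asmnt_info['ScopeType'], scope=asmnt_info['Scope'], principalType=asmnt_info['PrincipalType'], principalID=asmnt_info['PrincipalId'], byPassChallenge=True, starts=asmnt_info['Starts'], expires=asmnt_info['Expires'])
    assert isSuccess, "Adding assignment failed"
    asmnt_info['ID'] = asmntID

    try:
        results, isSuccess = PrivilegeElevation.can_execute_priv_command(core_session, user=admin_user_name, system=sys_name, command="sudo date")
        assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
        assert len(results['PrivilegeElevationCommands']) == 1, f"Only single command should exist {results}"
        results_assignments = results['PrivilegeElevationCommands'][0]['Assignments']
        assert len(results_assignments) == 1 and results['Granted'], "Granted should be true"
        # Originally a bare tuple expression, so a field mismatch never failed the test.
        # Assumes the checker returns a truthy value on match, like its check_* siblings — confirm.
        assert PrivilegeElevation.check_can_execute_priv_command_results(asmnt_info, results['PrivilegeElevationCommands'][0]), \
            f"All params not matching {results}"
    finally:
        # clean up: remove the assignment even if an assertion above failed
        errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, asmntID)
        assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'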
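def test_scope_system(core_session, setup_generic_pe_command_with_no_rules, users_and_roles, create_resources, create_manual_set):
    """GetAssignmentsByScope on a system honours the ``inherit`` flag: with inheritance off only
    the system's own assignment is returned; with it on, the global assignment and the ones on
    every set containing the system are returned as well, while assignments on the other system
    and on a set that does not contain this system stay excluded.

    Fixes: the permission assertions concatenated a dict onto a ``str`` (``TypeError`` on
    failure), and the inherit=True messages said "inheritance off" and named ruleID3 instead of
    ruleID5.
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Two systems: system 1 is in set 1 and set 2, system 2 is in set 2 and set 3
    added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.debug(f"Successfully added a System: {added_system_id}")
    added_system_id2 = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.debug(f"Successfully added a System: {added_system_id2}")

    set_id = create_manual_set(core_session, "Server", object_ids=[added_system_id])['ID']
    logger.debug(f"Successfully created a set and added system to that set: {set_id}")
    set_id2 = create_manual_set(core_session, "Server", object_ids=[added_system_id, added_system_id2])['ID']
    logger.debug(f"Successfully created a set and added both system to that set: {set_id2}")
    set_id3 = create_manual_set(core_session, "Server", object_ids=[added_system_id2])['ID']
    logger.debug(f"Successfully created a set and added system 2 to that set: {set_id3}")

    # Give all resource permissions, including ManagePrivilegeElevationAssignment, to the admin on every set
    permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
                        'ManagePrivilegeElevationAssignment'
    for collection_id in (set_id, set_id2, set_id3):
        result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name, admin_user_id, collection_id, "User")
        assert result['success'], f"setting admin collection permissions failed: {result}"

    def add_bypass_assignment(scopeType, scope, failure_message):
        """Add a bypass-challenge assignment for the admin user on the given scope; return its expected record."""
        info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User", principal=admin_user_name, scopeType=scopeType, scope=scope, principalId=admin_user_id, bypassChallenge=True)
        rule_id, ok = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=info['ScopeType'], scope=info['Scope'], principalType=info['PrincipalType'], principalID=info['PrincipalId'], byPassChallenge=True, starts=info['Starts'], expires=info['Expires'])
        assert ok, failure_message
        info['ID'] = rule_id
        return info

    # Adding rules: first the global assignment for the System Administrator role
    rule_info1 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Role", principal="System Administrator", scopeType="Global", scope=None, principalId=None, bypassChallenge=False)
    ruleID1, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=rule_info1['ScopeType'], principalType=rule_info1['PrincipalType'], principal=rule_info1['Principal'])
    assert isSuccess, " Adding rule assignment 1 failed"
    rule_info1['ID'] = ruleID1

    # Then one assignment per system and per set (system 2 / set 3 exist only to be excluded later)
    rule_info2 = add_bypass_assignment("System", added_system_id, " Adding rule assignment for system 1 failed")
    add_bypass_assignment("System", added_system_id2, " Adding rule assignment on system 2 failed")
    rule_info4 = add_bypass_assignment("Collection", set_id, " Adding rule assignment on set 1 failed")
    rule_info5 = add_bypass_assignment("Collection", set_id2, " Adding rule assignment on set 2 failed")
    add_bypass_assignment("Collection", set_id3, " Adding rule assignment on set 3 failed")
    ruleID2, ruleID4, ruleID5 = rule_info2['ID'], rule_info4['ID'], rule_info5['ID']

    # inherit=False: only the assignment placed directly on system 1 (1 of the 6 added)
    results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(core_session, scopeType="System", inherit=False, scope=added_system_id)
    assert isSuccess, f"GetAssignmentsByScope for system with inheritance off failed, reason: {results}"
    assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response([rule_info2], results), \
        f"GetAssignmentsByScope complete check failed: {ruleID2}"

    # inherit=True: global + system 1 + set 1 + set 2 (4 of the 6 added)
    results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(core_session, scopeType="System", inherit=True, scope=added_system_id)
    assert isSuccess, f"GetAssignmentsByScope for system with inheritance on failed, reason: {results}"
    rule_info_list = [rule_info1, rule_info2, rule_info4, rule_info5]
    # >= rather than ==: parallel runs may add global assignments this test does not know about
    assert len(results['Result']) >= 4 and PrivilegeElevation.check_rules_info_in_api_response(rule_info_list, results), \
        f"GetAssignmentsByScope complete check failed: {ruleID1} : {ruleID2} : {ruleID4} : {ruleID5}"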
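def test_collection_scenario(core_session, users_and_roles, create_resources, create_manual_set, setup_generic_pe_command_with_no_rules):
    """UpdateAssignment on a set-scoped assignment requires BOTH the Edit permission on the set
    and the ManagePrivilegeElevationAssignment (MA) permission on the set's resources for a
    'Privileged Access Service Power User'; the sysadmin can update regardless.

    Fixes: assertion messages concatenated ``result`` (a dict) onto a ``str`` (``TypeError`` on
    failure); the "no Edit" step never actually granted MA, so it could not tell an Edit denial
    from the MA denial already tested; and the Starts/Expires window was built from naive local
    time but labelled "Z" (UTC).
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Get User
    requester_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
    response = requester_session.get_current_session_user_info()
    user_info = response.json()['Result']

    # Add System
    added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.debug(f"Successfully added a System: {added_system_id}")

    # Create Set and add the system to this set
    set_id = create_manual_set(core_session, "Server", object_ids=[added_system_id])['ID']
    logger.debug(f"Successfully created a set and added system to that set: {set_id}")

    set_permissions = 'Grant,View,Edit,Delete'
    resource_permissions_with_ma = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
                                   'ManagePrivilegeElevationAssignment'
    resource_permissions_without_ma = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'

    # Admin: all permissions on the set and on its resources
    result = SetsManager.set_collection_permissions(core_session, set_permissions, admin_user_name, admin_user_id, set_id)
    assert result['success'], f"setting admin collection permissions on the set failed: {result}"
    result = SetsManager.set_collection_resource_permissions(core_session, resource_permissions_with_ma, admin_user_name, admin_user_id, set_id)
    assert result['success'], f"setting admin collection permissions on the resourceSet failed: {result}"

    # PAS power user: all permissions on the set, everything but MA on its resources
    result = SetsManager.set_collection_permissions(core_session, set_permissions, user_info['Name'], user_info['Id'], set_id)
    assert result['success'], f"setting PAS power user collection permissions on the set failed: {result}"
    result = SetsManager.set_collection_resource_permissions(core_session, resource_permissions_without_ma, user_info['Name'], user_info['Id'], set_id)
    assert result['success'], f"setting PAS power user collection permissions on the resourceSet failed: {result}"

    # Add assignment on the set for the PAS power user
    rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User", principal=user_info['Name'], scopeType="Collection", scope=set_id, principalId=None, bypassChallenge=False)
    ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=rule_info['ScopeType'], scope=rule_info['Scope'], principalType=rule_info['PrincipalType'], principal=rule_info['Principal'], byPassChallenge=False)
    assert isSuccess, " Adding rule assignment failed"
    rule_info['ID'] = ruleID

    # No MA on the resources: the update must be refused as unauthorized
    results, isSuccess = PrivilegeElevation.update_pe_assignment(requester_session, ruleID=ruleID, bypassChallenge=False)
    assert not isSuccess and results['Message'] == "Attempted to perform an unauthorized operation.", \
        f"UpdateAssignment for PAS power user with no MA permissions on a set passed, reason: {results}"

    # MA on the resources but no Edit on the set: the update must still be refused.
    # The MA grant was missing originally, so this step only re-tested the MA denial.
    result = SetsManager.set_collection_resource_permissions(core_session, resource_permissions_with_ma, user_info['Name'], user_info['Id'], set_id, "User")
    assert result['success'], f"setting PAS power user collection permissions failed: {result}"
    result = SetsManager.set_collection_permissions(core_session, 'Grant,View,Delete', user_info['Name'], user_info['Id'], set_id)
    assert result['success'], f"setting PAS power user collection permissions failed: {result}"
    results, isSuccess = PrivilegeElevation.update_pe_assignment(requester_session, ruleID=ruleID, bypassChallenge=False)
    assert not isSuccess and results['Message'] == "Attempted to perform an unauthorized operation.", \
        f"UpdateAssignment for PAS power user with no Edit permissions on a set passed, reason: {results}"

    # MA on the resources and Edit on the set: the update must pass
    result = SetsManager.set_collection_resource_permissions(core_session, resource_permissions_with_ma, user_info['Name'], user_info['Id'], set_id, "User")
    assert result['success'], f"setting PAS power user collection permissions failed: {result}"
    result = SetsManager.set_collection_permissions(core_session, set_permissions, user_info['Name'], user_info['Id'], set_id)
    assert result['success'], f"setting PAS power user collection permissions failed: {result}"

    # New validity window, taken from UTC so the trailing "Z" is truthful
    now_utc = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0, tzinfo=None)
    rule_info['Starts'] = now_utc.isoformat() + "Z"
    rule_info['Expires'] = (now_utc + datetime.timedelta(minutes=10)).isoformat() + "Z"
    rule_info['BypassChallenge'] = True
    results, isSuccess = PrivilegeElevation.update_pe_assignment(requester_session, ruleID=ruleID, bypassChallenge=rule_info['BypassChallenge'], starts=rule_info['Starts'], expires=rule_info['Expires'])
    assert isSuccess, f"UpdateAssignment for PAS power user with Edit and MA permissions on a set failed, reason: {results}"

    # Make sure rules are actually updated
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, commandID=commandID)
    assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"
    assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response([rule_info], results), \
        f"List Assignments complete check failed: {ruleID}"

    # The sysadmin (who holds MA) can update as well
    rule_info['BypassChallenge'] = False
    results, isSuccess = PrivilegeElevation.update_pe_assignment(core_session, ruleID=ruleID, bypassChallenge=False)
    assert isSuccess, f"UpdateAssignment for sys admin user with MA permissions on a set failed, reason: {results}"
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, commandID=commandID)
    assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"
    assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response([rule_info], results), \
        f"List Assignments complete check failed: {ruleID}"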
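def test_pe_can_execute_priv_command_set_asmnt_on_adgroup(core_session, setup_user_in_ad_group, setup_generic_pe_command_with_no_rules_all_OS, create_manual_set, users_and_roles, cleanup_servers):
    """CanExecutePrivilegeCommand grants ``sc stop cagent`` on a Windows system to an AD user via
    a set-scoped, bypass-challenge assignment on the user's AD group.

    Fixes: the parameter comparison was a bare tuple expression (never asserted), and the
    assignment clean-up was skipped whenever an earlier assertion failed.
    """
    # Add System
    sys_name = "test_pe_can_execute_priv_command" + guid()
    sys_fqdn = "fqdn" + guid()
    added_system_id, system_success_status = ResourceManager.add_system(core_session, name=sys_name, fqdn=sys_fqdn, computerclass="Windows", sessiontype="Rdp")
    assert system_success_status, f'Adding system failed returned status {system_success_status}'
    logger.debug(f"Successfully added a System: {added_system_id}")
    cleanup_servers.append(added_system_id)

    # Create Set and add the system to this set
    set_id = create_manual_set(core_session, "Server", object_ids=[added_system_id])['ID']
    logger.debug(f"Successfully created a set and added system to that set: {set_id}")

    commandName, commandID = setup_generic_pe_command_with_no_rules_all_OS
    aduser, _, adgroup = setup_user_in_ad_group
    if adgroup is None:
        pytest.skip("Cannot create adgroup")

    # Add assignment on the set for the AD group (bypassChallenge on, with a Starts/Expires window)
    asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Group", principal=adgroup['DisplayName'], scopeType="Collection", scope=set_id, principalId=None, bypassChallenge=True)
    asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=asmnt_info['ScopeType'], scope=asmnt_info['Scope'], principalType=asmnt_info['PrincipalType'], principal=asmnt_info['Principal'], byPassChallenge=True, starts=asmnt_info['Starts'], expires=asmnt_info['Expires'])
    assert isSuccess, "Adding assignment failed"
    asmnt_info['ID'] = asmntID

    try:
        results, isSuccess = PrivilegeElevation.can_execute_priv_command(core_session, user=aduser['SystemName'], system=sys_name, command="sc stop cagent")
        assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
        assert len(results['PrivilegeElevationCommands']) == 1, f"Only single command should exist {results}"
        results_assignments = results['PrivilegeElevationCommands'][0]['Assignments']
        assert len(results_assignments) == 1 and results['Granted'], "Granted should be true"
        # Originally a bare tuple expression, so a field mismatch never failed the test.
        # Assumes the checker returns a truthy value on match, like its check_* siblings — confirm.
        assert PrivilegeElevation.check_can_execute_priv_command_results(asmnt_info, results['PrivilegeElevationCommands'][0]), \
            f"All params not matching {results}"
    finally:
        # clean up: remove the assignment even if an assertion above failed
        errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, asmntID)
        assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'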
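def test_update_assignment_sysadmin_without_ma_permission_on_system_set(core_session, create_manual_set, setup_generic_pe_command_with_no_rules):
    """A sysadmin can update (turn bypassChallenge on for) a set-scoped PE assignment even though
    the ManagePrivilegeElevationAssignment (MA) permission was withheld on the set's resources.

    Fixes: the permission assertions concatenated ``result`` (a dict) onto a ``str``, raising
    ``TypeError`` instead of ``AssertionError`` on failure, and the update message said
    "with MA permissions" although this scenario withholds MA.
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Create an (empty) Server set; no system is added to it in this test
    set_id = create_manual_set(core_session, "Server")['ID']
    logger.info(f"Successfully created a set and added system to that set: {set_id}")

    # Give all set-level (collection) permissions to the admin
    permission_string = 'Grant,View,Edit,Delete'
    result = SetsManager.set_collection_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id)
    assert result['success'], f"assigning collection permissions on the set for the user, failed: {result}"

    # Give every resource-level permission except MA to the admin on the set's resources
    permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
    result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id)
    assert result['success'], f"assigning collection permissions on the resource set for the user failed: {result}"

    # Add assignment on the set for the admin user
    rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User", principal=admin_user_name, scopeType="Collection", scope=set_id, principalId=None, bypassChallenge=False)
    ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=rule_info['ScopeType'], scope=rule_info['Scope'], principalType=rule_info['PrincipalType'], principal=rule_info['Principal'], byPassChallenge=False)
    assert isSuccess, " Adding rule assignment failed"
    rule_info['ID'] = ruleID

    # Update rules: the sysadmin lacks MA on the set's resources, but the update should still pass
    rule_info['BypassChallenge'] = True
    results, isSuccess = PrivilegeElevation.update_pe_assignment(core_session, ruleID=ruleID, bypassChallenge=True)
    assert isSuccess, f"UpdateAssignment for sys admin user without MA permissions on a set failed, reason: {results}"

    # Make sure assignments are actually updated
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, commandID=commandID)
    assert isSuccess, f"List Assignments for sysadmin user failed, reason: {results}"
    rule_info_list = [rule_info]
    assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(rule_info_list, results), \
        f"List Assignments complete check failed: {ruleID}"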
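def test_pe_can_execute_priv_command_set_asmnt_on_non_sysadmin_role(core_session, setup_generic_pe_command_with_no_rules, create_manual_set, users_and_roles, cleanup_servers):
    """CanExecutePrivilegeCommand grants ``sudo date`` to a user whose only relevant membership is
    a freshly created non-sysadmin role, via a set-scoped, bypass-challenge assignment on that role.

    Fixes: the parameter comparison was a bare tuple expression (never asserted), and the
    assignment clean-up was skipped whenever an earlier assertion failed.
    """
    # Add System
    sys_name = "test_pe_can_execute_priv_command" + guid()
    sys_fqdn = "fqdn" + guid()
    added_system_id, system_success_status = ResourceManager.add_system(core_session, name=sys_name, fqdn=sys_fqdn, computerclass="Unix", sessiontype="Ssh")
    assert system_success_status, f'Adding system failed returned status {system_success_status}'
    logger.debug(f"Successfully added a System: {added_system_id}")
    cleanup_servers.append(added_system_id)

    # Create Set and add the system to this set
    set_id = create_manual_set(core_session, "Server", object_ids=[added_system_id])['ID']
    logger.debug(f"Successfully created a set and added system to that set: {set_id}")

    commandName, commandID = setup_generic_pe_command_with_no_rules

    # A new role carrying only the portal-login right, and a new user placed in it
    role = users_and_roles.populate_role({'Name': "can_exec_role" + guid(), "Rights": ["Admin Portal Login"]})
    userobj = users_and_roles.populate_user({'Name': 'user' + guid()})
    users_and_roles.add_user_to_role(userobj, role)

    # Add assignment on the set for the role (bypassChallenge on, with a Starts/Expires window)
    asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Role", principal=role['Name'], scopeType="Collection", scope=set_id, principalId=None, bypassChallenge=True)
    asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=asmnt_info['ScopeType'], scope=asmnt_info['Scope'], principalType=asmnt_info['PrincipalType'], principal=asmnt_info['Principal'], byPassChallenge=True, starts=asmnt_info['Starts'], expires=asmnt_info['Expires'])
    assert isSuccess, "Adding assignment failed"
    asmnt_info['ID'] = asmntID

    try:
        results, isSuccess = PrivilegeElevation.can_execute_priv_command(core_session, user=userobj.get_login_name(), system=sys_name, command="sudo date")
        assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
        assert len(results['PrivilegeElevationCommands']) == 1, f"Only single command should exist {results}"
        results_assignments = results['PrivilegeElevationCommands'][0]['Assignments']
        assert len(results_assignments) == 1 and results['Granted'], "Granted should be true"
        # Originally a bare tuple expression, so a field mismatch never failed the test.
        # Assumes the checker returns a truthy value on match, like its check_* siblings — confirm.
        assert PrivilegeElevation.check_can_execute_priv_command_results(asmnt_info, results['PrivilegeElevationCommands'][0]), \
            f"All params not matching {results}"
    finally:
        # clean up: remove the assignment even if an assertion above failed
        errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, asmntID)
        assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'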