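def test_user_cannot_create_secret_without_add_permission(
        core_session, users_and_roles, create_secret_folder, pas_general_secrets):
    """
    Negative authorization test: a user holding only 'View' on a folder must
    not be able to create a secret inside it.

    :param core_session: Authenticated Centrify Session, used to grant the folder permission
    :param users_and_roles: Fixture to create New user with PAS Power Rights
    :param create_secret_folder: Fixture to create secret Folder & yield folder related details
    :param pas_general_secrets: Fixture to read secret data from yaml file
    """
    application_management_user = users_and_roles.get_user(
        'Privileged Access Service Power User')
    application_management_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Power User')
    user_name = application_management_user.get_login_name()
    user_id = application_management_user.get_id()
    folder_id = create_secret_folder['ID']

    assert application_management_session.auth_details is not None, 'Failed to Login with PAS Power User'
    # Log the login name only: test logs are retained and shared, so the
    # account password must never be written to them.
    logger.info(f'User with PAS Power User Rights login successfully :user_Name: {user_name}')

    # Precondition for the negative check: the user really holds 'View' (and
    # nothing else) on the folder. Without this assertion a failed grant would
    # let the test pass for the wrong reason.
    permissions = give_user_permissions_to_folder(core_session, user_name, user_id, folder_id, 'View')
    assert permissions['success'], f'Not able to set permissions to folder:{permissions["Result"]}'

    secrets_params = pas_general_secrets
    added_text_secret_success, added_text_secret_result = create_text_secret_within_folder(
        application_management_session,
        secrets_params['secret_name'],
        secrets_params['secret_text'],
        secrets_params['secret_description'],
        folder_id)
    assert added_text_secret_success is False, \
        f'Able to create a secret in another user\'s folder. {added_text_secret_result}'
    logger.info(
        f'Creating secret in other user folder with no Add permissions: {added_text_secret_success}'
    )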
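def test_move_permissions(core_session, get_admin_user_function, cleanup_secrets_and_folders, secret_folder):
    """Tests moving folders with permissions

    Steps:
        1. Core session creates a destination folder
            -Verify Success
        2. Core session gives the admin user 'View,Edit,Grant' on the source folder
            -Verify Success
        3. Admin user tries to move the source folder into the destination
            -Verify Failure (no permission granted on the destination yet)
        4. Core session gives the admin user 'View,Add' on the destination
            -Verify Success
        5. Admin user moves the source folder into the destination
            -Verify Success
    """
    admin_sesh, admin_user = get_admin_user_function
    fol_name = 'test_folder' + guid()

    add_folder_success, folder_params, folder_id = create_secret_folder(core_session, fol_name)
    assert add_folder_success, \
        f"Core Session should have been able to create folder {fol_name}, response {json.dumps(folder_params)}"
    cleanup_secrets_and_folders[1].append(folder_id)

    give_perm_result = give_user_permissions_to_folder(
        core_session, admin_user.get_login_name(), admin_user.get_id(),
        secret_folder['ID'], "View,Edit,Grant")
    assert give_perm_result['success'], \
        f"Core Session Should have been able to give User Permission to folder {secret_folder['Name']}"

    # Negative check: rights on the source alone must not be enough to move it
    # into a folder the user has no rights on.
    move_result = move_folder(admin_sesh, secret_folder['ID'], folder_id)
    assert not move_result['success'], \
        f"User should not have been able to move folder {secret_folder['ID']} to {folder_id}, " \
        f"response {json.dumps(move_result)}"

    # NOTE(review): this repeats the grant above unchanged; what differs between
    # the two move attempts is the 'View,Add' grant on the destination below.
    give_perm_result = give_user_permissions_to_folder(
        core_session, admin_user.get_login_name(), admin_user.get_id(),
        secret_folder['ID'], "View,Edit,Grant")
    assert give_perm_result['success'], \
        f"Core Session Should have been able to give User Permission to folder {secret_folder['Name']}"

    give_perm_result = give_user_permissions_to_folder(
        core_session, admin_user.get_login_name(), admin_user.get_id(),
        folder_id, "View,Add")
    assert give_perm_result['success'], \
        f"Core Session Should have been able to give User Permission to folder {fol_name}"

    move_result = move_folder(admin_sesh, secret_folder['ID'], folder_id)
    assert move_result['success'], \
        f"User should have been able to move folder {secret_folder['ID']} to {folder_id}, " \
        f"response {json.dumps(move_result)}"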
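def test_delete_permission_on_folder_you_can_delete_folder(core_session, create_secret_folder, users_and_roles,
                                                           cleanup_secrets_and_folders):
    """
    C3043: the 'Delete' folder permission gates folder deletion for UserA.
       1) Grant UserA only 'View' on the folder; deleting it as UserA must fail
       2) Grant UserA 'View,Delete' on the folder; deleting it as UserA must succeed

    :param core_session: Authenticated Centrify session
    :param create_secret_folder: Fixture to create secret Folder & yield folder related details
    :param users_and_roles: Fixture to create random user with PAS Power Rights
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
    """
    secret_folder_details = create_secret_folder
    folder_id = secret_folder_details['ID']
    folders_list = cleanup_secrets_and_folders[1]

    # API to get new session for User A
    pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
    assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
    user_name = pas_power_user_session.auth_details['User']
    user_id = pas_power_user_session.auth_details['UserId']
    logger.info(f'User with PAS Power User Rights login successfully: user_Name: {user_name}')

    # Api to give user permissions to folder (DELETE disabled).
    # Check the 'success' flag: the response is a dict, so asserting the dict
    # itself is always true and would hide a failed grant.
    user_permissions_result = give_user_permissions_to_folder(core_session, user_name, user_id, folder_id, 'View')
    assert user_permissions_result['success'], \
        f'Not Able to set user permissions to folder{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Delete folder for User A should fail
    del_result = del_folder(pas_power_user_session, folder_id)
    assert del_result['success'] is False, f'Able to delete the folder:{del_result["Result"]}'
    logger.info(f'Failed to delete the folder(DELETE Disabled):{del_result}')

    # Api to give user permissions to folder (DELETE enabled)
    user_permissions_result = give_user_permissions_to_folder(core_session, user_name, user_id, folder_id,
                                                              'View,Delete')
    assert user_permissions_result['success'], \
        f'Not Able to set user permissions to folder: {user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Delete folder for User A should pass
    del_result = del_folder(pas_power_user_session, folder_id)
    assert del_result["success"], f'Failed to delete the folder(DELETE): {del_result["Result"]}'
    logger.info(f'Deleting the folder successfully (DELETE):{del_result}')
    # The folder is gone, so take it off the cleanup list.
    folders_list.remove(folder_id)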
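def test_move_secret_to_different_folder_with_member_permission_edit_on_source_folder_for_user_a(
        core_session, users_and_roles, create_secret_inside_folder, pas_general_secrets,
        cleanup_secrets_and_folders):
    """
    test method to move a secret to another folder with "EDIT" member permissions
    on source folder for User A

    :param core_session: Authenticated Centrify Session.
    :param users_and_roles: Fixture to create New user with PAS Power Rights
    :param create_secret_inside_folder: Fixture to create text type secret inside folder &
        yields folder & secret details.
    :param pas_general_secrets: Fixture to read secret data from yaml file.
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
    """
    folder_id_list, folder_name, secret_id_list = create_secret_inside_folder
    folders_list = cleanup_secrets_and_folders[1]
    params = pas_general_secrets
    prefix = guid()
    pas_power_user = users_and_roles.get_user('Privileged Access Service Power User')
    user_name = pas_power_user.get_login_name()
    user_id = pas_power_user.get_id()

    # API to get new session for User A
    pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
    assert pas_power_user_session.auth_details is not None, 'Failed to Login with PAS Power User'
    # Log the login name only: the account password must never be written to the test log.
    logger.info(f'User with PAS Power User Rights login successfully :user_Name: {user_name}')

    # Api to give user permissions to folder.
    # Check the 'success' flag: asserting the response dict itself is always true.
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, folder_id_list[0], 'View,Grant')
    assert user_permissions_result['success'], \
        f'Not Able to set user permissions to folder{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Api to give member permissions to folder
    member_perm_result, member_perm_success = set_member_permissions_to_folder(
        core_session, user_name, 'View,Grant,Edit', user_id, folder_id_list[0])
    assert member_perm_success, \
        f'Not Able to set member permissions to Folder{member_perm_result["Result"]}'
    logger.info(f'Member permissions to folder:{member_perm_result}')

    # Api to create secret folder for User A (the move destination)
    secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(
        pas_power_user_session, prefix + params['name'], params['description'])
    logger.info(
        f' Folder created successfully: {secret_folder_success} & details are {secret_folder_parameters}'
    )
    assert secret_folder_success is True, f'Failed to create a folder {secret_folder_id}'
    folders_list.append(secret_folder_id)

    # Api to move secret into another Folder
    result_move = move_secret(pas_power_user_session, secret_id_list[0], secret_folder_id)
    assert result_move['success'], \
        f'Not Able to move the secret into Folder: {result_move["Result"]}'
    logger.info(f'Moving secret with edit permissions to another folder:{result_move}')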
def test_view_on_folders_but_not_members(core_session, create_secret_inside_folder, pas_general_secrets,
                                         users_and_roles, cleanup_secrets_and_folders):
    """
    C3054: folder-level 'View' must not expose the secrets inside the folder.
        1) Create a nested folder under the first folder from the fixture
        2) As admin, grant 'View' on folder_id_list[1] to the PAS user
        3) Log in as the PAS user
        4) Fetching the secret as that user must be refused with the
           "not authorized" message

    :param core_session: Authenticated Centrify session
    :param create_secret_inside_folder: Fixture to create secret inside folder
    :param pas_general_secrets: Fixture to read secrets related data from yaml file
    :param users_and_roles: Fixture to create random user with PAS User Rights
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folder created
    """
    parent_ids, _folder_name, secret_ids = create_secret_inside_folder
    cleanup_folders = cleanup_secrets_and_folders[1]

    # Nested folder, created by the admin session under the first fixture folder.
    nested_ok, nested_details, nested_id = create_folder(
        core_session,
        pas_general_secrets['name'],
        pas_general_secrets['description'],
        parent=parent_ids[0])
    assert nested_ok, f'Failed to create nested folder, API response result: {nested_id}'
    logger.info(f'Nested Folder created successfully, details are: {nested_details}')
    # Inserted at the front of the cleanup list (presumably so the child is
    # removed before its parent; confirm against the cleanup fixture).
    cleanup_folders.insert(0, nested_id)

    # Session for the low-privilege PAS user.
    pas_user_session = users_and_roles.get_session_for_user('Privileged Access Service User')
    assert pas_user_session.auth_details, 'Failed to Login with PAS User'
    login_name = pas_user_session.auth_details['User']
    login_id = pas_user_session.auth_details['UserId']
    logger.info(f'User with PAS User Rights login successfully: user_Name:{login_name}')

    # Folder-level 'View' only; no member permissions are granted.
    grant = give_user_permissions_to_folder(core_session, login_name, login_id, parent_ids[1], 'View')
    assert grant['success'], \
        f'Not Able to set user permissions to folder, API response result:{grant["Result"]}'
    logger.info(f'User Permissions to folder: {grant}')

    # The secret lookup must be denied, and denied for the expected reason.
    lookup = get_secret(pas_user_session, secret_ids[0])
    denial_text = 'You are not authorized to perform this operation.'
    was_denied = lookup['success'] is False and denial_text in lookup["Message"]
    assert was_denied, \
        f'Able to find the secret without view permissions, API response result:{lookup["Message"]}'
    logger.info(f'Not able to find th secret with pas user: {lookup["Message"]}')
def test_add_folder_permission_on_destination_folder_to_move_into_it(
        core_session, users_and_roles, create_secret_folder, pas_general_secrets,
        cleanup_secrets_and_folders):
    """
    C3033: moving a folder into a destination requires 'Add' on that destination.
        1) As cloud admin, grant User A 'View,Edit' (no 'Add') on the destination folder
        2) Log in as User A and create a folder of their own
        3) Moving that folder into the destination must fail

    :param core_session: Authenticated Centrify Session
    :param users_and_roles: Fixture to create New user with PAS Power Rights
    :param create_secret_folder: Fixture to create secret Folder & yield folder related details
    :param pas_general_secrets: Fixture to read secrets related data from yaml file
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
    """
    cleanup_folders = cleanup_secrets_and_folders[1]
    destination_id = create_secret_folder['ID']
    unique_suffix = guid()

    # Session for User A
    user_a_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
    assert user_a_session.auth_details is not None, 'Failed to Login with PAS Power User'
    login_name = user_a_session.auth_details['User']
    login_id = user_a_session.auth_details['UserId']
    logger.info(f'User with PAS Power User Rights login successfully: user_Name: {login_name}')

    # 'View,Edit' on the destination; 'Add' is deliberately left out.
    grant = give_user_permissions_to_folder(core_session, login_name, login_id, destination_id, 'View,Edit')
    assert grant['success'], f'Not able to set permissions to folder:{grant["Result"]}'
    logger.info(f'Permissions to folder: {grant}')

    # Folder that User A creates and will try to move.
    created, created_details, source_id = create_folder(
        user_a_session,
        pas_general_secrets['name'] + unique_suffix,
        pas_general_secrets['description'])
    assert created, f'Failed to create a folder{created_details["Message"]} '
    logger.info(f' Folder created successfully: {created} & details are {created_details}')
    cleanup_folders.append(source_id)

    # The move into the destination must be rejected.
    move_outcome = move_folder(user_a_session, source_id, destination_id)
    assert move_outcome['success'] is False, \
        f'Able to move the secret into Folder: {move_outcome["Result"]}'
    logger.info(f'Moving Folder without ADD permissions:{move_outcome["Message"]}')
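def test_edit_folder_permission_to_rename_folder(core_session, create_secret_folder, pas_general_secrets,
                                                 users_and_roles, cleanup_secrets_and_folders):
    """
    C3031: test method to login with cloud admin
        1) Enable Edit folder permission for UserA, Login with User A
        2) Edit the name of the folder created
        3) Verify the folder name is edited successfully.

    :param core_session: Authenticated Centrify session
    :param create_secret_folder: Fixture to create secret Folder & yield folder related details
    :param pas_general_secrets: Fixture to read secrets related data from yaml file
    :param users_and_roles: Fixture to create random user with PAS Power Rights
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
    """
    secret_folder_details = create_secret_folder
    folder_id = secret_folder_details['ID']
    folder_name = secret_folder_details['Name']
    folder_prefix = guid()
    folder_params = pas_general_secrets

    # API to get new session for User A
    pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
    assert pas_power_user_session.auth_details is not None, 'Failed to Login with PAS Power User'
    user_name = pas_power_user_session.auth_details['User']
    user_id = pas_power_user_session.auth_details['UserId']
    logger.info(f'User with PAS Power User Rights login successfully: user_Name: {user_name}')

    # Api to give user permissions to folder (EDIT enabled).
    # Check the 'success' flag: asserting the response dict itself is always true.
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, folder_id, 'View,Edit')
    assert user_permissions_result['success'], \
        f'Not Able to set user permissions to folder{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Edit the name of the folder created, acting as User A
    result = update_folder(
        pas_power_user_session, folder_id, folder_name,
        folder_prefix + folder_params['mfa_folder_name_update'])
    assert result['success'], f'Folder name is not updated: {result["Message"]} '
    logger.info(f'Folder name is updated: {result["success"]} {result["Message"]}')

    # Read the folder back with the admin session to confirm the rename took effect.
    result_folder = get_folder(core_session, folder_id)
    logger.info(f'Updated Folder details: {result_folder}')
    name_updated = result_folder["Result"]["Results"][0]["Row"]["Name"]
    # NOTE(review): the literal below presumably matches the yaml value of
    # 'mfa_folder_name_update'; confirm, or compare against the name sent above.
    assert 'MFAOnParentFolderUpdate' in name_updated, \
        f'Failed to update the name{result_folder["Result"]["Results"][0]["Row"]["Name"]}'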
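def test_cant_add_folder_if_you_dont_have_add_permission_on_parent_folder(
        core_session, create_secret_folder, pas_general_secrets, users_and_roles):
    """
    test method to not able to add a child Folder inside a Parent Folder
    when ADD permissions are not enabled for the Parent Folder

    :param core_session: Authenticated Centrify Session
    :param create_secret_folder: Fixture to create a folder & yields folder related details
    :param pas_general_secrets: Fixture to read secret data from yaml file
    :param users_and_roles: Fixture to create a random user with PAS Power Rights
    """
    secret_folder_details = create_secret_folder
    folder_id = secret_folder_details['ID']
    folder_params = pas_general_secrets

    # API to get new session for User A
    pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
    assert pas_power_user_session.auth_details is not None, 'Failed to Login with PAS Power User'
    user_name = pas_power_user_session.auth_details['User']
    user_id = pas_power_user_session.auth_details['UserId']
    logger.info(f'User with PAS Power User Rights login successfully: user_Name: {user_name}')

    # Api to give user permissions to folder ('View' only, no 'Add').
    # Check the 'success' flag: asserting the response dict itself is always
    # true, and a negative test needs its precondition to have really applied.
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, folder_id, 'View')
    assert user_permissions_result['success'], \
        f'Not Able to set user permissions to folder{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Api to give member permissions to folder
    member_perm_result, member_perm_success = set_member_permissions_to_folder(
        core_session, user_name, 'View,Grant', user_id, folder_id)
    assert member_perm_success, \
        f'Not Able to set member permissions to Folder{member_perm_result["Result"]}'
    logger.info(f'Member permissions to folder:{member_perm_result}')

    folder_prefix = guid()

    # Creating a child folder as the PAS Power User must be rejected
    folder_success, folder_parameters, child_folder_id = create_folder(
        pas_power_user_session,
        folder_prefix + folder_params['name'],
        folder_params['description'],
        parent=folder_id)
    assert folder_success is False, \
        f'Added subfolder without ADD permissions for the folder:{child_folder_id}'
    logger.info(f'Add Folder without ADD permissions: {folder_success}{folder_parameters}')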
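def test_should_not_able_to_move_secret_into_folder_that_do_not_have_add_permissions_on(
        core_session, users_and_roles, added_secrets, create_secret_folder):
    """
    test method to not able to move a secret(with EDIT permissions)
    to a folder(with no ADD permissions)

    :param core_session: Authenticated Centrify Session
    :param users_and_roles: Fixture to create New user with PAS Power Rights
    :param added_secrets: Fixture to create text type secret & yield secret id, secret_name
    :param create_secret_folder: Fixture to create secret Folder & yield folder related details
    """
    added_text_secret_id, added_text_secret_name = added_secrets
    secret_folder_details = create_secret_folder
    folder_id = secret_folder_details['ID']
    application_management_user = users_and_roles.get_user('Privileged Access Service Power User')
    user_name = application_management_user.get_login_name()
    user_id = application_management_user.get_id()

    # Api to set Edit permissions to secret
    text_type_secret_result, text_type_secret_success = set_users_effective_permissions(
        core_session, user_name, 'View,Grant,Edit', user_id, added_text_secret_id[0])
    assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}'
    logger.info(f'setting permissions for text type secret: : {text_type_secret_success}')

    # Api to set permissions with folder ('View,Grant', no 'Add')
    permissions = give_user_permissions_to_folder(core_session, user_name, user_id, folder_id, 'View,Grant')
    assert permissions['success'], f'Not able to set permissions to folder:{permissions["Result"]}'
    logger.info(f'Permissions to folder: {permissions}')

    # API to get new session for User A
    application_management_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Power User')
    assert application_management_session.auth_details is not None, 'Failed to Login with PAS Power User'
    # Log the login name only: the account password must never be written to the test log.
    logger.info(f'User with PAS Power User Rights login successfully :user_Name: {user_name}')

    # Api to move secret into Folder; must be rejected without 'Add' on the folder
    result_move = move_secret(application_management_session, added_text_secret_id[0], folder_id)
    assert result_move['success'] is False, \
        f'Able to move the secret into Folder: {result_move["Result"]}'
    logger.info(f'Moving secret with edit permissions:{result_move["Message"]}')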
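def test_create_secret_in_folder_with_permissions(core_session, users_and_roles, secret_folder, secret_cleaner):
    """
    A PAS Power User who has been granted 'View,Add' on a folder can create a
    text secret in it.

    :param core_session: Session used to grant the folder permission
    :param users_and_roles: Fixture providing the PAS Power User and a session for it
    :param secret_folder: Folder details (this test reads 'ID')
    :param secret_cleaner: List the created secret is appended to for cleanup
    """
    # The original comment states the folder is created by the administrator
    # account, so the other user can add a secret only through the explicit
    # 'View,Add' grant made below.
    application_management_user = users_and_roles.get_user('Privileged Access Service Power User')
    application_management_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Power User')
    user_name = application_management_user.get_login_name()
    user_id = application_management_user.get_id()
    folder_id = secret_folder['ID']

    # Verify the grant applied, so a later failure points at secret creation
    # and not at a missing permission.
    permissions = give_user_permissions_to_folder(core_session, user_name, user_id, folder_id, 'View,Add')
    assert permissions['success'], f'Not able to set permissions to folder:{permissions["Result"]}'

    secret_prefix = guid()
    secret_parameters = {
        'SecretName': secret_prefix + '_test_text_secret',
        'SecretText': secret_prefix + ' my secret',
        'Type': 'Text',
        'Description': secret_prefix + ' my secret description',
        'FolderId': folder_id
    }

    logger.info(
        f'Creating secret in other user\'s folder with View,Add permissions {secret_parameters["SecretName"]}'
    )
    result = application_management_session.post(EndPoints.SECRET_ADD, secret_parameters).json()
    assert result['success'] is True, \
        f'Unable to create a secret in another user\'s folder when given permissions to. ' \
        f'{json.dumps(secret_parameters)} {json.dumps(result)}'
    secret_cleaner.append(result['Result'])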
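def test_have_delete_permission_on_parent_should_be_able_to_delete_child_members(
        core_session, users_and_roles, create_secret_inside_folder, pas_general_secrets):
    """
    C3000: Have delete permission on parent, should be able to delete child members

    :param core_session: Authenticated Centrify Session.
    :param users_and_roles: Fixture to create New user with PAS Power Rights
    :param create_secret_inside_folder: Fixture to create text type secret inside folder &
        yields folder & secret details.
    :param pas_general_secrets: Fixture to read secret data from yaml file.
    """
    folder_id_list, folder_name, secret_id_list = create_secret_inside_folder
    pas_power_user = users_and_roles.get_user('Privileged Access Service Power User')
    user_name = pas_power_user.get_login_name()
    user_id = pas_power_user.get_id()

    # Getting new session for User A
    pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
    assert pas_power_user_session.auth_details is not None, 'Failed to Login with PAS Power User'
    # Log the login name only: the account password must never be written to the test log.
    logger.info(f'User with PAS Power User Rights login successfully :user_Name: {user_name}')

    # Api to give user permissions to folder.
    # Check the 'success' flag: asserting the response dict itself is always true.
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, folder_id_list[0], 'View,Grant')
    assert user_permissions_result['success'], \
        f'Not Able to set user permissions to folder{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Api to give member permissions(Delete) to folder
    member_perm_result, member_perm_success = set_member_permissions_to_folder(
        core_session, user_name, 'View,Grant,Delete,Retrieve', user_id, folder_id_list[0])
    assert member_perm_success, \
        f'Not Able to set member permissions to Folder{member_perm_result["Result"]}'
    logger.info(f'Member permissions to folder:{member_perm_result}')

    # Api to delete the child secret
    deleted_secret_id = secret_id_list[0]
    del_success, del_result = del_secret(pas_power_user_session, deleted_secret_id)
    assert del_success, f'Not Able to delete the child secret: {del_result}'
    # Drop only the secret that was actually deleted. Removing entries while
    # iterating the same list skips elements, and any other secrets in the
    # list were not deleted here (presumably the fixture still has to clean
    # them up; confirm against create_secret_inside_folder).
    secret_id_list.remove(deleted_secret_id)
    logger.info(f'Able to delete the child secret:{del_result}')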
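def test_create_secrets_with_Add_permission(core_session, users_and_roles, create_secret_folder,
                                            pas_general_secrets, cleanup_secrets_and_folders):
    """
    C283792: Users can create secrets at the root or inside a folder
    if they have Add permission on the folder

    :param core_session: Authenticated Centrify Session
    :param users_and_roles: Fixture to create random user with rights
    :param create_secret_folder: Fixture to create secret folder
    :param pas_general_secrets: Fixture to read secrets data from yaml file
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
    """
    secrets_params = pas_general_secrets
    folder_id = create_secret_folder['ID']
    secrets_list = cleanup_secrets_and_folders[0]

    # Getting new session for UserB with PAS Power User Rights
    pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
    assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
    user_name = pas_power_user_session.auth_details['User']
    user_id = pas_power_user_session.auth_details['UserId']
    logger.info(f'UserB with PAS Power User Rights login successfully: user_Name: {user_name}')

    # Setting folder permissions(Add, Edit & View) for UserB.
    # Check the 'success' flag: asserting the response dict itself is always true.
    # NOTE(review): this rights string has spaces after the commas, unlike the
    # other tests in this file ('View,Add'); confirm the API accepts both forms.
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, folder_id, 'View, Add, Edit')
    assert user_permissions_result['success'], \
        f'Failed to set user permissions to folder{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Creating secrets inside the folder as UserB
    added_text_secret_success, added_text_secret_result = create_text_secret_within_folder(
        pas_power_user_session,
        secrets_params['secret_name'],
        secrets_params['secret_text'],
        secrets_params['secret_description'],
        folder_id)
    assert added_text_secret_success, \
        f'Failed to create secret in another user\'s folder.{added_text_secret_result}'
    logger.info(f'Secret Created successfully: {added_text_secret_success}')
    logger.info(
        f'successfully added secret in userB folder with Add permissions: {added_text_secret_result}'
    )
    # Nothing is deleted here; the secret is only handed to the cleanup list.
    secrets_list.append(added_text_secret_result)
    logger.info(f'Added Secret queued for cleanup: {secrets_list}')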
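def test_delete_permission_on_parent_folder_but_not_on_sub_folder(
        core_session, create_folder_inside_folder, users_and_roles, cleanup_secrets_and_folders):
    """
    C3044: test method to Login as cloud admin
        1) Enable "Delete" folder permissions on a parent folder for UserA
        2) Login as UserA
        3) Verify sub folders should be deleted

    :param core_session: Authenticated Centrify session
    :param create_folder_inside_folder: Fixture to create folder inside folder &
        yields nested_folder, parent_folder details
    :param users_and_roles: Fixture to create random user with PAS Power Rights
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
    """
    parent_folder_info, nested_folder_info, nested_folder_id = create_folder_inside_folder
    parent_folder_id = parent_folder_info['ID']
    folders_list = cleanup_secrets_and_folders[1]

    # API to get new session for User A
    pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
    assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
    user_name = pas_power_user_session.auth_details['User']
    user_id = pas_power_user_session.auth_details['UserId']
    logger.info(f'User with PAS Power User Rights login successfully: user_Name: {user_name}')

    # Api to give user permissions to the parent folder (DELETE enabled).
    # Check the 'success' flag: asserting the response dict itself is always true.
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, parent_folder_id, 'View,Delete')
    assert user_permissions_result['success'], \
        f'Not Able to set user permissions to folder{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Deleting the nested folder as User A should pass; the grant was made on
    # the parent only.
    del_result = del_folder(pas_power_user_session, nested_folder_id)
    del_success = del_result['success']
    result = del_result['Result']
    assert del_success, f'Failed to delete Sub folder :{result}'
    logger.info(f'Able to delete Sub folder successfully:{del_result}')
    # The nested folder is gone, so take it off the cleanup list.
    folders_list.remove(nested_folder_id)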
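def test_delete_permission_on_secret_but_not_on_folder(
        core_session, create_secret_inside_folder, users_and_roles):
    """
    test method to Delete permission on secret but not on folder

    :param core_session: Authenticated Centrify Session.
    :param create_secret_inside_folder: Fixture to create text type secret inside folder &
        yields folder id , folder name & secret id
    :param users_and_roles: Fixture to create New user with PAS Power Rights
    """
    folder_id_list, folder_name, secret_id_list = create_secret_inside_folder
    pas_power_user = users_and_roles.get_user('Privileged Access Service Power User')
    user_name = pas_power_user.get_login_name()
    user_id = pas_power_user.get_id()

    pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
    assert pas_power_user_session.auth_details is not None, 'Failed to Login with PAS Power User'
    # Log the login name only: the account password must never be written to the test log.
    logger.info(f'User with PAS Power User Rights login successfully :user_Name: {user_name}')

    # Api to give user permissions to folder ('View' only).
    # Check the 'success' flag: asserting the response dict itself is always true.
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, folder_id_list[0], 'View')
    assert user_permissions_result['success'], \
        f'Not Able to set user permissions to folder{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Api to set DELETE permissions to secret
    text_type_secret_result, text_type_secret_success = set_users_effective_permissions(
        core_session, user_name, 'View,Delete,Retrieve', user_id, secret_id_list[0])
    assert text_type_secret_success, \
        f'Failed to Set Member permissions to secret:{text_type_secret_result}'
    logger.info(f'Setting Member permissions for secret: {text_type_secret_success}')

    # Api to delete the child secret
    del_success, del_result = del_secret(pas_power_user_session, secret_id_list[0])
    assert del_success, f'Not Able to delete the child secret: {del_result}'
    # The secret is gone, so take it out of the fixture's list.
    secret_id_list.remove(secret_id_list[0])
    logger.info(f'Able to delete the child secret: {del_result}')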
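def test_delete_folder_with_child(core_session, create_folder_inside_folder, users_and_roles,
                                  cleanup_secrets_and_folders):
    """
    C30821: test method to Login as cloud admin
        1) Enable "Delete" folder permissions on a folder for UserA
        2) Login as UserA
        3) Verify you cannot delete folder with a child inside it

    :param core_session: Authenticated Centrify session
    :param create_folder_inside_folder: Fixture to create folder inside folder &
        yields nested_folder & parent_folder details
    :param users_and_roles: Fixture to create random user with PAS Power Rights
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
    """
    parent_folder_info, nested_folder_info, nested_folder_id = create_folder_inside_folder
    parent_folder_id = parent_folder_info['ID']

    # API to get new session for User A
    pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
    assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
    user_name = pas_power_user_session.auth_details['User']
    user_id = pas_power_user_session.auth_details['UserId']
    logger.info(f'User with PAS Power User Rights login successfully: user_Name: {user_name}')

    # Api to give user permissions to folder (DELETE enabled)
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, parent_folder_id, 'View,Delete')
    assert user_permissions_result['success'], \
        f'Not Able to set user permissions to folder{user_permissions_result["Result"]}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Deleting the parent folder while it still has a child must fail for
    # User A. The messages describe that expected outcome; the original
    # wording read as if a successful delete had been expected.
    del_result = del_folder(pas_power_user_session, parent_folder_id)
    assert del_result['success'] is False, \
        f'Able to delete a folder that still has a child:{del_result["Message"]}'
    logger.info(f'Not able to delete folder with a child:{del_result}')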
def test_inherited_permissions_after_move(core_session,
                                          create_secret_inside_folder,
                                          create_secret_folder,
                                          cleanup_secrets_and_folders,
                                          users_and_roles):
    """
    C3058: Inherited permissions after move.

    A secret is moved by a restricted user from its original folder into a
    second folder whose member permissions are wider, and the secret's
    effective permissions are then compared with the target folder's set.

    :param core_session: Authenticated Centrify Session
    :param create_secret_inside_folder: Fixture to create secret inside Folder & yields folder &
        secret related details
    :param create_secret_folder: Fixture to create Folder & yields folder related details
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folder created
    :param users_and_roles: Fixture to create random user
    """
    source_folder_ids, _source_folder_name, secret_ids = create_secret_inside_folder
    source_folder_id = source_folder_ids[0]
    moved_secret_id = secret_ids[0]
    target_folder_id = create_secret_folder['ID']

    # Session for the restricted user (User A)
    user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Power User')
    auth = user_session.auth_details
    assert auth, 'Failed to Login with PAS Power User'
    user_name, user_id = auth['User'], auth['UserId']
    logger.info(
        f'User with PAS Power User Rights login successfully: user_Name: {user_name}')

    # Folder-level grants: View on the source, View+Add on the target
    source_grant = give_user_permissions_to_folder(
        core_session, user_name, user_id, source_folder_id, 'View')
    assert source_grant['success'], (
        f'Not able to set permissions to folder:{source_grant["Result"]}')
    logger.info(f'Permissions to folder: {source_grant}')

    target_grant = give_user_permissions_to_folder(
        core_session, user_name, user_id, target_folder_id, 'View,Add')
    assert target_grant['success'], (
        f'Not able to set permissions to folder:{target_grant["Result"]}')
    logger.info(f'Permissions to folder: {target_grant}')

    # Member-level grants: narrow on the source, wide on the target.
    # The helper returns (result, success) in that order.
    member_result, member_ok = set_member_permissions_to_folder(
        core_session, user_name, 'View,Edit', user_id, source_folder_id)
    assert member_ok, (
        f'Not Able to set member permissions to Folder, API response result: {member_result}')
    logger.info(f'Member permissions to folder:{member_result}')

    member_result, member_ok = set_member_permissions_to_folder(
        core_session, user_name, 'View,Edit,Grant,Retrieve,Delete', user_id,
        target_folder_id)
    assert member_ok, (
        f'Not Able to set member permissions to Folder, API response result: {member_result}')
    logger.info(f'Member permissions to folder:{member_result}')

    # Move the secret into the target folder as the restricted user
    move_response = move_secret(user_session, moved_secret_id,
                                target_folder_id)
    assert move_response['success'], (
        f'Not Able to move secret into new Folder. API response result: {move_response["Result"]}')
    logger.info(
        f'Able to move the secret into new folder:{move_response["Message"]}')

    # The comparison is an exact list match, so element order matters too.
    expected_permissions = ['View', 'Edit', 'Delete', 'Grant', 'Retrieve']
    effective_permissions = get_users_effective_secret_permissions(
        core_session, moved_secret_id)
    assert effective_permissions == expected_permissions, (
        f'Failed to inherit secret permissions from new parent folder. API response result: {effective_permissions}')
    logger.info(
        f'Secret permissions are inherited from new parent folder.: {effective_permissions}')
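def test_user_need_retrieve_secret_permission_to_delete(
        core_session, pas_general_secrets, cleanup_secrets_and_folders,
        users_and_roles):
    """
    C283961: User needs Retrieve Secret permission to retrieve secret contents.

    With member permissions 'View,Delete' on the folder the user's retrieve
    request must be refused. After 'Retrieve' is added, the same user deletes
    the secret.

    :param core_session: Authenticated Centrify Session
    :param users_and_roles: Fixture to create random user with pas user rights
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
    :param pas_general_secrets: Fixture to read secrets data from yaml file
    """
    folder_params = pas_general_secrets
    folder_prefix = guid()
    folders_list = cleanup_secrets_and_folders[1]

    secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(
        core_session, folder_params['name'] + folder_prefix,
        folder_params['description'])
    assert secret_folder_success, f'Failed to create a folder{secret_folder_id} '
    logger.info(
        f' Folder created successfully: {secret_folder_success} & details are {secret_folder_parameters}')
    folders_list.append(secret_folder_id)

    added_text_secret_success, added_text_secret_result = create_text_secret_within_folder(
        core_session, folder_prefix + folder_params['secret_name'],
        folder_params['secret_text'], folder_params['secret_description'],
        secret_folder_id)
    logger.info(f'Secret Created successfully: {added_text_secret_success}')
    assert added_text_secret_success, f'Unable to create secret {added_text_secret_result}'

    # API to get new session for User A
    pas_power_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Power User')
    assert pas_power_user_session.auth_details, 'Failed to Login with PAS User'
    user_name = pas_power_user_session.auth_details['User']
    user_id = pas_power_user_session.auth_details['UserId']
    # The whole auth_details object used to be logged here. Its contents are
    # not visible in this file and may include session material, so only the
    # login name is written to the log.
    logger.info(
        f'User with PAS User Rights login successfully: user_Name:{user_name}')

    # Api to give user permissions to folder
    user_permissions = give_user_permissions_to_folder(
        core_session, user_name, user_id, secret_folder_id, 'View')
    assert user_permissions['success'], \
        f'Not Able to set user permissions to folder{user_permissions["Result"]}'
    logger.info(f'User Permissions to folder: {user_permissions}')

    # Api to disable member permissions Retrieve in folder
    member_perm_result, member_perm_success = set_member_permissions_to_folder(
        core_session, user_name, 'View,Delete', user_id, secret_folder_id)
    assert member_perm_success, f'Not Able to set member permissions to Folder: {member_perm_result}'
    logger.info(f'Member permissions to folder:{member_perm_result}')

    # Retrieve without the Retrieve permission must be refused.
    retrieve_success, retrieve_result, retrieve_message = retrieve_secret(
        pas_power_user_session, added_text_secret_result)
    # NOTE(review): if this check ever fails, retrieve_result presumably
    # holds the retrieved contents and would be printed in the assertion
    # message - confirm what retrieve_secret returns.
    assert retrieve_success is False, \
        f'Users {user_name} have permission to retrieve the secret: {retrieve_result}'
    # The previous wording of this message suggested the user did hold
    # "Retrieve"; it now states the outcome that was just asserted.
    logger.info(
        f'Retrieve was refused without "Retrieve" permission:{retrieve_message}')

    # Api to give member permissions to folder (Retrieve added)
    member_perm_result, member_perm_success = set_member_permissions_to_folder(
        core_session, user_name, 'View,Delete,Retrieve', user_id,
        secret_folder_id)
    assert member_perm_success, f'Not Able to set member permissions to Folder: {member_perm_result}'
    logger.info(f'Member permissions to folder:{member_perm_result}')

    del_success, del_result = del_secret(pas_power_user_session,
                                         added_text_secret_result)
    assert del_success, f'Not Able to delete the child secret: {del_result}'
    logger.info(f'Secret is Successfully deleted:{del_result}')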
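def test_delete_mfa_policy_on_secret(core_session, pas_general_secrets,
                                     clean_up_policy, users_and_roles):
    """
    C283962: MFA policy on Secret, verify challenged.

    An authentication profile is attached to a secret; a user with Delete
    rights then tries to delete it, must be answered with a challenge, and
    can complete the delete only after passing that challenge.

    :param core_session: Authenticated Centrify session
    :param pas_general_secrets: Fixture to read secrets data from yaml file
    :param clean_up_policy: Fixture to cleanup the policy created
    :param users_and_roles: Fixture to create new user with restricted rights
    """
    secrets_params = pas_general_secrets
    suffix = guid()

    # Create a folder A
    secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(
        core_session, secrets_params['mfa_folder_name'] + suffix,
        secrets_params['description'])
    assert secret_folder_success, f'Failed to create a folder {secret_folder_id}'
    logger.info(f' Folder created successfully: {secret_folder_success} ')
    secret_folder_parameters['ID'] = secret_folder_id

    # Create a secret under A folder
    added_secret_success, added_secret_id = create_text_secret_within_folder(
        core_session, secrets_params['mfa_secret_name'] + suffix,
        secrets_params['secret_text'], secrets_params['secret_description'],
        secret_folder_id)
    assert added_secret_success, f"Added Secret Failed {added_secret_id}"
    logger.info(f'Added secrets info {added_secret_success, added_secret_id}')

    # Getting details of the secret
    found_secret = get_secret(core_session, added_secret_id)
    assert found_secret['success'], \
        f'Failed to get the details of the secret , API response result:{found_secret["Message"]}'
    logger.info(f'Getting details of the secret: {found_secret}')
    secret_name = found_secret['Result']['SecretName']

    challenges = ["UP", ""]
    # Creating new policy
    policy_result = PolicyManager.create_new_auth_profile(
        core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0)
    assert policy_result, f'Failed to create policy, API response result:{policy_result}'
    logger.info(f' Creating new policy:{policy_result}')
    clean_up_policy.append(policy_result)

    # Applying MFA on Secret
    result = update_secret(
        core_session, added_secret_id, secret_name,
        description=secrets_params['mfa_secret_description'],
        policy_id=policy_result)
    assert result['success'], \
        f' Failed to apply MFA on the secret, API response result:{result["Message"]} '
    logger.info(f'MFA Applied on the secret: {result}')

    # Getting new session for User
    pas_power_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Power User')
    assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
    user_name = pas_power_user_session.auth_details['User']
    user_id = pas_power_user_session.auth_details['UserId']
    logger.info(
        f'User with PAS Power User Rights login successfully: user_Name: {user_name}'
    )

    # Api to give user permissions to folder
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, secret_folder_id,
        'Grant,View,Delete')
    # The response is a dict and therefore always truthy; check the flag so a
    # rejected grant fails here instead of surfacing later.
    assert user_permissions_result['success'], \
        f'Failed to set user permissions to folder{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Api to set DELETE permissions to folder
    member_perm_result, member_perm_success = set_member_permissions_to_folder(
        core_session, user_name, 'Grant,View,Delete,Retrieve', user_id,
        secret_folder_id)
    assert member_perm_success, f'Failed to set member permissions to Folder{member_perm_result["Result"]}'
    logger.info(f'Member permissions to folder:{member_perm_result}')

    # Delete secret with Mfa Authentication: the first attempt has to come
    # back with a challenge instead of deleting the secret.
    del_success, del_result = del_secret(pas_power_user_session,
                                         added_secret_id)
    # This is the control under test. Without an explicit check, a delete
    # that went through unchallenged would only show up as a KeyError or
    # TypeError on the lookup below.
    assert isinstance(del_result, dict) and del_result.get('ChallengeId'), \
        f'Delete was not answered with an MFA challenge (success={del_success}): {del_result}'
    challenge_id = del_result['ChallengeId']

    # StartChallenge MFA Authentication
    session, mechanism = pas_power_user_session.start_mfa_authentication(
        user_name, challenge_id)

    # AdvanceAuthentication MFA to Password
    result = pas_power_user_session.advance_authentication(
        answer=pas_power_user_session.user.user_input.password,
        session_id=session,
        mechanism_id=mechanism)
    # NOTE(review): this relies on the truthiness of the returned object;
    # confirm it reflects the authentication outcome and not only transport
    # success.
    assert result, "Password Authentication Failed"
    logger.info(f'Advance authentication: {result}')

    # After Authentication of MFA delete the secret under folder
    del_secret_success, del_secret_result = del_secret_mfa(
        pas_power_user_session, added_secret_id,
        ChallengeStateId=challenge_id)
    assert del_secret_success, f'User: {user_name} failed to delete secret from this folder: {secret_folder_id}'
    logger.info(
        f'User: {user_name} deleted secret: '
        f'{added_secret_id} successfully from this folder: {secret_folder_id}')

    # Delete folder (del_folder returns a response dict; check its flag)
    del_folder_res = del_folder(core_session, secret_folder_id)
    assert del_folder_res['success'], \
        f'User: {user_name} failed to delete folder: {secret_folder_id}'
    logger.info(
        f'User: {user_name} successfully deleted folder: {secret_folder_id}')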
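def test_delete_secret_with_mfa_on_parent(core_session, pas_general_secrets,
                                          clean_up_policy, users_and_roles,
                                          create_secret_inside_folder,
                                          cleanup_secrets_and_folders):
    """
    C283963: MFA policy on Parent folder, verify challenged.

    The authentication profile is attached to the parent folder only; a
    delete of the secret inside it must be answered with a challenge and
    succeed after the challenge is passed. The policy is detached from the
    folder again at the end of the test.

    :param core_session: Authenticated Centrify Session
    :param pas_general_secrets: fixture to read secrets related data from yaml file
    :param clean_up_policy: Fixture to cleanup the policy created
    :param users_and_roles: Fixture to create new user with restricted rights
    :param create_secret_inside_folder: Fixture to create secrets inside folder & yields secrets &
        folders data
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
    """
    secrets_params = pas_general_secrets
    suffix = guid()
    folder_id_list, folder_name, secret_id_list = create_secret_inside_folder
    secrets_list = cleanup_secrets_and_folders[0]

    challenges = ["UP", ""]
    # Creating new policy
    policy_result = PolicyManager.create_new_auth_profile(
        core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0)
    assert policy_result, f'Failed to create policy, API response result:{policy_result}'
    logger.info(f' Creating new policy:{policy_result}')
    clean_up_policy.append(policy_result)

    # Updating the Folder(Applying MFA)
    result = update_folder(
        core_session, folder_id_list[0], folder_name, folder_name,
        description=secrets_params['mfa_folder_description'],
        policy_id=policy_result)
    assert result['success'], \
        f' Failed to apply MFA on folder, API response result: {result["Message"]} '
    logger.info(f'MFA Applied on Folder: {result}')

    # Getting new session for User A
    pas_power_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Power User')
    assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
    user_name = pas_power_user_session.auth_details['User']
    user_id = pas_power_user_session.auth_details['UserId']
    logger.info(
        f'User with PAS Power User Rights login successfully: user_Name: {user_name}'
    )

    # Api to give user permissions to folder
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, folder_id_list[0], 'View')
    # The response is a dict and therefore always truthy; check the flag.
    assert user_permissions_result['success'], \
        f'Failed to set user permissions to folder{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Api to set DELETE permissions folder
    member_perm_result, member_perm_success = set_member_permissions_to_folder(
        core_session, user_name, 'Grant,View,Delete,Retrieve', user_id,
        folder_id_list[0])
    assert member_perm_success, f'Failed to set member permissions to Folder{member_perm_result["Result"]}'
    logger.info(f'Member permissions to folder:{member_perm_result}')

    # Delete secret with Mfa Authentication: the first attempt has to come
    # back with a challenge instead of deleting the secret.
    del_success, del_result = del_secret(pas_power_user_session,
                                         secret_id_list[0])
    # Explicit check of the inherited policy: an unchallenged delete would
    # otherwise only surface as a KeyError or TypeError on the lookup below.
    assert isinstance(del_result, dict) and del_result.get('ChallengeId'), \
        f'Delete was not answered with an MFA challenge (success={del_success}): {del_result}'
    challenge_id = del_result['ChallengeId']

    # StartChallenge MFA Authentication
    session, mechanism = pas_power_user_session.start_mfa_authentication(
        user_name, challenge_id)

    # AdvanceAuthentication MFA to Password
    result = pas_power_user_session.advance_authentication(
        answer=pas_power_user_session.user.user_input.password,
        session_id=session,
        mechanism_id=mechanism)
    assert result, "Password Authentication Failed"

    # After Authentication of MFA delete the secret under folder
    del_secret_success, del_secret_result = del_secret_mfa(
        pas_power_user_session, secret_id_list[0],
        ChallengeStateId=challenge_id)
    assert del_secret_success, f'Failed to delete secret with MFA {del_secret_result} with User: {user_name}'
    logger.info(
        f'Successfully deleted secret with MFA {del_secret_result} for User: {user_name} '
    )
    # The secret is gone; take it out of the cleanup list.
    secrets_list.remove(secret_id_list[0])

    # Updating the Folder(Removing MFA)
    # NOTE(review): this only runs when every assertion above passed; on an
    # earlier failure the folder keeps the policy attached, which may get in
    # the way of the cleanup fixtures - confirm how they handle that.
    result = update_folder(
        core_session, folder_id_list[0], folder_name, folder_name,
        description=secrets_params['mfa_folder_description'])
    assert result['success'], \
        f'Failed to remove MFA on folder, API response result: {result["Message"]} '
    logger.info(f'Successfully Removed MFA on Folder: {result}')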
def test_inherited_folder_permissions_should_be_removed_if_you_move_away_from_parent(
        core_session, create_folder_inside_folder, pas_general_secrets,
        cleanup_secrets_and_folders, users_and_roles):
    """
    C3052: Inherited folder permissions should be removed if you move away from parent.

    A child folder is created under the nested folder. While the nested
    folder sits below the parent, the child's rights are the union of both
    grants; once the nested folder is moved out, only the nested folder's
    own grant is expected on the child.

    :param core_session: Authenticated Centrify Session
    :param create_folder_inside_folder: Fixture to create folder inside parent folder
    :param pas_general_secrets: Fixture to read secret data from yaml file
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
    :param users_and_roles: Fixture to create random user with PAS User rights
    """
    parent_info, _nested_info, nested_folder_id = create_folder_inside_folder
    parent_folder_id = parent_info['ID']
    unique_prefix = guid()
    secret_data = pas_general_secrets
    folders_to_clean = cleanup_secrets_and_folders[1]

    created, _child_params, child_folder_id = create_folder(
        core_session,
        unique_prefix + secret_data['name'],
        secret_data['description'],
        parent=nested_folder_id)
    assert created, (
        f'Failed to create child folder, API response result:: {child_folder_id}')
    logger.info(
        f'Child Folder created successfully: {created} & details are {child_folder_id}')
    # Inserted at the front of the cleanup list rather than appended.
    folders_to_clean.insert(0, child_folder_id)

    # Session for User A (role: Privileged Access Service User)
    user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service User')
    auth = user_session.auth_details
    assert auth, 'Failed to Login with PAS User'
    user_name, user_id = auth['User'], auth['UserId']
    logger.info(
        f'User with PAS User Rights login successfully: user_Name:{user_name}')

    # Parent folder grant: View,Delete,Edit
    grant = give_user_permissions_to_folder(
        core_session, user_name, user_id, parent_folder_id,
        'View,Delete,Edit')
    assert grant['success'], (
        f'Not Able to set user permissions to folder, API response result:{grant["Result"]}')
    logger.info(f'User Permissions to folder: {grant}')

    # Nested folder grant: View,Add
    grant = give_user_permissions_to_folder(
        core_session, user_name, user_id, nested_folder_id, 'View,Add')
    assert grant['success'], (
        f'Not Able to set user permissions to , API response result: {grant["Result"]}')
    logger.info(f'User Permissions to folder: {grant}')

    # Before the move the child is expected to show both grants combined.
    rights = SetsManager.get_collection_rights(user_session, child_folder_id)
    expected_rights = 'View, Edit, Delete, Add'
    assert expected_rights == rights["Result"], (
        f'Failed to verify permissions for the folder, API response result:{rights["Result"]}')
    logger.info(f'Permissions of the folder created: {rights}')

    # Move the nested folder; no destination id is passed to move_folder.
    move_response = move_folder(user_session, nested_folder_id)
    assert move_response['success'], (
        f'Not Able to Move Folder B1 into B11, API response result:: {move_response["Result"]}')
    logger.info(f'Moving Folder into Sub Folder:{move_response}')

    # After the move only the nested folder's own grant should remain.
    rights = SetsManager.get_collection_rights(user_session, child_folder_id)
    expected_rights = 'View, Add'
    assert expected_rights == rights["Result"], (
        f'Failed to verify permissions for the folder, API response result:{rights["Result"]}')
    logger.info(f'Permissions of the folder created: {rights}')
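def test_move_mfa_on_closest_parent_should_override(
        core_session, pas_general_secrets, create_folder_inside_folder,
        cleanup_secrets_and_folders, clean_up_policy, users_and_roles):
    """
    C283938: MFA on closest parent should override MFA on higher levels.

    Two authentication profiles are created with different challenge lists
    (["UP", ""] for the nested folder, ["SQ", ""] for the parent). A secret
    inside the nested folder is moved by a restricted user, who answers the
    challenge with the account password. Both policies are detached again at
    the end of the test.

    :param core_session: Authenticated Centrify Session
    :param pas_general_secrets: Fixture to read secret data from yaml file
    :param create_folder_inside_folder: Fixture to create nested Folder & yields folder & sub folder
        related details
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
    :param clean_up_policy: Fixture to clean up the policy created
    :param users_and_roles: Fixture to create New user with PAS Power Rights
    """
    secrets_params = pas_general_secrets
    suffix = guid()
    parent_folder_info, nested_folder_info, nested_folder_id = create_folder_inside_folder
    parent_folder_id = parent_folder_info['ID']
    parent_folder_name = parent_folder_info['Name']
    secret_list = cleanup_secrets_and_folders[0]
    challenges1 = ["UP", ""]
    challenges2 = ["SQ", ""]

    # Api to create secret within folder
    added_text_secret_success, secret_id = create_text_secret_within_folder(
        core_session, secrets_params['secret_name'] + suffix,
        secrets_params['secret_text'], secrets_params['secret_description'],
        nested_folder_id)
    assert added_text_secret_success, f'Unable to create secret {secret_id}'
    logger.info(f'Secret Created successfully: {added_text_secret_success}')
    secret_list.append(secret_id)

    # creating a new Authentication profile for nested folder
    policy_result = PolicyManager.create_new_auth_profile(
        core_session, secrets_params['policy_name'] + suffix, challenges1, 0,
        0)
    assert policy_result, f'Failed to create policy, API response result:{policy_result}'
    logger.info(f' Creating new policy:{policy_result}')
    clean_up_policy.append(policy_result)

    # creating another Authentication profile for parent folder
    policy_result_v1 = PolicyManager.create_new_auth_profile(
        core_session, secrets_params['policy_name'] + "V1" + suffix,
        challenges2, 0, 0)
    assert policy_result_v1, f'Failed to create policy, API response result:{policy_result_v1}'
    logger.info(f' Creating new policy:{policy_result_v1}')
    clean_up_policy.append(policy_result_v1)

    # Applying MFA on Nested Folder
    result = update_folder(
        core_session, nested_folder_id, nested_folder_info['Name'],
        nested_folder_info['Name'],
        description=secrets_params['mfa_folder_description'],
        policy_id=policy_result)
    assert result['success'], \
        f'Not Able to apply MFA, API response result:: {result["Message"]} '
    logger.info(f'Applying MFA for folder: {result}')

    # Applying MFA on Parent Folder
    result = update_folder(
        core_session, parent_folder_id, parent_folder_name,
        parent_folder_name,
        description=secrets_params['mfa_folder_description'],
        policy_id=policy_result_v1)
    assert result['success'], \
        f'Not Able to apply MFA, API response result:: {result["Message"]} '
    logger.info(f'Applying MFA for folder: {result}')

    # Getting User with PAS Power User rights
    pas_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Power User')
    assert pas_user_session.auth_details, 'Failed to Login with PAS Power User'
    user_name = pas_user_session.auth_details['User']
    user_id = pas_user_session.auth_details['UserId']
    logger.info(
        f'User with PAS Power User Rights login successfully: user_Name:{user_name}'
    )

    # Api to give user permissions to folder
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, parent_folder_id, 'View')
    # The response is a dict and therefore always truthy; check the flag.
    assert user_permissions_result['success'], \
        f'Not Able to set user permissions to folder{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Api to give member permissions to folder
    member_perm_result, member_perm_success = set_member_permissions_to_folder(
        core_session, user_name, 'View, Edit', user_id, parent_folder_id)
    assert member_perm_success, f'Not Able to set member permissions to Folder{member_perm_result["Result"]}'
    logger.info(f'Member permissions to folder:{member_perm_result}')

    # Move Secret with Mfa Authentication: the first attempt has to come
    # back with a challenge.
    result_secret = move_secret(pas_user_session, secret_id)
    challenge_id = (result_secret['Result'] or {}).get('ChallengeId')
    assert challenge_id, \
        f'Move was not answered with an MFA challenge: {result_secret}'

    # StartChallenge MFA Authentication
    # NOTE(review): the offered mechanism is not checked against the nested
    # folder's profile; the test relies on the password answer being accepted
    # to show that the closest policy applied - consider asserting on it.
    session, mechanism = pas_user_session.start_mfa_authentication(
        user_name, challenge_id)

    # AdvanceAuthentication MFA to Password
    advance_auth_result = pas_user_session.advance_authentication(
        answer=pas_user_session.user.user_input.password,
        session_id=session,
        mechanism_id=mechanism)
    mfa_result = advance_auth_result.json()
    # NOTE(review): this asserts on the response object's truthiness, not on
    # mfa_result["success"]; confirm the object is falsy when the challenge
    # answer is rejected.
    assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
    # Log the outcome flag only. The full authentication response body used
    # to be logged here; its contents are not visible in this file and may
    # carry session material.
    logger.info(
        f'successfully applied password authentication: {mfa_result["success"]}')

    # After Authenticating of MFA move secret with challenge password
    moved_success, moved_result = move_secret_by_using_mfa(
        pas_user_session, secret_id, ChallengeStateId=challenge_id)
    assert moved_success, f'User: {user_name} Failed to move secret with closest parent challenge: {moved_result}'
    logger.info(
        f'User: {user_name} successfully moved secret with closest parent challenge: {moved_result}'
    )

    # Removing MFA on Nested Folder
    result = update_folder(
        core_session, nested_folder_id, nested_folder_info['Name'],
        nested_folder_info['Name'],
        description=secrets_params['mfa_folder_description'])
    assert result['success'], \
        f'Failed to remove MFA, API response result: {result["Message"]} '
    logger.info(f'Removing MFA for Nested folder: {result}')

    # Removing MFA on Parent Folder
    result = update_folder(
        core_session, parent_folder_id, parent_folder_name,
        parent_folder_name,
        description=secrets_params['mfa_folder_description'])
    assert result['success'], \
        f'Failed to remove MFA, API response result: {result["Message"]} '
    logger.info(f'Removing MFA for Parent folder: {result}')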
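def test_member_permission_from_parent_or_higher_should_propagate(
        core_session, pas_general_secrets, cleanup_secrets_and_folders,
        users_and_roles):
    """
    C3053: Member permission from parent or higher should propagate all the
    way down hierarchy.

    1) create multilevel folder /alpha/beta/charlie/delta
    2) As Admin, set folder permissions "View" & member permissions
       "View, Retrieve" for the top-level parent folder
    3) Add a new secret inside the deepest folder
    4) Login as pas user
    5) Read the secret under the deepest folder with the pas user's session

    :param core_session: Authenticated Centrify session
    :param pas_general_secrets: Fixture to read secrets related data from yaml file
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
    :param users_and_roles: Fixture to create random user with PAS User Rights
    """
    params = pas_general_secrets
    folder_prefix = guid()
    folders_list = cleanup_secrets_and_folders[1]
    secrets_list = cleanup_secrets_and_folders[0]

    # creating multilevel folder /alpha/beta/charlie/delta
    child_folder_success, child_folder_parameters, child_folder_id = create_folder(
        core_session, folder_prefix + params['multi_level_folder_name'],
        params['description'])
    assert child_folder_success, f'Failed to create multilevel folder, API response result {child_folder_id}'
    logger.info(
        f'Multilevel Folder created successfully: {child_folder_success} & details are {child_folder_id}')

    # Details of the created (deepest) folder; its 'Parent' is Folder Charlie
    charlie_folder = get_folder(core_session, child_folder_id)
    assert charlie_folder['success'], \
        f'Failed to retrieve charlie folder details, API response result:{charlie_folder["Message"]}'
    logger.info(f'charlie folder details:{charlie_folder}')
    folder_row = charlie_folder['Result']['Results'][0]['Row']
    charlie_id = folder_row['Parent']

    # The first component of ParentPath names the top-level parent folder
    parent_path = folder_row['ParentPath']
    parent_folder_sliced = parent_path.split('\\')[0]

    # Getting id of parent folder
    parent_folder = get_folder(core_session, parent_folder_sliced)
    assert parent_folder['success'], \
        f'Failed to retrieve parent folder details, API response result:{parent_folder["Message"]}'
    logger.info(f'Parent folder details:{parent_folder}')
    parent_folder_id = parent_folder['Result']['Results'][0]['Row']['ID']

    # Getting details of Folder alpha
    alpha_folder = get_secrets_and_folders_in_folders(core_session,
                                                      parent_folder_id)
    assert alpha_folder['success'], f'Failed to retrieve alpha folder id, API response result: {alpha_folder["Result"]}'
    logger.info(f'Details of Alpha Folder Retrieved:{alpha_folder}')
    alpha_folder_id = alpha_folder["Result"]["Results"][0]["Entities"][0]["Key"]

    # Getting details of Folder beta
    folder_beta = get_secrets_and_folders_in_folders(core_session,
                                                     alpha_folder_id)
    assert folder_beta['success'], f'Failed to retrieve beta folder id, API response result: {folder_beta["Result"]}'
    logger.info(f'Details of Beta Folder Retrieved:{folder_beta}')
    folder_beta_id = folder_beta["Result"]["Results"][0]["Entities"][0]["Key"]

    # Register the whole tree for cleanup as soon as every id is known,
    # deepest folder first (same order as before). This used to happen after
    # the last assertion, so a failure in the permission checks below left
    # the folders, and the grants made on them, behind.
    folders_list.extend([
        child_folder_id, charlie_id, folder_beta_id, alpha_folder_id,
        parent_folder_id
    ])

    # API to get new session for User A
    pas_power_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service User')
    assert pas_power_user_session.auth_details, 'Failed to Login with PAS User'
    user_name = pas_power_user_session.auth_details['User']
    user_id = pas_power_user_session.auth_details['UserId']
    logger.info(
        f'User with PAS User Rights login successfully: user_Name:{user_name}')

    # Api to give user permissions to parent folder
    user_permissions_alpha = give_user_permissions_to_folder(
        core_session, user_name, user_id, parent_folder_id, 'View')
    assert user_permissions_alpha['success'], \
        f'Not Able to set user permissions to folder, API response result: {user_permissions_alpha["Result"]}'
    logger.info(f'User Permissions to folder: {user_permissions_alpha}')

    # Api to give member permissions(View, Retrieve) to folder
    member_perm_result, member_perm_success = set_member_permissions_to_folder(
        core_session, user_name, 'View,Retrieve', user_id, parent_folder_id)
    assert member_perm_success, \
        f'Not Able to set "View" member permissions to Folder, API response result: {member_perm_result}'
    logger.info(f'Member permissions to folder:{member_perm_result}')

    # Adding secrets inside child folder
    added_secret_success, added_secret_id = create_text_secret_within_folder(
        core_session, params['mfa_secret_name'] + folder_prefix,
        params['secret_text'], params['secret_description'], child_folder_id)
    assert added_secret_success, f"Added Secret Failed, API response result: {added_secret_id}"
    logger.info(f'Added secrets info: {added_secret_id}')
    secrets_list.append(added_secret_id)

    # Getting details of the Secret Added, using the restricted user's session
    get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
        pas_power_user_session, added_secret_id)
    secret_name_pas = get_secret_details['SecretName']
    # NOTE(review): only the secret name is asserted; get_secret_success and
    # get_secret_text are not checked, so the propagated "Retrieve" right is
    # not verified directly - confirm the helper's contract and consider
    # asserting on them. The literal below presumably matches
    # params['mfa_secret_name'] from the yaml data - verify.
    assert 'MFAOnSecret' in secret_name_pas, f'Failed to view the secret, API response result: {get_secret_success}'
    logger.info(f'Details of the secret Retrieved: {get_secret_details}')

    # Nothing is deleted in this function; the ids logged here are the ones
    # registered with the cleanup fixture.
    logger.info(f'Added Folders are deleted successfully: {folders_list}')
    logger.info(f'Added Secret deleted successfully: {secrets_list}')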
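def test_edit_folder_permission_to_update_folder(core_session,
                                                 create_secret_folder,
                                                 pas_general_secrets,
                                                 users_and_roles,
                                                 cleanup_secrets_and_folders):
    """
    C3030: the folder "Edit" permission decides whether User A may update a folder.

    1) Grant User A only "View" on the fixture folder and verify update_folder is rejected.
    2) Grant User A "View,Edit" on a second folder and verify update_folder succeeds.

    :param core_session: Authenticated Centrify session (used for all privileged setup calls)
    :param create_secret_folder: Fixture yielding folder details; 'ID' and 'Name' are read here
    :param pas_general_secrets: Fixture to read secrets related data from yaml file
    :param users_and_roles: Fixture providing a session for a user with PAS Power User rights
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
    """
    secret_folder_details = create_secret_folder
    folder_id = secret_folder_details['ID']
    folder_name = secret_folder_details['Name']
    folder_prefix = guid()
    folder_params = pas_general_secrets
    folders_list = cleanup_secrets_and_folders[1]

    # API to get new session for User A
    pas_power_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Power User')
    assert pas_power_user_session.auth_details is not None, 'Failed to Login with PAS Power User'
    user_name = pas_power_user_session.auth_details['User']
    user_id = pas_power_user_session.auth_details['UserId']
    logger.info(
        f'User with PAS Power User Rights login successfully: user_Name: {user_name}'
    )

    # Api to give user permissions to folder (EDIT disabled)
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, folder_id, 'View')
    # Check the 'success' flag, not the response object: a non-empty response
    # is truthy even when the grant was refused, and the deny check below
    # would then pass without the "View only" state ever being set up.
    assert user_permissions_result['success'], \
        f'Not Able to set user permissions to folder{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Negative check: with "View" only, the update must be rejected
    result = update_folder(pas_power_user_session,
                           folder_id,
                           folder_name,
                           folder_params['mfa_folder_name_update'],
                           description=folder_params['mfa_folder_description'])
    assert result['success'] is False, f'Edit is Enabled: {result["Message"]} '
    logger.info(
        f'Edit is Not Visible: {result["success"]} {result["Message"]}')

    # A second folder, created by the privileged session, for the positive case
    secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(
        core_session,
        folder_params['name'] + folder_prefix,
        folder_params['description'])
    assert secret_folder_success is True, f'Failed to create a folder{secret_folder_id} '
    logger.info(
        f' Folder created successfully: {secret_folder_success} & details are {secret_folder_parameters}'
    )
    folders_list.append(secret_folder_id)
    secret_folder_name = secret_folder_parameters['Name']

    # Api to give user permissions to folder (EDIT enabled)
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, secret_folder_id, 'View,Edit')
    assert user_permissions_result['success'], \
        f'Not Able to set user permissions to folder{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Positive check: with "View,Edit" the same user can update the folder
    result = update_folder(pas_power_user_session,
                           secret_folder_id,
                           secret_folder_name,
                           folder_prefix + folder_params['mfa_folder_name_update'],
                           description=folder_params['mfa_folder_description'])
    assert result['success'], f'Edit is not enabled: {result["Message"]} '
    logger.info(f'Edit is Visible: {result["success"]} {result["Message"]}')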
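def test_edit_folder_permission_to_update_settings_and_policy(
        core_session,
        create_secret_folder,
        pas_general_secrets,
        users_and_roles,
        cleanup_secrets_and_folders,
        clean_up_policy):
    """
    C3032: a user with folder "Edit" permission can update folder settings and policy.

    1) Enable Edit folder permission for User A
    2) Login with User A
    3) Update the settings and policy on the folder
    4) Verify the new name and description, then update again without a policy id

    :param core_session: Authenticated Centrify session (used for all privileged setup calls)
    :param create_secret_folder: Fixture yielding folder details; 'ID' and 'Name' are read here
    :param pas_general_secrets: Fixture to read secrets related data from yaml file
    :param users_and_roles: Fixture providing a session for a user with PAS Power User rights
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
    :param clean_up_policy: Fixture to cleanup the policy created
    """
    secret_folder_details = create_secret_folder
    folder_id = secret_folder_details['ID']
    folder_name = secret_folder_details['Name']
    folder_prefix = guid()
    folder_params = pas_general_secrets

    # API to get new session for User A
    pas_power_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Power User')
    assert pas_power_user_session.auth_details is not None, 'Failed to Login with PAS Power User'
    user_name = pas_power_user_session.auth_details['User']
    user_id = pas_power_user_session.auth_details['UserId']
    logger.info(
        f'User with PAS Power User Rights login successfully: user_Name: {user_name}'
    )

    # Api to create new policy
    policy_result = PolicyManager.create_new_auth_profile(
        core_session, folder_prefix + folder_params['policy_name_new'],
        ["UP", None], None, "30")
    assert policy_result is not None, f'Failed to create policy:{policy_result}'
    logger.info(f' Creating new policy:{policy_result}')
    clean_up_policy.append(policy_result)

    # Api to give user permissions to folder (EDIT enabled)
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, folder_id, 'View,Edit')
    # Check the 'success' flag: the response object itself is truthy whenever
    # it is non-empty, so asserting on it would not catch a refused grant.
    assert user_permissions_result['success'], \
        f'Not Able to set user permissions to folder{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Updating settings & policy of the folder created
    result = update_folder(pas_power_user_session,
                           folder_id,
                           folder_name,
                           folder_params['mfa_folder_name_update'] + folder_prefix,
                           description=folder_params['mfa_folder_description'],
                           policy_id=policy_result)
    assert result[
        'success'], f'Updating settings & policy Failed: {result["Message"]} '
    logger.info(f'Updating settings & policy: {result["success"]} {result}')

    # Getting details of the Folder updated
    result_folder = get_folder(core_session, folder_id)
    # Fail with the API message instead of an IndexError/KeyError on the rows below
    assert result_folder['success'], \
        f'Failed to retrieve updated folder details: {result_folder["Message"]}'
    logger.info(f'Updated Folder details: {result_folder}')
    updated_row = result_folder["Result"]["Results"][0]["Row"]
    description_updated = updated_row["Description"]
    name_updated = updated_row["Name"]
    assert 'MFAOnParentFolderUpdate' in name_updated, \
        f'Failed to update the name{name_updated}'
    assert 'mfa_description' in description_updated, \
        f'Failed to update the description{description_updated}'

    # Removing policy of the folder: same update, no policy_id passed
    result = update_folder(pas_power_user_session,
                           folder_id,
                           folder_name,
                           folder_params['mfa_folder_name_update'] + folder_prefix,
                           description=folder_params['mfa_folder_description'])
    assert result[
        'success'], f'Updating settings & policy Failed: {result["Message"]}'
    logger.info(f'Updating settings & policy: {result["success"]} {result}')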
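def test_needs_retrieve_permission_to_secret(core_session,
                                             users_and_roles,
                                             create_secret_inside_folder,
                                             pas_general_secrets):
    """
    C283961: User needs Retrieve Secret permission to retrieve and delete secret

    What the code checks: User A deletes one secret while holding member
    permissions 'View,Grant,Delete,Retrieve', then deletes a second secret
    after the member permissions are reduced to 'View,Grant,Delete'.

    NOTE(review): both deletions are asserted to succeed, including the one
    made without Retrieve, which reads as the opposite of the case title.
    Confirm which behaviour C283961 is meant to pin.

    :param core_session: Authenticated Centrify Session.
    :param users_and_roles: Fixture providing a session for a user with PAS Power User rights
    :param create_secret_inside_folder: Fixture to create secret inside folder & yield
        secrets & folders details.
    :param pas_general_secrets: Fixture to read secret data from yaml file.
    """
    folder_id_list, folder_name, secret_id = create_secret_inside_folder
    params = pas_general_secrets
    suffix = guid()

    # Getting new session for User A
    pas_power_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Power User')
    assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
    user_name = pas_power_user_session.auth_details['User']
    user_id = pas_power_user_session.auth_details['UserId']
    logger.info(
        f'User with PAS Power User Rights login successfully: user_Name:{user_name}'
    )

    # Create text type secret within folder (as the privileged session)
    added_text_secret_success, added_text_secret_result = create_text_secret_within_folder(
        core_session,
        params['secret_name'] + suffix,
        params['secret_text'],
        params['secret_description'],
        folder_id_list[0])
    assert added_text_secret_success, f'Failed to create secret {added_text_secret_result}'
    logger.info(f'Secret Created successfully: {added_text_secret_success}')

    # Setting user permissions to folder
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, folder_id_list[0], 'View')
    # Check the 'success' flag: the response object itself is truthy whenever
    # it is non-empty, so asserting on it would not catch a refused grant.
    assert user_permissions_result['success'], \
        f'Failed to set user permissions to folder:{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Setting member permissions (Delete, Retrieve) to folder
    member_perm_result, member_perm_success = set_member_permissions_to_folder(
        core_session,
        user_name,
        'View,Grant,Delete,Retrieve',
        user_id,
        folder_id_list[0])
    assert member_perm_success, f'Failed to set member permissions to Folder:{member_perm_result["Result"]}'
    logger.info(f'Member permissions to folder:{member_perm_result}')

    # Deleting child secret should work
    del_success, del_result = del_secret(pas_power_user_session,
                                         added_text_secret_result)
    assert del_success, f'Failed to delete child secret: {del_result}'
    logger.info(
        f'Successfully deleted child secret: {del_success}{del_result}')

    # Setting member permissions (Delete only, Retrieve dropped) to folder
    member_perm_result, member_perm_success = set_member_permissions_to_folder(
        core_session,
        user_name,
        'View,Grant,Delete',
        user_id,
        folder_id_list[0])
    assert member_perm_success, f'Failed to set member permissions to Folder:{member_perm_result["Result"]}'
    logger.info(f'Member permissions to folder:{member_perm_result}')

    # Deleting child secret should work (without Retrieve)
    del_success, del_result = del_secret(pas_power_user_session, secret_id[0])
    assert del_success, f'Failed to delete child secret: {del_result}'
    logger.info(f'Successfully deleted child secret: {del_result}')
    # Drop the already-deleted id from the fixture's list
    # (presumably so the fixture teardown does not try to delete it again).
    secret_id.remove(secret_id[0])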
def test_sub_folders_will_have_a_union_of_all_permissions(
        core_session,
        pas_general_secrets,
        cleanup_secrets_and_folders,
        users_and_roles):
    """
    C3048: a sub folder carries the union of the permissions set along its path.

    1) Create the multilevel folder /alpha/beta/charlie/delta
    2) As admin grant "View" on alpha, "Edit" on beta, "Delete" on charlie, "Add" on delta
    3) Login as PAS user
    4) On delta: update it (Edit), read it (View), add a folder (Add), delete that folder (Delete)

    NOTE(review): only the allowed operations on delta are exercised; nothing
    here asserts that the user is still denied Edit/Delete/Add higher up the tree.

    :param core_session: Authenticated Centrify session
    :param pas_general_secrets: Fixture to read secrets related data from yaml file
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
    :param users_and_roles: Fixture to create random user with PAS User Rights
    """
    yaml_data = pas_general_secrets
    unique = guid()
    cleanup_folders = cleanup_secrets_and_folders[1]

    # Build /alpha/beta/charlie/delta in one call; the returned id is delta's
    created_ok, _created_params, delta_id = create_folder(
        core_session,
        unique + yaml_data['multi_level_folder_name'],
        yaml_data['description'])
    assert created_ok, f'Failed to create multilevel folder, API response result: {delta_id}'
    logger.info(
        f'Multilevel Folder created successfully: {created_ok} & details are {delta_id}'
    )

    # Delta's own record supplies charlie's id (its 'Parent') and the path to the root
    delta_details = get_folder(core_session, delta_id)
    assert delta_details['success'], \
        f'Failed to retrieve charlie folder details, API response result:{delta_details["Message"]}'
    logger.info(f'charlie folder details:{delta_details}')
    delta_row = delta_details['Result']['Results'][0]['Row']
    charlie_id = delta_row['Parent']
    delta_name = delta_row['SecretName']

    # First component of the backslash-separated parent path names the root folder
    root_name = delta_row['ParentPath'].split('\\')[0]

    # Resolve the root folder's id
    root_details = get_folder(core_session, root_name)
    assert root_details['success'], \
        f'Failed to retrieve parent folder details, API response result:{root_details["Message"]}'
    logger.info(f'Parent folder details:{root_details}')
    root_id = root_details['Result']['Results'][0]['Row']['ID']

    # Walk down one level: first entity listed under the root
    alpha_listing = get_secrets_and_folders_in_folders(core_session, root_id)
    assert alpha_listing['success'], \
        f'Failed to retrieve alpha folder id, API response result: {alpha_listing["Result"]}'
    logger.info(f'Details of Alpha Folder Retrieved:{alpha_listing}')
    alpha_id = alpha_listing["Result"]["Results"][0]["Entities"][0]["Key"]

    # ...and one more level: first entity listed under alpha
    beta_listing = get_secrets_and_folders_in_folders(core_session, alpha_id)
    assert beta_listing['success'], \
        f'Failed to retrieve beta folder id, API response result: {beta_listing["Result"]}'
    logger.info(f'Details of Beta Folder Retrieved:{beta_listing}')
    beta_id = beta_listing["Result"]["Results"][0]["Entities"][0]["Key"]

    # Session for the low-privileged user under test
    pas_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service User')
    assert pas_user_session.auth_details, 'Failed to Login with PAS User'
    login_name = pas_user_session.auth_details['User']
    login_id = pas_user_session.auth_details['UserId']
    logger.info(
        f'User with PAS User Rights login successfully: user_Name:{login_name}')

    # One distinct right per level, granted by the admin session, top to bottom
    grants = (
        (alpha_id, 'View'),
        (beta_id, 'Edit'),
        (charlie_id, 'Delete'),
        (delta_id, 'Add'),
    )
    for target_folder_id, rights in grants:
        grant_response = give_user_permissions_to_folder(
            core_session, login_name, login_id, target_folder_id, rights)
        assert grant_response['success'], \
            f'Not Able to set user permissions to folder, API response result:{grant_response["Result"]}'
        logger.info(f'User Permissions to folder: {grant_response}')

    # Edit: rename delta as the PAS user
    update_response = update_folder(
        pas_user_session,
        delta_id,
        delta_name,
        updated_name=unique + yaml_data['delta_folder_name_new'],
        description=yaml_data['mfa_folder_description'])
    assert update_response['success'], \
        f'Failed to update the folder, API response result: {update_response["Message"]} '
    logger.info(f'Folder updated successfully: {update_response}')

    # View: read delta back as the PAS user and confirm the change landed
    refreshed = get_folder(pas_user_session, delta_id)
    logger.info(f'Updated Folder details: {refreshed}')
    refreshed_row = refreshed["Result"]["Results"][0]["Row"]
    description_updated = refreshed_row["Description"]
    name_updated = refreshed_row["Name"]
    assert 'delta_updated_v1' in name_updated, \
        f'Failed to update the name, API response result:{name_updated}'
    assert 'mfa_description' in description_updated, \
        f'Failed to update the description, API response result:{description_updated}'

    # Add: create a folder inside delta as the PAS user
    added_ok, _added_params, added_id = create_folder(
        pas_user_session,
        unique + yaml_data['name'],
        yaml_data['description'],
        parent=delta_id)
    assert added_ok, f'Failed to create multilevel folder, API response result: {added_id}'
    logger.info(
        f'Multilevel Folder created successfully: {added_ok} & details are {added_id}'
    )

    # Delete: remove that folder again as the PAS user
    delete_response = del_folder(pas_user_session, added_id)
    assert delete_response["success"], \
        f'Failed to delete the folder(DELETE), API response result: {delete_response["Result"]}'
    logger.info(f'Deleting the folder successfully (DELETE):{delete_response}')

    # Queue the tree for the cleanup fixture, deepest folder first.
    # The ids are only appended to the fixture's list here; nothing is deleted in this test.
    cleanup_folders.extend(
        [delta_id, charlie_id, beta_id, alpha_id, root_id])
    logger.info(f'Added Folders are deleted successfully: {cleanup_folders}')
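def test_set_update_policy_verify_displayed_on_activity(
        core_session,
        create_secret_folder,
        users_and_roles,
        pas_general_secrets,
        clean_up_policy):
    """
    C3069: setting/updating a folder policy and permissions is displayed on Activity.

    Applies a policy to the folder, grants "View" to three users (PAS User,
    PAS Administrator, PAS Power User), removes the policy again and then
    checks the four entries at the head of the folder's activity list.

    :param core_session: Authenticated Centrify Session
    :param create_secret_folder: Fixture yielding folder details; 'ID' and 'Name' are read here
    :param users_and_roles: Fixture providing sessions for users with PAS rights
    :param pas_general_secrets: Fixture to read secrets related data from yaml
    :param clean_up_policy: Fixture to cleanup the policy created
    """
    secrets_params = pas_general_secrets
    suffix = guid()
    secret_folder_details = create_secret_folder
    folder_id = secret_folder_details['ID']
    folder_name = secret_folder_details['Name']
    challenges = ["UP", ""]

    policy_result = PolicyManager.create_new_auth_profile(
        core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0)
    assert policy_result, f'Failed to create policy, API response result:{policy_result}'
    logger.info(f' Creating new policy:{policy_result}')
    clean_up_policy.append(policy_result)

    # Updating the Folder (applying MFA)
    result = update_folder(
        core_session,
        folder_id,
        folder_name,
        folder_name,
        description=secrets_params['mfa_folder_description'],
        policy_id=policy_result)
    assert result[
        'success'], f'Not Able to apply MFA on folder, API response result: {result["Message"]} '
    logger.info(f'MFA Applied on Folder: {result}')

    # Session for the PAS User
    pas_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service User')
    assert pas_user_session.auth_details, 'Failed to Login with PAS User'
    user_name_user = pas_user_session.auth_details['User']
    user_id_user = pas_user_session.auth_details['UserId']
    logger.info(
        f'User with PAS User Rights login successfully: user_Name:{user_name_user}'
    )

    # Grant "View" on the folder to the PAS User
    permissions_user = give_user_permissions_to_folder(core_session,
                                                       user_name_user,
                                                       user_id_user,
                                                       folder_id, 'View')
    assert permissions_user['success'], \
        f'Not Able to set user permissions to folder, API response result:{permissions_user["Result"]}'
    logger.info(f'User Permissions to folder: {permissions_user}')

    # Session for the PAS Administrator
    pas_admin_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Administrator')
    assert pas_admin_session.auth_details, 'Failed to Login with PAS Admin'
    user_name_admin = pas_admin_session.auth_details['User']
    user_id_admin = pas_admin_session.auth_details['UserId']
    logger.info(
        f'User with PAS Admin Rights login successfully: user_Name:{user_name_admin}'
    )

    # Grant "View" on the folder to the PAS Administrator
    permissions_admin = give_user_permissions_to_folder(
        core_session, user_name_admin, user_id_admin, folder_id, 'View')
    assert permissions_admin['success'], \
        f'Not Able to set user permissions to folder, API response result:{permissions_admin["Result"]}'
    logger.info(f'User Permissions to folder: {permissions_admin}')

    # Session for the PAS Power User
    pas_power_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Power User')
    assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
    user_name_power_user = pas_power_user_session.auth_details['User']
    user_id_power_user = pas_power_user_session.auth_details['UserId']
    logger.info(
        f'User with PAS Power User Rights login successfully: user_Name:{user_name_power_user}'
    )

    # Grant "View" on the folder to the PAS Power User
    permissions_power_user = give_user_permissions_to_folder(
        core_session, user_name_power_user, user_id_power_user, folder_id,
        'View')
    assert permissions_power_user['success'], \
        f'Not Able to set user permissions to folder, API response result:{permissions_power_user["Result"]}'
    logger.info(f'User Permissions to folder: {permissions_power_user}')

    # Updating the Folder (removing MFA): same call without policy_id.
    # The messages name the removal so a failure here is not mistaken for
    # the earlier "apply" step when reading the test log.
    result = update_folder(core_session, folder_id, folder_name, folder_name)
    assert result[
        'success'], f'Not Able to remove MFA from folder, API response result: {result["Message"]} '
    logger.info(f'MFA Removed from Folder: {result}')

    # Getting activity of the folder (updating folder permissions multiple times)
    activity_rows = get_folder_activity(core_session, folder_id)
    # Fail with a readable message rather than an IndexError when fewer
    # entries than expected come back.
    assert len(activity_rows) >= 4, \
        f'Expected at least 4 activity entries, API response result::{activity_rows}'

    verify_folder_update = 'updated the folder'
    verify_folder_permissions_user = f'granted User "{user_name_user}" to have "View" permissions on'
    verify_folder_permissions_power_user = f'granted User "{user_name_power_user}" to have "View" permissions on'
    verify_folder_permissions_admin = f'granted User "{user_name_admin}" to have "View" permissions on'

    # Index 0 is expected to hold the last action performed above (the policy
    # removal), then the grants in reverse order: power user, admin, user.
    assert verify_folder_permissions_user in activity_rows[3]['Detail'], \
        f'Failed to verify the activity, API response result::{activity_rows}'
    assert verify_folder_permissions_power_user in activity_rows[1]['Detail'], \
        f'Failed to verify the activity:{activity_rows}'
    assert verify_folder_permissions_admin in activity_rows[2]['Detail'], \
        f'Failed to verify the activity, API response result::{activity_rows}'
    assert verify_folder_update in activity_rows[0]['Detail'], \
        f'Failed to verify the activity, API response result::{activity_rows}'
    logger.info(
        f'Folder update and permission activity found, API response result: {activity_rows}'
    )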
def test_view_permission_on_folder_then_removed(core_session,
                                                create_folder_inside_folder,
                                                users_and_roles,
                                                pas_general_secrets,
                                                cleanup_secrets_and_folders):
    """
    C3047: folder "View" permission gates visibility of a folder tree.

    Case I
    1) The PAS user has no "View" permission on the parent folder.
    2) As the PAS user, verify the parent folder cannot be retrieved.
    Case II
    1) As admin, grant "View" on the parent folder to the PAS user.
    2) As the PAS user, verify the nested folder and its child are listed.

    NOTE(review): despite the name, no step in this test removes the "View"
    permission again after granting it.

    :param core_session: Authenticated Centrify session
    :param create_folder_inside_folder: Fixture to create folder inside folder & yields
        nested_folder & parent_folder details
    :param users_and_roles: Fixture to create random user with PAS User Rights
    :param pas_general_secrets: Fixture to read secrets related data from yaml file
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
    """

    def first_listed_id(listing):
        # Id of the first row in a folder-listing response
        return listing["Result"]["Results"][0]["Row"]["ID"]

    parent_info, _nested_info, nested_folder_id = create_folder_inside_folder
    parent_folder_id = parent_info['ID']
    yaml_data = pas_general_secrets
    unique = guid()
    cleanup_folders = cleanup_secrets_and_folders[1]

    # Third level, created by the admin session under the nested folder
    child_ok, _child_params, child_folder_id = create_folder(
        core_session,
        unique + yaml_data['nested_folder_name'],
        yaml_data['description'],
        parent=nested_folder_id)
    assert child_ok, f'Failed to create nested folder: {child_folder_id}'
    logger.info(
        f'Nested Folder created successfully: {child_ok} & details are {child_folder_id}'
    )
    # Inserted at the front of the cleanup list, ahead of any entries already queued
    cleanup_folders.insert(0, child_folder_id)

    # Session for the low-privileged user under test
    pas_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service User')
    assert pas_user_session.auth_details, 'Failed to Login with PAS User'
    login_name = pas_user_session.auth_details['User']
    login_id = pas_user_session.auth_details['UserId']
    logger.info(
        f'User with PAS User Rights login successfully: user_Name:{login_name}')

    # Case I: without any grant the parent folder must not be retrievable
    denied_lookup = get_folder(pas_user_session, parent_folder_id)
    assert denied_lookup['success'] is False, \
        f'Able to find Parent folder:{denied_lookup["Message"]}'
    logger.info(
        f'Unable to find Parent Folder with (View Disabled):{denied_lookup}')

    # Case II: the admin session grants "View" on the parent only
    grant_response = give_user_permissions_to_folder(
        core_session, login_name, login_id, parent_folder_id, 'View')
    assert grant_response['success'], \
        f'Not Able to set user permissions to folder{grant_response["Result"]}'
    logger.info(f'User Permissions to folder: {grant_response}')

    # The nested folder is now listed under the parent for the PAS user
    pas_nested_folder_id = first_listed_id(
        get_secrets_and_folders_in_folders(pas_user_session, parent_folder_id))
    assert pas_nested_folder_id == nested_folder_id, \
        f'Failed to retrieve nested folder with PAS User:{pas_nested_folder_id}'
    logger.info(
        f'Able to find Nested Folder with (View Enabled):{pas_nested_folder_id}'
    )

    # ...and the child folder is listed under the nested folder
    pas_child_folder_id = first_listed_id(
        get_secrets_and_folders_in_folders(pas_user_session, nested_folder_id))
    assert pas_child_folder_id == child_folder_id, \
        f'Failed to retrieve child folder with PAS User:{pas_child_folder_id}'
    logger.info(
        f'Able to find child Folder with (View Enabled):{pas_child_folder_id}')
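def test_move_secret_without_edit_member_permission_on_source_folder_should_not_be_allowed(
        core_session,
        users_and_roles,
        create_secret_folder,
        pas_general_secrets,
        cleanup_secrets_and_folders):
    """
    Moving a secret out of a folder must be refused when User A holds neither
    the "Edit" folder permission nor the "Edit" member permission on the source folder.

    :param core_session: Authenticated Centrify Session.
    :param users_and_roles: Fixture providing a user and session with PAS Power User rights
    :param create_secret_folder: Fixture to create secret folder & yields folder details.
    :param pas_general_secrets: Fixture to read secret data from yaml file.
    :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
    """
    secret_folder_details = create_secret_folder
    secret_list = cleanup_secrets_and_folders[0]
    folders_list = cleanup_secrets_and_folders[1]
    params = pas_general_secrets
    prefix = guid()
    folder_id = secret_folder_details['ID']

    pas_power_user = users_and_roles.get_user(
        'Privileged Access Service Power User')
    user_name = pas_power_user.get_login_name()
    user_id = pas_power_user.get_id()

    # Api to create text type secret within folder (as the privileged session)
    added_text_secret_success, added_text_secret_result = create_text_secret_within_folder(
        core_session,
        prefix + params['secret_name'],
        params['secret_text'],
        params['secret_description'],
        folder_id)
    assert added_text_secret_success, f'Unable to create secret {added_text_secret_result}'
    logger.info(f'Secret Created successfully: {added_text_secret_success}')
    secret_list.append(added_text_secret_result)

    # API to get new session for User A
    pas_power_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Power User')
    assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
    # Only the login name is logged. The account password is kept out of the
    # log: test logs are commonly archived and readable by more people than
    # should hold the credential.
    logger.info(
        f'User with PAS Power User Rights login successfully :user_Name: {user_name}'
    )

    # Api to give user permissions to folder (without EDIT)
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, folder_id, 'View,Grant')
    # Check the 'success' flag, not the response object: if this grant were
    # refused, the move below would still fail and the test would pass
    # without ever exercising the "View,Grant but no Edit" state.
    assert user_permissions_result['success'], \
        f'Not Able to set user permissions to folder{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Api to give member permissions to folder (without EDIT)
    member_perm_result, member_perm_success = set_member_permissions_to_folder(
        core_session, user_name, 'View,Grant', user_id, folder_id)
    assert member_perm_success, f'Not Able to set member permissions to Folder{member_perm_result["Result"]}'
    logger.info(f'Member permissions to folder:{member_perm_result}')

    # Api to create secret folder for User A (the move destination, owned by User A)
    secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(
        pas_power_user_session,
        prefix + params['name'],
        params['description'])
    assert secret_folder_success, f'Failed to create a folder:{secret_folder_id}'
    logger.info(
        f' Folder created successfully: {secret_folder_success} & details are {secret_folder_id}'
    )
    folders_list.append(secret_folder_id)

    # Negative check: moving the secret into User A's folder must be rejected
    result_move = move_secret(pas_power_user_session,
                              added_text_secret_result,
                              secret_folder_id)
    assert result_move[
        'success'] is False, f'Able to move the secret into Folder: {result_move["Result"]}'
    logger.info(
        f'Not Able to move the secret into another folder without Edit permissions:{result_move["Message"]}'
    )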
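def test_inherited_member_permissions(core_session, create_secret_folder,
                                      pas_general_secrets, users_and_roles,
                                      cleanup_secrets_and_folders):
    """
    C284058: Inherited member permissions

    User A and User B both receive folder and member permissions on the same folder.
    User A then creates a secret inside that folder, and the secret's ACL rows are
    checked to confirm that User B's entry is flagged as inherited.

    :param core_session: Authenticated Centrify session
    :param create_secret_folder: Fixture to create secret folder & yields folder details
    :param pas_general_secrets: Fixture to read secret data from yaml file
    :param users_and_roles: Fixture to create New user with PAS Power User & PAS User Rights
    :param cleanup_secrets_and_folders: Fixture to clean-up the secrets & folders created.
    """
    secrets_list = cleanup_secrets_and_folders[0]
    folder_id = create_secret_folder['ID']
    secret_params = pas_general_secrets
    suffix = guid()

    # Getting new session for User A
    pas_power_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service Power User')
    assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
    user_name = pas_power_user_session.auth_details['User']
    user_id = pas_power_user_session.auth_details['UserId']
    logger.info(
        f'User with PAS Power User Rights login successfully: user_Name:{user_name}'
    )

    # Setting user A permissions to folder
    # NOTE(review): the rights string 'View, Add' has a space after the comma,
    # unlike the other calls in this file - confirm the API accepts it.
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name, user_id, folder_id, 'View, Add')
    # Check the 'success' flag (as test_move_permissions does): a non-empty
    # failure response is truthy and would let this precondition pass silently.
    assert user_permissions_result['success'], \
        f'Failed to set user permissions to folder:{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Setting member permissions to folder for User A
    member_perm_result, member_perm_success = set_member_permissions_to_folder(
        core_session, user_name, 'View,Grant,Edit', user_id, folder_id)
    assert member_perm_success, f'Failed to set member permissions to Folder:{member_perm_result["Result"]}'
    logger.info(f'Member permissions to folder:{member_perm_result}')

    # Getting new session for User B
    pas_user_session = users_and_roles.get_session_for_user(
        'Privileged Access Service User')
    assert pas_user_session.auth_details, 'Failed to Login with PAS User'
    user_name_pas = pas_user_session.auth_details['User']
    user_id_pas = pas_user_session.auth_details['UserId']
    # Log User B's own name (the original logged User A's name here).
    logger.info(
        f'User with PAS User Rights login successfully: user_Name:{user_name_pas}')

    # Setting user B permissions to folder
    user_permissions_result = give_user_permissions_to_folder(
        core_session, user_name_pas, user_id_pas, folder_id, 'View, Add')
    assert user_permissions_result['success'], \
        f'Failed to set user permissions to folder:{user_permissions_result}'
    logger.info(f'User Permissions to folder: {user_permissions_result}')

    # Setting member permissions to folder for User B
    member_perm_result, member_perm_success = set_member_permissions_to_folder(
        core_session, user_name_pas, 'View,Grant,Edit', user_id_pas, folder_id)
    assert member_perm_success, f'Failed to set member permissions to Folder:{member_perm_result["Result"]}'
    logger.info(f'Member permissions to folder:{member_perm_result}')

    # Creating set for UserA
    # NOTE(review): this set is not handed to any cleanup fixture visible in this
    # test - confirm it is removed elsewhere, otherwise it outlives the run.
    success, set_id = SetsManager.create_manual_collection(
        pas_power_user_session, secret_params['set_name'] + suffix,
        'DataVault')
    logger.info(f'creating manual set:{success} with set id as: {set_id}')
    assert success, f'Failed to create manual set for User A: {set_id}'

    # Create text type secret within folder for User A
    added_text_secret_success, added_text_secret_result = create_text_secret_within_folder(
        pas_power_user_session,
        secret_params['secret_name'] + suffix,
        secret_params['secret_text'],
        secret_params['secret_description'],
        folder_id,
        set_id)
    assert added_text_secret_success, f'Failed to create secret for User A:{added_text_secret_result}'
    logger.info(f'Secret Created successfully: {added_text_secret_success}')
    # Register the secret for cleanup immediately, so that a failing assertion
    # further down does not leave it behind in the tenant.
    secrets_list.append(added_text_secret_result)

    # Verifying inherited permissions for User B
    get_permission_result = get_rows_acl(pas_power_user_session,
                                         added_text_secret_result)
    assert get_permission_result, f'Failed to inherit permissions for User B:{get_permission_result}'

    # Require at least one ACL row for User B: iterating and asserting only on
    # matching rows would pass vacuously if User B had no entry at all.
    user_b_rows = [
        row for row in get_permission_result['Result']
        if row['PrincipalName'] == user_name_pas
    ]
    assert user_b_rows, \
        f'No ACL row found for User B {user_name_pas} on the secret: {get_permission_result}'
    for row in user_b_rows:
        assert row['Inherited'], "Failed to verify the inherited permissions"
    logger.info(
        f' Successfully inherited permissions for User B: {get_permission_result}'
    )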