def test_secret_added_to_set(core_session, text_secret, set_cleaner):
set_1_name = guid() + ' Secret Set'
set_2_name = guid() + ' Secret Set'
success, set_1_id = SetsManager.create_manual_collection(
core_session, set_1_name, 'DataVault', object_ids=[text_secret['ID']])
assert success is True, f'Failed to create manual set with one initial member {set_1_id}'
set_cleaner.append(set_1_id)
success, set_2_id = SetsManager.create_manual_collection(
core_session, set_2_name, 'DataVault', object_ids=[text_secret['ID']])
assert success is True, f'Failed to create manual set with one initial member {set_2_id}'
set_cleaner.append(set_2_id)
results = SetsManager.search_object_in_set(core_session,
set_1_name,
text_secret['SecretName'],
'DataVault',
search_columns=['SecretName'])
assert results[0]['Row']['ID'] == text_secret[
'ID'], 'Searching for new secret in set 1 and could not find it. {json.dumps(results)}'
results = SetsManager.search_object_in_set(core_session,
set_2_name,
text_secret['SecretName'],
'DataVault',
search_columns=['SecretName'])
assert results[0]['Row']['ID'] == text_secret['ID'], \
f'Searching for new secret in set 2 and could not find it. {json.dumps(results)}'
def test_sysadmin_without_explicit_pe_assignment_system_set(
core_session, users_and_roles, create_manual_set):
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Create Set and the system to this set
set_id = create_manual_set(core_session, "Server")['ID']
logger.info(
f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
admin_user_name,
admin_user_id, set_id)
logger.info(result)
assert result[
'success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permissions but MA to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
set_id)
assert result[
'success'], "assigning collection permissions on the resource set for the user failed: " + result
# This sysadmin user does not have ManageAssignment permission, should still pass
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
core_session, scopeType="Collection", scope=set_id)
assert isSuccess and canManage, f"Can Manage Privilege Elevation for sysadmin user without MA permissions on a " \
f"system set failed, reason: {canManage}"
def test_check_ui_after_changing_setting(core_session, pas_setup,
clean_up_collections):
"""
Test case: C2206 Check permission for set
:param core_session: Authenticated centrify session
:param pas_setup: Creating a new system with accounts
"""
# Adding Systems for test execution
created_system_id, created_account_id, system_details = pas_setup
user_details = core_session.__dict__
collection_name = "testManualCollection" + guid()
# Get list of permission
get_sys_result, get_sys_success = ResourceManager.get_system_permissions(
core_session, created_system_id)
assert get_sys_success, f"Failed to get system permissions for resource, API result:{get_sys_result}"
permission = get_sys_result[0]['Rights']
permission_list = list(chain(*zip(permission.split())))[:-1]
permission_index_value = [
list((i, permission_list[i])) for i in range(len(permission_list))
]
assert (permission_index_value[3][0] < permission_index_value[4][0]
), f"Failed to get permission 'Grant' is in front of 'View'"
logger.info(
f'Grant is successfully shows in front of View. as Grant index is {permission_index_value[3][0]} and View index is {permission_index_value[4][0]}'
)
# Create set
add_set_success, new_set_id = SetsManager.create_manual_collection(
core_session, collection_name, "Server")
assert add_set_success, "Collection " + new_set_id + " Failed to Create"
# Set cleanup list
clean_up_collections.append(new_set_id)
# Assign permission to the set
set_permissions_result = SetsManager.set_collection_permissions(
core_session, "Grant,View,Edit,Delete",
user_details["auth_details"]["User"],
user_details['auth_details']['UserId'], new_set_id)
logger.info(
f'Successfully set collection Permissions for the set page :{set_permissions_result}'
)
# Get collection permission rights
get_permissions_result = SetsManager.get_collection_rights(
core_session, new_set_id)
set_permission = get_permissions_result['Result']
# Actual set permission rights list
actual_set_permission_list = 'View, Edit, Delete, Grant'
assert set_permission == actual_set_permission_list, f'Failed to verify permissions:{actual_set_permission_list}'
logger.info(
f'Successfully verify Permissions for the set page created:{actual_set_permission_list}'
)
def test_pe_del_assignment_on_set_delete(core_session, setup_generic_pe_command_with_no_rules, create_resources):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_name = "set_" + Util.random_string()
is_create, set_id = SetsManager.create_manual_collection(
core_session, set_name, "Server", object_ids=[added_system_id])
assert is_create, f"Successfully created a set and added system to that set: {set_id}"
# Give all permissions to admin user on this set
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
logger.info(result)
assert result['success'], "setting collection permissions failed: " + result
# Add assignment
principalType = "User"
principal = admin_user_name
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"
logger.info(results)
# Delete Set
isSuccess, results = SetsManager.delete_collection(core_session, set_id)
assert isSuccess, f"Deleting set failed: {results}"
# Make sure rule assignment is not available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 0, f"List assignments API call failed: {results}"
logger.info(results)
def test_option_all_system_admins_option_has_no_effect_on_non_admins(core_session, cds_session, set_cleaner, global_option, _modifying_setting_mutex):
update_result, update_success = ServerManager.update_server_security_settings(core_session, all_system_admin_see_all_sets_created_by_sys_admin=global_option)
assert update_success, f"Failed to update security Settings {update_result}"
results, success = ServerManager.get_server_settings(core_session, key='policy')
assert success, f"Failed to retrieve policy settings {results}"
assert results["AllSystemAdminSeeAllSetsCreatedBySysAdmin"] is global_option, f"Policy key AllSystemAdminSeeAllSetsCreatedBySysAdmin should be {global_option} {results}"
non_admin_session, api_user = cds_session
admin1_session = core_session
set_name1 = f"test_visibility_{guid()}"
set_name2 = f"test_visibility_{guid()}"
success, set_id1 = SetsManager.create_manual_collection(admin1_session, set_name1, 'DataVault', object_ids=None)
assert success is True, f'Failed to create manual set {set_id1}'
set_cleaner.append(set_id1)
success, set_id2 = SetsManager.create_manual_collection(non_admin_session, set_name2, 'DataVault', object_ids=None)
assert success is True, f'Failed to create manual set {set_id2}'
set_cleaner.append(set_id2)
assert SetsManager.get_collection_id(admin1_session, set_name1, "DataVault", reduce_sys_admin=True) is not None, "Admin 1 should be able to see own set"
assert SetsManager.get_collection_id(non_admin_session, set_name2, "DataVault", reduce_sys_admin=True) is not None, "Non admin should be able to see own set"
assert SetsManager.get_collection_id(non_admin_session, set_name1, "DataVault", reduce_sys_admin=True) is None, "Non admin should NOT be able to see Admin 1 set"
assert SetsManager.get_collection_id(admin1_session, set_name2, "DataVault", reduce_sys_admin=True) is None, "Admin 1 should NOT be able to see non admin set"
assert SetsManager.get_collection_id(non_admin_session, set_name1, "DataVault", reduce_sys_admin=False) is None, "Non admin should not be able to see Admin 1 set when reduce_sys_admin is False (because lacking permission)"
assert SetsManager.get_collection_id(admin1_session, set_name2, "DataVault", reduce_sys_admin=False) is not None, "Admin 1 should be able to see Admin 2 set when reduce_sys_admin is False"
def test_bulk_system_unenroll_by_api_set_correct_systems_fast_track(core_session, test_four_virtual_aapm_agents):
agents, _ = test_four_virtual_aapm_agents
all_agent_ids, all_server_ids = _setup_agents(core_session, agents)
unenroll_agent_ids = all_agent_ids[:2]
unenroll_server_ids = all_server_ids[:2]
keep_agent_ids = all_agent_ids[2:]
_validate_aapm_agent_details(core_session, all_agent_ids, True)
some_set_name = "ApiSet" + guid()
SetsManager.create_manual_collection(core_session, some_set_name, "Server", None)
set_id = SetsManager.get_collection_id(core_session, some_set_name, "Server")
SetsManager.update_members_collection(core_session, 'add', list(unenroll_server_ids), 'Server', set_id)
collection_and_filters = SetsManager.get_object_collection_and_filter_by_name(core_session, some_set_name, "Server")
filters = collection_and_filters['Filters']
logger.info(f'Manual set {collection_and_filters} - members - {unenroll_server_ids}')
_, success = ResourceManager.unenroll_multiple_systems_by_query(core_session, filters, wait_time=0,
SkipIfAgentReconciliationEnabled=True,
run_sync=True)
assert success, f'Unenroll systems job failed when expected success: {unenroll_server_ids}'
SetsManager.delete_collection(core_session, set_id)
_validate_aapm_agent_details(core_session, unenroll_agent_ids, False)
_validate_aapm_agent_details(core_session, keep_agent_ids, True)
def test_bulk_system_by_api_set_correct_systems_and_accounts_fast_track(clean_bulk_delete_systems_and_accounts,
core_session, list_of_created_systems):
batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 3, 4, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 1, 2, list_of_created_systems,
sys_type="Unix")
batch3 = ResourceManager.add_multiple_systems_with_accounts(core_session, 5, 1, list_of_created_systems,
sys_type="Unix")
delete_system_ids, delete_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch2])
keep_system_ids, keep_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch1, batch3])
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2, batch3])
some_set_name = "ApiSet" + guid()
SetsManager.create_manual_collection(core_session, some_set_name, "Server", None)
set_id = SetsManager.get_collection_id(core_session, some_set_name, "Server")
SetsManager.update_members_collection(core_session, 'add', list(delete_system_ids), 'Server', set_id)
collection_and_filters = SetsManager.get_object_collection_and_filter_by_name(core_session, some_set_name, "Server")
filters = collection_and_filters['Filters']
logger.info(f'Manual set {collection_and_filters} - members - {delete_system_ids}')
result, success = ResourceManager.del_multiple_systems_by_query(core_session, filters, savepasswords=False,
secretname="", run_sync=True)
assert success is True, f'Delete systems job failed when expected success'
SetsManager.delete_collection(core_session, set_id)
assert set(ResourceManager.get_multi_added_system_ids(core_session,
all_systems).values()) == keep_system_ids, "Set of expected remaining systems did not match search"
assert set(ResourceManager.get_multi_added_account_ids(core_session,
all_systems)) == keep_account_ids, "Set of expected remaining accounts did not match search"
def test_bulk_account_delete_job_fails_due_to_invalid_request_missing_secret(
clean_bulk_delete_systems_and_accounts, core_session, simulate_failure,
list_of_created_systems):
batch = ResourceManager.add_multiple_systems_with_accounts(
core_session, 1, 1, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch])
some_set_name = "ApiSet" + guid()
success, set_id = SetsManager.create_manual_collection(
core_session, some_set_name, "VaultAccount", None)
assert success, "Did not create collection"
SetsManager.update_members_collection(core_session, 'add',
list(all_accounts), 'VaultAccount',
set_id)
params = Util.scrub_dict({
'Ids': list(all_accounts),
'SaveToSecrets': simulate_failure,
'SecretName': "Bulk Account Delete",
'SetQuery': "",
'SkipIfHasAppsOrServices': simulate_failure
})
if simulate_failure:
request = core_session.apirequest(EndPoints.ACCOUNT_MULTI_DELETE,
params)
request_json = request.json()
result, success = request_json['Result'], request_json['success']
ResourceManager.wait_for_job_state_succeeded(core_session, result)
assert simulate_failure == success, f"Query success was unexpected value, with message {result}"
else:
request = core_session.apirequest(EndPoints.ACCOUNT_MULTI_DELETE,
params)
request_json = request.json()
result, success = request_json['Result'], request_json['success']
ResourceManager.wait_for_job_state_succeeded(core_session, result)
assert not simulate_failure == success, f"Query success was unexpected value, with message {result}"
total_account = RedrockController.get_accounts(core_session)
SetsManager.delete_collection(core_session, set_id)
list_account = []
for get_account in total_account:
if get_account['ID'] == all_accounts:
list_account.append(get_account['ID'])
assert 0 == len(
list_account
), "Number of remaining added accounts was unexpected number"
def test_add_a_new_top_level_stand_alone_folder(core_session,
create_secret_folder,
pas_general_secrets):
"""
Test method to create a Folder &
verifying the rights of the folder created
:param core_session: Authenticated Centrify Session
:param create_secret_folder: Fixture to create a folder & yields folder related details
:param pas_general_secrets: Fixture to read secret data from yaml file
"""
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
# Getting the Id of the user.
user_details = core_session.__dict__
user_id = user_details['auth_details']['UserId']
# Refreshing the page.
refresh_result = UserManager.refresh_token(core_session, user_id)
assert refresh_result["success"], f"Failed to reload:API response result:{refresh_result}"
# Getting permissions of the folder created
permissions = SetsManager.get_collection_rights(core_session, folder_id)
verify_permissions = 'View, Edit, Delete, Grant, Add'
assert verify_permissions == permissions["Result"], \
f'Failed to verify permissions for the folder{permissions["Result"]}'
logger.info(f'Permissions of the folder created: {permissions}')
def test_nonServer_collection_scenario(core_session, users_and_roles,
create_resources, create_manual_set):
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Create nonServer Set
set_id = create_manual_set(core_session, "VaultDatabase").get("ID", None)
assert set_id is not None, f"set_id cannot be empty"
logger.info(f"Successfully created a set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
admin_user_name,
admin_user_id, set_id)
logger.info(result)
assert result[
'success'], "assigning collection permissions on the set for the admin user, failed: " + result
# Not a server collection, should fail
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
core_session, scopeType="Collection", scope=set_id)
assert isSuccess and not canManage, f"Can Manage Privilege Elevation for nonServer set passed, reason: {canManage}"
def test_select_more_than_one_domain(core_session, domain_setup, cleanup_resources, clean_up_collections):
"""
TC:C2215 Select more than one domains.
:param core_session: Returns API session.
:param domain_setup: Fixture for domain creation.
:param cleanup_resources: cleaner for domain.
"""
# Creating a parent domain.
parent_domain_id, domain_info = domain_setup
set_list = clean_up_collections
# Create a child domain.
child_domain_name = f"{'child'}{guid()}"
domain_cleanup_list = cleanup_resources[1]
new_child_domain_id, add_child_domain_success = ResourceManager.add_child_domain(core_session, child_domain_name,
description='test_child_domain',
parent_id=parent_domain_id)
assert add_child_domain_success, f'Failed to create child domain:API response result:{new_child_domain_id}'
logger.info(f"Successfully created child domain:API response result: {new_child_domain_id}")
domain_cleanup_list.append(new_child_domain_id)
Result, success = ResourceManager.get_administrative_account(core_session, "administrator")
logger.info(f" Successfully get Domain for adding Administrative account.")
assert success, f'Failed to get Domain account {Result}'
# set name created with guid and add it in the domain set
set_name = f'set_name{guid()}'
add_success, add_result = SetsManager.create_manual_collection(core_session, set_name, "VaultDomain",
object_ids=[parent_domain_id])
assert add_success, f'Failed to create set and addition of member to set as: {add_result}'
logger.info(f'Successfully created set with member:{add_result}')
# cleanup the set and account
set_list.append(add_result)
def test_regular_user_on_system_set(core_session, setup_generic_pe_command_with_no_rules,
users_and_roles, create_resources, create_manual_set):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Get User
requester_session = users_and_roles.get_session_for_user()
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server", object_ids=[added_system_id])['ID']
logger.debug(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
assert result['success'], "setting admin collection permissions failed: " + result
# Add assignment
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User",
principal=user_info['Name'], scopeType="Collection",
scope=set_id, principalId=None, bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info['ScopeType'],
scope=rule_info['Scope'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'])
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# This user does not have view permission on DB, so should fail
results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(requester_session, scopeType="Collection",
commandID=commandID, scope=set_id)
assert not isSuccess and results['Message'] == \
"You are not authorized to perform this operation. Please contact your IT helpdesk.", \
f"GetAssignmentsByScope for regular user with no view permissions on a collection passed, reason: {results}"
# GetAssignmentByScope should succeed if admin does the API request
results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(core_session, scopeType="Collection",
commandID=commandID, scope=set_id)
assert isSuccess, f"GetAssignmentsByScope for admin user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and \
PrivilegeElevation.check_rules_info_in_api_response(rule_info_list, results), \
f"GetAssignmentsByScope complete check failed: {ruleID}"
def agent_get_set(core_session_global):
"""Creates a resource set to be used for agent enrollment
:return: set name
"""
session = core_session_global
set_name = "set_" + Util.random_string()
is_create, set_id = SetsManager.create_manual_collection(
session, set_name, "Server", None)
if is_create:
logger.debug("Resource set created: " + set_name)
yield set_name
else:
logger.error("Error in creating resource set: " + set_name)
is_create, response = SetsManager.delete_collection(session, set_id)
if is_create:
logger.debug("Resource set deleted: " + set_name)
def test_a_secret_can_belong_to_multiple_sets(core_session, create_set_manual,
added_secrets,
pas_general_secrets,
cleanup_secrets_and_folders,
set_cleaner):
"""test method to check that a secret belongs to multiple set"""
added_secret_id, added_secret_name = added_secrets
set_params = pas_general_secrets
prefix = guid()
set_success, set_id = create_set_manual
"""Api to create another set manually"""
success, setid = SetsManager.create_manual_collection(
core_session, prefix + set_params['set_name'], 'DataVault')
logger.info(f'creating manual set:{success} with setid as: {setid}')
assert success is True, f'Failed to create manual set with one initial member {setid}'
text_secret_id = added_secret_id[0]
"""Api to add set to existing secret"""
added_to_set_success, added_to_set_result = SetsManager.update_members_collection(
core_session, 'add', [text_secret_id], "DataVault", set_id)
assert added_to_set_success, f'Failed to add secret to set{added_to_set_result}'
logger.info(f'Adding secret to one set: {added_to_set_success}')
"""Api to add another set to same secret"""
added_to_set_success, added_to_set_result = SetsManager.update_members_collection(
core_session, 'add', [text_secret_id], "DataVault", setid)
assert added_to_set_success, f'Failed to add secret to set{added_to_set_result}'
logger.info(f'Adding secret to another set: {added_to_set_success}')
"""Redrock query to fetch set related details"""
get_set_1 = RedrockController.verify_set_secret(core_session, set_id,
text_secret_id)
logger.info(f'{get_set_1}')
logger.info(
f'Verifiying secret name {get_set_1[0]["Row"]["SecretName"]} in '
f'set 1 with ID {get_set_1[0]["Row"]["CollectionID"]} ')
get_set_2 = RedrockController.verify_set_secret(core_session, setid,
text_secret_id)
logger.info(
f'Verifiying secret name {get_set_2[0]["Row"]["SecretName"]} in another '
f'set with ID {get_set_2[0]["Row"]["CollectionID"]}')
"""to verify that same secret is added to multiple sets"""
text_to_verify = 'secret1'
assert (text_to_verify in get_set_1[0]["Row"]["SecretName"]) and (
text_to_verify in get_set_2[0]["Row"]["SecretName"]
), f'secret doesnt belong to multiple set'
set_cleaner.append(setid)
def test_add_new_sub_folder_and_set_with_same_name(core_session,
set_cleaner,
create_secret_folder,
pas_general_secrets,
cleanup_secrets_and_folders):
"""
test method to add a set with same name as Sub Folder
:param core_session: Authenticated Centrify Session
:param set_cleaner: Fixture to cleanup the sets created
:param create_secret_folder: Fixture to create a folder & yields folder related details
:param pas_general_secrets: Fixture to read secret data from yaml file
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folder created
"""
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
folder_params = pas_general_secrets
folders_list = cleanup_secrets_and_folders[1]
folder_prefix = guid()
folder_success, folder_parameters, sub_folder_id = create_folder(core_session,
folder_prefix + folder_params['name'],
folder_params['description'],
parent=folder_id)
assert folder_success, f'Failed to add sub folder:{folder_parameters["Result"]}'
logger.info(f'Folder added successfully: {folder_success}')
folders_list.insert(0, sub_folder_id)
success, set_id = SetsManager.create_manual_collection(core_session,
folder_prefix + folder_params['name'],
'DataVault')
assert success is True, f'Failed to create manual set with same name as Sub Folder {set_id}'
logger.info(f'creating manual set:{success} with setid as: {set_id}')
set_cleaner.append(set_id)
logger.info(f'Added set deleted successfully:{set_cleaner}')
# Getting permissions of the set created
permissions = SetsManager.get_collection_rights(core_session, set_id)
verify_permissions = 'View, Edit, Delete, Grant'
assert verify_permissions == permissions["Result"], \
f'Failed to verify permissions for the set:{permissions["Result"]}'
logger.info(f'Permissions of the set created: {permissions}')
def test_ends_with_search(core_session, core_admin_ui,
cleanup_secrets_and_folders, pas_general_secrets):
"""
C3061: Ends with search
:param core_session: Authenticated Centrify Session
:param core_admin_ui: Fixture to launch the browser with cloud admin
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
:param pas_general_secrets: Fixture to read secret data from yaml file
"""
params = pas_general_secrets
folder_list = cleanup_secrets_and_folders[1]
secrets_list = cleanup_secrets_and_folders[0]
suffix = guid()
# Creating folder
folder_success, folder_parameters, folder_id = create_folder(
core_session, params['name'] + suffix, params['description'])
assert folder_success, f'Failed to create folder, API response result: {folder_id}'
logger.info(
f'Folder created successfully: {folder_id} & details are {folder_parameters}'
)
folder_list.append(folder_id)
folder_name = folder_parameters['Name']
# Creating secret
added_secret_success, details, added_secret_id = create_text_secret(
core_session, params['secret_name'] + suffix, params['secret_text'])
assert added_secret_success, f"Added Secret Failed, API response result: {added_secret_id}"
logger.info(f'Added secrets info: {details, added_secret_id}')
secrets_list.append(added_secret_id)
ui = core_admin_ui
ui.navigate('Resources', 'Secrets')
# Searching for secrets & folder
ui.search(suffix)
ui.expect(GridRow(folder_name),
f' Expect to find folder {folder_name} but could not')
ui.expect(
GridRowByGuid(added_secret_id),
f' Expect to find secret with id as {added_secret_id} but could not')
logger.info(
f'Both folder {folder_name} & secret {added_secret_id} are successfully visible'
)
# Getting permissions of folder
permissions = SetsManager.get_collection_rights(core_session, folder_id)
assert permissions["Result"], \
f'Failed to get permissions for folder, API response result:{permissions["Result"]}'
logger.info(f'Permissions of the folder created: {permissions}')
# Getting permissions of secret
permissions_secret = get_users_effective_secret_permissions(
core_session, added_secret_id)
assert permissions_secret,\
f'Failed to get permissions for secret, API response result: {permissions_secret}'
logger.info(f' Permissions for Secret: {permissions_secret}')
def test_pe_del_command_scenario2(core_session, setup_generic_pe_command_with_no_rules, users_and_roles,
create_resources, create_manual_set):
commandName, commandID = setup_generic_pe_command_with_no_rules
requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(f"del_command_scenario2 user_info: {user_info}")
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server", object_ids=[added_system_id])['ID']
logger.debug(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to admin user on this set
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
assert result['success'], "setting collection permissions failed: " + result
# Add assignment
principalType = "User"
principal = user_info['Name']
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {results}"
logger.debug(f"List pe assignments response: {results}")
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
f"ruleID not present in list of pe assignments response"
# Deleting command should be successful, assignments too
result, isSuccess = PrivilegeElevation.del_pe_command(requester_session, name=commandName)
assert isSuccess, f"Deleting command as a non-admin user with pe permission failed: {result}"
# Deleting assignmnent explicitly should fail
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
assert not isSuccess, f"Deleting an already deleted assignment passed: {ruleID}"
assert re.findall('Privilege Elevation Assignment not found', result), \
f"Deleting an already deleted assignment failed with unknown exception: {result}"
def test_delete_assignment_sysadmin_without_ma_permission_on_system_set(core_session, create_manual_set,
setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server")['ID']
logger.info(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id)
logger.info(result)
assert result['success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permissions but MA to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id)
assert result['success'], "assigning collection permissions on the resource set for the user failed: " + result
# Add assignment
principalType = "User"
principal = admin_user_name
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"
# Deleting assignment explicitly should pass
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, ruleID)
assert isSuccess, f"Deleting rule assignment with no manage permission on system as sysadmin failed: {ruleID}"
def test_set_visibility_of_non_admin_set_from_ui(cds_session, set_cleaner,
core_ui):
non_admin_session, api_user = cds_session
ui = core_ui
set_name = f"test_visibility_{guid()}"
success, set_id = SetsManager.create_manual_collection(non_admin_session,
set_name,
'Server',
object_ids=None)
assert success is True, f'Failed to create manual set {set_id}'
set_cleaner.append(set_id)
ui.navigate('Resources', 'Systems')
# this will ensure that the set container is visible and updated
ui.expect(SetRow("All Systems"), "All systems set should be visible")
ui.missing(SetRow(set_name), f"{set_name} should not be visible")
assert ui.check_exists(
Button("Show All Sets")), "Show All Sets link should be visible"
assert not ui.check_exists(
Button("Show My Sets"),
time_to_wait=0), "Show My Sets button should be hidden"
ui.button("Show All Sets")
ui.expect_disappear(SetRow(set_name),
f'{set_name} did not disappear when it should have')
assert ui.check_exists(Button("Show My Sets"),
10), "Show My Sets button should be visible"
ui.button("Show My Sets")
assert ui.check_exists(Button("Show All Sets"),
10), "Show All Sets button should be visible"
ui.missing(SetRow(set_name), f"{set_name} should not be visible")
# ensure button does not erroneously appear
ui.navigate('Access', 'Users')
show_all_button = Button("Show All Sets").inside(ActiveMainContentArea())
show_my_button = Button("Show My Sets").inside(ActiveMainContentArea())
ui.missing(show_all_button,
f'Show All Sets Button should not be present on users tab')
ui.missing(show_my_button,
f'Show My Sets Button should not be present on users tab')
def test_regular_user_with_no_view_permissions_on_system_set(core_session, setup_generic_pe_command_with_no_rules,
users_and_roles, create_resources, create_manual_set):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Get User
requester_session = users_and_roles.get_session_for_user()
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(user_info)
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server", object_ids=[added_system_id])['ID']
logger.debug(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
logger.info(result)
assert result['success'], "setting admin collection permissions failed: " + result
# Add assignment
principalType = "User"
principal = user_info['Name']
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# This user does not have view permission, so should fail
results, isSuccess = PrivilegeElevation.list_pe_assignments(requester_session, commandID=commandID)
assert not isSuccess and results['Message'] == \
"You are not authorized to perform this operation. Please contact your IT helpdesk.", \
f"List Assignments for regular user with no view permissions on a set passed/ failed with " \
f"unknown exception, reason: {results}"
def test_bulk_manage_works_with_different_methods_of_specifying_systems(
core_session,
remote_unmanaged_users_with_mirrored_managed_local_users_qty3,
windows_test_machine_config, change_method):
account_ids = remote_unmanaged_users_with_mirrored_managed_local_users_qty3
job_result = None
if change_method == "ids":
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, account_ids)
assert success, "Did not bulk manage account"
elif change_method == "ids_with_invalid":
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, ["foo"] + list(account_ids))
assert success, "Did not bulk manage account"
elif change_method == "sql":
sql_query = 'SELECT * FROM VaultAccount WHERE ' + ' OR '.join(
('VaultAccount.ID = "' + str(n) + '"' for n in account_ids))
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, [], set_query=sql_query)
assert success, "Did not bulk manage accounts"
elif change_method == "group":
some_set_name = "ApiSet" + guid()
SetsManager.create_manual_collection(core_session, some_set_name,
"VaultAccount", None)
set_id = SetsManager.get_collection_id(core_session, some_set_name,
"VaultAccount")
SetsManager.update_members_collection(core_session, 'add', account_ids,
'VaultAccount', set_id)
filters = SetsManager.get_object_collection_and_filter_by_name(
core_session, some_set_name, "VaultAccount")['Filters']
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, [], set_query=filters)
assert success, "Did not bulk manage accounts"
else:
raise Exception(f"Bad input variable change_method {change_method}")
_validate_accounts_are_managed(core_session, account_ids, job_result)
user_info = core_session.get_current_session_user_info().json()['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Success.Multi'
start_message = f'{username} initiated management of {len(account_ids)} accounts'
end_message = f'{username} successfully managed {len(account_ids)} accounts'
RedrockController.expect_event_message_by_type(core_session, start_type,
start_message)
RedrockController.expect_event_message_by_type(core_session, end_type,
end_message)
def test_bulk_rotate_works_with_different_methods_of_specifying_systems(
core_session,
remote_users_with_mirrored_managed_local_users_qty3, windows_test_machine_config, change_method):
remote_ip = windows_test_machine_config['ip_address']
account_ids, accounts = BulkOperations.grab_relevant_users(core_session, remote_users_with_mirrored_managed_local_users_qty3)
passwords_fetched = BulkOperations.checkout_users(core_session, accounts)
BulkOperations.validate_users_with_login(remote_ip, passwords_fetched)
if change_method == "checkin": # disabled, out of scope
BulkOperations.check_in_users(core_session, passwords_fetched)
elif change_method == "ids":
result, success = ResourceManager.rotate_multiple_passwords(core_session, account_ids)
assert success, "Did not bulk rotate passwords"
elif change_method == "ids_with_invalid":
result, success = ResourceManager.rotate_multiple_passwords(core_session, account_ids)
assert success, "Did not bulk rotate passwords"
elif change_method == "sql":
sql_query = 'SELECT * FROM VaultAccount ' \
'WHERE ' + ' OR '.join(('VaultAccount.ID = "' + str(n) + '"' for n in account_ids))
result, success = ResourceManager.rotate_multiple_passwords(core_session, [], set_query=sql_query)
assert success, "Did not bulk rotate passwords"
elif change_method == "group":
some_set_name = "ApiSet" + guid()
SetsManager.create_manual_collection(core_session, some_set_name, "VaultAccount", None)
set_id = SetsManager.get_collection_id(core_session, some_set_name, "VaultAccount")
SetsManager.update_members_collection(core_session, 'add', account_ids, 'VaultAccount', set_id)
filters = SetsManager.get_object_collection_and_filter_by_name(core_session,
some_set_name, "VaultAccount")['Filters']
result, success = ResourceManager.rotate_multiple_passwords(core_session, [], set_query=filters)
assert success, "Did not bulk rotate passwords"
else:
raise Exception(f"Bad input variable change_method {change_method}")
BulkOperations.validate_users_with_login(remote_ip, passwords_fetched, [False] * len(passwords_fetched), change_method)
# Verify passwords are no longer right
user_info = core_session.get_current_session_user_info().json()['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Success.Multi'
start_message = f'{username} initiated password rotation of {len(account_ids)} accounts'
end_message = f'{username} successfully rotated {len(account_ids)} account passwords'
RedrockController.expect_event_message_by_type(core_session, start_type, start_message)
RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_bulk_account_by_api_set_correct_accounts(
clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, core_admin_ui):
batch = ResourceManager.add_multiple_systems_with_accounts(
core_session, 2, 2, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch])
delete_ids, keep_ids = DataManipulation.shuffle_and_split_into_two_lists(
all_accounts)
some_set_name = "ApiSet" + guid()
success, set_id = SetsManager.create_manual_collection(
core_session, some_set_name, "VaultAccount", None)
assert success, "Did not create collection"
SetsManager.update_members_collection(core_session, 'add',
list(delete_ids), 'VaultAccount',
set_id)
filters = SetsManager.get_object_collection_and_filter_by_name(
core_session, some_set_name, "VaultAccount")['Filters']
result, success = ResourceManager.del_multiple_accounts_by_query(
core_session, filters)
assert success, "del_multiple_accounts_by_query failed " + result
SetsManager.delete_collection(core_session, set_id)
assert set(
ResourceManager.get_multi_added_system_ids(
core_session, all_systems).values()) == set(
all_systems), "Wrong set of added systems found"
assert set(
ResourceManager.get_multi_added_account_ids(
core_session,
all_systems)) == set(keep_ids), "Wrong set of added accounts found"
def test_bulk_system_unenrolls_manually_from_set(core_session, core_admin_ui, create_manual_set,
test_four_virtual_aapm_agents):
agents, server_prefix = test_four_virtual_aapm_agents
agent_ids, server_ids, names_of_servers = _setup_agents(core_session, agents)
# Make sure aapm is enabled
_wait_for_systems_validation(core_session, agent_ids, True)
# enable paswdRecon on first system and last system
result = RedrockController.get_system(core_session, server_ids[0])
assert len(result) != 0
system = result[0]["Row"]
ResourceManager.update_system(core_session, server_ids[0], system["Name"], system["FQDN"],
system["ComputerClass"],
allowautomaticlocalaccountmaintenance=True)
result = RedrockController.get_system(core_session, server_ids[3])
assert len(result) != 0
system = result[0]["Row"]
ResourceManager.update_system(core_session, server_ids[3], system["Name"], system["FQDN"],
system["ComputerClass"],
allowautomaticlocalaccountmaintenance=True)
# Non-ui stuff, create a custom set, and all the new systems to that set.
manual_set = create_manual_set(core_session, "Server")
update_success, update_result = SetsManager.update_members_collection(core_session, 'add', server_ids, 'Server',
manual_set['ID'])
assert update_success, f"Failed to add resources {server_ids} to Set {manual_set['Name']}"
ui = core_admin_ui
ui.navigate('Resources', 'Systems')
ui.search(server_prefix)
ui.set_action(manual_set['Name'], "Unenroll Systems")
ui.switch_context(Modal('Bulk System Unenroll'))
ui.button('Unenroll')
ui.switch_context(NoTitleModal())
ui.button('Close')
_wait_for_systems_validation(core_session, agent_ids[1:3], False)
_validate_aapm_agent_details(core_session, agent_ids[:1], True)
_validate_aapm_agent_details(core_session, agent_ids[3:], True)
# Now lets re-enroll and enable aapm on 1 and 2 systems and run the unenroll operation
# with SkipIfAgentReconciliationEnabled unchecked
# Expected: Both systems should successfully unenroll
_setup_agents(core_session, agents)
# Make sure aapm is enabled on all systems
_validate_aapm_agent_details(core_session, agent_ids, True)
ui = core_admin_ui
ui.navigate('Resources', 'Systems')
ui.search(server_prefix)
ui.set_action(manual_set['Name'], "Unenroll Systems")
ui.switch_context(Modal('Bulk System Unenroll'))
ui.uncheck("SkipIfAgentReconciliationEnabled")
ui.button('Unenroll')
ui.switch_context(NoTitleModal())
ui.button('Close')
# Make sure aapm is disabled on both systems
_wait_for_systems_validation(core_session, agent_ids, False)
def test_privilege_elevation_command_assignment_works_at_all_three_scopes(
test_agent, pe_global_command_assignment_cleaner_by_user,
create_manual_set, cds_ui, cds_session, core_session):
ui, user = cds_ui
session, _ = cds_session
main_admin_session = core_session
main_admin_user = main_admin_session.get_user()
# Make sure the users global assignments will be cleaned up
pe_global_command_assignment_cleaner_by_user.append(user.get_id())
server_id = test_agent.computerUuid
logger.info(f'Server guid for vritual agent {server_id}')
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
agent_server_set = create_manual_set(session,
'Server',
object_ids=[server_id])
# Give all permissions to the admin
result = SetsManager.set_collection_resource_permissions(
session, permission_string, user.get_login_name(), user.get_id(),
agent_server_set["ID"], "User")
assert result[
'success'], "setting admin collection permissions failed: " + result
set_name = agent_server_set['Name']
# Create an assignment at global scope
ui.navigate('Settings', 'Resources', 'Security',
'Global Privilege Elevation')
ui.launch_modal('Add', 'Select User, Group, or Role')
ui.search(user.get_login_name())
ui.check_row(user.get_login_name())
ui.close_modal('Add')
ui.save()
global_assignment_selector = GridCell('Global').inside(
GridRow(user.get_login_name()))
# Create an assignment at collection scope
ui.navigate('Resources', 'Systems')
ui.set_action(set_name, "Modify")
ui.tab('Member Privilege Elevation')
ui.expect(
global_assignment_selector,
'Inherited command from global is not present even though we just created it.'
)
ui.launch_modal('Add', 'Select User, Group, or Role')
ui.search(user.get_login_name())
ui.check_row(user.get_login_name())
ui.close_modal('Add')
ui.save()
collection_assignment_selector = GridCell(f'{set_name}').inside(
GridRow(user.get_login_name()))
# Look at the PE tab on the server, make sure inherited assignments are there and add another.
ui.navigate('Resources', 'Systems')
ui.click_row_by_guid(server_id)
ui.tab('Privilege Elevation')
ui.expect(
global_assignment_selector,
'Inherited command from global is not present even though we just created it.'
)
ui.expect(
collection_assignment_selector,
'Inherited command from collection is not present even though we just created it.'
)
ui.launch_modal('Add', 'Select User, Group, or Role')
ui.search(main_admin_user.get_login_name())
ui.check_row(main_admin_user.get_login_name())
ui.close_modal('Add')
ui.save()
system_direct_selector = GridRow(main_admin_user.get_login_name())
# Look at the server directly, make sure all assignments still there.
ui.navigate('Resources', 'Systems')
ui.click_row_by_guid(server_id)
ui.tab('Privilege Elevation')
ui.expect(
global_assignment_selector,
'Inherited command from global is not present even though we just created it.'
)
ui.expect(
collection_assignment_selector,
'Inherited command from collection is not present even though we just created it.'
)
ui.expect(
system_direct_selector,
'Command assignment directly on system not present even though we just created it.'
)
def test_login_stored_account(core_session, setup_pas_system_for_unix,
set_cleaner, core_admin_ui):
"""
Test Case ID: C2087
Test Case Description: Login as stored account after proxy account enabled
:param core_session: Returns API session
:param setup_pas_system_for_unix: Creates Unix System and Account
:param set_cleaner: Delete Set
:param core_admin_ui: Authenticates Centrify UI session
"""
system_id, account_id, sys_info = setup_pas_system_for_unix
system_name = sys_info[0]
FQDN = sys_info[1]
computer_class = sys_info[2]
account_name = sys_info[4]
systems_data = Configs.get_environment_node('resources_data',
'automation_main')
expected_system_class = systems_data['Unix_infrastructure_data']
result, success = ResourceManager.update_system(
core_session,
system_id,
system_name,
FQDN,
computer_class,
proxyuser=expected_system_class['proxy_user'],
proxyuserpassword=expected_system_class['proxy_password'],
proxyuserismanaged=False,
allowremote=True)
assert success, 'Failed to update system'
logger.info(f'System successfully updated with result: {result}')
ui = core_admin_ui
name_of_set = f'Set{guid()}'
ui.navigate('Resources', 'Systems')
ui.launch_add('Add', 'Create Set')
ui.input('Name', name_of_set)
ui.tab('Members')
ui.launch_modal('Add', 'Add System')
ui.search(system_name)
ui.check_row(system_name)
ui.close_modal('Add')
ui.save()
id_of_set = SetsManager.get_collection_id(core_session, name_of_set,
'Server')
assert id_of_set, 'Set creation Failed'
logger.info(f"Set: '{name_of_set}' created successfully")
set_cleaner.append(id_of_set)
# Login into Stored Account
ui._waitUntilSettled()
ui.switch_context(ActiveMainContentArea())
ui.right_click_action(Div(system_name), 'Select/Request Account')
ui.switch_context(Modal(system_name + ' Login'))
ui.expect_disappear(LoadingMask(),
'Expected to find account but it did not', 30)
ui.search(account_name)
ui.expect(GridCell(account_name),
'Expected to find account name but it did not.').try_click()
ui.close_modal('Select')
ui.switch_to_pop_up_window()
ui.expect_disappear(LoadingMask(),
'Expected to login in account but it did not', 30)
logger.info(f'Successfully logged in Account:{account_name}.')
ui.switch_to_main_window()
def test_scope_system(core_session, setup_generic_pe_command_with_no_rules,
users_and_roles, create_resources, create_manual_set):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Add System 2
added_system_id2 = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id2}")
# Create Set and the system 1 to this set
set_id = create_manual_set(
core_session, "Server", object_ids=[added_system_id])['ID']
logger.debug(f"Successfully created a set and added system to that set: {set_id}")
# Create Set2 and add both systems to this set
set_id2 = create_manual_set(
core_session, "Server", object_ids=[added_system_id, added_system_id2])['ID']
logger.debug(f"Successfully created a set and added both system to that set: {set_id2}")
# Create Set3 and the system 2 to this set
set_id3 = create_manual_set(
core_session, "Server", object_ids=[added_system_id2])['ID']
logger.debug(f"Successfully created a set and added system 2 to that set: {set_id3}")
# Give all permissions to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
assert result['success'], "setting admin collection permissions failed: " + result
# same for set 2
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id2,
"User")
assert result['success'], "setting admin collection permissions failed: " + result
#same for set 3
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id3,
"User")
assert result['success'], "setting admin collection permissions failed: " + result
# Adding rules
# First add global assignment
rule_info1 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Role",
principal="System Administrator", scopeType="Global",
scope=None, principalId=None, bypassChallenge=False)
ruleID1, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info1['ScopeType'],
principalType=rule_info1['PrincipalType'],
principal=rule_info1['Principal'])
assert isSuccess, f" Adding rule assignment 1 failed"
rule_info1['ID'] = ruleID1
# Add Assignment for system1
rule_info2 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User",
principal=admin_user_name, scopeType="System",
scope=added_system_id, principalId=admin_user_id,
bypassChallenge=True)
ruleID2, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info2['ScopeType'],
scope=rule_info2['Scope'],
principalType=rule_info2['PrincipalType'],
principalID=rule_info2['PrincipalId'],
byPassChallenge=True,
starts=rule_info2['Starts'],
expires=rule_info2['Expires'])
assert isSuccess, f" Adding rule assignment for system 1 failed"
rule_info2['ID'] = ruleID2
# Add Assignment for system2
rule_info3 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User",
principal=admin_user_name, scopeType="System",
scope=added_system_id2, principalId=admin_user_id,
bypassChallenge=True)
ruleID3, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info3['ScopeType'],
scope=rule_info3['Scope'],
principalType=rule_info3['PrincipalType'],
principalID=rule_info3['PrincipalId'],
byPassChallenge=True,
starts=rule_info3['Starts'],
expires=rule_info3['Expires'])
assert isSuccess, f" Adding rule assignment on system 2 failed"
rule_info3['ID'] = ruleID3
# Add assignment for set 1
rule_info4 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User",
principal=admin_user_name, scopeType="Collection",
scope=set_id, principalId=admin_user_id,
bypassChallenge=True)
ruleID4, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info4['ScopeType'],
scope=rule_info4['Scope'],
principalType=rule_info4['PrincipalType'],
principalID=rule_info4['PrincipalId'],
byPassChallenge=True,
starts=rule_info4['Starts'],
expires=rule_info4['Expires'])
assert isSuccess, f" Adding rule assignment on set 1 failed"
rule_info4['ID'] = ruleID4
# Add assignment for set 2
rule_info5 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User",
principal=admin_user_name, scopeType="Collection",
scope=set_id2, principalId=admin_user_id,
bypassChallenge=True)
ruleID5, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info5['ScopeType'],
scope=rule_info5['Scope'],
principalType=rule_info5['PrincipalType'],
principalID=rule_info5['PrincipalId'],
byPassChallenge=True,
starts=rule_info5['Starts'],
expires=rule_info5['Expires'])
assert isSuccess, f" Adding rule assignment on set 2 failed"
rule_info5['ID'] = ruleID5
# Add assignment for set 3
rule_info6 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User",
principal=admin_user_name, scopeType="Collection",
scope=set_id3, principalId=admin_user_id,
bypassChallenge=True)
ruleID6, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info6['ScopeType'],
scope=rule_info6['Scope'],
principalType=rule_info6['PrincipalType'],
principalID=rule_info6['PrincipalId'],
byPassChallenge=True,
starts=rule_info6['Starts'],
expires=rule_info6['Expires'])
assert isSuccess, f" Adding rule assignment on set 3 failed"
rule_info6['ID'] = ruleID6
# Since inherit is off, we should get only 1 assignment, although there are 6 assignments in total
results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(core_session, scopeType="System",
inherit=False, scope=added_system_id)
assert isSuccess, f"GetAssignmentsByScope for system with inheritance off failed, " \
f"reason: {results}"
rule_info_list = [rule_info2]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"GetAssignmentsByScope complete check failed: {ruleID2}"
# With inheritance on, we should get 4 assignments, although there are 6 assignments in total
results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(core_session, scopeType="System",
inherit=True, scope=added_system_id)
assert isSuccess, f"GetAssignmentsByScope for system with inheritance off failed, " \
f"reason: {results}"
rule_info_list = [rule_info1, rule_info2, rule_info4, rule_info5]
# >= for parallel runs, since we don't know how many global assignments would be present in the results
assert len(results['Result']) >= 4 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"GetAssignmentsByScope complete check failed: {ruleID1} : {ruleID2} : {ruleID3} : {ruleID4}"
def test_collection_scenario(core_session, users_and_roles, create_resources,
create_manual_set,
setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Get User
requester_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(core_session,
"Server",
object_ids=[added_system_id])['ID']
logger.debug(
f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
admin_user_name,
admin_user_id, set_id)
assert result[
'success'], "setting admin collection permissions on the set failed: " + result
# Give all permissions to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
set_id)
assert result[
'success'], "setting admin collection permissions on the resourceSet failed: " + result
# Give all permission for the user on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
user_info['Name'],
user_info['Id'], set_id)
assert result[
'success'], "setting PAS power user collection permissions on the set failed: " + result
# Give all permission but the MA permission to the PAS user on the resource Set
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
set_id)
assert result[
'success'], "setting PAS power user collection permissions on the resourceSet failed: " + result
# Add assignment
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="User",
principal=user_info['Name'],
scopeType="Collection",
scope=set_id,
principalId=None,
bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=rule_info['ScopeType'],
scope=rule_info['Scope'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'],
byPassChallenge=False)
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# This user does not have MA permission, so should fail
results, isSuccess = PrivilegeElevation.update_pe_assignment(
requester_session, ruleID=ruleID, bypassChallenge=False)
assert not isSuccess and results['Message'] == "Attempted to perform an unauthorized operation.", \
f"UpdateAssignment for PAS power user with no MA permissions on a set passed, reason: {results}"
# Now assign MA permission but not Edit permission to the user
permission_string = 'Grant,View,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
user_info['Name'],
user_info['Id'], set_id)
assert result[
'success'], "setting PAS power user collection permissions failed: " + result
# This user does not have Edit permission, so should fail
results, isSuccess = PrivilegeElevation.update_pe_assignment(
requester_session, ruleID=ruleID, bypassChallenge=False)
assert not isSuccess and results['Message'] == "Attempted to perform an unauthorized operation.", \
f"UpdateAssignment for PAS power user with no Edit permissions on a set passed, reason: {results}"
# Now assign MA permission and Edit permission to the user
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
set_id, "User")
assert result[
'success'], "setting PAS power user collection permissions failed: " + result
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
user_info['Name'],
user_info['Id'], set_id)
assert result[
'success'], "setting PAS power user collection permissions failed: " + result
# updated rules
starts = datetime.datetime.now().replace(microsecond=0).isoformat() + "Z"
expires = (datetime.datetime.now() + datetime.timedelta(minutes=10)
).replace(microsecond=0).isoformat() + "Z"
rule_info['Starts'] = starts
rule_info['Expires'] = expires
rule_info['BypassChallenge'] = True
# This user has Edit and MA permissions on the set, should pass
results, isSuccess = PrivilegeElevation.update_pe_assignment(
requester_session,
ruleID=ruleID,
bypassChallenge=rule_info['BypassChallenge'],
starts=rule_info['Starts'],
expires=rule_info['Expires'])
assert isSuccess, f"UpdateAssignment for PAS power user with Edit and MA permissions on " \
f"a set failed, reason: {results}"
# Make sure rules are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
# Update rules
rule_info['BypassChallenge'] = False
# This sysadmin user does have MA permission, so should pass
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session, ruleID=ruleID, bypassChallenge=False)
assert isSuccess, f"UpdateAssignment for sys admin user with MA permissions on " \
f"a set failed, reason: {results}"
# Make sure rules are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
def test_update_assignment_sysadmin_without_ma_permission_on_system_set(
core_session, create_manual_set,
setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Create Set and the system to this set
set_id = create_manual_set(core_session, "Server")['ID']
logger.info(
f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
admin_user_name,
admin_user_id, set_id)
assert result[
'success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permissions but MA to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
set_id)
assert result[
'success'], "assigning collection permissions on the resource set for the user failed: " + result
# Add assignment
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="User",
principal=admin_user_name,
scopeType="Collection",
scope=set_id,
principalId=None,
bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=rule_info['ScopeType'],
scope=rule_info['Scope'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'],
byPassChallenge=False)
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# Update rules
rule_info['BypassChallenge'] = True
# This sysadmin user doesn't have MA permission, should still pass
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session, ruleID=ruleID, bypassChallenge=True)
assert isSuccess, f"UpdateAssignment for sys admin user with MA permissions on " \
f"a set failed, reason: {results}"
# Make sure assignments are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for sysadmin user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
def test_inherited_folder_permissions_should_be_removed_if_you_move_away_from_parent(
core_session, create_folder_inside_folder, pas_general_secrets,
cleanup_secrets_and_folders, users_and_roles):
"""
C3052: Inherited folder permissions should be removed if you move away from parent
:param core_session: Authenticated Centrify Session
:param create_folder_inside_folder: Fixture to create folder inside parent folder
:param pas_general_secrets: Fixture to read secret data from yaml file
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
:param users_and_roles: Fixture to create random user with PAS User rights
"""
parent_folder_info, nested_folder_info, nested_folder_id = create_folder_inside_folder
parent_folder_id = parent_folder_info['ID']
folder_prefix = guid()
params = pas_general_secrets
folders_list = cleanup_secrets_and_folders[1]
child_folder_success, child_folder_parameters, child_folder_id = create_folder(
core_session,
folder_prefix + params['name'],
params['description'],
parent=nested_folder_id)
assert child_folder_success, f'Failed to create child folder, API response result:: {child_folder_id}'
logger.info(
f'Child Folder created successfully: {child_folder_success} & details are {child_folder_id}'
)
folders_list.insert(0, child_folder_id)
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS User Rights login successfully: user_Name:{user_name}')
# Api to give user permissions to parent folder(View,Delete,Edit)
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, parent_folder_id, 'View,Delete,Edit')
assert user_permissions_result['success'], \
f'Not Able to set user permissions to folder, API response result:{user_permissions_result["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to give user permissions to nested folder(View,Add )
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, nested_folder_id, 'View,Add')
assert user_permissions_result['success'], \
f'Not Able to set user permissions to , API response result: {user_permissions_result["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Getting permissions of child folder(should inherit from parent)
permissions_yellow = SetsManager.get_collection_rights(
pas_power_user_session, child_folder_id)
verify_permissions_all = 'View, Edit, Delete, Add'
assert verify_permissions_all == permissions_yellow["Result"], \
f'Failed to verify permissions for the folder, API response result:{permissions_yellow["Result"]}'
logger.info(f'Permissions of the folder created: {permissions_yellow}')
# Moving Nested Folder into Top Level Secrets
result_move = move_folder(pas_power_user_session, nested_folder_id)
assert result_move[
'success'], f'Not Able to Move Folder B1 into B11, API response result:: {result_move["Result"]}'
logger.info(f'Moving Folder into Sub Folder:{result_move}')
# Getting permissions of child folder(should inherit from nested folder)
permissions_yellow = SetsManager.get_collection_rights(
pas_power_user_session, child_folder_id)
verify_permissions_all = 'View, Add'
assert verify_permissions_all == permissions_yellow["Result"], \
f'Failed to verify permissions for the folder, API response result:{permissions_yellow["Result"]}'
logger.info(f'Permissions of the folder created: {permissions_yellow}')
