def test_secret_added_to_set(core_session, text_secret, set_cleaner): set_1_name = guid() + ' Secret Set' set_2_name = guid() + ' Secret Set' success, set_1_id = SetsManager.create_manual_collection( core_session, set_1_name, 'DataVault', object_ids=[text_secret['ID']]) assert success is True, f'Failed to create manual set with one initial member {set_1_id}' set_cleaner.append(set_1_id) success, set_2_id = SetsManager.create_manual_collection( core_session, set_2_name, 'DataVault', object_ids=[text_secret['ID']]) assert success is True, f'Failed to create manual set with one initial member {set_2_id}' set_cleaner.append(set_2_id) results = SetsManager.search_object_in_set(core_session, set_1_name, text_secret['SecretName'], 'DataVault', search_columns=['SecretName']) assert results[0]['Row']['ID'] == text_secret[ 'ID'], 'Searching for new secret in set 1 and could not find it. {json.dumps(results)}' results = SetsManager.search_object_in_set(core_session, set_2_name, text_secret['SecretName'], 'DataVault', search_columns=['SecretName']) assert results[0]['Row']['ID'] == text_secret['ID'], \ f'Searching for new secret in set 2 and could not find it. {json.dumps(results)}'
def test_sysadmin_without_explicit_pe_assignment_system_set( core_session, users_and_roles, create_manual_set): admin_user = core_session.get_user() admin_user_name = admin_user.get_login_name() admin_user_id = admin_user.get_id() # Create Set and the system to this set set_id = create_manual_set(core_session, "Server")['ID'] logger.info( f"Successfully created a set and added system to that set: {set_id}") # Give all permissions to the admin on the set permission_string = 'Grant,View,Edit,Delete' result = SetsManager.set_collection_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id) logger.info(result) assert result[ 'success'], "assigning collection permissions on the set for the user, failed: " + result # Give all permissions but MA to the admin on the ResourceSet permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount' result = SetsManager.set_collection_resource_permissions( core_session, permission_string, admin_user_name, admin_user_id, set_id) assert result[ 'success'], "assigning collection permissions on the resource set for the user failed: " + result # This sysadmin user does not have ManageAssignment permission, should still pass canManage, isSuccess = PrivilegeElevation.can_manage_pe( core_session, scopeType="Collection", scope=set_id) assert isSuccess and canManage, f"Can Manage Privilege Elevation for sysadmin user without MA permissions on a " \ f"system set failed, reason: {canManage}"
def test_check_ui_after_changing_setting(core_session, pas_setup, clean_up_collections): """ Test case: C2206 Check permission for set :param core_session: Authenticated centrify session :param pas_setup: Creating a new system with accounts """ # Adding Systems for test execution created_system_id, created_account_id, system_details = pas_setup user_details = core_session.__dict__ collection_name = "testManualCollection" + guid() # Get list of permission get_sys_result, get_sys_success = ResourceManager.get_system_permissions( core_session, created_system_id) assert get_sys_success, f"Failed to get system permissions for resource, API result:{get_sys_result}" permission = get_sys_result[0]['Rights'] permission_list = list(chain(*zip(permission.split())))[:-1] permission_index_value = [ list((i, permission_list[i])) for i in range(len(permission_list)) ] assert (permission_index_value[3][0] < permission_index_value[4][0] ), f"Failed to get permission 'Grant' is in front of 'View'" logger.info( f'Grant is successfully shows in front of View. as Grant index is {permission_index_value[3][0]} and View index is {permission_index_value[4][0]}' ) # Create set add_set_success, new_set_id = SetsManager.create_manual_collection( core_session, collection_name, "Server") assert add_set_success, "Collection " + new_set_id + " Failed to Create" # Set cleanup list clean_up_collections.append(new_set_id) # Assign permission to the set set_permissions_result = SetsManager.set_collection_permissions( core_session, "Grant,View,Edit,Delete", user_details["auth_details"]["User"], user_details['auth_details']['UserId'], new_set_id) logger.info( f'Successfully set collection Permissions for the set page :{set_permissions_result}' ) # Get collection permission rights get_permissions_result = SetsManager.get_collection_rights( core_session, new_set_id) set_permission = get_permissions_result['Result'] # Actual set permission rights list actual_set_permission_list = 'View, Edit, Delete, Grant' assert set_permission == actual_set_permission_list, f'Failed to verify permissions:{actual_set_permission_list}' logger.info( f'Successfully verify Permissions for the set page created:{actual_set_permission_list}' )
def test_pe_del_assignment_on_set_delete(core_session, setup_generic_pe_command_with_no_rules, create_resources): commandName, commandID = setup_generic_pe_command_with_no_rules admin_user = core_session.get_user() admin_user_name = admin_user.get_login_name() admin_user_id = admin_user.get_id() # Add System added_system_id = create_resources(core_session, 1, "Unix")[0]['ID'] logger.debug(f"Successfully added a System: {added_system_id}") # Create Set and the system to this set set_name = "set_" + Util.random_string() is_create, set_id = SetsManager.create_manual_collection( core_session, set_name, "Server", object_ids=[added_system_id]) assert is_create, f"Successfully created a set and added system to that set: {set_id}" # Give all permissions to admin user on this set permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \ 'ManagePrivilegeElevationAssignment' result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id, "User") logger.info(result) assert result['success'], "setting collection permissions failed: " + result # Add assignment principalType = "User" principal = admin_user_name scopeType = "Collection" scope = set_id ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=scopeType, scope=scope, principalType=principalType, principal=principal) assert isSuccess, f" Adding rule assignment failed" # Make sure rule assignment is available results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName) assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}" logger.info(results) # Delete Set isSuccess, results = SetsManager.delete_collection(core_session, set_id) assert isSuccess, f"Deleting set failed: {results}" # Make sure rule assignment is not available results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName) assert isSuccess and len(results['Result']) == 0, f"List assignments API call failed: {results}" logger.info(results)
def test_option_all_system_admins_option_has_no_effect_on_non_admins(core_session, cds_session, set_cleaner, global_option, _modifying_setting_mutex): update_result, update_success = ServerManager.update_server_security_settings(core_session, all_system_admin_see_all_sets_created_by_sys_admin=global_option) assert update_success, f"Failed to update security Settings {update_result}" results, success = ServerManager.get_server_settings(core_session, key='policy') assert success, f"Failed to retrieve policy settings {results}" assert results["AllSystemAdminSeeAllSetsCreatedBySysAdmin"] is global_option, f"Policy key AllSystemAdminSeeAllSetsCreatedBySysAdmin should be {global_option} {results}" non_admin_session, api_user = cds_session admin1_session = core_session set_name1 = f"test_visibility_{guid()}" set_name2 = f"test_visibility_{guid()}" success, set_id1 = SetsManager.create_manual_collection(admin1_session, set_name1, 'DataVault', object_ids=None) assert success is True, f'Failed to create manual set {set_id1}' set_cleaner.append(set_id1) success, set_id2 = SetsManager.create_manual_collection(non_admin_session, set_name2, 'DataVault', object_ids=None) assert success is True, f'Failed to create manual set {set_id2}' set_cleaner.append(set_id2) assert SetsManager.get_collection_id(admin1_session, set_name1, "DataVault", reduce_sys_admin=True) is not None, "Admin 1 should be able to see own set" assert SetsManager.get_collection_id(non_admin_session, set_name2, "DataVault", reduce_sys_admin=True) is not None, "Non admin should be able to see own set" assert SetsManager.get_collection_id(non_admin_session, set_name1, "DataVault", reduce_sys_admin=True) is None, "Non admin should NOT be able to see Admin 1 set" assert SetsManager.get_collection_id(admin1_session, set_name2, "DataVault", reduce_sys_admin=True) is None, "Admin 1 should NOT be able to see non admin set" assert SetsManager.get_collection_id(non_admin_session, set_name1, "DataVault", reduce_sys_admin=False) is None, "Non admin should not be able to see Admin 1 set when reduce_sys_admin is False (because lacking permission)" assert SetsManager.get_collection_id(admin1_session, set_name2, "DataVault", reduce_sys_admin=False) is not None, "Admin 1 should be able to see Admin 2 set when reduce_sys_admin is False"
def test_bulk_system_unenroll_by_api_set_correct_systems_fast_track(core_session, test_four_virtual_aapm_agents): agents, _ = test_four_virtual_aapm_agents all_agent_ids, all_server_ids = _setup_agents(core_session, agents) unenroll_agent_ids = all_agent_ids[:2] unenroll_server_ids = all_server_ids[:2] keep_agent_ids = all_agent_ids[2:] _validate_aapm_agent_details(core_session, all_agent_ids, True) some_set_name = "ApiSet" + guid() SetsManager.create_manual_collection(core_session, some_set_name, "Server", None) set_id = SetsManager.get_collection_id(core_session, some_set_name, "Server") SetsManager.update_members_collection(core_session, 'add', list(unenroll_server_ids), 'Server', set_id) collection_and_filters = SetsManager.get_object_collection_and_filter_by_name(core_session, some_set_name, "Server") filters = collection_and_filters['Filters'] logger.info(f'Manual set {collection_and_filters} - members - {unenroll_server_ids}') _, success = ResourceManager.unenroll_multiple_systems_by_query(core_session, filters, wait_time=0, SkipIfAgentReconciliationEnabled=True, run_sync=True) assert success, f'Unenroll systems job failed when expected success: {unenroll_server_ids}' SetsManager.delete_collection(core_session, set_id) _validate_aapm_agent_details(core_session, unenroll_agent_ids, False) _validate_aapm_agent_details(core_session, keep_agent_ids, True)
def test_bulk_system_by_api_set_correct_systems_and_accounts_fast_track(clean_bulk_delete_systems_and_accounts, core_session, list_of_created_systems): batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 3, 4, list_of_created_systems) batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 1, 2, list_of_created_systems, sys_type="Unix") batch3 = ResourceManager.add_multiple_systems_with_accounts(core_session, 5, 1, list_of_created_systems, sys_type="Unix") delete_system_ids, delete_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch2]) keep_system_ids, keep_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch1, batch3]) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2, batch3]) some_set_name = "ApiSet" + guid() SetsManager.create_manual_collection(core_session, some_set_name, "Server", None) set_id = SetsManager.get_collection_id(core_session, some_set_name, "Server") SetsManager.update_members_collection(core_session, 'add', list(delete_system_ids), 'Server', set_id) collection_and_filters = SetsManager.get_object_collection_and_filter_by_name(core_session, some_set_name, "Server") filters = collection_and_filters['Filters'] logger.info(f'Manual set {collection_and_filters} - members - {delete_system_ids}') result, success = ResourceManager.del_multiple_systems_by_query(core_session, filters, savepasswords=False, secretname="", run_sync=True) assert success is True, f'Delete systems job failed when expected success' SetsManager.delete_collection(core_session, set_id) assert set(ResourceManager.get_multi_added_system_ids(core_session, all_systems).values()) == keep_system_ids, "Set of expected remaining systems did not match search" assert set(ResourceManager.get_multi_added_account_ids(core_session, all_systems)) == keep_account_ids, "Set of expected remaining accounts did not match search"
def test_bulk_account_delete_job_fails_due_to_invalid_request_missing_secret( clean_bulk_delete_systems_and_accounts, core_session, simulate_failure, list_of_created_systems): batch = ResourceManager.add_multiple_systems_with_accounts( core_session, 1, 1, list_of_created_systems) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values( [batch]) some_set_name = "ApiSet" + guid() success, set_id = SetsManager.create_manual_collection( core_session, some_set_name, "VaultAccount", None) assert success, "Did not create collection" SetsManager.update_members_collection(core_session, 'add', list(all_accounts), 'VaultAccount', set_id) params = Util.scrub_dict({ 'Ids': list(all_accounts), 'SaveToSecrets': simulate_failure, 'SecretName': "Bulk Account Delete", 'SetQuery': "", 'SkipIfHasAppsOrServices': simulate_failure }) if simulate_failure: request = core_session.apirequest(EndPoints.ACCOUNT_MULTI_DELETE, params) request_json = request.json() result, success = request_json['Result'], request_json['success'] ResourceManager.wait_for_job_state_succeeded(core_session, result) assert simulate_failure == success, f"Query success was unexpected value, with message {result}" else: request = core_session.apirequest(EndPoints.ACCOUNT_MULTI_DELETE, params) request_json = request.json() result, success = request_json['Result'], request_json['success'] ResourceManager.wait_for_job_state_succeeded(core_session, result) assert not simulate_failure == success, f"Query success was unexpected value, with message {result}" total_account = RedrockController.get_accounts(core_session) SetsManager.delete_collection(core_session, set_id) list_account = [] for get_account in total_account: if get_account['ID'] == all_accounts: list_account.append(get_account['ID']) assert 0 == len( list_account ), "Number of remaining added accounts was unexpected number"
def test_add_a_new_top_level_stand_alone_folder(core_session, create_secret_folder, pas_general_secrets): """ Test method to create a Folder & verifying the rights of the folder created :param core_session: Authenticated Centrify Session :param create_secret_folder: Fixture to create a folder & yields folder related details :param pas_general_secrets: Fixture to read secret data from yaml file """ secret_folder_details = create_secret_folder folder_id = secret_folder_details['ID'] # Getting the Id of the user. user_details = core_session.__dict__ user_id = user_details['auth_details']['UserId'] # Refreshing the page. refresh_result = UserManager.refresh_token(core_session, user_id) assert refresh_result["success"], f"Failed to reload:API response result:{refresh_result}" # Getting permissions of the folder created permissions = SetsManager.get_collection_rights(core_session, folder_id) verify_permissions = 'View, Edit, Delete, Grant, Add' assert verify_permissions == permissions["Result"], \ f'Failed to verify permissions for the folder{permissions["Result"]}' logger.info(f'Permissions of the folder created: {permissions}')
def test_nonServer_collection_scenario(core_session, users_and_roles, create_resources, create_manual_set): admin_user = core_session.get_user() admin_user_name = admin_user.get_login_name() admin_user_id = admin_user.get_id() # Create nonServer Set set_id = create_manual_set(core_session, "VaultDatabase").get("ID", None) assert set_id is not None, f"set_id cannot be empty" logger.info(f"Successfully created a set: {set_id}") # Give all permissions to the admin on the set permission_string = 'Grant,View,Edit,Delete' result = SetsManager.set_collection_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id) logger.info(result) assert result[ 'success'], "assigning collection permissions on the set for the admin user, failed: " + result # Not a server collection, should fail canManage, isSuccess = PrivilegeElevation.can_manage_pe( core_session, scopeType="Collection", scope=set_id) assert isSuccess and not canManage, f"Can Manage Privilege Elevation for nonServer set passed, reason: {canManage}"
def test_select_more_than_one_domain(core_session, domain_setup, cleanup_resources, clean_up_collections): """ TC:C2215 Select more than one domains. :param core_session: Returns API session. :param domain_setup: Fixture for domain creation. :param cleanup_resources: cleaner for domain. """ # Creating a parent domain. parent_domain_id, domain_info = domain_setup set_list = clean_up_collections # Create a child domain. child_domain_name = f"{'child'}{guid()}" domain_cleanup_list = cleanup_resources[1] new_child_domain_id, add_child_domain_success = ResourceManager.add_child_domain(core_session, child_domain_name, description='test_child_domain', parent_id=parent_domain_id) assert add_child_domain_success, f'Failed to create child domain:API response result:{new_child_domain_id}' logger.info(f"Successfully created child domain:API response result: {new_child_domain_id}") domain_cleanup_list.append(new_child_domain_id) Result, success = ResourceManager.get_administrative_account(core_session, "administrator") logger.info(f" Successfully get Domain for adding Administrative account.") assert success, f'Failed to get Domain account {Result}' # set name created with guid and add it in the domain set set_name = f'set_name{guid()}' add_success, add_result = SetsManager.create_manual_collection(core_session, set_name, "VaultDomain", object_ids=[parent_domain_id]) assert add_success, f'Failed to create set and addition of member to set as: {add_result}' logger.info(f'Successfully created set with member:{add_result}') # cleanup the set and account set_list.append(add_result)
def test_regular_user_on_system_set(core_session, setup_generic_pe_command_with_no_rules, users_and_roles, create_resources, create_manual_set): commandName, commandID = setup_generic_pe_command_with_no_rules admin_user = core_session.get_user() admin_user_name = admin_user.get_login_name() admin_user_id = admin_user.get_id() # Get User requester_session = users_and_roles.get_session_for_user() response = requester_session.get_current_session_user_info() user_info = response.json()['Result'] # Add System added_system_id = create_resources(core_session, 1, "Unix")[0]['ID'] logger.debug(f"Successfully added a System: {added_system_id}") # Create Set and the system to this set set_id = create_manual_set( core_session, "Server", object_ids=[added_system_id])['ID'] logger.debug(f"Successfully created a set and added system to that set: {set_id}") # Give all permissions to the admin permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \ 'ManagePrivilegeElevationAssignment' result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id, "User") assert result['success'], "setting admin collection permissions failed: " + result # Add assignment rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User", principal=user_info['Name'], scopeType="Collection", scope=set_id, principalId=None, bypassChallenge=False) ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=rule_info['ScopeType'], scope=rule_info['Scope'], principalType=rule_info['PrincipalType'], principal=rule_info['Principal']) assert isSuccess, f" Adding rule assignment failed" rule_info['ID'] = ruleID # This user does not have view permission on DB, so should fail results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(requester_session, scopeType="Collection", commandID=commandID, scope=set_id) assert not isSuccess and results['Message'] == \ "You are not authorized to perform this operation. Please contact your IT helpdesk.", \ f"GetAssignmentsByScope for regular user with no view permissions on a collection passed, reason: {results}" # GetAssignmentByScope should succeed if admin does the API request results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(core_session, scopeType="Collection", commandID=commandID, scope=set_id) assert isSuccess, f"GetAssignmentsByScope for admin user failed, reason: {results}" rule_info_list = [rule_info] assert len(results['Result']) == 1 and \ PrivilegeElevation.check_rules_info_in_api_response(rule_info_list, results), \ f"GetAssignmentsByScope complete check failed: {ruleID}"
def agent_get_set(core_session_global): """Creates a resource set to be used for agent enrollment :return: set name """ session = core_session_global set_name = "set_" + Util.random_string() is_create, set_id = SetsManager.create_manual_collection( session, set_name, "Server", None) if is_create: logger.debug("Resource set created: " + set_name) yield set_name else: logger.error("Error in creating resource set: " + set_name) is_create, response = SetsManager.delete_collection(session, set_id) if is_create: logger.debug("Resource set deleted: " + set_name)
def test_a_secret_can_belong_to_multiple_sets(core_session, create_set_manual, added_secrets, pas_general_secrets, cleanup_secrets_and_folders, set_cleaner): """test method to check that a secret belongs to multiple set""" added_secret_id, added_secret_name = added_secrets set_params = pas_general_secrets prefix = guid() set_success, set_id = create_set_manual """Api to create another set manually""" success, setid = SetsManager.create_manual_collection( core_session, prefix + set_params['set_name'], 'DataVault') logger.info(f'creating manual set:{success} with setid as: {setid}') assert success is True, f'Failed to create manual set with one initial member {setid}' text_secret_id = added_secret_id[0] """Api to add set to existing secret""" added_to_set_success, added_to_set_result = SetsManager.update_members_collection( core_session, 'add', [text_secret_id], "DataVault", set_id) assert added_to_set_success, f'Failed to add secret to set{added_to_set_result}' logger.info(f'Adding secret to one set: {added_to_set_success}') """Api to add another set to same secret""" added_to_set_success, added_to_set_result = SetsManager.update_members_collection( core_session, 'add', [text_secret_id], "DataVault", setid) assert added_to_set_success, f'Failed to add secret to set{added_to_set_result}' logger.info(f'Adding secret to another set: {added_to_set_success}') """Redrock query to fetch set related details""" get_set_1 = RedrockController.verify_set_secret(core_session, set_id, text_secret_id) logger.info(f'{get_set_1}') logger.info( f'Verifiying secret name {get_set_1[0]["Row"]["SecretName"]} in ' f'set 1 with ID {get_set_1[0]["Row"]["CollectionID"]} ') get_set_2 = RedrockController.verify_set_secret(core_session, setid, text_secret_id) logger.info( f'Verifiying secret name {get_set_2[0]["Row"]["SecretName"]} in another ' f'set with ID {get_set_2[0]["Row"]["CollectionID"]}') """to verify that same secret is added to multiple sets""" text_to_verify = 'secret1' assert (text_to_verify in get_set_1[0]["Row"]["SecretName"]) and ( text_to_verify in get_set_2[0]["Row"]["SecretName"] ), f'secret doesnt belong to multiple set' set_cleaner.append(setid)
def test_add_new_sub_folder_and_set_with_same_name(core_session, set_cleaner, create_secret_folder, pas_general_secrets, cleanup_secrets_and_folders): """ test method to add a set with same name as Sub Folder :param core_session: Authenticated Centrify Session :param set_cleaner: Fixture to cleanup the sets created :param create_secret_folder: Fixture to create a folder & yields folder related details :param pas_general_secrets: Fixture to read secret data from yaml file :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folder created """ secret_folder_details = create_secret_folder folder_id = secret_folder_details['ID'] folder_params = pas_general_secrets folders_list = cleanup_secrets_and_folders[1] folder_prefix = guid() folder_success, folder_parameters, sub_folder_id = create_folder(core_session, folder_prefix + folder_params['name'], folder_params['description'], parent=folder_id) assert folder_success, f'Failed to add sub folder:{folder_parameters["Result"]}' logger.info(f'Folder added successfully: {folder_success}') folders_list.insert(0, sub_folder_id) success, set_id = SetsManager.create_manual_collection(core_session, folder_prefix + folder_params['name'], 'DataVault') assert success is True, f'Failed to create manual set with same name as Sub Folder {set_id}' logger.info(f'creating manual set:{success} with setid as: {set_id}') set_cleaner.append(set_id) logger.info(f'Added set deleted successfully:{set_cleaner}') # Getting permissions of the set created permissions = SetsManager.get_collection_rights(core_session, set_id) verify_permissions = 'View, Edit, Delete, Grant' assert verify_permissions == permissions["Result"], \ f'Failed to verify permissions for the set:{permissions["Result"]}' logger.info(f'Permissions of the set created: {permissions}')
def test_ends_with_search(core_session, core_admin_ui, cleanup_secrets_and_folders, pas_general_secrets): """ C3061: Ends with search :param core_session: Authenticated Centrify Session :param core_admin_ui: Fixture to launch the browser with cloud admin :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created :param pas_general_secrets: Fixture to read secret data from yaml file """ params = pas_general_secrets folder_list = cleanup_secrets_and_folders[1] secrets_list = cleanup_secrets_and_folders[0] suffix = guid() # Creating folder folder_success, folder_parameters, folder_id = create_folder( core_session, params['name'] + suffix, params['description']) assert folder_success, f'Failed to create folder, API response result: {folder_id}' logger.info( f'Folder created successfully: {folder_id} & details are {folder_parameters}' ) folder_list.append(folder_id) folder_name = folder_parameters['Name'] # Creating secret added_secret_success, details, added_secret_id = create_text_secret( core_session, params['secret_name'] + suffix, params['secret_text']) assert added_secret_success, f"Added Secret Failed, API response result: {added_secret_id}" logger.info(f'Added secrets info: {details, added_secret_id}') secrets_list.append(added_secret_id) ui = core_admin_ui ui.navigate('Resources', 'Secrets') # Searching for secrets & folder ui.search(suffix) ui.expect(GridRow(folder_name), f' Expect to find folder {folder_name} but could not') ui.expect( GridRowByGuid(added_secret_id), f' Expect to find secret with id as {added_secret_id} but could not') logger.info( f'Both folder {folder_name} & secret {added_secret_id} are successfully visible' ) # Getting permissions of folder permissions = SetsManager.get_collection_rights(core_session, folder_id) assert permissions["Result"], \ f'Failed to get permissions for folder, API response result:{permissions["Result"]}' logger.info(f'Permissions of the folder created: {permissions}') # Getting permissions of secret permissions_secret = get_users_effective_secret_permissions( core_session, added_secret_id) assert permissions_secret,\ f'Failed to get permissions for secret, API response result: {permissions_secret}' logger.info(f' Permissions for Secret: {permissions_secret}')
def test_pe_del_command_scenario2(core_session, setup_generic_pe_command_with_no_rules, users_and_roles, create_resources, create_manual_set): commandName, commandID = setup_generic_pe_command_with_no_rules requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management') response = requester_session.get_current_session_user_info() user_info = response.json()['Result'] logger.debug(f"del_command_scenario2 user_info: {user_info}") admin_user = core_session.get_user() admin_user_name = admin_user.get_login_name() admin_user_id = admin_user.get_id() # Add System added_system_id = create_resources(core_session, 1, "Unix")[0]['ID'] logger.debug(f"Successfully added a System: {added_system_id}") # Create Set and the system to this set set_id = create_manual_set( core_session, "Server", object_ids=[added_system_id])['ID'] logger.debug(f"Successfully created a set and added system to that set: {set_id}") # Give all permissions to admin user on this set permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \ 'ManagePrivilegeElevationAssignment' result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id, "User") assert result['success'], "setting collection permissions failed: " + result # Add assignment principalType = "User" principal = user_info['Name'] scopeType = "Collection" scope = set_id ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=scopeType, scope=scope, principalType=principalType, principal=principal) assert isSuccess, f" Adding rule assignment failed" # Make sure rule assignment is available results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName) assert isSuccess, f"List assignments API call failed: {results}" logger.debug(f"List pe assignments response: {results}") assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \ f"ruleID not present in list of pe assignments response" # Deleting command should be successful, assignments too result, isSuccess = PrivilegeElevation.del_pe_command(requester_session, name=commandName) assert isSuccess, f"Deleting command as a non-admin user with pe permission failed: {result}" # Deleting assignmnent explicitly should fail result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID) assert not isSuccess, f"Deleting an already deleted assignment passed: {ruleID}" assert re.findall('Privilege Elevation Assignment not found', result), \ f"Deleting an already deleted assignment failed with unknown exception: {result}"
def test_delete_assignment_sysadmin_without_ma_permission_on_system_set(core_session, create_manual_set, setup_generic_pe_command_with_no_rules): commandName, commandID = setup_generic_pe_command_with_no_rules admin_user = core_session.get_user() admin_user_name = admin_user.get_login_name() admin_user_id = admin_user.get_id() # Create Set and the system to this set set_id = create_manual_set( core_session, "Server")['ID'] logger.info(f"Successfully created a set and added system to that set: {set_id}") # Give all permissions to the admin on the set permission_string = 'Grant,View,Edit,Delete' result = SetsManager.set_collection_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id) logger.info(result) assert result['success'], "assigning collection permissions on the set for the user, failed: " + result # Give all permissions but MA to the admin on the ResourceSet permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount' result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id) assert result['success'], "assigning collection permissions on the resource set for the user failed: " + result # Add assignment principalType = "User" principal = admin_user_name scopeType = "Collection" scope = set_id ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=scopeType, scope=scope, principalType=principalType, principal=principal) assert isSuccess, f" Adding rule assignment failed" # Make sure rule assignment is available results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName) assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}" # Deleting assignment explicitly should pass result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, ruleID) assert isSuccess, f"Deleting rule assignment with no manage permission on system as sysadmin failed: {ruleID}"
def test_set_visibility_of_non_admin_set_from_ui(cds_session, set_cleaner, core_ui): non_admin_session, api_user = cds_session ui = core_ui set_name = f"test_visibility_{guid()}" success, set_id = SetsManager.create_manual_collection(non_admin_session, set_name, 'Server', object_ids=None) assert success is True, f'Failed to create manual set {set_id}' set_cleaner.append(set_id) ui.navigate('Resources', 'Systems') # this will ensure that the set container is visible and updated ui.expect(SetRow("All Systems"), "All systems set should be visible") ui.missing(SetRow(set_name), f"{set_name} should not be visible") assert ui.check_exists( Button("Show All Sets")), "Show All Sets link should be visible" assert not ui.check_exists( Button("Show My Sets"), time_to_wait=0), "Show My Sets button should be hidden" ui.button("Show All Sets") ui.expect_disappear(SetRow(set_name), f'{set_name} did not disappear when it should have') assert ui.check_exists(Button("Show My Sets"), 10), "Show My Sets button should be visible" ui.button("Show My Sets") assert ui.check_exists(Button("Show All Sets"), 10), "Show All Sets button should be visible" ui.missing(SetRow(set_name), f"{set_name} should not be visible") # ensure button does not erroneously appear ui.navigate('Access', 'Users') show_all_button = Button("Show All Sets").inside(ActiveMainContentArea()) show_my_button = Button("Show My Sets").inside(ActiveMainContentArea()) ui.missing(show_all_button, f'Show All Sets Button should not be present on users tab') ui.missing(show_my_button, f'Show My Sets Button should not be present on users tab')
def test_regular_user_with_no_view_permissions_on_system_set(core_session, setup_generic_pe_command_with_no_rules, users_and_roles, create_resources, create_manual_set): commandName, commandID = setup_generic_pe_command_with_no_rules admin_user = core_session.get_user() admin_user_name = admin_user.get_login_name() admin_user_id = admin_user.get_id() # Get User requester_session = users_and_roles.get_session_for_user() response = requester_session.get_current_session_user_info() user_info = response.json()['Result'] logger.debug(user_info) # Add System added_system_id = create_resources(core_session, 1, "Unix")[0]['ID'] logger.debug(f"Successfully added a System: {added_system_id}") # Create Set and the system to this set set_id = create_manual_set( core_session, "Server", object_ids=[added_system_id])['ID'] logger.debug(f"Successfully created a set and added system to that set: {set_id}") # Give all permissions to the admin permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \ 'ManagePrivilegeElevationAssignment' result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id, "User") logger.info(result) assert result['success'], "setting admin collection permissions failed: " + result # Add assignment principalType = "User" principal = user_info['Name'] scopeType = "Collection" scope = set_id ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=scopeType, scope=scope, principalType=principalType, principal=principal) assert isSuccess, f" Adding rule assignment failed" # This user does not have view permission, so should fail results, isSuccess = PrivilegeElevation.list_pe_assignments(requester_session, commandID=commandID) assert not isSuccess and results['Message'] == \ "You are not authorized to perform this operation. Please contact your IT helpdesk.", \ f"List Assignments for regular user with no view permissions on a set passed/ failed with " \ f"unknown exception, reason: {results}"
def test_bulk_manage_works_with_different_methods_of_specifying_systems( core_session, remote_unmanaged_users_with_mirrored_managed_local_users_qty3, windows_test_machine_config, change_method): account_ids = remote_unmanaged_users_with_mirrored_managed_local_users_qty3 job_result = None if change_method == "ids": job_result, success = ResourceManager.manage_multiple_accounts( core_session, account_ids) assert success, "Did not bulk manage account" elif change_method == "ids_with_invalid": job_result, success = ResourceManager.manage_multiple_accounts( core_session, ["foo"] + list(account_ids)) assert success, "Did not bulk manage account" elif change_method == "sql": sql_query = 'SELECT * FROM VaultAccount WHERE ' + ' OR '.join( ('VaultAccount.ID = "' + str(n) + '"' for n in account_ids)) job_result, success = ResourceManager.manage_multiple_accounts( core_session, [], set_query=sql_query) assert success, "Did not bulk manage accounts" elif change_method == "group": some_set_name = "ApiSet" + guid() SetsManager.create_manual_collection(core_session, some_set_name, "VaultAccount", None) set_id = SetsManager.get_collection_id(core_session, some_set_name, "VaultAccount") SetsManager.update_members_collection(core_session, 'add', account_ids, 'VaultAccount', set_id) filters = SetsManager.get_object_collection_and_filter_by_name( core_session, some_set_name, "VaultAccount")['Filters'] job_result, success = ResourceManager.manage_multiple_accounts( core_session, [], set_query=filters) assert success, "Did not bulk manage accounts" else: raise Exception(f"Bad input variable change_method {change_method}") _validate_accounts_are_managed(core_session, account_ids, job_result) user_info = core_session.get_current_session_user_info().json()['Result'] username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Start.Multi' end_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Success.Multi' start_message = f'{username} initiated management of {len(account_ids)} accounts' end_message = f'{username} successfully managed {len(account_ids)} accounts' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_bulk_rotate_works_with_different_methods_of_specifying_systems( core_session, remote_users_with_mirrored_managed_local_users_qty3, windows_test_machine_config, change_method): remote_ip = windows_test_machine_config['ip_address'] account_ids, accounts = BulkOperations.grab_relevant_users(core_session, remote_users_with_mirrored_managed_local_users_qty3) passwords_fetched = BulkOperations.checkout_users(core_session, accounts) BulkOperations.validate_users_with_login(remote_ip, passwords_fetched) if change_method == "checkin": # disabled, out of scope BulkOperations.check_in_users(core_session, passwords_fetched) elif change_method == "ids": result, success = ResourceManager.rotate_multiple_passwords(core_session, account_ids) assert success, "Did not bulk rotate passwords" elif change_method == "ids_with_invalid": result, success = ResourceManager.rotate_multiple_passwords(core_session, account_ids) assert success, "Did not bulk rotate passwords" elif change_method == "sql": sql_query = 'SELECT * FROM VaultAccount ' \ 'WHERE ' + ' OR '.join(('VaultAccount.ID = "' + str(n) + '"' for n in account_ids)) result, success = ResourceManager.rotate_multiple_passwords(core_session, [], set_query=sql_query) assert success, "Did not bulk rotate passwords" elif change_method == "group": some_set_name = "ApiSet" + guid() SetsManager.create_manual_collection(core_session, some_set_name, "VaultAccount", None) set_id = SetsManager.get_collection_id(core_session, some_set_name, "VaultAccount") SetsManager.update_members_collection(core_session, 'add', account_ids, 'VaultAccount', set_id) filters = SetsManager.get_object_collection_and_filter_by_name(core_session, some_set_name, "VaultAccount")['Filters'] result, success = ResourceManager.rotate_multiple_passwords(core_session, [], set_query=filters) assert success, "Did not bulk rotate passwords" else: raise Exception(f"Bad input variable change_method {change_method}") BulkOperations.validate_users_with_login(remote_ip, passwords_fetched, [False] * len(passwords_fetched), change_method) # Verify passwords are no longer right user_info = core_session.get_current_session_user_info().json()['Result'] username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Start.Multi' end_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Success.Multi' start_message = f'{username} initiated password rotation of {len(account_ids)} accounts' end_message = f'{username} successfully rotated {len(account_ids)} account passwords' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_bulk_account_by_api_set_correct_accounts( clean_bulk_delete_systems_and_accounts, core_session, list_of_created_systems, core_admin_ui): batch = ResourceManager.add_multiple_systems_with_accounts( core_session, 2, 2, list_of_created_systems) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values( [batch]) delete_ids, keep_ids = DataManipulation.shuffle_and_split_into_two_lists( all_accounts) some_set_name = "ApiSet" + guid() success, set_id = SetsManager.create_manual_collection( core_session, some_set_name, "VaultAccount", None) assert success, "Did not create collection" SetsManager.update_members_collection(core_session, 'add', list(delete_ids), 'VaultAccount', set_id) filters = SetsManager.get_object_collection_and_filter_by_name( core_session, some_set_name, "VaultAccount")['Filters'] result, success = ResourceManager.del_multiple_accounts_by_query( core_session, filters) assert success, "del_multiple_accounts_by_query failed " + result SetsManager.delete_collection(core_session, set_id) assert set( ResourceManager.get_multi_added_system_ids( core_session, all_systems).values()) == set( all_systems), "Wrong set of added systems found" assert set( ResourceManager.get_multi_added_account_ids( core_session, all_systems)) == set(keep_ids), "Wrong set of added accounts found"
def test_bulk_system_unenrolls_manually_from_set(core_session, core_admin_ui, create_manual_set, test_four_virtual_aapm_agents): agents, server_prefix = test_four_virtual_aapm_agents agent_ids, server_ids, names_of_servers = _setup_agents(core_session, agents) # Make sure aapm is enabled _wait_for_systems_validation(core_session, agent_ids, True) # enable paswdRecon on first system and last system result = RedrockController.get_system(core_session, server_ids[0]) assert len(result) != 0 system = result[0]["Row"] ResourceManager.update_system(core_session, server_ids[0], system["Name"], system["FQDN"], system["ComputerClass"], allowautomaticlocalaccountmaintenance=True) result = RedrockController.get_system(core_session, server_ids[3]) assert len(result) != 0 system = result[0]["Row"] ResourceManager.update_system(core_session, server_ids[3], system["Name"], system["FQDN"], system["ComputerClass"], allowautomaticlocalaccountmaintenance=True) # Non-ui stuff, create a custom set, and all the new systems to that set. manual_set = create_manual_set(core_session, "Server") update_success, update_result = SetsManager.update_members_collection(core_session, 'add', server_ids, 'Server', manual_set['ID']) assert update_success, f"Failed to add resources {server_ids} to Set {manual_set['Name']}" ui = core_admin_ui ui.navigate('Resources', 'Systems') ui.search(server_prefix) ui.set_action(manual_set['Name'], "Unenroll Systems") ui.switch_context(Modal('Bulk System Unenroll')) ui.button('Unenroll') ui.switch_context(NoTitleModal()) ui.button('Close') _wait_for_systems_validation(core_session, agent_ids[1:3], False) _validate_aapm_agent_details(core_session, agent_ids[:1], True) _validate_aapm_agent_details(core_session, agent_ids[3:], True) # Now lets re-enroll and enable aapm on 1 and 2 systems and run the unenroll operation # with SkipIfAgentReconciliationEnabled unchecked # Expected: Both systems should successfully unenroll _setup_agents(core_session, agents) # Make sure aapm is enabled on all systems _validate_aapm_agent_details(core_session, agent_ids, True) ui = core_admin_ui ui.navigate('Resources', 'Systems') ui.search(server_prefix) ui.set_action(manual_set['Name'], "Unenroll Systems") ui.switch_context(Modal('Bulk System Unenroll')) ui.uncheck("SkipIfAgentReconciliationEnabled") ui.button('Unenroll') ui.switch_context(NoTitleModal()) ui.button('Close') # Make sure aapm is disabled on both systems _wait_for_systems_validation(core_session, agent_ids, False)
def test_privilege_elevation_command_assignment_works_at_all_three_scopes( test_agent, pe_global_command_assignment_cleaner_by_user, create_manual_set, cds_ui, cds_session, core_session): ui, user = cds_ui session, _ = cds_session main_admin_session = core_session main_admin_user = main_admin_session.get_user() # Make sure the users global assignments will be cleaned up pe_global_command_assignment_cleaner_by_user.append(user.get_id()) server_id = test_agent.computerUuid logger.info(f'Server guid for vritual agent {server_id}') permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \ 'ManagePrivilegeElevationAssignment' agent_server_set = create_manual_set(session, 'Server', object_ids=[server_id]) # Give all permissions to the admin result = SetsManager.set_collection_resource_permissions( session, permission_string, user.get_login_name(), user.get_id(), agent_server_set["ID"], "User") assert result[ 'success'], "setting admin collection permissions failed: " + result set_name = agent_server_set['Name'] # Create an assignment at global scope ui.navigate('Settings', 'Resources', 'Security', 'Global Privilege Elevation') ui.launch_modal('Add', 'Select User, Group, or Role') ui.search(user.get_login_name()) ui.check_row(user.get_login_name()) ui.close_modal('Add') ui.save() global_assignment_selector = GridCell('Global').inside( GridRow(user.get_login_name())) # Create an assignment at collection scope ui.navigate('Resources', 'Systems') ui.set_action(set_name, "Modify") ui.tab('Member Privilege Elevation') ui.expect( global_assignment_selector, 'Inherited command from global is not present even though we just created it.' ) ui.launch_modal('Add', 'Select User, Group, or Role') ui.search(user.get_login_name()) ui.check_row(user.get_login_name()) ui.close_modal('Add') ui.save() collection_assignment_selector = GridCell(f'{set_name}').inside( GridRow(user.get_login_name())) # Look at the PE tab on the server, make sure inherited assignments are there and add another. ui.navigate('Resources', 'Systems') ui.click_row_by_guid(server_id) ui.tab('Privilege Elevation') ui.expect( global_assignment_selector, 'Inherited command from global is not present even though we just created it.' ) ui.expect( collection_assignment_selector, 'Inherited command from collection is not present even though we just created it.' ) ui.launch_modal('Add', 'Select User, Group, or Role') ui.search(main_admin_user.get_login_name()) ui.check_row(main_admin_user.get_login_name()) ui.close_modal('Add') ui.save() system_direct_selector = GridRow(main_admin_user.get_login_name()) # Look at the server directly, make sure all assignments still there. ui.navigate('Resources', 'Systems') ui.click_row_by_guid(server_id) ui.tab('Privilege Elevation') ui.expect( global_assignment_selector, 'Inherited command from global is not present even though we just created it.' ) ui.expect( collection_assignment_selector, 'Inherited command from collection is not present even though we just created it.' ) ui.expect( system_direct_selector, 'Command assignment directly on system not present even though we just created it.' )
def test_login_stored_account(core_session, setup_pas_system_for_unix, set_cleaner, core_admin_ui): """ Test Case ID: C2087 Test Case Description: Login as stored account after proxy account enabled :param core_session: Returns API session :param setup_pas_system_for_unix: Creates Unix System and Account :param set_cleaner: Delete Set :param core_admin_ui: Authenticates Centrify UI session """ system_id, account_id, sys_info = setup_pas_system_for_unix system_name = sys_info[0] FQDN = sys_info[1] computer_class = sys_info[2] account_name = sys_info[4] systems_data = Configs.get_environment_node('resources_data', 'automation_main') expected_system_class = systems_data['Unix_infrastructure_data'] result, success = ResourceManager.update_system( core_session, system_id, system_name, FQDN, computer_class, proxyuser=expected_system_class['proxy_user'], proxyuserpassword=expected_system_class['proxy_password'], proxyuserismanaged=False, allowremote=True) assert success, 'Failed to update system' logger.info(f'System successfully updated with result: {result}') ui = core_admin_ui name_of_set = f'Set{guid()}' ui.navigate('Resources', 'Systems') ui.launch_add('Add', 'Create Set') ui.input('Name', name_of_set) ui.tab('Members') ui.launch_modal('Add', 'Add System') ui.search(system_name) ui.check_row(system_name) ui.close_modal('Add') ui.save() id_of_set = SetsManager.get_collection_id(core_session, name_of_set, 'Server') assert id_of_set, 'Set creation Failed' logger.info(f"Set: '{name_of_set}' created successfully") set_cleaner.append(id_of_set) # Login into Stored Account ui._waitUntilSettled() ui.switch_context(ActiveMainContentArea()) ui.right_click_action(Div(system_name), 'Select/Request Account') ui.switch_context(Modal(system_name + ' Login')) ui.expect_disappear(LoadingMask(), 'Expected to find account but it did not', 30) ui.search(account_name) ui.expect(GridCell(account_name), 'Expected to find account name but it did not.').try_click() ui.close_modal('Select') ui.switch_to_pop_up_window() ui.expect_disappear(LoadingMask(), 'Expected to login in account but it did not', 30) logger.info(f'Successfully logged in Account:{account_name}.') ui.switch_to_main_window()
def test_scope_system(core_session, setup_generic_pe_command_with_no_rules, users_and_roles, create_resources, create_manual_set): commandName, commandID = setup_generic_pe_command_with_no_rules admin_user = core_session.get_user() admin_user_name = admin_user.get_login_name() admin_user_id = admin_user.get_id() # Add System added_system_id = create_resources(core_session, 1, "Unix")[0]['ID'] logger.debug(f"Successfully added a System: {added_system_id}") # Add System 2 added_system_id2 = create_resources(core_session, 1, "Unix")[0]['ID'] logger.debug(f"Successfully added a System: {added_system_id2}") # Create Set and the system 1 to this set set_id = create_manual_set( core_session, "Server", object_ids=[added_system_id])['ID'] logger.debug(f"Successfully created a set and added system to that set: {set_id}") # Create Set2 and add both systems to this set set_id2 = create_manual_set( core_session, "Server", object_ids=[added_system_id, added_system_id2])['ID'] logger.debug(f"Successfully created a set and added both system to that set: {set_id2}") # Create Set3 and the system 2 to this set set_id3 = create_manual_set( core_session, "Server", object_ids=[added_system_id2])['ID'] logger.debug(f"Successfully created a set and added system 2 to that set: {set_id3}") # Give all permissions to the admin permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \ 'ManagePrivilegeElevationAssignment' result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id, "User") assert result['success'], "setting admin collection permissions failed: " + result # same for set 2 result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id2, "User") assert result['success'], "setting admin collection permissions failed: " + result #same for set 3 result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id3, "User") assert result['success'], "setting admin collection permissions failed: " + result # Adding rules # First add global assignment rule_info1 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Role", principal="System Administrator", scopeType="Global", scope=None, principalId=None, bypassChallenge=False) ruleID1, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=rule_info1['ScopeType'], principalType=rule_info1['PrincipalType'], principal=rule_info1['Principal']) assert isSuccess, f" Adding rule assignment 1 failed" rule_info1['ID'] = ruleID1 # Add Assignment for system1 rule_info2 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User", principal=admin_user_name, scopeType="System", scope=added_system_id, principalId=admin_user_id, bypassChallenge=True) ruleID2, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=rule_info2['ScopeType'], scope=rule_info2['Scope'], principalType=rule_info2['PrincipalType'], principalID=rule_info2['PrincipalId'], byPassChallenge=True, starts=rule_info2['Starts'], expires=rule_info2['Expires']) assert isSuccess, f" Adding rule assignment for system 1 failed" rule_info2['ID'] = ruleID2 # Add Assignment for system2 rule_info3 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User", principal=admin_user_name, scopeType="System", scope=added_system_id2, principalId=admin_user_id, bypassChallenge=True) ruleID3, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=rule_info3['ScopeType'], scope=rule_info3['Scope'], principalType=rule_info3['PrincipalType'], principalID=rule_info3['PrincipalId'], byPassChallenge=True, starts=rule_info3['Starts'], expires=rule_info3['Expires']) assert isSuccess, f" Adding rule assignment on system 2 failed" rule_info3['ID'] = ruleID3 # Add assignment for set 1 rule_info4 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User", principal=admin_user_name, scopeType="Collection", scope=set_id, principalId=admin_user_id, bypassChallenge=True) ruleID4, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=rule_info4['ScopeType'], scope=rule_info4['Scope'], principalType=rule_info4['PrincipalType'], principalID=rule_info4['PrincipalId'], byPassChallenge=True, starts=rule_info4['Starts'], expires=rule_info4['Expires']) assert isSuccess, f" Adding rule assignment on set 1 failed" rule_info4['ID'] = ruleID4 # Add assignment for set 2 rule_info5 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User", principal=admin_user_name, scopeType="Collection", scope=set_id2, principalId=admin_user_id, bypassChallenge=True) ruleID5, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=rule_info5['ScopeType'], scope=rule_info5['Scope'], principalType=rule_info5['PrincipalType'], principalID=rule_info5['PrincipalId'], byPassChallenge=True, starts=rule_info5['Starts'], expires=rule_info5['Expires']) assert isSuccess, f" Adding rule assignment on set 2 failed" rule_info5['ID'] = ruleID5 # Add assignment for set 3 rule_info6 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User", principal=admin_user_name, scopeType="Collection", scope=set_id3, principalId=admin_user_id, bypassChallenge=True) ruleID6, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=rule_info6['ScopeType'], scope=rule_info6['Scope'], principalType=rule_info6['PrincipalType'], principalID=rule_info6['PrincipalId'], byPassChallenge=True, starts=rule_info6['Starts'], expires=rule_info6['Expires']) assert isSuccess, f" Adding rule assignment on set 3 failed" rule_info6['ID'] = ruleID6 # Since inherit is off, we should get only 1 assignment, although there are 6 assignments in total results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(core_session, scopeType="System", inherit=False, scope=added_system_id) assert isSuccess, f"GetAssignmentsByScope for system with inheritance off failed, " \ f"reason: {results}" rule_info_list = [rule_info2] assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response( rule_info_list, results), \ f"GetAssignmentsByScope complete check failed: {ruleID2}" # With inheritance on, we should get 4 assignments, although there are 6 assignments in total results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(core_session, scopeType="System", inherit=True, scope=added_system_id) assert isSuccess, f"GetAssignmentsByScope for system with inheritance off failed, " \ f"reason: {results}" rule_info_list = [rule_info1, rule_info2, rule_info4, rule_info5] # >= for parallel runs, since we don't know how many global assignments would be present in the results assert len(results['Result']) >= 4 and PrivilegeElevation.check_rules_info_in_api_response( rule_info_list, results), \ f"GetAssignmentsByScope complete check failed: {ruleID1} : {ruleID2} : {ruleID3} : {ruleID4}"
def test_collection_scenario(core_session, users_and_roles, create_resources, create_manual_set, setup_generic_pe_command_with_no_rules): commandName, commandID = setup_generic_pe_command_with_no_rules admin_user = core_session.get_user() admin_user_name = admin_user.get_login_name() admin_user_id = admin_user.get_id() # Get User requester_session = users_and_roles.get_session_for_user( 'Privileged Access Service Power User') response = requester_session.get_current_session_user_info() user_info = response.json()['Result'] # Add System added_system_id = create_resources(core_session, 1, "Unix")[0]['ID'] logger.debug(f"Successfully added a System: {added_system_id}") # Create Set and the system to this set set_id = create_manual_set(core_session, "Server", object_ids=[added_system_id])['ID'] logger.debug( f"Successfully created a set and added system to that set: {set_id}") # Give all permissions to the admin on the set permission_string = 'Grant,View,Edit,Delete' result = SetsManager.set_collection_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id) assert result[ 'success'], "setting admin collection permissions on the set failed: " + result # Give all permissions to the admin on the ResourceSet permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \ 'ManagePrivilegeElevationAssignment' result = SetsManager.set_collection_resource_permissions( core_session, permission_string, admin_user_name, admin_user_id, set_id) assert result[ 'success'], "setting admin collection permissions on the resourceSet failed: " + result # Give all permission for the user on the set permission_string = 'Grant,View,Edit,Delete' result = SetsManager.set_collection_permissions(core_session, permission_string, user_info['Name'], user_info['Id'], set_id) assert result[ 'success'], "setting PAS power user collection permissions on the set failed: " + result # Give all permission but the MA permission to the PAS user on the resource Set permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount' result = SetsManager.set_collection_resource_permissions( core_session, permission_string, user_info['Name'], user_info['Id'], set_id) assert result[ 'success'], "setting PAS power user collection permissions on the resourceSet failed: " + result # Add assignment rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User", principal=user_info['Name'], scopeType="Collection", scope=set_id, principalId=None, bypassChallenge=False) ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment( core_session, commandID=commandID, scopeType=rule_info['ScopeType'], scope=rule_info['Scope'], principalType=rule_info['PrincipalType'], principal=rule_info['Principal'], byPassChallenge=False) assert isSuccess, f" Adding rule assignment failed" rule_info['ID'] = ruleID # This user does not have MA permission, so should fail results, isSuccess = PrivilegeElevation.update_pe_assignment( requester_session, ruleID=ruleID, bypassChallenge=False) assert not isSuccess and results['Message'] == "Attempted to perform an unauthorized operation.", \ f"UpdateAssignment for PAS power user with no MA permissions on a set passed, reason: {results}" # Now assign MA permission but not Edit permission to the user permission_string = 'Grant,View,Delete' result = SetsManager.set_collection_permissions(core_session, permission_string, user_info['Name'], user_info['Id'], set_id) assert result[ 'success'], "setting PAS power user collection permissions failed: " + result # This user does not have Edit permission, so should fail results, isSuccess = PrivilegeElevation.update_pe_assignment( requester_session, ruleID=ruleID, bypassChallenge=False) assert not isSuccess and results['Message'] == "Attempted to perform an unauthorized operation.", \ f"UpdateAssignment for PAS power user with no Edit permissions on a set passed, reason: {results}" # Now assign MA permission and Edit permission to the user permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \ 'ManagePrivilegeElevationAssignment' result = SetsManager.set_collection_resource_permissions( core_session, permission_string, user_info['Name'], user_info['Id'], set_id, "User") assert result[ 'success'], "setting PAS power user collection permissions failed: " + result permission_string = 'Grant,View,Edit,Delete' result = SetsManager.set_collection_permissions(core_session, permission_string, user_info['Name'], user_info['Id'], set_id) assert result[ 'success'], "setting PAS power user collection permissions failed: " + result # updated rules starts = datetime.datetime.now().replace(microsecond=0).isoformat() + "Z" expires = (datetime.datetime.now() + datetime.timedelta(minutes=10) ).replace(microsecond=0).isoformat() + "Z" rule_info['Starts'] = starts rule_info['Expires'] = expires rule_info['BypassChallenge'] = True # This user has Edit and MA permissions on the set, should pass results, isSuccess = PrivilegeElevation.update_pe_assignment( requester_session, ruleID=ruleID, bypassChallenge=rule_info['BypassChallenge'], starts=rule_info['Starts'], expires=rule_info['Expires']) assert isSuccess, f"UpdateAssignment for PAS power user with Edit and MA permissions on " \ f"a set failed, reason: {results}" # Make sure rules are actually updated results, isSuccess = PrivilegeElevation.list_pe_assignments( core_session, commandID=commandID) assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}" rule_info_list = [rule_info] assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response( rule_info_list, results), \ f"List Assignments complete check failed: {ruleID}" # Update rules rule_info['BypassChallenge'] = False # This sysadmin user does have MA permission, so should pass results, isSuccess = PrivilegeElevation.update_pe_assignment( core_session, ruleID=ruleID, bypassChallenge=False) assert isSuccess, f"UpdateAssignment for sys admin user with MA permissions on " \ f"a set failed, reason: {results}" # Make sure rules are actually updated results, isSuccess = PrivilegeElevation.list_pe_assignments( core_session, commandID=commandID) assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}" rule_info_list = [rule_info] assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response( rule_info_list, results), \ f"List Assignments complete check failed: {ruleID}"
def test_update_assignment_sysadmin_without_ma_permission_on_system_set( core_session, create_manual_set, setup_generic_pe_command_with_no_rules): commandName, commandID = setup_generic_pe_command_with_no_rules admin_user = core_session.get_user() admin_user_name = admin_user.get_login_name() admin_user_id = admin_user.get_id() # Create Set and the system to this set set_id = create_manual_set(core_session, "Server")['ID'] logger.info( f"Successfully created a set and added system to that set: {set_id}") # Give all permissions to the admin on the set permission_string = 'Grant,View,Edit,Delete' result = SetsManager.set_collection_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id) assert result[ 'success'], "assigning collection permissions on the set for the user, failed: " + result # Give all permissions but MA to the admin on the ResourceSet permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount' result = SetsManager.set_collection_resource_permissions( core_session, permission_string, admin_user_name, admin_user_id, set_id) assert result[ 'success'], "assigning collection permissions on the resource set for the user failed: " + result # Add assignment rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User", principal=admin_user_name, scopeType="Collection", scope=set_id, principalId=None, bypassChallenge=False) ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment( core_session, commandID=commandID, scopeType=rule_info['ScopeType'], scope=rule_info['Scope'], principalType=rule_info['PrincipalType'], principal=rule_info['Principal'], byPassChallenge=False) assert isSuccess, f" Adding rule assignment failed" rule_info['ID'] = ruleID # Update rules rule_info['BypassChallenge'] = True # This sysadmin user doesn't have MA permission, should still pass results, isSuccess = PrivilegeElevation.update_pe_assignment( core_session, ruleID=ruleID, bypassChallenge=True) assert isSuccess, f"UpdateAssignment for sys admin user with MA permissions on " \ f"a set failed, reason: {results}" # Make sure assignments are actually updated results, isSuccess = PrivilegeElevation.list_pe_assignments( core_session, commandID=commandID) assert isSuccess, f"List Assignments for sysadmin user failed, reason: {results}" rule_info_list = [rule_info] assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response( rule_info_list, results), \ f"List Assignments complete check failed: {ruleID}"
def test_inherited_folder_permissions_should_be_removed_if_you_move_away_from_parent( core_session, create_folder_inside_folder, pas_general_secrets, cleanup_secrets_and_folders, users_and_roles): """ C3052: Inherited folder permissions should be removed if you move away from parent :param core_session: Authenticated Centrify Session :param create_folder_inside_folder: Fixture to create folder inside parent folder :param pas_general_secrets: Fixture to read secret data from yaml file :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created :param users_and_roles: Fixture to create random user with PAS User rights """ parent_folder_info, nested_folder_info, nested_folder_id = create_folder_inside_folder parent_folder_id = parent_folder_info['ID'] folder_prefix = guid() params = pas_general_secrets folders_list = cleanup_secrets_and_folders[1] child_folder_success, child_folder_parameters, child_folder_id = create_folder( core_session, folder_prefix + params['name'], params['description'], parent=nested_folder_id) assert child_folder_success, f'Failed to create child folder, API response result:: {child_folder_id}' logger.info( f'Child Folder created successfully: {child_folder_success} & details are {child_folder_id}' ) folders_list.insert(0, child_folder_id) # API to get new session for User A pas_power_user_session = users_and_roles.get_session_for_user( 'Privileged Access Service User') assert pas_power_user_session.auth_details, 'Failed to Login with PAS User' user_name = pas_power_user_session.auth_details['User'] user_id = pas_power_user_session.auth_details['UserId'] logger.info( f'User with PAS User Rights login successfully: user_Name:{user_name}') # Api to give user permissions to parent folder(View,Delete,Edit) user_permissions_result = give_user_permissions_to_folder( core_session, user_name, user_id, parent_folder_id, 'View,Delete,Edit') assert user_permissions_result['success'], \ f'Not Able to set user permissions to folder, API response result:{user_permissions_result["Result"]}' logger.info(f'User Permissions to folder: {user_permissions_result}') # Api to give user permissions to nested folder(View,Add ) user_permissions_result = give_user_permissions_to_folder( core_session, user_name, user_id, nested_folder_id, 'View,Add') assert user_permissions_result['success'], \ f'Not Able to set user permissions to , API response result: {user_permissions_result["Result"]}' logger.info(f'User Permissions to folder: {user_permissions_result}') # Getting permissions of child folder(should inherit from parent) permissions_yellow = SetsManager.get_collection_rights( pas_power_user_session, child_folder_id) verify_permissions_all = 'View, Edit, Delete, Add' assert verify_permissions_all == permissions_yellow["Result"], \ f'Failed to verify permissions for the folder, API response result:{permissions_yellow["Result"]}' logger.info(f'Permissions of the folder created: {permissions_yellow}') # Moving Nested Folder into Top Level Secrets result_move = move_folder(pas_power_user_session, nested_folder_id) assert result_move[ 'success'], f'Not Able to Move Folder B1 into B11, API response result:: {result_move["Result"]}' logger.info(f'Moving Folder into Sub Folder:{result_move}') # Getting permissions of child folder(should inherit from nested folder) permissions_yellow = SetsManager.get_collection_rights( pas_power_user_session, child_folder_id) verify_permissions_all = 'View, Add' assert verify_permissions_all == permissions_yellow["Result"], \ f'Failed to verify permissions for the folder, API response result:{permissions_yellow["Result"]}' logger.info(f'Permissions of the folder created: {permissions_yellow}')