def test_pe_can_execute_priv_command_sys_no_asmnt_on_role(
core_session, cleanup_servers, users_and_roles):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Unix",
sessiontype="Ssh")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
role = users_and_roles.populate_role({
'Name': "can_exec_role" + guid(),
"Rights": ["Admin Portal Login"]
})
userobj = users_and_roles.populate_user({'Name': 'user' + guid()})
users_and_roles.add_user_to_role(userobj, role)
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=userobj.get_login_name(),
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert not results['Granted'], f"Granted should be true: {results}"
def test_pe_can_execute_priv_command_user_not_exist(core_session,
cleanup_servers):
session = core_session
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Windows",
sessiontype="Rdp")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
args = Util.scrub_dict({
'User': "******",
'System': added_system_id,
'Command': "sc stop cagent"
})
response = session.apirequest(EndPoints.PRIVILEGE_ELEVATION_CAN_EXECUTE_PE,
args)
response_json = response.json()
logger.info(
f"Response from PE canExecutePrivilegeCommand: {response_json}")
assert not response_json[
'success'], f"CanExecutePrivilegeCommand failed, reason: {response_json}"
assert response_json[
'Message'] == "User userNotExist not found; they may have been deleted or the directory may be unavailable.", f"CanExecutePrivilegeCommand failed, reason: {response_json}"
def test_pe_can_execute_priv_command_sys_no_asmnt_on_adgroup(
core_session, setup_user_in_ad_group, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Unix",
sessiontype="Ssh")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
aduser, _, adgroup = setup_user_in_ad_group
if adgroup is None:
pytest.skip("Cannot create adgroup")
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=aduser['SystemName'],
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert not results['Granted'], f"Granted should be false: {results}"
def test_sys_admin_grant_to_adGroup(core_session, setup_adgroup):
adGroup = setup_adgroup
if adGroup is None:
pytest.skip("Cannot retreive ad group info")
# Add System
sys_name = "test_pe_can_manage_priv_elev" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Unix",
sessiontype="Ssh")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.info(f"Successfully added a System: {added_system_id}")
# Give all permissions to the ad group
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, adGroup['DisplayName'],
adGroup['InternalName'], "Group", added_system_id)
assert success, f"Unable to assign system permissions to adgroup: {result}"
def test_pe_can_execute_priv_command_sys_asmnt_no_user_in_non_sysadmin_role(
core_session, setup_generic_pe_command_with_no_rules_all_OS,
users_and_roles, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_cmd123" + guid()
sys_fqdn = "fqdn123" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Windows",
sessiontype="Rdp")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
commandName, commandID = setup_generic_pe_command_with_no_rules_all_OS
role = users_and_roles.populate_role({
'Name': "can_exec_role123" + guid(),
"Rights": ["Admin Portal Login"]
})
# Get User
userobj1 = users_and_roles.populate_user(
{'Name': 'can_exec_user123' + guid()})
# Add assignment
asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Role",
principalId=role['ID'],
scopeType="System",
scope=added_system_id,
principal=None,
bypassChallenge=True)
asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=asmnt_info['ScopeType'],
scope=asmnt_info['Scope'],
principalType=asmnt_info['PrincipalType'],
principalID=asmnt_info['PrincipalId'],
byPassChallenge=True,
starts=asmnt_info['Starts'],
expires=asmnt_info['Expires'])
assert isSuccess, f"Adding assignment failed"
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=userobj1.get_login_name(),
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert not results['Granted'], f"Granted should be false: {results}"
#clean up
errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
core_session, asmntID)
assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_pe_can_execute_priv_command_sys_asmnt_no_aduser_in_adgroup(
core_session, setup_generic_pe_command_with_no_rules,
setup_user_in_ad_group, setup_aduser, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Unix",
sessiontype="Ssh")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
commandName, commandID = setup_generic_pe_command_with_no_rules
aduser, _, adgroup = setup_user_in_ad_group
if adgroup is None:
pytest.skip("Cannot create adgroup")
# Add assignment
asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Group",
principal=adgroup['DisplayName'],
scopeType="System",
scope=added_system_id,
principalId=None,
bypassChallenge=True)
asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=asmnt_info['ScopeType'],
scope=asmnt_info['Scope'],
principalType=asmnt_info['PrincipalType'],
principal=asmnt_info['Principal'],
byPassChallenge=True,
starts=asmnt_info['Starts'],
expires=asmnt_info['Expires'])
assert isSuccess, f"Adding assignment failed"
aduser1, _ = setup_aduser
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=aduser1['SystemName'],
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert not results['Granted'], f"Granted should be false: {results}"
#clean up
errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
core_session, asmntID)
assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_add_managed_proxy_account_on_system_setting_page(
core_session, unix_machine_environment_config, ssh_session_as_root,
create_unix_users, cleanup_resources_with_admin):
"""
:param core_session: Authenticated Centrify session.
:param create_unix_users: add unix users
Note: previously two test cases exist here
1. add manage proxy account in unix system
2. un manage proxy account in unix system now only one test cases doing two things.
"""
systems_list = cleanup_resources_with_admin
conf = unix_machine_environment_config
hostname = conf['host'] + "_" + Util.random_string(5)
# add users on target system
users = create_unix_users(ssh_session_as_root, "manage-unix", 1)
logger.info("Users created " + str(len(users)))
accountuser = users[0]
new_system_id, add_system_success = ResourceManager.add_system(
core_session, hostname, conf["ipaddress"], "Unix", "Ssh",
"Unix system")
assert add_system_success, "Add System Failed"
logger.info(f"Added system Id {new_system_id}")
systems_list.append(new_system_id)
# Add manage proxy account
result, success = ResourceManager.update_system(
core_session,
new_system_id,
hostname,
conf["ipaddress"],
"Unix",
proxyuser=accountuser['Name'],
proxyuserpassword=accountuser['Password'],
proxyuserismanaged=True)
assert success, f"Unable to add a managed proxy user for {hostname}. API response result: {result}"
logger.info(
f"Managed proxy account {accountuser['Name']} added to Unix system: {hostname}"
)
# Changing managed proxy account to un managed
unmanaged_result, unmanaged_success = ResourceManager.update_system(
core_session,
new_system_id,
hostname,
conf["ipaddress"],
"Unix",
proxyuser=accountuser['Name'],
proxyuserpassword=accountuser['Password'],
proxyuserismanaged=False)
assert unmanaged_success, f"Unable to changed managed proxy user to un managed for Unix: {hostname}. API " \
f"response result: {result}"
logger.info(
f"Managed proxy account {accountuser['Name']} changed to 'Un managed' for {hostname}"
)
def test_delete_accounts(core_session, pas_config, remote_users_qty1,
cleanup_resources):
"""
TC C283234: Delete accounts.
:param cleanup_resources: cleanup for systems.
:param core_session: Authenticates API session
:param pas_config: returns yaml object
:param remote_users_qty1: Creates account in target system.
:param cleanup_resources:clean up system.
"""
# Clean up system
systems_list = cleanup_resources[0]
# Getting system details.
sys_name = f"{'Win-2012'}{guid()}"
sys_details = pas_config
sys_fqdn = sys_details['Windows_infrastructure_data']['FQDN']
add_user_in_target_system = remote_users_qty1
user_password = '******'
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, sys_fqdn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
systems_list.append(add_sys_result)
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
# Delete Account.
del_account_result, del_account_success = ResourceManager.del_account(
core_session, acc_result)
assert del_account_success, f'Failed to delete account:API response result:{del_account_result}'
logger.info(f"Successfully deleted account:{del_account_result}")
# Getting deletion activity.
sys_activity = ResourceManager.get_system_activity(core_session,
add_sys_result)
assert f'{core_session.auth_details["User"]} deleted local account "{add_user_in_target_system[0]}" for' \
f' "{sys_name}"({sys_fqdn}) with credential type Password' in \
sys_activity[0]['Detail'], f"Failed to get the delete account activity:API response result:{sys_activity}"
logger.info(
f"Successfully found deletion activity in system activity:{sys_activity}"
)
def test_add_system_with_root_with_managed_proxy_account(
core_session, unix_machine_environment_config,
cleanup_resources_with_admin, cleanup_accounts, create_unix_users,
ssh_session_as_root):
"""
Test case : C279340
:param ssh_session_as_root: session to create a user_account in unix
:param cleanup_accounts: to delete all accounts
:param cleanup_resources_with_admin: to delete the all the systems from portal
:param unix_machine_environment_config: to get the unix system details
:param core_session: Centrify session manager
:param create_unix_users: fixture that provide created unix system data
"""
systems_list = cleanup_resources_with_admin
accounts_list = cleanup_accounts[0]
conf = unix_machine_environment_config
hostname = conf['host'] + "_" + Util.random_string(5)
# add users on target system
users = create_unix_users(ssh_session_as_root, "manage-unix", 2)
logger.info("Users created " + str(len(users)))
proxy_user = users[0]
accountuser = users[1]
new_system_id, add_system_success = ResourceManager.add_system(
core_session, hostname, conf["ipaddress"], "Unix", "Ssh",
"Unix system")
assert add_system_success, "Add System Failed"
logger.info(f"Added system Id {new_system_id}")
systems_list.append(new_system_id)
# Update system with proxy user
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
new_system_id,
hostname,
conf["ipaddress"],
'Unix',
proxyuser=proxy_user['Name'],
proxyuserpassword=proxy_user['Password'],
proxyuserismanaged=True)
assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
admin_account_id, add_account_success = ResourceManager.add_account(
core_session, accountuser['Name'], accountuser['Password'],
new_system_id)
assert add_account_success, "Failed to create Account user: root"
logger.info(f"Added root Account. Id {admin_account_id}")
accounts_list.append(admin_account_id)
# Get computer details for update
result = RedrockController.get_system(core_session, new_system_id)
system = result[0]["Row"]
is_managed = system['ProxyUserIsManaged']
assert is_managed, f"Added account is not managed account"
def test_add_managed_account(core_session, unix_machine_environment_config,
ssh_session_as_root, create_unix_users,
cleanup_resources_with_admin, cleanup_accounts):
"""
Test case: C279345
:param core_session: Centrify session
:param ssh_session_as_root: session to create a user_account in unix
:param cleanup_accounts: to delete all accounts
:param cleanup_resources_with_admin: to delete the all the systems from portal
:param unix_machine_environment_config: to get the unix system details
:param create_unix_users: add system with account and yeild system ID, account ID, and system information
"""
systems_list = cleanup_resources_with_admin
accounts_list = cleanup_accounts[0]
conf = unix_machine_environment_config
hostname = conf['host'] + "_" + Util.random_string(5)
# add users on target system
users = create_unix_users(ssh_session_as_root, "manage-unix", 1)
logger.info("Users created " + str(len(users)))
accountuser = users[0]
new_system_id, add_system_success = ResourceManager.add_system(
core_session, hostname, conf["ipaddress"], "Unix", "Ssh",
"Unix system")
assert add_system_success, "Add System Failed"
logger.info(f"Added system Id {new_system_id}")
systems_list.append(new_system_id)
admin_account_id, add_account_success = ResourceManager.add_account(
core_session,
accountuser['Name'],
accountuser['Password'],
new_system_id,
ismanaged=True)
assert add_account_success, "Failed to create Account user: root"
logger.info(f"Added root Account. Id {admin_account_id}")
accounts_list.append(admin_account_id)
# Fetching account information to validate desired account is managed or not
result, status = ResourceManager.get_account_information(
core_session, admin_account_id)
assert status, f"failed to retrieve account information, returned result is {result}"
is_managed = result['VaultAccount']['Row']['IsManaged']
assert is_managed, "Added account is not managed account"
def test_add_account_without_configuration_proxy_account(
core_session, pas_config):
"""
TC:C2212 Add account without configuration proxy account.
:param core_session: Returns a API session.
:param pas_config: Read yaml data.
"""
# Adding a system without proxy.
payload_data = pas_config['Windows_infrastructure_data']
system_name = f'{payload_data["system_name"]}{guid()}'
added_system_id, system_success_status = ResourceManager.add_system(
core_session, system_name, payload_data['FQDN'],
payload_data['system_class'], payload_data['session_type'],
payload_data['description'])
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.info(f'Successfully created system:{added_system_id}')
# Validating that no proxy account has added to the system.
system_details = RedrockController.get_computer_with_ID(
core_session, added_system_id)
assert system_details['ProxyUser'] is None, \
f'Expect proxy account none in computer info but found one: {system_details} '
logger.info(
"Successfully do not found 'Use proxy account' in on pop-up box.")
def test_cloud_admin_login_from_my_system_account(core_session, pas_config,
core_admin_ui,
cleanup_accounts,
cleanup_resources,
remote_users_qty1):
"""
Test case: C14831
:param core_session: centrify session
:param core_admin_ui: Centrify UI session
"""
maximum_event_wait_time = 120
account_list = cleanup_accounts[0]
system_list = cleanup_resources[0]
systems = ServerManager.get_all_resources(core_session)
accounts = ServerManager.get_all_accounts(core_session)
for system in systems:
system_list.append(system['ID'])
for account in accounts:
account_list.append(account['ID'])
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
user_password = '******'
sys_details = pas_config
add_user_in_target_system = remote_users_qty1
fdqn = sys_details['Windows_infrastructure_data']['FQDN']
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, fdqn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
accounts_list.append(acc_result)
ui = core_admin_ui
admin_user_uuid = UserManager.get_user_id(
core_session, ui.user.centrify_user["Username"])
# assigning cloud admin workspace login permission
rights = "View,Login,UserPortalLogin"
result, status = ResourceManager.assign_account_permissions(
core_session,
rights,
ui.user.centrify_user["Username"],
admin_user_uuid,
pvid=acc_result)
assert status, f'failed to assign {rights} permission to cloud admin {ui.user.centrify_user["Username"]}.' \
f'returned result is: {result}'
# Updating allow remote to enable RDP session for targeted system
result, success = ResourceManager.update_system(core_session,
add_sys_result,
sys_name,
fdqn,
"Windows",
allowremote=True)
assert success, f'failed to assign rdp policy to account {add_user_in_target_system[0]} of system {sys_name}'
ui.navigate(('Workspace', 'My System Accounts'))
ui.expect(
GridRow(sys_name),
f'Expected to find system {sys_name} in My System Account but did not')
ui.right_click_action(GridRow(sys_name), 'Login')
ui.switch_to_pop_up_window()
ui.expect_disappear(
LoadingMask(),
'Error occurred while launching workspace login session',
time_to_wait=250)
ui.switch_to_main_window()
# wait for manged password change event
filter = [['AccountName', add_user_in_target_system[0]]]
RedrockController.wait_for_event_by_type_filter(
core_session,
"Cloud.Server.LocalAccount.RDPSession.Start",
filter=filter,
maximum_wait_second=maximum_event_wait_time) # wait for 20 seonds
# Api call to get details of account active session
status, result = ResourceManager.get_my_active_sessions(
core_session, acc_result)
assert status, f'failed to retrieve details for active account session data, return result is {result}'
logger.info(
f'details for active account {add_user_in_target_system[0]} are {result}'
)
ui.navigate('Resources', 'Systems')
ui.search(sys_name)
ui.expect(GridRowByGuid(add_sys_result),
expectation_message=
f'failed to search for the system by id {add_sys_result}')
ui.click_row(GridRowByGuid(add_sys_result))
# fetching Active session value from system view page
ui.inner_text_of_element(ActiveSessionTextCount(),
expectation_message='1',
warning_message="RDP Not taken from user")
logger.info(f'Active session value incremented to 1: Active Sessions:1')
def test_settings_Policy_page(core_session, pas_config, remote_users_qty1,
cleanup_resources, cleanup_accounts,
core_admin_ui):
"""C2541 Settings on Policy page
trying to get rdp through system account with in 15 minute
Steps:
Pre: Create system with 1 account hand
1. Try to take rdp for system
-Assert Failure
2. Try to checkout password for account
-Assert Failure
"""
core_ui = core_admin_ui
user_name = core_ui.get_user().get_login_name()
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
user_password = '******'
sys_details = pas_config
add_user_in_target_system = remote_users_qty1
fdqn = sys_details['Windows_infrastructure_data']['FQDN']
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, fdqn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
success, response = ResourceManager.update_system(core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
allowremote=True,
defaultcheckouttime=15)
assert success, f"failed to change the management mode:API response result:{response}"
logger.info(f"Successfully updated the system:{add_sys_result}")
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
accounts_list.append(acc_result)
core_ui.navigate('Resources', 'Accounts')
core_ui.search(add_user_in_target_system[0])
core_ui.right_click_action(GridRowByGuid(acc_result), 'Login')
core_ui.switch_to_pop_up_window()
core_ui.expect_disappear(
LoadingMask(),
f'RDP session never exited loading state for system {sys_name}',
time_to_wait=50)
core_ui.switch_to_main_window()
row = ResourceManager.get_system_activity(core_session, add_sys_result)
assert f'{user_name} logged into system "{sys_name}"({fdqn}) from "web" using local account ' \
f'"{add_user_in_target_system[0]}"' in row[0]['Detail'], "user not able to take rdp"
password_checkout_result, password_checkout_success = \
ResourceManager.check_out_password(core_session, 1, accountid=acc_result)
new_cid = password_checkout_result['COID']
assert password_checkout_result['Password'] is not user_password, \
f"expected password equal to actual password: {password_checkout_result}"
logger.info(f"password successfully checkout Account password: {new_cid}")
def test_system_local_account_level(core_session, pas_config,
remote_users_qty1, cleanup_accounts,
cleanup_resources):
"""
TC C282671: System Local Account Level.
:param cleanup_resources: cleanup for systems.
:param core_session: Authenticates API session
:param pas_config: returns yaml object
:param remote_users_qty1: Creates account in target system.
:param cleanup_accounts: cleanup for account.
"""
systems_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f"{'Win-2012'}{guid()}"
sys_details = pas_config
sys_fqdn = sys_details['Windows_infrastructure_data']['FQDN']
add_user_in_target_system = remote_users_qty1
user_password = '******'
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, sys_fqdn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
systems_list.append(add_sys_result)
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
accounts_list.append(acc_result)
# Setting the lifetime checkout for account to 15 min.
default_checkout_lifetime = 15
updated_account_result, update_account_success = \
ResourceManager.update_account(core_session,
acc_result,
add_user_in_target_system[0],
host=add_sys_result,
default_checkout_time=default_checkout_lifetime)
assert update_account_success, f"Failed to add default checkout time: API response result:{updated_account_result}"
logger.info(
f'Successfully added default checkout time: {updated_account_result}"')
# Setting the lifetime checkout for system to 60 min.
updated_sys_result, update_sys_success = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
sys_fqdn,
'Windows',
defaultcheckouttime=60)
assert update_sys_success, f"Failed to add default checkout time: API response result:{updated_account_result}"
logger.info(
f'Successfully added default checkout time: {updated_sys_result}"')
# Checking the default account password set to default ie 60 min.
default_account_password_chk_lifetime = 60
results, success = ServerManager.get_server_settings(core_session,
key='policy')
assert results['DefaultCheckoutTime'] == default_account_password_chk_lifetime, \
f"account password checkout lifetime is not {default_account_password_chk_lifetime} "
# Checkout account.
checkout_result, checkout_success = ResourceManager.check_out_password(
core_session, 15, acc_result)
assert checkout_success, f"Fail to checkout account : {acc_result} : API response " \
f"result: {checkout_result}"
logger.info(f"Successfully checked account : {checkout_result}")
# Checking the checkout in the workspace and validating the checkout lifetime.
checkout_remaining_time = str(default_checkout_lifetime - 1)
checkout_accounts = RedrockController.get_password_checkout_from_workspace(
core_session, core_session.auth_details['UserId'])
for checkout_account in checkout_accounts:
if checkout_account['ID'] == checkout_result['COID']:
assert checkout_account['Remaining'].split()[0] == checkout_remaining_time,\
f"Fail to find the remaining checkout time equal to {checkout_remaining_time} "
logger.info(
" Successfully found the checkout activity in workspace.")
# Trying to checkout once again,expecting a null checkout ID.
failed_checkout_result, failed_checkout_success = ResourceManager.check_out_password(
core_session, 15, acc_result)
assert failed_checkout_result['COID'] is None, f"checkout account ID generated for : " \
f"{add_user_in_target_system[0]}:" \
f"API response result: {failed_checkout_result}"
logger.info(f"Check in option is action enable : {failed_checkout_result}")
# Checking out checkout activity.
acc_activity = RedrockController.get_account_activity(
core_session, acc_result)
assert f'{core_session.auth_details["User"]} checked out local account "{add_user_in_target_system[0]}" password ' \
f'for system "{sys_name}"({sys_fqdn})' in \
acc_activity[0]['Detail'], f"no activity of checkout found for account {add_user_in_target_system[0]}"
logger.info(
f"There is a checkout record for the account {add_user_in_target_system[0]} in activity"
)
def test_add_account_existing_system(core_session, pas_config,
remote_users_qty1, test_proxy,
cleanup_resources, cleanup_accounts):
"""
TC: C2575 - Add managed account to existing system
trying to Add managed account to existing system
Steps:
Pre: Create system with 1 proxy and manage account hand
1. Try to checkout password
-Assert Failure
2. Try to check activity of manage account
-Assert Failure
"""
user_details = core_session.__dict__['auth_details']
user_name = core_session.get_user().get_login_name()
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
user_password = '******'
sys_details = pas_config
add_user_in_target_system = remote_users_qty1
fdqn = sys_details['Windows_infrastructure_data']['FQDN']
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, fdqn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
rights = "Owner,View,Manage,Delete,Login,Naked,RotatePassword,FileTransfer"
result, success = ResourceManager.assign_account_permissions(
core_session,
rights,
user_details['User'],
user_details['UserId'],
pvid=acc_result)
assert success, f"Did not rotate password, API response: {result}"
# Update system with management mode 'Smb'.
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
managementmode='Smb')
assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
res, success = ResourceManager.rotate_password(core_session, acc_result)
assert success, f"Failed to add account in the portal: {res}"
result, success = ResourceManager.check_out_password(
core_session, 1, acc_result)
assert result['Password'] != "Hello123", \
f"password checkout Failed. API response result: {result}"
logger.info(
f"password successfully checkout Account password: {result['COID']}")
row = ResourceManager.get_system_activity(core_session, add_sys_result)
assert f'{user_name} checked out local account "{add_user_in_target_system[0]}" ' \
f'password for system "{sys_name}"({fdqn})' in row[0]['Detail'], \
"Did not retrieve the activity of rotate password"
logger.info(f"User able to get the activity logs: {row[0]['Detail']}")
accounts_list.append(acc_result)
def test_pe_can_execute_priv_command_sys_asmnt_on_user(
core_session, setup_generic_pe_command_with_no_rules, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Unix",
sessiontype="Ssh")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
commandName, commandID = setup_generic_pe_command_with_no_rules
# Get Admin info
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add assignment
asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="User",
principal=admin_user_name,
scopeType="System",
scope=added_system_id,
principalId=admin_user_id,
bypassChallenge=True)
asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=asmnt_info['ScopeType'],
scope=asmnt_info['Scope'],
principalType=asmnt_info['PrincipalType'],
principalID=asmnt_info['PrincipalId'],
byPassChallenge=True,
starts=asmnt_info['Starts'],
expires=asmnt_info['Expires'])
assert isSuccess, f"Adding assignment failed"
asmnt_info['ID'] = asmntID
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=admin_user_name,
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert len(results['PrivilegeElevationCommands']
) == 1, f"Only single command should exist {results}"
results_assignments = results['PrivilegeElevationCommands'][0][
'Assignments']
assert len(results_assignments
) == 1 and results['Granted'], f"Granted should be true"
PrivilegeElevation.check_can_execute_priv_command_results(
asmnt_info, results['PrivilegeElevationCommands']
[0]), f"All params not matching {results}"
#clean up
errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
core_session, asmntID)
assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_rotate_password(core_session, pas_config, remote_users_qty3,
test_proxy, cleanup_resources, cleanup_accounts):
"""
TC: C2577 - Rotate Password for managed account
trying to Rotate Password for managed account
Steps:
Pre: Create system with 1 proxy and manage account hand
1. Try to rotate password
-Assert Failure
2. Try to check activity of manage account
-Assert Failure
"""
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
user_name = core_session.get_user().get_login_name()
sys_name = f'{"Win-2012"}{guid()}'
user_password = '******'
sys_details = pas_config
add_user_in_target_system = remote_users_qty3
fdqn = sys_details['Windows_infrastructure_data']['FQDN']
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, fdqn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
# Update system with proxy user
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
proxyuser=add_user_in_target_system[1],
proxyuserpassword=user_password,
proxyuserismanaged=True)
assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
# Update system with management mode 'Smb'.
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
managementmode='Smb')
assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
result, success = ResourceManager.rotate_password(core_session, acc_result)
assert success, f"Did not rotate password, API response: {result}"
logger.info(f"User able to rotate the password: {result}")
row = ResourceManager.get_system_activity(core_session, add_sys_result)
assert f'{user_name} rotated local account "{add_user_in_target_system[0]}" credential for "{sys_name}"({fdqn})' \
in row[0]['Detail'], "Did not retrieve the activity of rotate password"
logger.info(f"User able to get the activity: {row[0]['Detail']}")
accounts_list.append(acc_result)
def test_update_manage_account_win_rm(pas_config, winrm_engine, core_session,
remote_users_qty1, cleanup_accounts,
test_proxy, cleanup_resources):
"""
:param pas_config: to get the data from yaml files.
:param remote_users_qty1: to create a manage account in windows system
:param cleanup_resources: cleanup the system from portal
:param cleanup_accounts: cleanup the accounts from portal
:param winrm_engine: session to update manage account
:param core_session: Authenticated Centrify Session.
TC: C2551 - Update managed account password with winRM https configured
trying to Update managed account password with winRM https configured
Steps:
Pre: Create system with 1 proxy and manage account hand
1. Try to update invalid password for manage account
-Assert Failure
"""
sys_details = pas_config
system_data_values = sys_details['Windows_infrastructure_data']
add_user_in_target_system = remote_users_qty1
password = "******"
# set a different password for the user
update_user_password(winrm_engine, add_user_in_target_system[0], password)
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, system_data_values['FQDN'], 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
# Update system with management mode 'WinRMOverHttp'.
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
system_data_values['FQDN'],
'Windows',
managementmode='WinRMOverHttps')
assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
accounts_list.append(acc_result)
managementMode = RedrockController.get_computer_with_ID(
core_session, add_sys_result)
assert managementMode['ManagementMode'] == "WinRMOverHttps", \
f"management mode is failed because of system doesnt have proxy account. API response result: {managementMode}"
logger.info(
f"Fetch management mode successfully: {managementMode['ManagementMode']}"
)
Result, success = ResourceManager.update_password(core_session, acc_result,
guid())
assert success is False, f"Did not update password {Result}"
logger.info(f"user not able to update password API response: {Result}")
def test_Change_Account_managed(core_session, pas_config, remote_users_qty1,
detect_proxy):
"""
:param core_session: Authenticated Centrify Session.
:param pas_config: fixture reading data from resources_data.yaml file.
TC: C2544 - Change Account to be a managed account and verify password changed in 5 minutes
trying to validate the added manage Account password Activity log's
Steps:
1. Try to add a system along with an manage account
-Assert Failure
2. Try to check in the account password is rotated
-Assert Failure
3. Try to validate account activity log's
"""
user = core_session.get_user()
user_name = user.get_login_name()
sys_name = f"Automatedsystem{guid()}"
res_data = pas_config
user = remote_users_qty1
sys_result, status = ResourceManager.add_system(
core_session, sys_name,
res_data['Windows_infrastructure_data']['FQDN'], 'Windows', "Rdp")
assert status, f"failed to add system"
success, response = ResourceManager.update_system(
core_session,
sys_result,
sys_name,
res_data['Windows_infrastructure_data']['FQDN'],
'Windows',
managementmode='RpcOverTcp')
assert success, f"failed to change the management mode:API response result:{response}"
logger.info(f"Successfully updated the system:{response}")
account_id, status = ResourceManager.add_account(core_session, user[0],
'Hello123', sys_result)
assert status, f'failed to add account'
success, response = ResourceManager.update_account(core_session,
account_id,
user[0],
host=sys_result,
ismanaged=True)
assert success, f'Updating account failed. API response: {response}'
server_id = ResourceManager.wait_for_server_to_exist_return_id(
core_session, sys_name)
acc_id = ResourceManager.wait_for_account_to_exist_return_id(
core_session, user[0])
assert server_id == sys_result, "Server was not created"
assert acc_id == account_id, "Account was not created"
res, success = ResourceManager.rotate_password(core_session, account_id)
assert success, f"Failed to add account in the portal: {res}"
checkout_password, response = ResourceManager.check_out_password(
core_session, 1, accountid=account_id)
assert checkout_password[
'Password'] != 'Hello123', f'Checkout Password Failed. API response: {response}'
row = ResourceManager.get_system_activity(core_session, sys_result)
checkout_activity = row[0]['Detail']
created_date_json = str(row[0]['When'])
ResourceManager.get_date(created_date_json)
assert f'{user_name} checked out local account "{user[0]}" password for system "{sys_name}"' \
f'({res_data["Windows_infrastructure_data"]["FQDN"]})' == checkout_activity, "No system activity data "
logger.info(f"account activity list:{row}")
def test_update_manage_proxy_account(pas_config, core_session, winrm_engine,
remote_users_qty3, test_proxy,
cleanup_accounts, cleanup_resources):
"""
TC: C2549 - Update managed account with using proxy account
trying to Update managed account with using proxy account
Steps:
Pre: Create system with 1 proxy and manage account hand
1. Try to update invalid password for proxy account
-Assert Failure
2. Try to update valid password for proxy account
-Assert Failure
3. Try to check activity log's
-Assert Failure
4. Try to check password history
"""
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
sys_details = pas_config
add_user_in_target_system = remote_users_qty3
user_password = '******'
fdqn = sys_details['Windows_infrastructure_data']['FQDN']
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, fdqn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
# Update system with proxy user
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
proxyuser=add_user_in_target_system[1],
proxyuserpassword=user_password,
proxyuserismanaged=True)
assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
# Update system with proxy user password.
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
proxyuser=add_user_in_target_system[1],
proxyuserpassword=guid(),
proxyuserismanaged=True)
assert update_sys_result is False, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
accounts_list.append(acc_result)
# set a different password for the user
update_user_password(winrm_engine, add_user_in_target_system[1],
user_password)
user_name = core_session.get_user().get_login_name()
# rotate password for manage account
result, success = ResourceManager.rotate_password(core_session, acc_result)
assert success, f"Did not Rotate Password {result}"
logger.info(
f'account activity logs for un manage account API response:{result}')
result, success = ResourceManager.check_out_password(
core_session, 1, acc_result)
assert success, f"Did not retrieve password {result}"
logger.info(
f'account activity logs for un manage account API response:{result}')
row = ResourceManager.get_system_activity(core_session, add_sys_result)
assert f'{user_name} checked out local account "{add_user_in_target_system[0]}" ' \
f'password for system "{sys_name}"({fdqn})' in \
row[0]['Detail'], "user not able to update un managed account password"
logger.info(
f'account activity logs for un manage account API response:{row}')
query = f"select EntityId, State, StateUpdatedBy, StateUpdatedTime from PasswordHistory where EntityId=" \
f"'{acc_result}' and StateUpdatedBy='{user_name}' and State='Retired'"
password_history = RedrockController.get_result_rows(
RedrockController.redrock_query(core_session, query))[0]
assert len(
password_history
) > 0, f"Password history table did not update {password_history}"
logger.info(f'Password history table API response:{password_history}')
def test_pe_can_execute_priv_command_set_asmnt_on_non_sysadmin_role(
core_session, setup_generic_pe_command_with_no_rules,
create_manual_set, users_and_roles, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Unix",
sessiontype="Ssh")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
# Create Set and the system to this set
set_id = create_manual_set(core_session,
"Server",
object_ids=[added_system_id])['ID']
logger.debug(
f"Successfully created a set and added system to that set: {set_id}")
commandName, commandID = setup_generic_pe_command_with_no_rules
role = users_and_roles.populate_role({
'Name': "can_exec_role" + guid(),
"Rights": ["Admin Portal Login"]
})
# Get User
userobj = users_and_roles.populate_user({'Name': 'user' + guid()})
#Add user to role
users_and_roles.add_user_to_role(userobj, role)
# Add assignment
asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Role",
principal=role['Name'],
scopeType="Collection",
scope=set_id,
principalId=None,
bypassChallenge=True)
asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=asmnt_info['ScopeType'],
scope=asmnt_info['Scope'],
principalType=asmnt_info['PrincipalType'],
principal=asmnt_info['Principal'],
byPassChallenge=True,
starts=asmnt_info['Starts'],
expires=asmnt_info['Expires'])
assert isSuccess, f"Adding assignment failed"
asmnt_info['ID'] = asmntID
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=userobj.get_login_name(),
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert len(results['PrivilegeElevationCommands']
) == 1, f"Only single command should exist {results}"
results_assignments = results['PrivilegeElevationCommands'][0][
'Assignments']
assert len(results_assignments
) == 1 and results['Granted'], f"Granted should be true"
PrivilegeElevation.check_can_execute_priv_command_results(
asmnt_info, results['PrivilegeElevationCommands']
[0]), f"All params not matching {results}"
#clean up
errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
core_session, asmntID)
assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_add_manage_account_with_proxy_account(core_session, pas_config,
remote_users_qty3,
cleanup_resources,
cleanup_accounts, test_proxy):
"""
TC: C2574 - Add system with managed account using proxy account
trying to Add system with managed account using proxy account
Steps:
Pre: Create system with 1 proxy and manage account hand
1. Try to checkout password
-Assert Failure
2. Try to check activity of manage account
-Assert Failure
"""
user_name = core_session.get_user().get_login_name()
logger.info(f'core sessoin user {core_session.get_user()}')
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
user_password = '******'
sys_details = pas_config
add_user_in_target_system = remote_users_qty3
fdqn = sys_details['Windows_infrastructure_data']['FQDN']
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, fdqn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
# Update system with proxy user
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
proxyuser=add_user_in_target_system[1],
proxyuserpassword=user_password,
proxyuserismanaged=True)
assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
# Update system with management mode 'Smb'.
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
managementmode='Smb')
assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
server_id = ResourceManager.wait_for_server_to_exist_return_id(
core_session, sys_name)
acc_id = ResourceManager.wait_for_account_to_exist_return_id(
core_session, add_user_in_target_system[0])
assert server_id == add_sys_result, "Server was not created"
assert acc_id == acc_result, "Account was not created"
res, success = ResourceManager.rotate_password(core_session, acc_result)
assert success, f"Failed to add account in the portal: {res}"
result, success = ResourceManager.check_out_password(
core_session, 1, acc_result)
assert result['Password'] != "Hello123", \
f"password checkout Failed. API response result: {result}"
logger.info(
f"password successfully checkout Account password: {result['COID']}")
row = ResourceManager.get_system_activity(core_session, add_sys_result)
assert f'{user_name} checked out local account "{add_user_in_target_system[0]}" ' \
f'password for system "{sys_name}"({fdqn})' in row[0]['Detail'], \
"Did not retrieve the activity of rotate password"
logger.info(f"User able to get the activity logs: {row[0]['Detail']}")
accounts_list.append(acc_result)
def test_pe_can_execute_priv_command_set_asmnt_on_adgroup(
core_session, setup_user_in_ad_group,
setup_generic_pe_command_with_no_rules_all_OS, create_manual_set,
users_and_roles, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Windows",
sessiontype="Rdp")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
# Create Set and the system to this set
set_id = create_manual_set(core_session,
"Server",
object_ids=[added_system_id])['ID']
logger.debug(
f"Successfully created a set and added system to that set: {set_id}")
commandName, commandID = setup_generic_pe_command_with_no_rules_all_OS
aduser, _, adgroup = setup_user_in_ad_group
if adgroup is None:
pytest.skip("Cannot create adgroup")
# Add assignment
asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Group",
principal=adgroup['DisplayName'],
scopeType="Collection",
scope=set_id,
principalId=None,
bypassChallenge=True)
asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=asmnt_info['ScopeType'],
scope=asmnt_info['Scope'],
principalType=asmnt_info['PrincipalType'],
principal=asmnt_info['Principal'],
byPassChallenge=True,
starts=asmnt_info['Starts'],
expires=asmnt_info['Expires'])
assert isSuccess, f"Adding assignment failed"
asmnt_info['ID'] = asmntID
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=aduser['SystemName'],
system=sys_name,
command="sc stop cagent")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert len(results['PrivilegeElevationCommands']
) == 1, f"Only single command should exist {results}"
results_assignments = results['PrivilegeElevationCommands'][0][
'Assignments']
assert len(results_assignments
) == 1 and results['Granted'], f"Granted should be true"
PrivilegeElevation.check_can_execute_priv_command_results(
asmnt_info, results['PrivilegeElevationCommands']
[0]), f"All params not matching {results}"
#clean up
errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
core_session, asmntID)
assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_add_root_using_managed_password(
core_session, unix_machine_environment_config, ssh_session_as_root,
create_unix_users, cleanup_resources_with_admin, cleanup_accounts):
"""
Test case C283102: Add system with root using managed proxy account
:param core_session: Authorised centrify session.
:param ssh_session_as_root: session to create a user_account in unix
:param cleanup_accounts: cleanup all accounts
:param cleanup_resources_with_admin: to delete the all the systems from portal
:param unix_machine_environment_config: to get the unix system details
:param create_unix_users: add system with account and yield system ID, account ID, and system information
"""
# Getting yaml data.
systems_list = cleanup_resources_with_admin
accounts_list = cleanup_accounts[0]
conf = unix_machine_environment_config
hostname = conf['host'] + "_" + Util.random_string(5)
# add users on target system.
users = create_unix_users(ssh_session_as_root, "manage-unix", 1)
logger.info("Users created " + str(len(users)))
proxy_user = users[0]
# Adding system with managed proxy.
new_system_id, add_system_success = ResourceManager.add_system(
core_session,
hostname,
conf["ipaddress"],
"Unix",
"Ssh",
"Unix system",
proxyuserismanaged=True,
proxyuser=proxy_user['Name'],
proxyuserpassword=proxy_user['Password'])
assert add_system_success, f"Failed to add system with managed proxy:API response result:{new_system_id}"
logger.info(f"Successfully added with managed proxy: {new_system_id}")
systems_list.append(new_system_id)
# Adding local account to the system.
admin_account_id, add_account_success = ResourceManager.add_account(
core_session,
'root',
conf['rootpassword'],
new_system_id,
ismanaged=False)
assert add_account_success, f"Failed to add root user:API response result:{admin_account_id}"
logger.info(
f"Successfully added root account to the system: {admin_account_id}")
accounts_list.append(admin_account_id)
# checking added system in the system list.
computer_lists = RedrockController.get_computers(core_session)
for computer_detail in computer_lists:
if computer_detail['ID'] == new_system_id:
assert computer_detail['Name'] == hostname, f'Failed to found created system in the list:' \
f'API response result:{computer_lists}'
logger.info(
f"Successfully found created system in the list:{computer_lists}"
)
break
def test_checkout_password(core_session, pas_config, cleanup_resources,
cleanup_accounts, remote_users_qty1):
"""TC C2554 - Checkout password for a windows managed account from Accounts page
trying to Checkout password for a windows managed account from Accounts page
Steps:
Pre: Create system with 1 manage account hand
1. Try to Checkout password for an account
-Assert Failure
2. Try to check my password checkouts in workspace
-Assert Failure
"""
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
user_password = '******'
sys_details = pas_config
add_user_in_target_system = remote_users_qty1
fdqn = sys_details['Windows_infrastructure_data']['FQDN']
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, fdqn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
success, response = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
managementmode='RpcOverTcp')
assert success, f"failed to change the management mode:API response result:{response}"
logger.info(f"Successfully updated the system:{add_sys_result}")
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
server_id = ResourceManager.wait_for_server_to_exist_return_id(
core_session, sys_name)
acc_id = ResourceManager.wait_for_account_to_exist_return_id(
core_session, add_user_in_target_system[0])
assert server_id == add_sys_result, "Server was not created"
assert acc_id == acc_result, "Account was not created"
res, success = ResourceManager.rotate_password(core_session, acc_result)
assert success, f"Failed to add account in the portal: {res}"
password_checkout_result, password_checkout_success = \
ResourceManager.check_out_password(core_session, 1, accountid=acc_result)
assert password_checkout_result['Password'] != user_password, \
f"expected password equal to actual password: {password_checkout_result}"
logger.info(
f"password successfully checkout Account password: {password_checkout_result}"
)
my_password_checkout = RedrockController.get_total_checkouts(core_session)
created_date_json = str(my_password_checkout[0]['LoanDate'])
ResourceManager.get_date(created_date_json)
check_out_details = []
for i in my_password_checkout:
if i['Summary'] in f'{add_user_in_target_system[0]} ({sys_name})':
check_out_details.append(i['Summary'])
assert check_out_details[0] == f'{add_user_in_target_system[0]} ({sys_name})',\
"fail to checkout password from workspace"
logger.info(
f"password successfully checkout Account password::{my_password_checkout}"
)
accounts_list.append(acc_result)
password_check_in_result, password_check_in_success = ResourceManager.check_in_password(
core_session, coid=password_checkout_result['COID'])
assert password_check_in_success, f"password check-in Failed. API response result: {password_check_in_result}"
logger.info(
f"password successfully check in for account: {add_user_in_target_system[0]}"
)
