def test_mfa_on_closest_parent_should_override_mfa_on_higher_levels(
core_session, pas_general_secrets, cleanup_secrets_and_folders,
clean_up_policy, core_session_unauthorized):
"""
C2982: MFA on closest parent should override MFA on higher levels
1) Create a multilevel folder "Folder/Subfolder/secretName"
2) Assign different MFA to parent(Folder) & Nested Folder(Subfolder)
3) Verify secretName inherits challenge of subfolder
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folder created
:param clean_up_policy: Fixture to cleanup the policy created
:param core_session_unauthorized: Fixture to start authentication MFA
"""
folder_list = cleanup_secrets_and_folders[1]
secrets_list = cleanup_secrets_and_folders[0]
folder_params = pas_general_secrets
suffix = guid()
folder_name = folder_params['folder_name_with_frwdslashes'] + suffix
# creating multilevel folder "Folder/Subfolder/secretName"
added_secret_success, details, secret_id = create_text_secret(
core_session, folder_name, folder_params['secret_text'])
assert added_secret_success, "Added Multilevel folder Failed,API response result: {secret_id} "
logger.info(f'Added Multilevel folder info: {details, secret_id}')
secrets_list.append(secret_id)
# Getting details of the secret
found_secret = get_secret(core_session, secret_id)
assert found_secret['success'], \
f'Failed to get the details of the secret, API response result:{found_secret["Message"]}'
logger.info(f'Getting details of the secret: {found_secret}')
nested_folder_id = found_secret['Result']['FolderId']
nested_folder_path = found_secret['Result']['ParentPath']
parent_folder_list = nested_folder_path.split('\\')
parent_folder_name = parent_folder_list[0]
# Getting details of Parent Folder
parent_folder = get_folder(core_session, nested_folder_id)
parent_folder_id = parent_folder["Result"]["Results"][0]["Row"]["Parent"]
nested_folder_name = parent_folder["Result"]["Results"][0]["Row"][
"SecretName"]
logger.info(f'Parent Folder details: {parent_folder}')
if folder_list != []:
folder_list[0] = nested_folder_id
folder_list[1] = parent_folder_id
else:
folder_list.append(nested_folder_id)
folder_list.append(parent_folder_id)
challenges = ["UP", ""]
challenges_v2 = ["UP,EMAIL", ""]
# Creating new policy with Password
policy_result = PolicyManager.create_new_auth_profile(
core_session, folder_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Creating new policy with Password & Email
policy_result_email = PolicyManager.create_new_auth_profile(
core_session, folder_params['policy_name'] + "V2" + suffix,
challenges_v2, 0, 0)
assert policy_result_email, f'Failed to create another policy, API response result:{policy_result_email}'
logger.info(f' Creating another policy:{policy_result_email}')
clean_up_policy.append(policy_result_email)
# Applying MFA on Nested Folder
result = update_folder(core_session,
nested_folder_id,
nested_folder_name,
nested_folder_name,
description=folder_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Not Able to apply MFA on Nested folder, API response result: {result["Message"]} '
logger.info(f'MFA Applied on Nested Folder: {result}')
# Applying MFA on Parent Folder
result = update_folder(core_session,
parent_folder_id,
parent_folder_name,
parent_folder_name,
description=folder_params['mfa_folder_description'],
policy_id=policy_result_email)
assert result[
'success'], f'Not Able to apply MFA on parent folder, API response result: {result["Message"]} '
logger.info(f'MFA Applied on Parent Folder: {result}')
user = core_session.get_user()
user_name = user.get_login_name()
password = user.get_password()
# MFA Authentication starts on the secret to be replaced
mfa_authentication = core_session_unauthorized.start_authentication(
user_name)
result = mfa_authentication.json()['Result']
success = mfa_authentication.json()['success']
assert success, f'Failed to start MFA Authentication on the secret to be replaced, API response result:{result}'
challenge_value = result['Challenges'][0]['Mechanisms'][0]['Name']
assert challenge_value == 'UP', f'Challenge "Password" is not set, API response result:{result}'
logger.info(
f'MFA Authentication applies for closest parent,Password Only:{mfa_authentication.json()}'
)
# Advance MFA Authentication starts on the secret to be replaced
up_result = core_session_unauthorized.advance_authentication(
password, challenge_index=0, mechanism_name='UP')
mfa_result = up_result.json()
assert mfa_result[
'success'], f'Failed to respond to challenge, API response result:{mfa_result["Result"]}'
logger.info(
f'MFA applies for closest parent,popups before secret gets replaced: {mfa_result}'
)
# Replacing the text of the secret
result = update_secret(core_session,
secret_id,
folder_params['mfa_secret_name_update'] + suffix,
secret_text=folder_params['secret_text_replaced'])
assert result[
'success'], f'Not Able to replace the text of the secret, API response result:{result["Message"]} '
logger.info(f'Secret gets replaced: {result}')
# Removing MFA from Nested folder
result = update_folder(core_session,
nested_folder_id,
nested_folder_name,
nested_folder_name,
description=folder_params['mfa_folder_description'])
assert result[
'success'], f'Not Able to remove mfa from folder, API response result:: {result["Message"]} '
logger.info(f'Removing mfa from folder: {result}')
# Removing MFA from Parent folder
result = update_folder(core_session,
parent_folder_id,
parent_folder_name,
parent_folder_name,
description=folder_params['mfa_folder_description'])
assert result[
'success'], f'Not Able to remove mfa from folder, API response result:: {result["Message"]} '
logger.info(f'Removing mfa from folder: {result}')
# Getting details of the Secret Replaced
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session, secret_id)
assert get_secret_text == folder_params['secret_text_replaced'], \
f'Failed to replace the secret, API response result: {get_secret_success}'
logger.info(f'Details of the secret Replaced: {get_secret_details}')
def test_user_type_parameter(core_session, cleanup_accounts, cleanup_reports):
"""
TCID: C6341 Create report with User type parameter required
:param core_session: Centrify Authentication session
"""
user_list = cleanup_accounts[2]
session_user = core_session.__dict__
display_name_1 = session_user['auth_details']['DisplayName']
user_create_data = Configs.get_test_node('platform_report_data',
'automation_main')
prefix = user_create_data['prefix']
user_alias = core_session.auth_details['User'].split('@')[1]
user_name_2 = prefix + guid() + "@" + user_alias
user_props = {
"Mail": user_create_data['user_email'],
"Password": user_create_data['password'],
"PasswordNeverExpire": True,
"DisplayName": user_create_data['display_name'],
"Username": user_name_2,
"Name": user_name_2
}
success, result_user_2 = UserManager.create_user_with_args(
core_session, user_props)
assert success, f'Failed to create an user:{result_user_2}'
logger.info(f'Successfully created an user:{result_user_2}')
reports = Reports(core_session, pop_prefix_base)
report = reports.create_report({
"Name":
"report_A",
"Query":
"select Username, LastLogin from user where DisplayName= @userNM",
"Parameters": [{
"Type": "User",
"Name": "userNM",
"Label": "Input searched username",
"ObjectProperty": "DisplayName"
}]
})
assert report, f'Failed to create the report:{report}'
logger.info(f'Successfully Created report: {report}')
# Actual result for all user list with display name same as session user display name.
# and this details will compare all the user from reports page
actual_script_1 = f'Select Username, LastLogin from user where DisplayName = "{display_name_1}"'
actual_user_list_1 = []
actual_result_1 = RedrockController.redrock_query(core_session,
actual_script_1)
for user in actual_result_1:
actual_user_list_1.append(user['Row'])
# Expected result for all users which user name same as session user display name and will assert the list
# of users of actual session user display name list
expected_result_1 = RedrockController.get_report_result_list_of_user(
core_session, "userNM", display_name_1, "Input searched username")
expected_user_list_1 = []
for expected_result in expected_result_1:
expected_user_list_1.append(expected_result['Row'])
assert expected_user_list_1 == actual_user_list_1, f'The report result list all users whose DisplayName is not ' \
f'same with selected users DisplayName:{actual_user_list_1}'
logger.info(f'The report result list all users whose DisplayName is '
f'same with selected users displayname:{expected_user_list_1}')
# Actual result for all user list with display name same as another user display name.
# and this details will compare all the user from reports page
actual_script_2 = f'Select Username, LastLogin from user where DisplayName = "{user_create_data["display_name"]}"'
actual_user_list_2 = []
actual_result_2 = RedrockController.redrock_query(core_session,
actual_script_2)
for user in actual_result_2:
actual_user_list_2.append(user['Row'])
# Expected result for all users which user name same as another user display name and will assert the list
# of users of actual another user display name list
expected_result_2 = RedrockController.get_report_result_list_of_user(
core_session, "userNM", user_create_data['display_name'],
"Input searched username")
expected_user_list_2 = []
for user in expected_result_2:
expected_user_list_2.append(user['Row'])
assert expected_user_list_2 == actual_user_list_2, f'The report result list all users whose DisplayName is not ' \
f'same with selected users DisplayName:{actual_user_list_2}'
logger.info(f'The report result list all users whose DisplayName is '
f'same with selected users displayname:{expected_user_list_2}')
# Delete the created user
user_list.append(result_user_2)
found_report = reports.get_report_by_name(core_session,
report['Name'] + ".report")
cleanup_reports.append(found_report['Path'])
def test_string_type_parameter(core_session, created_suffix, suffix_cleaner,
cleanup_accounts, cleanup_reports):
"""
TCID: C6340 Create report with String type parameter required
:param created_suffix: centrify Authentication Session
:param core_session: Fixture to add the suffix
:param suffix_cleaner: Fixture to delete the created suffix
:param cleanup_accounts: Fixture to delete the created user
:param cleanup_reports: Fixture to delete the created report
"""
user_list = cleanup_accounts[2]
user_create_data = Configs.get_test_node('platform_report_data',
'automation_main')
prefix = user_create_data['prefix']
user_alias = core_session.auth_details['User'].split('@')[1]
user_name_1 = prefix + guid() + "@" + user_alias
user_props = {
"Mail": user_create_data['user_email'],
"Password": user_create_data['password'],
"PasswordNeverExpire": True,
"Username": user_name_1,
"Name": user_name_1
}
success, result_user_1 = UserManager.create_user_with_args(
core_session, user_props)
assert success, f'Failed to create an user:{result_user_1}'
logger.info(f'Successfully created an user:{result_user_1}')
suffix_alias = created_suffix
user_name_2 = prefix + guid() + "@" + suffix_alias['alias']
user_props = {
"Mail": user_create_data['user_email'],
"Password": user_create_data['password'],
"PasswordNeverExpire": True,
"Username": user_name_2,
"Name": user_name_2
}
success, result_user_2 = UserManager.create_user_with_args(
core_session, user_props)
assert success, f'Failed to create an user:{result_user_2}'
logger.info(f'Successfully created an user:{result_user_2}')
reports = Reports(core_session, pop_prefix_base)
report = reports.create_report({
"Name":
"report_A",
"Query":
"select Username, "
"lastlogin from user where Username like @userNM",
"Parameters": [{
"Type": "string",
"Name": "userNM",
"Label": "Input searched username"
}]
})
assert report, f'Failed to create the report:{report}'
logger.info(f'Successfully Created report: {report}')
# All users whose username starts with prefix
sript_1 = f"select Username, lastlogin from user where Username like '{prefix}%'"
result_prefix = RedrockController.redrock_query(core_session, sript_1)
username_with_prefix = []
for username in result_prefix:
username_with_prefix.append(username['Row']['Username'])
for i in username_with_prefix:
assert i.startswith(
prefix
), f'The report result user list are not starting with {prefix}'
logger.info(
f'The report result list all users whose Username starts with: {username_with_prefix}'
)
# All users whose username ends with suffix
sript_2 = f"select Username, lastlogin from user where Username like '%{suffix_alias['alias']}'"
result_suffix = RedrockController.redrock_query(core_session, sript_2)
username_with_suffix = []
for username_suffix in result_suffix:
username_with_suffix.append(username_suffix['Row']['Username'])
for i in username_with_suffix:
assert i.endswith(
suffix_alias['alias']
), f'The report result user list are not ending with:{suffix_alias["alias"]}'
logger.info(
f'The report result list all users whose Username ends with: {username_with_prefix}'
)
# Delete created report, user and suffix
found_report = reports.get_report_by_name(core_session,
report['Name'] + ".report")
cleanup_reports.append(found_report['Path'])
user_list.append(result_user_2)
user_list.append(result_user_1)
suffix_cleaner.append(suffix_alias['alias'])
def test_both_source_and_destination_have_mfa(core_session,
pas_general_secrets,
create_secret_inside_folder,
create_secret_folder,
clean_up_policy):
"""
C284028: Both source and destination have MFA
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder"
:param create_secret_folder: Fixture to create Folder & yields folder related details
:param clean_up_policy: Fixture to clean up the policy created
"""
user_detail = core_session.__dict__
user_name = user_detail['auth_details']['User']
secrets_params = pas_general_secrets
suffix = guid()
folder_id_source, folder_name_source, secret_list = create_secret_inside_folder
secret_folder_details = create_secret_folder
folder_id_destination = secret_folder_details['ID']
folder_name_destination = secret_folder_details['Name']
challenges = ["UP", ""]
challenges_v2 = ["SQ", ""]
# creating a new Authentication profile
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# creating a new Authentication profile
policy_result_v2 = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + "v2" + suffix,
challenges_v2, 0, 0)
assert policy_result_v2, f'Failed to create policy, API response result:{policy_result_v2}'
logger.info(f' Creating new policy:{policy_result_v2}')
clean_up_policy.append(policy_result_v2)
# Applying MFA on Folder
result = update_folder(
core_session,
folder_id_source[0],
folder_name_source,
folder_name_source,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Applying MFA on Folder
result = update_folder(
core_session,
folder_id_destination,
folder_name_destination,
folder_name_destination,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result_v2)
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Move Folder with Mfa Authentication
result_folder_result = move_folder(core_session, folder_id_source[0],
folder_id_destination)
# StartChallenge MFA Authentication
session, mechanism = core_session.start_mfa_authentication(
user_name, result_folder_result['Result']['ChallengeId'])
# AdvanceAuthentication MFA to Password
advance_auth_result = core_session.advance_authentication(
answer=core_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
mfa_result = advance_auth_result.json()
assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
# After Authenticating of MFA move source folder with mfa to destination folder with mfa.
moved_success, moved_result = move_folder_by_using_mfa(
core_session,
folder_id_source[0],
target_folder_info=folder_id_destination,
ChallengeStateId=result_folder_result['Result']['ChallengeId'])
assert moved_success, f'Failed to verify Mfa challenged by source folder, API response result:{mfa_result} '
logger.info(
f'Successfully verified Mfa challenged by source folder: {moved_result}'
)
# Removing MFA on Folder
result = update_folder(
core_session,
folder_id_source[0],
folder_name_source,
folder_name_source,
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA, API response result: {result["Message"]} '
logger.info(f'Successfully removed MFA for folder: {result}')
# Removing MFA on Folder
result = update_folder(
core_session,
folder_id_destination,
folder_name_destination,
folder_name_destination,
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA, API response result: {result["Message"]} '
logger.info(f'Successfully removed MFA for folder: {result}')
def _make_one_server_get_name(session, mutable_list, ssh=False):
server_prefix = "bsd_tst_sys" + "-" + str(ResourceManager.time_mark_in_hours()) + "-" + guid()
if ssh:
batch1 = ResourceManager.add_multiple_ssh_systems_with_accounts(session, 1, 2, mutable_list, system_prefix=server_prefix)
else:
batch1 = ResourceManager.add_multiple_systems_with_accounts(session, 1, 2, mutable_list, system_prefix=server_prefix)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1])
names_of_servers = list(ResourceManager.get_multi_added_system_ids(session, all_systems).keys())
return server_prefix, names_of_servers, batch1.keys()
def test_pe_can_execute_priv_command_set_asmnt_on_adgroup(
core_session, setup_user_in_ad_group,
setup_generic_pe_command_with_no_rules_all_OS, create_manual_set,
users_and_roles, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Windows",
sessiontype="Rdp")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
# Create Set and the system to this set
set_id = create_manual_set(core_session,
"Server",
object_ids=[added_system_id])['ID']
logger.debug(
f"Successfully created a set and added system to that set: {set_id}")
commandName, commandID = setup_generic_pe_command_with_no_rules_all_OS
aduser, _, adgroup = setup_user_in_ad_group
if adgroup is None:
pytest.skip("Cannot create adgroup")
# Add assignment
asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Group",
principal=adgroup['DisplayName'],
scopeType="Collection",
scope=set_id,
principalId=None,
bypassChallenge=True)
asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=asmnt_info['ScopeType'],
scope=asmnt_info['Scope'],
principalType=asmnt_info['PrincipalType'],
principal=asmnt_info['Principal'],
byPassChallenge=True,
starts=asmnt_info['Starts'],
expires=asmnt_info['Expires'])
assert isSuccess, f"Adding assignment failed"
asmnt_info['ID'] = asmntID
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=aduser['SystemName'],
system=sys_name,
command="sc stop cagent")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert len(results['PrivilegeElevationCommands']
) == 1, f"Only single command should exist {results}"
results_assignments = results['PrivilegeElevationCommands'][0][
'Assignments']
assert len(results_assignments
) == 1 and results['Granted'], f"Granted should be true"
PrivilegeElevation.check_can_execute_priv_command_results(
asmnt_info, results['PrivilegeElevationCommands']
[0]), f"All params not matching {results}"
#clean up
errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
core_session, asmntID)
assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_pe_can_execute_priv_command_sys_asmnt_on_user(
core_session, setup_generic_pe_command_with_no_rules, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Unix",
sessiontype="Ssh")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
commandName, commandID = setup_generic_pe_command_with_no_rules
# Get Admin info
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add assignment
asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="User",
principal=admin_user_name,
scopeType="System",
scope=added_system_id,
principalId=admin_user_id,
bypassChallenge=True)
asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=asmnt_info['ScopeType'],
scope=asmnt_info['Scope'],
principalType=asmnt_info['PrincipalType'],
principalID=asmnt_info['PrincipalId'],
byPassChallenge=True,
starts=asmnt_info['Starts'],
expires=asmnt_info['Expires'])
assert isSuccess, f"Adding assignment failed"
asmnt_info['ID'] = asmntID
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=admin_user_name,
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert len(results['PrivilegeElevationCommands']
) == 1, f"Only single command should exist {results}"
results_assignments = results['PrivilegeElevationCommands'][0][
'Assignments']
assert len(results_assignments
) == 1 and results['Granted'], f"Granted should be true"
PrivilegeElevation.check_can_execute_priv_command_results(
asmnt_info, results['PrivilegeElevationCommands']
[0]), f"All params not matching {results}"
#clean up
errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
core_session, asmntID)
assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_mfa_policy_parent_folder_and_secret_verify_not_challenged_on_settings_update(
core_session,
pas_general_secrets,
users_and_roles,
create_secret_inside_folder,
clean_up_policy):
"""
test method to verify that mfa does not exist on updating the settings & policy for an existing
parent folder "MFAOnParentFolder" & secret "MFAOnSecrets" with already assigned
mfa for that folder & secret
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder"
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param clean_up_policy: Fixture to clean up the policy created
"""
secrets_params = pas_general_secrets
prefix = guid()
folder_list, folder_name, secret_list = create_secret_inside_folder
pas_power_user = users_and_roles.get_user('Privileged Access Service Power User')
user_name = pas_power_user.get_login_name()
user_id = pas_power_user.get_id()
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session,
user_name,
'View,Edit',
user_id,
secret_list[0])
assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}'
logger.info(f'setting permissions for text type secret: : {text_type_secret_success}')
# Api to create new policy
policy_result_sq = PolicyManager.create_new_auth_profile(core_session,
prefix + secrets_params['policy_name'],
["SQ",
None],
None,
"30")
assert policy_result_sq is not None, f'Failed to create policy:{policy_result_sq}'
logger.info(f' Creating new policy:{policy_result_sq}')
clean_up_policy.append(policy_result_sq)
# Api to create new policy
policy_result = PolicyManager.create_new_auth_profile(core_session,
prefix + secrets_params['policy_name_new'],
["UP", None],
None,
"30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Update settings & policy for Folder
result = update_folder(core_session,
folder_list[0],
folder_name,
secrets_params['mfa_folder_name_update'] + prefix,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result_sq)
assert result['success'], f'Not Able to update the settings: {result["Message"]} '
logger.info(f'Update settings for secret: {result}')
# Update settings for secret
result = update_secret(core_session,
secret_list[0],
prefix + secrets_params['mfa_secret_name_update'],
description=secrets_params['mfa_secret_description'],
policy_id=policy_result)
assert result['success'], f'Not Able to update the settings: {result["Message"]} '
logger.info(f'Update settings for secret: {result}')
# Removing policy for Folder
result = update_folder(core_session,
folder_list[0],
folder_name,
secrets_params['mfa_folder_name_update'] + prefix,
description=secrets_params['mfa_folder_description'])
assert result['success'], f'Not Able to update the settings: {result["Message"]} '
logger.info(f'Update settings for secret: {result}')
# Removing policy for secret
result = update_secret(core_session,
secret_list[0],
prefix + secrets_params['mfa_secret_name_update'],
description=secrets_params['mfa_secret_description'])
assert result['success'], f'Not Able to update the settings: {result["Message"]} '
logger.info(f'Update settings for secret: {result}')
# Getting details of the Folder updated
result_folder = get_folder(core_session, folder_list[0])
logger.info(f'Updated Folder details: {result_folder}')
description_updated = result_folder["Result"]["Results"][0]["Row"]["Description"]
name_updated = result_folder["Result"]["Results"][0]["Row"]["Name"]
assert 'MFAOnParentFolderUpdate' in name_updated, \
f'Failed to update the name{result_folder["Result"]["Results"][0]["Row"]["Name"]}'
assert 'mfa_description' in description_updated, \
f'Failed to update the description{result_folder["Result"]["Results"][0]["Row"]["Description"]}'
# Getting details of the Secret updated
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session,
secret_list[0])
description_updated = get_secret_details['Description']
name_updated = get_secret_details['SecretName']
assert 'MFAOnSecretUpdate' in name_updated, f'Failed to update the name{get_secret_success}'
assert 'mfa_description' in description_updated, f'Failed to update the description{get_secret_success}'
logger.info(f'Details of the secret updated: {get_secret_details}')
def test_pe_can_execute_priv_command_set_asmnt_on_non_sysadmin_role(
core_session, setup_generic_pe_command_with_no_rules,
create_manual_set, users_and_roles, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Unix",
sessiontype="Ssh")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
# Create Set and the system to this set
set_id = create_manual_set(core_session,
"Server",
object_ids=[added_system_id])['ID']
logger.debug(
f"Successfully created a set and added system to that set: {set_id}")
commandName, commandID = setup_generic_pe_command_with_no_rules
role = users_and_roles.populate_role({
'Name': "can_exec_role" + guid(),
"Rights": ["Admin Portal Login"]
})
# Get User
userobj = users_and_roles.populate_user({'Name': 'user' + guid()})
#Add user to role
users_and_roles.add_user_to_role(userobj, role)
# Add assignment
asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Role",
principal=role['Name'],
scopeType="Collection",
scope=set_id,
principalId=None,
bypassChallenge=True)
asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=asmnt_info['ScopeType'],
scope=asmnt_info['Scope'],
principalType=asmnt_info['PrincipalType'],
principal=asmnt_info['Principal'],
byPassChallenge=True,
starts=asmnt_info['Starts'],
expires=asmnt_info['Expires'])
assert isSuccess, f"Adding assignment failed"
asmnt_info['ID'] = asmntID
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=userobj.get_login_name(),
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert len(results['PrivilegeElevationCommands']
) == 1, f"Only single command should exist {results}"
results_assignments = results['PrivilegeElevationCommands'][0][
'Assignments']
assert len(results_assignments
) == 1 and results['Granted'], f"Granted should be true"
PrivilegeElevation.check_can_execute_priv_command_results(
asmnt_info, results['PrivilegeElevationCommands']
[0]), f"All params not matching {results}"
#clean up
errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
core_session, asmntID)
assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_union_of_all_its_permissions(core_session,
pas_general_secrets,
cleanup_secrets_and_folders,
users_and_roles):
"""
C3056: test method Union of all its permissions
1)create multilevel folder /alpha/beta/charlie/delta
2) Login as Admin, set folder permissions "View" for alpha,"Edit" for beta, "Delete" for charlie,"Add" for delta
3) Login as pas user
4) verify sub folder permissions will have a union of all parent folders
:param core_session: Authenticated Centrify session
:param pas_general_secrets: Fixture to read secrets related data from yaml file
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
:param users_and_roles: Fixture to create random user with PAS User Rights
"""
params = pas_general_secrets
folder_prefix = guid()
folders_list = cleanup_secrets_and_folders[1]
secrets_list = cleanup_secrets_and_folders[0]
# creating multilevel folder /alpha/beta/charlie/delta
child_folder_success, child_folder_parameters, child_folder_id = create_folder(
core_session,
folder_prefix + params['multi_level_folder_name'],
params['description'])
assert child_folder_success, f'Failed to create multilevel folder, API response result: {child_folder_id}'
logger.info(f'Multilevel Folder created successfully: {child_folder_success} & details are {child_folder_id}')
# Getting details of Folder Charlie
charlie_folder = get_folder(core_session, child_folder_id)
assert charlie_folder['success'], \
f'Failed to retrieve charlie folder details, API response result:{charlie_folder["Message"]}'
logger.info(f'charlie folder details:{charlie_folder}')
charlie_id = charlie_folder['Result']['Results'][0]['Row']['Parent']
# Getting details of parent folder
parent_path = charlie_folder['Result']['Results'][0]['Row']['ParentPath']
parent_folder_name = parent_path.split('\\')
parent_folder_sliced = parent_folder_name[0]
# Getting id of parent folder
parent_folder = get_folder(core_session, parent_folder_sliced)
assert parent_folder['success'], \
f'Failed to retrieve parent folder details, API response result:{parent_folder["Message"]}'
logger.info(f'Parent folder details:{parent_folder}')
parent_folder_id = parent_folder['Result']['Results'][0]['Row']['ID']
# Getting details of Folder alpha
alpha_folder = get_secrets_and_folders_in_folders(core_session, parent_folder_id)
assert alpha_folder['success'], f'Failed to retrieve alpha folder id, API response result: {alpha_folder["Result"]}'
logger.info(f'Details of Alpha Folder Retrieved:{alpha_folder}')
alpha_folder_id = alpha_folder["Result"]["Results"][0]["Entities"][0]["Key"]
# Getting details of Folder beta
folder_beta = get_secrets_and_folders_in_folders(core_session, alpha_folder_id)
assert folder_beta['success'], f'Failed to retrieve beta folder id, API response result: {folder_beta["Result"]}'
logger.info(f'Details of Beta Folder Retrieved:{folder_beta}')
folder_beta_id = folder_beta["Result"]["Results"][0]["Entities"][0]["Key"]
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(f'User with PAS User Rights login successfully: user_Name:{user_name}')
# Adding secrets inside child folder
added_secret_success, added_secret_id = create_text_secret_within_folder(core_session,
params['mfa_secret_name'] + folder_prefix,
params['secret_text'],
params['secret_description'],
child_folder_id)
assert added_secret_success, f"Added Secret Failed, API response result {added_secret_id}"
logger.info(f'Added secrets info: {added_secret_id}')
# Api to give user permissions to folder alpha
user_permissions_alpha = give_user_permissions_to_folder(core_session, user_name, user_id, alpha_folder_id, 'View')
assert user_permissions_alpha['success'], \
f'Not Able to set user permissions to folder, API response result: {user_permissions_alpha["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions_alpha}')
# Api to give user permissions to folder beta
user_permissions_beta = give_user_permissions_to_folder(core_session, user_name, user_id, folder_beta_id, 'Edit')
assert user_permissions_beta['success'], \
f'Not Able to set user permissions to folder, API response result: {user_permissions_beta["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions_beta}')
# Api to give member permissions(View, Edit) to folder beta
member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session,
user_name,
'View, Edit',
user_id,
folder_beta_id)
assert member_perm_success,\
f'Not Able to set "View" member permissions to Folder, API response result: {member_perm_result}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Api to give member permissions(Delete, Retrieve) to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session,
user_name,
'Delete,Retrieve',
user_id,
charlie_id)
assert member_perm_success,\
f'Not Able to set "View" member permissions to Folder, API response result: {member_perm_result}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Updating the secret name & description
result = update_secret(pas_power_user_session,
added_secret_id,
folder_prefix + params['mfa_secret_name_update'],
description=params['mfa_secret_description'])
assert result['success'], f'Not Able to update the secret, API response result: {result["Message"]} '
logger.info(f'Secret Updated Details: {result}')
# Getting details of the Secret updated
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
pas_power_user_session,
added_secret_id)
description_updated = get_secret_details['Description']
name_updated = get_secret_details['SecretName']
assert 'MFAOnSecretUpdate' in name_updated,\
f'Failed to update the name, API response result:{get_secret_success}'
assert 'mfa_description' in description_updated,\
f'Failed to update the description, API response result:{get_secret_success}'
logger.info(f'Details of the secret updated: {get_secret_details}')
# Deleting newly created secrets
del_success, del_result = del_secret(pas_power_user_session, added_secret_id)
assert del_success, f'Failed to delete the secret with pas user, API response result: {del_result}'
logger.info(f'Secret deleted successfully with pas user:{del_result}')
folders_list.append(child_folder_id)
folders_list.append(charlie_id)
folders_list.append(folder_beta_id)
folders_list.append(alpha_folder_id)
folders_list.append(parent_folder_id)
logger.info(f'Added Folders are deleted successfully: {folders_list}')
logger.info(f'Added Secrets deleted successfully: {secrets_list}')
def test_add_duplicate_names_with_different_folder_names(
core_session, cleanup_secrets_and_folders, pas_general_secrets):
"""test method to add duplicate names with different subfolder names using forwardslashes """
secrets_list = cleanup_secrets_and_folders[0]
folder_list = cleanup_secrets_and_folders[1]
secrets_params = pas_general_secrets
secret_prefix = guid()
secret_parameters = {
'SecretName': secret_prefix + secrets_params['nested_secret_name_new'],
'SecretText': secrets_params['secret_text'],
'Type': 'Text',
'Description': secrets_params['secret_description'],
'FolderId': ''
}
"""Api to add secret """
secret_added_result = core_session.post(EndPoints.SECRET_ADD,
secret_parameters).json()
assert secret_added_result[
'success'], f'Not able to create secret with {secret_added_result["Result"]}'
logger.info(
f'Secret Created successfully: {secret_added_result["success"]}{secret_added_result["Result"]}'
)
secrets_list.append(secret_added_result["Result"])
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session, secret_added_result["Result"])
child_id = get_secret_details['FolderId']
logger.info(f'child id :{child_id}')
parent_path = get_secret_details['ParentPath']
parent_folder_name = parent_path.split('\\')
parent_folder_sliced = parent_folder_name[0]
secret_parameters = {
'SecretName':
parent_folder_sliced +
secrets_params['nested_secret_name_new_duplicate'],
'SecretText':
secrets_params['secret_text'],
'Type':
'Text',
'Description':
secrets_params['secret_description'],
'FolderId':
''
}
"""Api to add duplicate secret """
duplicate_secret_added_result = core_session.post(
EndPoints.SECRET_ADD, secret_parameters).json()
assert duplicate_secret_added_result["success"], \
f'Adding Duplicate Secret Failed:{duplicate_secret_added_result["Result"]}'
logger.info(
f'Duplicate Secret Created successfully: {duplicate_secret_added_result["success"]}'
f'{duplicate_secret_added_result["Result"]}')
secrets_list.append(duplicate_secret_added_result["Result"])
"""Api to get id of parent folder """
parent_folder = get_folder(core_session, parent_folder_sliced)
parent_folder_id = parent_folder["Result"]["Results"][0]["Row"]["ID"]
assert parent_folder_id is not None, f'Failed to retrieve super parent id :{parent_folder_id}'
logger.info(f'Super parent folder id:{parent_folder_id}')
"""Api to nested folder details"""
nested_folder = get_secrets_and_folders_in_folders(
core_session, parent_folder["Result"]["Results"][0]["Row"]["ID"])
nested_folder_id = nested_folder["Result"]["Results"][0]["Row"]["ID"]
assert nested_folder_id is not None, f'Failed to retrieve nested folder id'
logger.info(f'Nested Folder id:{nested_folder_id}')
"""Api to get child folder details"""
child_folder = get_secrets_and_folders_in_folders(
core_session, nested_folder["Result"]["Results"][0]["Row"]["ID"])
child_folder_id = child_folder["Result"]["Results"][0]["Row"]["ID"]
assert child_folder_id is not None, f'Failed to retrieve child folder id'
logger.info(f'child Folder id:{child_folder_id}')
folder_list.append(child_id)
folder_list.append(child_folder_id)
folder_list.append(nested_folder_id)
folder_list.append(parent_folder_id)
logger.info(f'Secret deleted successfully:{secrets_list}')
logger.info(f'Folder deleted successfully:{folder_list}')
def test_update_manage_proxy_account(pas_config, core_session, winrm_engine,
remote_users_qty3, test_proxy,
cleanup_accounts, cleanup_resources):
"""
TC: C2549 - Update managed account with using proxy account
trying to Update managed account with using proxy account
Steps:
Pre: Create system with 1 proxy and manage account hand
1. Try to update invalid password for proxy account
-Assert Failure
2. Try to update valid password for proxy account
-Assert Failure
3. Try to check activity log's
-Assert Failure
4. Try to check password history
"""
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
sys_details = pas_config
add_user_in_target_system = remote_users_qty3
user_password = '******'
fdqn = sys_details['Windows_infrastructure_data']['FQDN']
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, fdqn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
# Update system with proxy user
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
proxyuser=add_user_in_target_system[1],
proxyuserpassword=user_password,
proxyuserismanaged=True)
assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
# Update system with proxy user password.
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
fdqn,
'Windows',
proxyuser=add_user_in_target_system[1],
proxyuserpassword=guid(),
proxyuserismanaged=True)
assert update_sys_result is False, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
accounts_list.append(acc_result)
# set a different password for the user
update_user_password(winrm_engine, add_user_in_target_system[1],
user_password)
user_name = core_session.get_user().get_login_name()
# rotate password for manage account
result, success = ResourceManager.rotate_password(core_session, acc_result)
assert success, f"Did not Rotate Password {result}"
logger.info(
f'account activity logs for un manage account API response:{result}')
result, success = ResourceManager.check_out_password(
core_session, 1, acc_result)
assert success, f"Did not retrieve password {result}"
logger.info(
f'account activity logs for un manage account API response:{result}')
row = ResourceManager.get_system_activity(core_session, add_sys_result)
assert f'{user_name} checked out local account "{add_user_in_target_system[0]}" ' \
f'password for system "{sys_name}"({fdqn})' in \
row[0]['Detail'], "user not able to update un managed account password"
logger.info(
f'account activity logs for un manage account API response:{row}')
query = f"select EntityId, State, StateUpdatedBy, StateUpdatedTime from PasswordHistory where EntityId=" \
f"'{acc_result}' and StateUpdatedBy='{user_name}' and State='Retired'"
password_history = RedrockController.get_result_rows(
RedrockController.redrock_query(core_session, query))[0]
assert len(
password_history
) > 0, f"Password history table did not update {password_history}"
logger.info(f'Password history table API response:{password_history}')
def test_update_manage_account_win_rm(pas_config, winrm_engine, core_session,
remote_users_qty1, cleanup_accounts,
test_proxy, cleanup_resources):
"""
:param pas_config: to get the data from yaml files.
:param remote_users_qty1: to create a manage account in windows system
:param cleanup_resources: cleanup the system from portal
:param cleanup_accounts: cleanup the accounts from portal
:param winrm_engine: session to update manage account
:param core_session: Authenticated Centrify Session.
TC: C2551 - Update managed account password with winRM https configured
trying to Update managed account password with winRM https configured
Steps:
Pre: Create system with 1 proxy and manage account hand
1. Try to update invalid password for manage account
-Assert Failure
"""
sys_details = pas_config
system_data_values = sys_details['Windows_infrastructure_data']
add_user_in_target_system = remote_users_qty1
password = "******"
# set a different password for the user
update_user_password(winrm_engine, add_user_in_target_system[0], password)
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, system_data_values['FQDN'], 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
# Update system with management mode 'WinRMOverHttp'.
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
add_sys_result,
sys_name,
system_data_values['FQDN'],
'Windows',
managementmode='WinRMOverHttps')
assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=password,
host=add_sys_result,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
accounts_list.append(acc_result)
managementMode = RedrockController.get_computer_with_ID(
core_session, add_sys_result)
assert managementMode['ManagementMode'] == "WinRMOverHttps", \
f"management mode is failed because of system doesnt have proxy account. API response result: {managementMode}"
logger.info(
f"Fetch management mode successfully: {managementMode['ManagementMode']}"
)
Result, success = ResourceManager.update_password(core_session, acc_result,
guid())
assert success is False, f"Did not update password {Result}"
logger.info(f"user not able to update password API response: {Result}")
def test_retrieve_mfa_on_closest_parent_should_override_mfa(
core_session, pas_general_secrets, cleanup_secrets_and_folders,
clean_up_policy):
"""
C283926: MFA on closest parent should override MFA on higher levels
1) Create a multilevel folder "Folder/Subfolder/secretName"
2) Assign different MFA to parent(Folder) & Nested Folder(Subfolder)
3) Verify secretName inherits challenge of subfolder
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folder created
:param clean_up_policy: Fixture to cleanup the policy created
"""
folder_list = cleanup_secrets_and_folders[1]
secrets_list = cleanup_secrets_and_folders[0]
folder_params = pas_general_secrets
suffix = guid()
secret_name = folder_params['folder_name_with_frwdslashes'] + suffix
user_name = core_session.auth_details['User']
# creating multilevel folder "Folder/Subfolder/secretName"
added_secret_success, details, secret_id = create_text_secret(
core_session, secret_name, folder_params['secret_text'])
assert added_secret_success, "Added Multilevel folder Failed,API response result: {secret_id} "
logger.info(f'Added Multilevel folder info: {details, secret_id}')
secrets_list.append(secret_id)
# Getting details of the secret
found_secret = get_secret(core_session, secret_id)
assert found_secret['success'], \
f'Failed to get the details of the secret, API response result:{found_secret["Message"]}'
logger.info(f'Getting details of the secret: {found_secret}')
nested_folder_id = found_secret['Result']['FolderId']
nested_folder_path = found_secret['Result']['ParentPath']
parent_folder_list = nested_folder_path.split('\\')
parent_folder_name = parent_folder_list[0]
# Getting details of Parent Folder
parent_folder = get_folder(core_session, nested_folder_id)
parent_folder_id = parent_folder["Result"]["Results"][0]["Row"]["Parent"]
nested_folder_name = parent_folder["Result"]["Results"][0]["Row"][
"SecretName"]
logger.info(f'Parent Folder details: {parent_folder}')
if folder_list != []:
folder_list[0] = nested_folder_id
folder_list[1] = parent_folder_id
else:
folder_list.append(nested_folder_id)
folder_list.append(parent_folder_id)
challenges = ["UP", ""]
challenges_v2 = ["UP,EMAIL", ""]
# Creating new policy with Password
policy_result = PolicyManager.create_new_auth_profile(
core_session, folder_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Creating new policy with Password & Email
policy_result_email = PolicyManager.create_new_auth_profile(
core_session, folder_params['policy_name'] + "V2" + suffix,
challenges_v2, 0, 0)
assert policy_result_email, f'Failed to create another policy, API response result:{policy_result_email}'
logger.info(f' Creating another policy:{policy_result_email}')
clean_up_policy.append(policy_result_email)
# Applying MFA on Nested Folder
result = update_folder(core_session,
nested_folder_id,
nested_folder_name,
nested_folder_name,
description=folder_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Failed to apply MFA on Nested folder, API response result: {result["Message"]} '
logger.info(f'MFA Applied on Nested Folder: {result}')
# Applying MFA on Parent Folder
result = update_folder(core_session,
parent_folder_id,
parent_folder_name,
parent_folder_name,
description=folder_params['mfa_folder_description'],
policy_id=policy_result_email)
assert result[
'success'], f'Failed to apply MFA on parent folder, API response result: {result["Message"]} '
logger.info(f'MFA Applied on Parent Folder: {result}')
# Move Secret with Mfa Authentication
retrieve_success, retrieve_result = retrieve_secret_contents(
core_session, secret_id)
# StartChallenge MFA Authentication
session, mechanism = core_session.start_mfa_authentication(
user_name, retrieve_result['ChallengeId'])
# AdvanceAuthentication MFA to Password
advance_auth_result = core_session.advance_authentication(
answer=core_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
mfa_result = advance_auth_result.json()
assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
logger.info(
f'Successfully applied password authentication with closest parent: {mfa_result}'
)
# After Authenticating of MFA move secret with challenge password
retrieve_secret_success, retrieve_secret_result = retrieve_secret_contents_with_mfa(
core_session,
secret_id,
ChallengeStateId=retrieve_result['ChallengeId'])
assert retrieve_secret_success, f'Failed to retrieve secret with closest parent challenge: {retrieve_secret_result}'
logger.info(
f'Successfully retrieved secret with closest parent challenge: {retrieve_secret_result}'
)
# Removing MFA on Nested Folder
result = update_folder(core_session,
nested_folder_id,
nested_folder_name,
nested_folder_name,
description=folder_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA on Nested folder, API response result: {result["Message"]} '
logger.info(f'MFA removed on Nested Folder: {result}')
# Removing MFA on Parent Folder
result = update_folder(core_session,
parent_folder_id,
parent_folder_name,
parent_folder_name,
description=folder_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA on parent folder, API response result: {result["Message"]} '
logger.info(f'MFA removed on Parent Folder: {result}')
def test_delete_sub_folder_with_mfa_on_parent(core_session,
create_folder_inside_folder,
pas_general_secrets,
clean_up_policy,
cleanup_secrets_and_folders):
"""
C284043: Delete sub folder that has MFA on parent
:param core_session: Authenticated Centrify Session.
:param create_folder_inside_folder : Fixture to create nested folder & yields folder related details
:param pas_general_secrets: Fixture to read secrets related data from yaml file
:param clean_up_policy: Fixture to clean up the policy created
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
"""
parent_folder_info, nested_folder_info, nested_folder_id = create_folder_inside_folder
parent_folder_id = parent_folder_info['ID']
parent_folder_name = parent_folder_info['Name']
params = pas_general_secrets
suffix = guid()
challenges1 = ["UP", ""]
user_name = core_session.auth_details['User']
folders_list = cleanup_secrets_and_folders[1]
# creating a new Authentication profile for folder
policy_result = PolicyManager.create_new_auth_profile(
core_session, params['policy_name'] + suffix, challenges1, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Updating the Parent Folder(Applying MFA)
result = update_folder(core_session,
parent_folder_id,
parent_folder_name,
parent_folder_name,
description=params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f' Failed to apply MFA on parent folder, API response result: {result["Message"]} '
logger.info(f'MFA Applied on Parent Folder: {result}')
# Delete sub folder with Mfa Authentication
del_result = del_folder(core_session, nested_folder_id)
# StartChallenge MFA Authentication
session, mechanism = core_session.start_mfa_authentication(
user_name, del_result['Result']['ChallengeId'])
# AdvanceAuthentication MFA to Password
result = core_session.advance_authentication(
answer=core_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
assert result, "Password Authentication Failed"
# After Authentication of MFA delete sub folder
del_secret_result = del_folder_mfa(
core_session,
nested_folder_id,
ChallengeStateId=del_result['Result']['ChallengeId'])
assert del_secret_result[
'success'], f'Failed to delete sub folder with mfa,API response result:{del_secret_result}'
logger.info(
f'Successfully deleted sub folder with MFA & get challenged: {del_secret_result}'
)
folders_list.remove(nested_folder_id)
# Updating the Folder(Removing MFA)
result = update_folder(core_session, parent_folder_id, parent_folder_name,
parent_folder_name)
assert result[
'success'], f' Failed to remove MFA on parent folder, API response result: {result["Message"]} '
logger.info(f'MFA Removed on Parent Folder: {result}')
def test_replace_mfa_policy_on_parent_folder_verify_challenged(
core_session,
pas_general_secrets,
create_secret_inside_folder,
core_session_unauthorized,
clean_up_policy,
users_and_roles):
"""
C2980: test method to MFA policy on Parent folder, verify challenged
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder"
:param core_session_unauthorized: Fixture to start authentication MFA
:param clean_up_policy: Fixture to clean up the policy created
:param users_and_roles: Fixture to create random user with pas user rights
"""
secrets_params = pas_general_secrets
suffix = guid()
folder_list, folder_name, secret_list = create_secret_inside_folder
challenges = ["UP", ""]
policy_result = PolicyManager.create_new_auth_profile(core_session, secrets_params['policy_name'] + suffix,
challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA on Folder
result = update_folder(core_session, folder_list[0],
folder_name,
secrets_params['mfa_folder_name_update'] + suffix,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result['success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(f'{pas_power_user_session.auth_details}')
logger.info(f'User with PAS User Rights login successfully: user_Name:{user_name}')
# Getting password for MFA
password = users_and_roles.get_default_user_password()
# Api to give user permissions to folder
user_permissions_alpha = give_user_permissions_to_folder(core_session, user_name, user_id, folder_list[0], 'View')
assert user_permissions_alpha['success'], \
f'Not Able to set user permissions to folder{user_permissions_alpha["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions_alpha}')
# Api to give member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session,
user_name,
'View, Edit',
user_id,
folder_list[0])
assert member_perm_success, f'Not Able to set member permissions to Folder: {member_perm_result}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# MFA Authentication starts on the secret to be replaced
mfa_authentication = pas_power_user_session.start_authentication(user_name)
result = mfa_authentication.json()['Result']
success = mfa_authentication.json()['success']
assert success, f'Failed to start MFA Authentication on the secret to be replaced, API response result:{result}'
challenge_value = result['Challenges'][0]['Mechanisms'][0]['Name']
assert challenge_value == 'UP', f'Challenge "Password" is not set, API response result:{result}'
logger.info(f'MFA Authentication with "Password" starts on the secret to be replaced:{mfa_authentication.json()}')
# Advance MFA Authentication starts on the secret to be replaced
up_result = pas_power_user_session.advance_authentication(password, challenge_index=0, mechanism_name='UP')
mfa_result = up_result.json()
assert mfa_result['success'], f'Failed to respond to challenge, API response result:{mfa_result["Result"]}'
logger.info(f'MFA popups before secret gets replaced:{mfa_result}')
# Replacing the text of the secret
result = update_secret(pas_power_user_session,
secret_list[0],
secrets_params['mfa_secret_name_update'] + suffix,
secret_text=secrets_params['secret_text_replaced'],
policy_id=policy_result)
assert result['success'], f'Not Able to replace the text of the secret, API response result:{result["Message"]} '
logger.info(f'Secret gets replaced: {result}')
# Removing MFA from secret
result = update_secret(pas_power_user_session,
secret_list[0],
secrets_params['mfa_secret_name_update'] + suffix,
secret_text=secrets_params['secret_text_replaced']
)
assert result['success'], f'Not Able to remove MFA, API response result:{result["Message"]} '
logger.info(f'Removing MFA from secret: {result}')
# Removing MFA from folder
result = update_folder(core_session, folder_list[0],
folder_name,
secrets_params['mfa_folder_name_update'] + suffix
)
assert result['success'], f'Not Able to remove MFA, API response result:: {result["Message"]} '
logger.info(f'Removing MFA from folder: {result}')
# Getting details of the Secret Replaced
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session,
secret_list[0])
assert get_secret_text == secrets_params['secret_text_replaced'], \
f'Failed to replace the secret, API response result: {get_secret_success}'
logger.info(f'Details of the secret Replaced: {get_secret_details}')