def test_add_delete_database_permission_port_specified(core_session, database_config, users_and_roles, cleanup_resources): """ C281976 Add/delete database permissions if database port has been specified. :param core_session: Authenticated Centrify session. :param database_config:fixture to create database with accounts. :param users_and_roles: Fixture to manage roles and user. :param cleanup_resources:cleans up resources """ # Creating a database without defined port. database_list = cleanup_resources[2] db_data = database_config['sql_db_config'] db_name = f"{db_data['db_name']}{guid()}" db_result, db_success = ResourceManager.add_database( core_session, name=db_name, port=None, fqdn=db_data['hostname'], databaseclass=db_data['databaseclass'], description=db_data['description'], instancename=db_data['instancename'], servicename=db_data['servicename']) assert db_success, f'Failed to create database without defined port:API response result:{db_result}' logger.info( f'Successfully created database without defined port :{db_result}') database_list.append(db_result) # Updating the database setting. update_db_res, update_db_success = ResourceManager.update_database( core_session, db_result, db_name, db_data['hostname'], db_data['port'], db_data['description'], db_data['instancename']) assert update_db_success, f"Fail to update database: API response result:{update_db_res}" logger.info(f"Successfully updated database with port:{update_db_res}") # Cloud user session with "Privileged Access Service Administrator"rights. cloud_user_session = users_and_roles.get_session_for_user( 'Privileged Access Service Administrator') assert cloud_user_session.auth_details, f'Failed to create with PAS administrator:{cloud_user_session}' cloud_user = cloud_user_session.auth_details['User'] cloud_user_id = cloud_user_session.auth_details['UserId'] logger.info( f'User with Privileged Access Service Administrator Rights login successfully: user_Name:{cloud_user}' ) # Assigning "Delete" permission to Cloud user. db_perm_result, db_perm_success = ResourceManager.assign_database_permissions( core_session, "Delete", cloud_user, cloud_user_id, pvid=db_result) assert db_perm_success, f'Failed to "Delete rights:API response result:{db_perm_result}' logger.info( f'successfully assigned "Delete" rights to user: {db_perm_result}')
def test_check_account_view_permission_under_system_domain_database(core_session, pas_setup, create_databases_with_accounts, create_domains_with_accounts, get_limited_no_view_user_function, users_and_roles): """ Test case: C2127 :param core_session: Authenticated centrify session :param pas_setup: fixture to create system with account :param create_databases_with_accounts: fixture to create database with account :param create_domains_with_accounts: fixture to create domain with account """ system_id, account_id, sys_info = pas_setup database = create_databases_with_accounts(core_session, databasecount=1, accountcount=1) domain = create_domains_with_accounts(core_session, domaincount=1, accountcount=1) db_name, db_id, db_account, db_account_id = database[0]['Name'], database[0]['ID'], \ database[0]['Accounts'][0]['User'], database[0]['Accounts'][0]['ID'] domain_name, domain_id, domain_account, domain_account_id = domain[0]['Name'], domain[0]['ID'], \ domain[0]['Accounts'][0]['User'], \ domain[0]['Accounts'][0]['ID'] # Step3 : Get user has "Privilege Service Administrator" right cloud_user_session, cloud_user = get_limited_no_view_user_function cloud_user, user_id, user_password = \ cloud_user.get_login_name(), cloud_user.get_id(), cloud_user.get_password() user = {"Username": cloud_user, "Password": user_password} # Assigning permissions to system excluding "View" Permission result, status = ResourceManager.assign_system_permissions(core_session, "Grant", cloud_user, user_id, pvid=system_id) assert status, f'failed to assign rights of system to user {cloud_user}' logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission') # Assigning permissions to system account including "View" Permission result, status = ResourceManager.assign_account_permissions(core_session, "View", cloud_user, user_id, pvid=account_id) assert status, f'failed to assign rights of accounts to user {cloud_user}' logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission') # Assigning permissions to domain excluding "View" Permission result, status = ResourceManager.set_domain_account_permissions(core_session, "Grant", cloud_user, user_id, pvid=domain_id) assert status, f'failed to assign rights of domain to user {cloud_user}' logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission') # Assigning permissions to domain account including "View" Permission result, status = ResourceManager.assign_account_permissions(core_session, "View", cloud_user, user_id, pvid=domain_account_id) assert status, f'failed to assign rights of domain account to user {cloud_user}' logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission') # Assigning permissions to database excluding "View" Permission result, status = ResourceManager.assign_database_permissions(core_session, "Grant", cloud_user, user_id, pvid=db_id) assert status, f'failed to assign rights of database to user {cloud_user}' logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission') # Assigning permissions to database account including "View" Permission result, status = ResourceManager.assign_account_permissions(core_session, "View", cloud_user, user_id, pvid=db_account_id) assert status, f'failed to assign rights of database account to user {cloud_user}' logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission') query = "@/lib/server/get_accounts.js(mode:'AllAccounts', newcode:true, localOnly:true, " \ "colmemberfilter:'Select ID from VaultAccount WHERE Host IS NOT NULL')" result = RedrockController.redrock_query(cloud_user_session, query, args={"PageNumber": 1, "PageSize": 100, "Limit": 100000, "SortBy": "Name", "Ascending": True, "FilterBy": ["Name", "User"], "FilterValue": f'{sys_info[0]}', "FilterQuery": None, "Caching": 0}) assert len(result) == 0, f'User able to see the account details under account records user ' \ f'have different rights: {get_limited_no_view_user_function}' logger.info(f'Local account {sys_info[4]} of system {sys_info[0]} is not visible to user {cloud_user}') query = "SELECT * FROM (SELECT VaultAccount.ID, VaultAccount.User, VaultAccount.OwnerName, " \ "VaultAccount.Description, VaultAccount.LastChange, VaultAccount.Status, " \ "VaultAccount.DefaultCheckoutTime, VaultAccount.MissingPassword, VaultAccount.ActiveCheckouts, " \ "VaultAccount.NeedsPasswordReset, VaultAccount.PasswordResetRetryCount, " \ "VaultAccount.PasswordResetLastError, VaultAccount.IsManaged, VaultAccount.Host, VaultAccount.DomainID, " \ "VaultAccount.DatabaseID, VaultAccount.IsFavorite, VaultAccount.UseWheel, VaultAccount.CredentialType, " \ "SshKeys.Name as CredentialName, VaultAccount.WorkflowEnabled, COALESCE(NULLIF(" \ "VaultAccount.WorkflowApprovers, ''),NULLIF(VaultAccount.WorkflowApprover, '')) as WorkflowApprovers, " \ "VaultAccount.DiscoveredTime as AccountDiscoveredTime, VaultAccount.Name, VaultAccount.FQDN, " \ "VaultAccount.SessionType, VaultAccount.ComputerClass, VaultDatabase.DatabaseClass, " \ "VaultAccount.ProxyUser, VaultAccount.LastHealthCheck FROM VaultAccount LEFT OUTER JOIN VaultDatabase ON " \ "DatabaseID = VaultDatabase.ID LEFT OUTER JOIN SshKeys ON CredentialId = SshKeys.ID WHERE IFNULL(" \ "VaultAccount.Name, '') <> '') WHERE DomainID is not null AND IFNULL(Name, \"\") <> \"\" " result = RedrockController.redrock_query(cloud_user_session, query, args={"PageNumber": 1, "PageSize": 100, "Limit": 100000, "SortBy": "Name", "Ascending": True, "FilterBy": ["Name", "User"], "FilterValue": f"{domain_account}", "FilterQuery": None, "Caching": 0}) assert len(result) == 1, f'User able to see the account details under account records user ' \ f'have different rights: {get_limited_no_view_user_function}' logger.info(f'user {cloud_user} can see domain account {domain_account}') query = "SELECT * FROM (SELECT VaultAccount.ID, VaultAccount.User, VaultAccount.OwnerName, " \ "VaultAccount.Description, VaultAccount.LastChange, VaultAccount.Status, " \ "VaultAccount.DefaultCheckoutTime, VaultAccount.MissingPassword, VaultAccount.ActiveCheckouts, " \ "VaultAccount.NeedsPasswordReset, VaultAccount.PasswordResetRetryCount, " \ "VaultAccount.PasswordResetLastError, VaultAccount.IsManaged, VaultAccount.Host, VaultAccount.DomainID, " \ "VaultAccount.DatabaseID, VaultAccount.IsFavorite, VaultAccount.UseWheel, VaultAccount.CredentialType, " \ "SshKeys.Name as CredentialName, VaultAccount.WorkflowEnabled, COALESCE(NULLIF(" \ "VaultAccount.WorkflowApprovers, ''),NULLIF(VaultAccount.WorkflowApprover, '')) as WorkflowApprovers, " \ "VaultAccount.DiscoveredTime as AccountDiscoveredTime, VaultAccount.Name, VaultAccount.FQDN, " \ "VaultAccount.SessionType, VaultAccount.ComputerClass, VaultDatabase.DatabaseClass, " \ "VaultAccount.ProxyUser, VaultAccount.LastHealthCheck FROM VaultAccount LEFT OUTER JOIN VaultDatabase ON " \ "DatabaseID = VaultDatabase.ID LEFT OUTER JOIN SshKeys ON CredentialId = SshKeys.ID WHERE IFNULL(" \ "VaultAccount.Name, '') <> '') WHERE DatabaseID IS NOT NULL AND IFNULL(Name, \"\") <> \"\" " result = RedrockController.redrock_query(cloud_user_session, query, args={"PageNumber": 1, "PageSize": 100, "Limit": 100000, "SortBy": "Name", "Ascending": True, "FilterBy": ["Name", "User"], "FilterValue": f"{db_account}", "FilterQuery": None, "Caching": 0}) assert len(result) == 0, f'User able to see the account details under account records user ' \ f'have different rights: {get_limited_no_view_user_function}' logger.info(f'database account {db_account} is not visible to user {cloud_user}.')