def test_global_scenario(core_session, users_and_roles):
# Get User
requester_session = users_and_roles.get_session_for_user()
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.info(user_info)
# Since not sys admin should fail
canManage, isSuccess = PrivilegeElevation.can_manage_pe(requester_session,
scopeType="Global")
assert isSuccess and not canManage, f"Can Manage Privilege Elevation for normal user passed for Global scopeType, " \
f"reason: {canManage}"
# Get PAS power User
requester_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.info(user_info)
# Since not sys admin should fail
canManage, isSuccess = PrivilegeElevation.can_manage_pe(requester_session,
scopeType="Global")
assert isSuccess and not canManage, f"Can Manage Privilege Elevation for PAS Power user passed for Global " \
f"scopeType, reason: {canManage}"
# With sysadmin should pass
canManage, isSuccess = PrivilegeElevation.can_manage_pe(core_session,
scopeType="Global")
assert isSuccess and canManage, f"Can Manage Privilege Elevation for sysadmin user failed for Global scopeType, " \
f"reason: {canManage}"
def test_delete_command_with_assignments(core_session, setup_generic_pe_command_with_no_rules):
logger.info("test_delete_command_with_assignments")
commandName, commandID = setup_generic_pe_command_with_no_rules
# Add assignment
principalType = "Role"
principal = "System Administrator"
scopeType = "Global"
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {results}"
logger.debug(f"List pe assignments response: {results}")
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
f"ruleID not present in list of pe assignments response"
# Delete the command with name, should succeed
result, isSuccess = PrivilegeElevation.del_pe_command(core_session, name=commandName)
assert isSuccess, f"Deleting command failed: {result}"
# Make sure list assignment fails
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert not isSuccess, f"List assignments API call not failed after deleting associated command: {results}"
logger.debug(f"List pe assignments response: {results}")
def test_pe_user_has_access(core_session, setup_generic_pe_command_with_no_rules, users_and_roles):
commandName, commandID = setup_generic_pe_command_with_no_rules
# Get User
requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(user_info)
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Role",
principal="System Administrator", scopeType="Global",
scope=None, principalId=None, bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info['ScopeType'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'])
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# This user inherited View permission, so should be able to see the rule
results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(requester_session, scopeType="Global",
commandID=commandID)
assert isSuccess, f"GetAssignmentsByScope for PAS power user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"GetAssignmentsByScope complete check failed: {ruleID}"
def test_invalid_starts_expires(core_session, setup_pe_one_command_one_rule):
commandName, commandID, ruleID = setup_pe_one_command_one_rule
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session, ruleID=ruleID, starts="abc_xyz", expires="abc_xyz")
assert not isSuccess and re.findall("The string was not recognized as a valid DateTime.", results['Message']), \
f"Update Assignment passed when invalid starts/expires provided, ruleID: {ruleID}, reason: {results}"
timeNow = datetime.datetime.now().replace(microsecond=0).isoformat() + "Z"
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session, ruleID=ruleID, starts=timeNow)
assert not isSuccess and results['Message'] == "Parameter 'Starts/Expires' must be specified.", \
f"Update Assignment passed when only starts provided, ruleID: {ruleID}, reason: {results}"
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session, ruleID=ruleID, expires=timeNow)
assert not isSuccess and results['Message'] == "Parameter 'Starts/Expires' must be specified.", \
f"Update Assignment passed when only expires provided, ruleID: {ruleID}, reason: {results}"
starts = datetime.datetime.now().replace(microsecond=0).isoformat() + "Z"
expires = (datetime.datetime.now() - datetime.timedelta(minutes=10)
).replace(microsecond=0).isoformat() + "Z"
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session,
ruleID=ruleID,
bypassChallenge=False,
starts=starts,
expires=expires)
assert not isSuccess and results['Message'] == "Parameter 'Starts/Expires' is invalid.", \
f"Update Assignment passed when invalid starts/expires provided, ruleID: {ruleID}, reason: {results}"
def test_update_assignment_sysadmin_without_ma_permission_on_system(
core_session, create_resources,
setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.info(f"Successfully added a System: {added_system_id}")
# Give all permissions but MA to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
"User", added_system_id)
assert success, f"Unable to set system permissions for admin: {result}"
# Add assignment
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="User",
principal=admin_user_name,
scopeType="System",
scope=added_system_id,
principalId=None,
bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=rule_info['ScopeType'],
scope=rule_info['Scope'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'],
byPassChallenge=False)
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# Update rules
rule_info['BypassChallenge'] = True
# This sysadmin user doesn't have MA permission, should still pass
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session, ruleID=ruleID, bypassChallenge=True)
assert isSuccess, f"UpdateAssignment for sys admin user with MA permissions on " \
f"a set failed, reason: {results}"
# Make sure assignments are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for sysadmin user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
def test_regular_user_on_system_set(core_session, setup_generic_pe_command_with_no_rules,
users_and_roles, create_resources, create_manual_set):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Get User
requester_session = users_and_roles.get_session_for_user()
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server", object_ids=[added_system_id])['ID']
logger.debug(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
assert result['success'], "setting admin collection permissions failed: " + result
# Add assignment
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User",
principal=user_info['Name'], scopeType="Collection",
scope=set_id, principalId=None, bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info['ScopeType'],
scope=rule_info['Scope'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'])
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# This user does not have view permission on DB, so should fail
results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(requester_session, scopeType="Collection",
commandID=commandID, scope=set_id)
assert not isSuccess and results['Message'] == \
"You are not authorized to perform this operation. Please contact your IT helpdesk.", \
f"GetAssignmentsByScope for regular user with no view permissions on a collection passed, reason: {results}"
# GetAssignmentByScope should succeed if admin does the API request
results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(core_session, scopeType="Collection",
commandID=commandID, scope=set_id)
assert isSuccess, f"GetAssignmentsByScope for admin user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and \
PrivilegeElevation.check_rules_info_in_api_response(rule_info_list, results), \
f"GetAssignmentsByScope complete check failed: {ruleID}"
def test_pe_del_command_scenario2(core_session, setup_generic_pe_command_with_no_rules, users_and_roles,
create_resources, create_manual_set):
commandName, commandID = setup_generic_pe_command_with_no_rules
requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(f"del_command_scenario2 user_info: {user_info}")
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server", object_ids=[added_system_id])['ID']
logger.debug(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to admin user on this set
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
assert result['success'], "setting collection permissions failed: " + result
# Add assignment
principalType = "User"
principal = user_info['Name']
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {results}"
logger.debug(f"List pe assignments response: {results}")
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
f"ruleID not present in list of pe assignments response"
# Deleting command should be successful, assignments too
result, isSuccess = PrivilegeElevation.del_pe_command(requester_session, name=commandName)
assert isSuccess, f"Deleting command as a non-admin user with pe permission failed: {result}"
# Deleting assignmnent explicitly should fail
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
assert not isSuccess, f"Deleting an already deleted assignment passed: {ruleID}"
assert re.findall('Privilege Elevation Assignment not found', result), \
f"Deleting an already deleted assignment failed with unknown exception: {result}"
def test_pe_can_execute_priv_command_sys_asmnt_no_user_in_non_sysadmin_role(
core_session, setup_generic_pe_command_with_no_rules_all_OS,
users_and_roles, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_cmd123" + guid()
sys_fqdn = "fqdn123" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Windows",
sessiontype="Rdp")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
commandName, commandID = setup_generic_pe_command_with_no_rules_all_OS
role = users_and_roles.populate_role({
'Name': "can_exec_role123" + guid(),
"Rights": ["Admin Portal Login"]
})
# Get User
userobj1 = users_and_roles.populate_user(
{'Name': 'can_exec_user123' + guid()})
# Add assignment
asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Role",
principalId=role['ID'],
scopeType="System",
scope=added_system_id,
principal=None,
bypassChallenge=True)
asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=asmnt_info['ScopeType'],
scope=asmnt_info['Scope'],
principalType=asmnt_info['PrincipalType'],
principalID=asmnt_info['PrincipalId'],
byPassChallenge=True,
starts=asmnt_info['Starts'],
expires=asmnt_info['Expires'])
assert isSuccess, f"Adding assignment failed"
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=userobj1.get_login_name(),
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert not results['Granted'], f"Granted should be false: {results}"
#clean up
errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
core_session, asmntID)
assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_pe_can_execute_priv_command_sys_asmnt_no_aduser_in_adgroup(
core_session, setup_generic_pe_command_with_no_rules,
setup_user_in_ad_group, setup_aduser, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Unix",
sessiontype="Ssh")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
commandName, commandID = setup_generic_pe_command_with_no_rules
aduser, _, adgroup = setup_user_in_ad_group
if adgroup is None:
pytest.skip("Cannot create adgroup")
# Add assignment
asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Group",
principal=adgroup['DisplayName'],
scopeType="System",
scope=added_system_id,
principalId=None,
bypassChallenge=True)
asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=asmnt_info['ScopeType'],
scope=asmnt_info['Scope'],
principalType=asmnt_info['PrincipalType'],
principal=asmnt_info['Principal'],
byPassChallenge=True,
starts=asmnt_info['Starts'],
expires=asmnt_info['Expires'])
assert isSuccess, f"Adding assignment failed"
aduser1, _ = setup_aduser
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=aduser1['SystemName'],
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert not results['Granted'], f"Granted should be false: {results}"
#clean up
errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
core_session, asmntID)
assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_commandID_commandName_not_provided(core_session, setup_generic_pe_command_with_no_rules, create_resources):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Give all permissions to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result, success = ResourceManager.assign_system_permissions(core_session, permission_string,
admin_user_name, admin_user_id, "User",
added_system_id)
assert success, f"Did not set admin system permissions: {result}"
# Add assignment
rule_info1 = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Role",
principal="System Administrator", scopeType="System",
scope=added_system_id, principalId=None, bypassChallenge=False)
ruleID1, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info1['ScopeType'],
scope=rule_info1['Scope'],
principalType=rule_info1['PrincipalType'],
principal=rule_info1['Principal'])
assert isSuccess, f" Adding rule assignment 1 failed"
rule_info1['ID'] = ruleID1
#Add assignment 2
rule_info2 = rule_info1
ruleID2, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=rule_info2['ScopeType'],
scope=rule_info2['Scope'],
principalType=rule_info2['PrincipalType'],
principal=rule_info2['Principal'])
assert isSuccess, f" Adding rule assignment 2 failed"
rule_info2['ID'] = ruleID2
results, isSuccess = PrivilegeElevation.get_pe_assignments_by_scope(core_session, scopeType="System",
scope=added_system_id)
assert isSuccess, f"GetAssignmentsByScope failed when commandID and " \
f"commandName not provided. reason: {results}"
rule_info_list = [rule_info1, rule_info2]
assert len(results['Result']) == 2 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"GetAssignmentsByScope complete check failed: {ruleID1} : {ruleID2}"
def test_pe_del_assignment_on_set_delete(core_session, setup_generic_pe_command_with_no_rules, create_resources):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_name = "set_" + Util.random_string()
is_create, set_id = SetsManager.create_manual_collection(
core_session, set_name, "Server", object_ids=[added_system_id])
assert is_create, f"Successfully created a set and added system to that set: {set_id}"
# Give all permissions to admin user on this set
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
logger.info(result)
assert result['success'], "setting collection permissions failed: " + result
# Add assignment
principalType = "User"
principal = admin_user_name
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"
logger.info(results)
# Delete Set
isSuccess, results = SetsManager.delete_collection(core_session, set_id)
assert isSuccess, f"Deleting set failed: {results}"
# Make sure rule assignment is not available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 0, f"List assignments API call failed: {results}"
logger.info(results)
def test_system_scenario(core_session, users_and_roles, create_resources):
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Get User
requester_session = users_and_roles.get_session_for_user(
'Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.info(user_info)
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.info(f"Successfully added a System: {added_system_id}")
# Give all permissions to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
"User", added_system_id)
assert success, f"Unable to set system permissions for admin: {result}"
# Give all permission but the ManageAssignment permission to the PE User
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
"User", added_system_id)
assert success, f"Unable to set system permissions for user: {result}"
# This user does not have ManageAssignment permission, so should fail
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
requester_session, scopeType="System", scope=added_system_id)
assert isSuccess and not canManage, f"Can Manage Privilege Elevation for PE user with no MA permissions on a " \
f"system passed, reason: {canManage}"
# Add MA permission to the user on the system
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
"User", added_system_id)
assert success, f"Unable to set system permissions for user: {result}"
# Should pass now
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
requester_session, scopeType="System", scope=added_system_id)
assert isSuccess and canManage, f"Can Manage Privilege Elevation for PE user with MA permissions on a " \
f"system failed, reason: {canManage}"
def test_pe_del_command_nonadmin_with_pe_permission(users_and_roles, core_session,
setup_generic_pe_command_with_no_rules):
logger.info("test_pe_command_non_admin_user_with_no_pe_permission")
commandName, commandID = setup_generic_pe_command_with_no_rules
requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
# Trying to add a new Command with same name should fail
_, isSuccess = PrivilegeElevation.add_pe_command(core_session, commandName, "*", "Windows")
assert not isSuccess, "Creating duplicate privilege command succeeded"
# Delete the command as a non-admin user with pe permission should succeed
result, isSuccess = PrivilegeElevation.del_pe_command(requester_session, name=commandName)
assert isSuccess, f"Deleting command as a non-admin user with pe permission failed: {result}"
def test_regular_user_with_no_view_permissions_on_system_set(core_session, setup_generic_pe_command_with_no_rules,
users_and_roles, create_resources, create_manual_set):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Get User
requester_session = users_and_roles.get_session_for_user()
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(user_info)
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server", object_ids=[added_system_id])['ID']
logger.debug(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
logger.info(result)
assert result['success'], "setting admin collection permissions failed: " + result
# Add assignment
principalType = "User"
principal = user_info['Name']
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# This user does not have view permission, so should fail
results, isSuccess = PrivilegeElevation.list_pe_assignments(requester_session, commandID=commandID)
assert not isSuccess and results['Message'] == \
"You are not authorized to perform this operation. Please contact your IT helpdesk.", \
f"List Assignments for regular user with no view permissions on a set passed/ failed with " \
f"unknown exception, reason: {results}"
def test_delete_command_basic(core_session, setup_generic_pe_command_with_no_rules):
logger.info("test_delete_command_basic")
commandName, commandID = setup_generic_pe_command_with_no_rules
# Trying to add a new Command with same name should fail
_, isSuccess = PrivilegeElevation.add_pe_command(core_session, commandName, "*", "Windows")
assert not isSuccess, "Creating duplicate privilege command succeeded"
# Delete the command
result, isSuccess = PrivilegeElevation.del_pe_command(core_session, ident=commandID)
assert isSuccess, f"Deleting command failed: {result}"
# Creating command with same name should now succeed
_, isSuccess = PrivilegeElevation.add_pe_command(core_session, commandName, "*", "Linux")
assert isSuccess, f"Creating command with same name after deleting it, failed"
def test_nonServer_collection_scenario(core_session, users_and_roles,
create_resources, create_manual_set):
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Create nonServer Set
set_id = create_manual_set(core_session, "VaultDatabase").get("ID", None)
assert set_id is not None, f"set_id cannot be empty"
logger.info(f"Successfully created a set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
admin_user_name,
admin_user_id, set_id)
logger.info(result)
assert result[
'success'], "assigning collection permissions on the set for the admin user, failed: " + result
# Not a server collection, should fail
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
core_session, scopeType="Collection", scope=set_id)
assert isSuccess and not canManage, f"Can Manage Privilege Elevation for nonServer set passed, reason: {canManage}"
def test_privilege_elevation_add_command_all_required_params(core_session):
"""
Test case: Test for all required params
"""
session = core_session
result, success = PrivilegeElevation.add_pe_command(
session, "All commands" + Util.random_string(), "*", "Linux,Windows")
assert success is True, f'PrivilegeElevation add command has failed {result}'
#Clean up
resp, success = PrivilegeElevation.del_pe_command(
session, ident=result['Result']['ID'])
assert success is True, f'PrivilegeElevation add command cleanup has failed {resp}'
def test_pe_can_execute_priv_command_sys_no_asmnt_on_adgroup(
core_session, setup_user_in_ad_group, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Unix",
sessiontype="Ssh")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
aduser, _, adgroup = setup_user_in_ad_group
if adgroup is None:
pytest.skip("Cannot create adgroup")
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=aduser['SystemName'],
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert not results['Granted'], f"Granted should be false: {results}"
def test_pe_can_execute_priv_command_sys_no_asmnt_on_role(
core_session, cleanup_servers, users_and_roles):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Unix",
sessiontype="Ssh")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
role = users_and_roles.populate_role({
'Name': "can_exec_role" + guid(),
"Rights": ["Admin Portal Login"]
})
userobj = users_and_roles.populate_user({'Name': 'user' + guid()})
users_and_roles.add_user_to_role(userobj, role)
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=userobj.get_login_name(),
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert not results['Granted'], f"Granted should be true: {results}"
def test_sysadmin_without_explicit_pe_assignment_system_set(
core_session, users_and_roles, create_manual_set):
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Create Set and the system to this set
set_id = create_manual_set(core_session, "Server")['ID']
logger.info(
f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
admin_user_name,
admin_user_id, set_id)
logger.info(result)
assert result[
'success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permissions but MA to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
set_id)
assert result[
'success'], "assigning collection permissions on the resource set for the user failed: " + result
# This sysadmin user does not have ManageAssignment permission, should still pass
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
core_session, scopeType="Collection", scope=set_id)
assert isSuccess and canManage, f"Can Manage Privilege Elevation for sysadmin user without MA permissions on a " \
f"system set failed, reason: {canManage}"
def test_global_system_permissions(core_session, users_and_roles,
create_resources):
# Get User
requester_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.info(user_info)
# Assign global system permissions to the PAS power User
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
"User")
assert success, f"Unable to set global system permissions: {result}"
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.info(f"Successfully added a System: {added_system_id}")
result, success = PrivilegeElevation.can_manage_pe(requester_session,
scopeType="System",
scope=added_system_id)
assert success and result, f"Can Manage Privilege Elevation for PAS power user with MA permissions failed:" \
f"{result}"
def test_only_bypassChallenge_passed(core_session,
setup_pe_one_command_one_rule):
commandName, commandID, ruleID = setup_pe_one_command_one_rule
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session, ruleID=ruleID, bypassChallenge=False)
assert isSuccess, f"Update Assignment failed when only bypassChallenge provided, ruleID: {ruleID}, " \
f"reason: {results}"
def test_delete_command_passing_id_and_name(core_session, setup_generic_pe_command_with_no_rules):
logger.info("test_delete_command_passing_id_and_name")
commandName, commandID = setup_generic_pe_command_with_no_rules
# Delete the command with name, should succeed
result, isSuccess = PrivilegeElevation.del_pe_command(core_session, ident=commandID, name=commandName)
assert not isSuccess, f"Deleting command with ID and name passed: {result}"
def test_no_bypassChallenge(core_session,
setup_generic_pe_command_with_no_rules,
users_and_roles):
commandName, commandID = setup_generic_pe_command_with_no_rules
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Role",
principal="System Administrator",
scopeType="Global",
scope=None,
principalId=None,
bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=rule_info['ScopeType'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'])
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# updated rules
starts = datetime.datetime.now().replace(microsecond=0).isoformat() + "Z"
expires = (datetime.datetime.now() + datetime.timedelta(minutes=10)
).replace(microsecond=0).isoformat() + "Z"
rule_info['Starts'] = starts
rule_info['Expires'] = expires
# With sysadmin should pass
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session,
ruleID=ruleID,
starts=rule_info['Starts'],
expires=rule_info['Expires'])
assert isSuccess, f"Update Assignment for sysadmin user failed for Global rule, reason: {results}"
# Make sure rules are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
def test_pe_del_assignment_scenario1(core_session, setup_generic_pe_command_with_no_rules, users_and_roles,
create_resources):
commandName, commandID = setup_generic_pe_command_with_no_rules
requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(f"del_assignment_scenario1 user_info: {user_info}")
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Give all permissions but the manage assignments permission to admin user on this system
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(core_session, permission_string,
admin_user_name, admin_user_id, "User",
added_system_id)
assert success, f"Did not set system permissions: {result}"
# Add assignment
principalType = "User"
principal = user_info['Name']
scopeType = "System"
scope = added_system_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {results}"
logger.debug(f"List pe assignments response: {results}")
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
f"ruleID not present in list of pe assignments response"
# Deleting assignment explicitly should fail
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
assert not isSuccess, f"Deleting rule assignment with no manage permission on system passed: {ruleID}"
assert re.findall('unauthorized', result), \
f"Deleting rule assignment with no manage permission on system did not fail with unauthorized exception: {ruleID}" \
f": {result}"
def test_global_scenario(core_session, setup_generic_pe_command_with_no_rules,
users_and_roles):
commandName, commandID = setup_generic_pe_command_with_no_rules
rule_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Role",
principal="System Administrator",
scopeType="Global",
scope=None,
principalId=None,
bypassChallenge=False)
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=rule_info['ScopeType'],
principalType=rule_info['PrincipalType'],
principal=rule_info['Principal'])
assert isSuccess, f" Adding rule assignment failed"
rule_info['ID'] = ruleID
# Get User
requester_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
rule_info['BypassChallenge'] = True
# Since not sys admin should fail
results, isSuccess = PrivilegeElevation.update_pe_assignment(
requester_session, ruleID=ruleID, bypassChallenge=True)
assert not isSuccess, f"Update Assignment for PAS power user passed for Global rule, reason: {results}"
# With sysadmin should pass
results, isSuccess = PrivilegeElevation.update_pe_assignment(
core_session, ruleID=ruleID, bypassChallenge=True)
assert isSuccess, f"Update Assignment for sysadmin user failed for Global rule, reason: {results}"
# Make sure rules are actually updated
results, isSuccess = PrivilegeElevation.list_pe_assignments(
core_session, commandID=commandID)
assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"
rule_info_list = [rule_info]
assert len(results['Result']) == 1 and PrivilegeElevation.check_rules_info_in_api_response(
rule_info_list,
results), \
f"List Assignments complete check failed: {ruleID}"
def test_privilege_elevation_add_command_winlinux(core_session):
"""
Test case: Test for all valid params for ApplyTo as Windows,Linux
"""
session = core_session
result, success = PrivilegeElevation.add_pe_command(
session, "All commands" + Util.random_string(), "*", "Linux,Windows",
"Run all commands", 0, "*", {}, {})
assert success is True, f'PrivilegeElevation add command has failed {result}'
#Clean up
resp, success = PrivilegeElevation.del_pe_command(
session, ident=result['Result']['ID'])
assert success is True, f'PrivilegeElevation add command cleanup has failed {resp}'
def test_privilege_elevation_add_command_win(core_session):
"""
Test case: Test for all valid params for ApplyTo as Windows
"""
session = core_session
result, success = PrivilegeElevation.add_pe_command(
session, "Restart any windows service" + Util.random_string(), "netsh",
"Windows", "Restart any windows service", 3, "netsh", {}, {})
assert success is True, f'PrivilegeElevation add command has failed {result}'
#Clean up
resp, success = PrivilegeElevation.del_pe_command(
session, ident=result['Result']['ID'])
assert success is True, f'PrivilegeElevation add command cleanup has failed {resp}'
def test_privilege_elevation_add_command_linux(core_session):
"""
Test case: Test for all valid params for ApplyTo as Linux
"""
session = core_session
result, success = PrivilegeElevation.add_pe_command(
session, "Restart any linux service" + Util.random_string(),
"systemctl restart", "Linux", "Restart any linux service", 6,
"usr/sbin/systemctl", {}, {})
assert success is True, f'PrivilegeElevation add command has failed {result}'
#Clean up
resp, success = PrivilegeElevation.del_pe_command(
session, ident=result['Result']['ID'])
assert success is True, f'PrivilegeElevation add command cleanup has failed {resp}'
def test_delete_assignment_sysadmin_without_ma_permission_on_system_set(core_session, create_manual_set,
setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server")['ID']
logger.info(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id)
logger.info(result)
assert result['success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permissions but MA to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id)
assert result['success'], "assigning collection permissions on the resource set for the user failed: " + result
# Add assignment
principalType = "User"
principal = admin_user_name
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"
# Deleting assignment explicitly should pass
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, ruleID)
assert isSuccess, f"Deleting rule assignment with no manage permission on system as sysadmin failed: {ruleID}"
