def test_global_scenario(core_session, users_and_roles):
# Get User
requester_session = users_and_roles.get_session_for_user()
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.info(user_info)
# Since not sys admin should fail
canManage, isSuccess = PrivilegeElevation.can_manage_pe(requester_session,
scopeType="Global")
assert isSuccess and not canManage, f"Can Manage Privilege Elevation for normal user passed for Global scopeType, " \
f"reason: {canManage}"
# Get PAS power User
requester_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.info(user_info)
# Since not sys admin should fail
canManage, isSuccess = PrivilegeElevation.can_manage_pe(requester_session,
scopeType="Global")
assert isSuccess and not canManage, f"Can Manage Privilege Elevation for PAS Power user passed for Global " \
f"scopeType, reason: {canManage}"
# With sysadmin should pass
canManage, isSuccess = PrivilegeElevation.can_manage_pe(core_session,
scopeType="Global")
assert isSuccess and canManage, f"Can Manage Privilege Elevation for sysadmin user failed for Global scopeType, " \
f"reason: {canManage}"
def test_system_scenario(core_session, users_and_roles, create_resources):
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Get User
requester_session = users_and_roles.get_session_for_user(
'Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.info(user_info)
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.info(f"Successfully added a System: {added_system_id}")
# Give all permissions to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
"User", added_system_id)
assert success, f"Unable to set system permissions for admin: {result}"
# Give all permission but the ManageAssignment permission to the PE User
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
"User", added_system_id)
assert success, f"Unable to set system permissions for user: {result}"
# This user does not have ManageAssignment permission, so should fail
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
requester_session, scopeType="System", scope=added_system_id)
assert isSuccess and not canManage, f"Can Manage Privilege Elevation for PE user with no MA permissions on a " \
f"system passed, reason: {canManage}"
# Add MA permission to the user on the system
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
"User", added_system_id)
assert success, f"Unable to set system permissions for user: {result}"
# Should pass now
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
requester_session, scopeType="System", scope=added_system_id)
assert isSuccess and canManage, f"Can Manage Privilege Elevation for PE user with MA permissions on a " \
f"system failed, reason: {canManage}"
def test_sysadmin_without_explicit_pe_assignment_system_set(
core_session, users_and_roles, create_manual_set):
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Create Set and the system to this set
set_id = create_manual_set(core_session, "Server")['ID']
logger.info(
f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
admin_user_name,
admin_user_id, set_id)
logger.info(result)
assert result[
'success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permissions but MA to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
set_id)
assert result[
'success'], "assigning collection permissions on the resource set for the user failed: " + result
# This sysadmin user does not have ManageAssignment permission, should still pass
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
core_session, scopeType="Collection", scope=set_id)
assert isSuccess and canManage, f"Can Manage Privilege Elevation for sysadmin user without MA permissions on a " \
f"system set failed, reason: {canManage}"
def test_nonServer_collection_scenario(core_session, users_and_roles,
create_resources, create_manual_set):
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Create nonServer Set
set_id = create_manual_set(core_session, "VaultDatabase").get("ID", None)
assert set_id is not None, f"set_id cannot be empty"
logger.info(f"Successfully created a set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
admin_user_name,
admin_user_id, set_id)
logger.info(result)
assert result[
'success'], "assigning collection permissions on the set for the admin user, failed: " + result
# Not a server collection, should fail
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
core_session, scopeType="Collection", scope=set_id)
assert isSuccess and not canManage, f"Can Manage Privilege Elevation for nonServer set passed, reason: {canManage}"
def test_global_system_permissions(core_session, users_and_roles,
create_resources):
# Get User
requester_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.info(user_info)
# Assign global system permissions to the PAS power User
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
"User")
assert success, f"Unable to set global system permissions: {result}"
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.info(f"Successfully added a System: {added_system_id}")
result, success = PrivilegeElevation.can_manage_pe(requester_session,
scopeType="System",
scope=added_system_id)
assert success and result, f"Can Manage Privilege Elevation for PAS power user with MA permissions failed:" \
f"{result}"
def test_adUser_permission_through_adGroup_system(core_session, setup_aduser,
setup_user_in_ad_group,
create_resources):
adUser, adUserPwd, adGroup = setup_user_in_ad_group
if adGroup is None:
pytest.skip("Cannot retreive ad group info")
# Setup another ad user that's not part of above adGroup
adUser2, adUserPwd2 = setup_aduser
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.info(f"Successfully added a System: {added_system_id}")
# Give all permissions to the ad group
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, adGroup['DisplayName'],
adGroup['InternalName'], "Group", added_system_id)
assert success, f"Unable to assign system permissions to adgroup: {result}"
ad_user_session = CentrifySessionManager(core_session.url,
core_session.tenant_id)
ad_user_session.security_login(core_session.tenant_id,
adUser['SystemName'], adUserPwd)
# Should pass
result, success = PrivilegeElevation.can_manage_pe(ad_user_session,
scopeType="System",
scope=added_system_id)
assert success and result, f"Can Manage Privilege Elevation for adUser within an adgroup with MA permissions failed:" \
f"{result}"
ad_user_session = CentrifySessionManager(core_session.url,
core_session.tenant_id)
ad_user_session.security_login(core_session.tenant_id,
adUser2['SystemName'], adUserPwd2)
# Should fail
result, success = PrivilegeElevation.can_manage_pe(ad_user_session,
scopeType="System",
scope=added_system_id)
assert success and not result, f"Can Manage Privilege Elevation for adUser not within an adgroup with MA " \
f"permissions passed: {result}"
def test_sysadmin_without_explicit_pe_assignment_system(
core_session, users_and_roles, create_resources):
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.info(f"Successfully added a System: {added_system_id}")
# Give all permissions but MA to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
"User", added_system_id)
assert success, f"Unable to set system permissions for admin: {result}"
# This sysadmin user does not have ManageAssignment permission, should still pass
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
core_session, scopeType="System", scope=added_system_id)
assert isSuccess and canManage, f"Can Manage Privilege Elevation for sysadmin user without MA permissions on a " \
f"system failed, reason: {canManage}"
def test_missing_scope(core_session):
canManage, isSuccess = PrivilegeElevation.can_manage_pe(core_session,
scopeType="System")
assert not isSuccess, f"Can Manage Privilege Elevation passed when scope not provided, " \
f"reason: {canManage}"
def test_missing_scopeType(core_session):
canManage, isSuccess = PrivilegeElevation.can_manage_pe(core_session)
assert not isSuccess, f"Can Manage Privilege Elevation passed when no params provided, reason: {canManage}"
def test_adUser_permission_through_adGroup_system_set(core_session,
setup_aduser,
setup_user_in_ad_group,
create_resources,
create_manual_set):
adUser, adUserPwd, adGroup = setup_user_in_ad_group
if adGroup is None:
pytest.skip("Cannot retreive ad group info")
# Setup another ad user that's not part of above adGroup
adUser2, adUserPwd2 = setup_aduser
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.info(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(core_session,
"Server",
object_ids=[added_system_id])['ID']
logger.info(
f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the ad group on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
adGroup['DisplayName'],
adGroup['InternalName'],
set_id,
ptype="Group")
logger.info(result)
assert result[
'success'], "assigning admin collection permissions on the set failed: " + result
# Give all permissions to the ad group on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(
core_session,
permission_string,
adGroup['DisplayName'],
adGroup['InternalName'],
set_id,
ptype="Group")
logger.info(result)
assert result[
'success'], "assigning admin collection permissions on the resourceSet failed: " + result
ad_user_session = CentrifySessionManager(core_session.url,
core_session.tenant_id)
ad_user_session.security_login(core_session.tenant_id,
adUser['SystemName'], adUserPwd)
# should pass
result, success = PrivilegeElevation.can_manage_pe(ad_user_session,
scopeType="Collection",
scope=set_id)
assert success and result, f"Can Manage Privilege Elevation for adUser within an adgroup with MA permissions failed:" \
f"{result}"
ad_user_session = CentrifySessionManager(core_session.url,
core_session.tenant_id)
ad_user_session.security_login(core_session.tenant_id,
adUser2['SystemName'], adUserPwd2)
# Should fail
result, success = PrivilegeElevation.can_manage_pe(ad_user_session,
scopeType="System",
scope=added_system_id)
assert success and not result, f"Can Manage Privilege Elevation for adUser not within an adgroup with MA " \
f"permissions passed: {result}"
def test_invalid_scope(core_session):
scope = "abc_xyz"
canManage, isSuccess = PrivilegeElevation.can_manage_pe(core_session,
scopeType="System",
scope=scope)
assert not isSuccess, f"Can Manage Privilege Elevation passed with invalid scope: {scope}, reason: {canManage}"
def test_invalid_scopeType(core_session):
canManage, isSuccess = PrivilegeElevation.can_manage_pe(core_session,
scopeType="test")
assert not isSuccess, f"Can Manage Privilege Elevation passed with invalid scopeType, reason: {canManage}"
def test_collection_scenario(core_session, users_and_roles, create_resources,
create_manual_set):
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Get User
requester_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.info(user_info)
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.info(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(core_session,
"Server",
object_ids=[added_system_id])['ID']
logger.info(
f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
admin_user_name,
admin_user_id, set_id)
logger.info(result)
assert result[
'success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permissions to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, admin_user_name, admin_user_id,
set_id)
logger.info(result)
assert result[
'success'], "assigning collection permissions on the resource set for the user failed: " + result
# Give all permission for the user on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
user_info['Name'],
user_info['Id'], set_id)
assert result[
'success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permission but the MA permission to the PAS user on the resource Set
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
set_id)
assert result[
'success'], "assigning collection permissions on the resource set for the user failed: " + result
new_set = SetsManager.get_collection(requester_session, set_id)
logger.info(new_set)
# This user does not have MA permission, so should fail
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
requester_session, scopeType="Collection", scope=set_id)
assert isSuccess and not canManage, f"Can Manage Privilege Elevation for PAS power user with no MA permissions on " \
f"a set passed, reason: {canManage}"
# Now assign MA permission but not Edit permission to the user
permission_string = 'Grant,View,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
user_info['Name'],
user_info['Id'], set_id)
assert result[
'success'], "assigning collection permissions for the user failed: " + result
# This user does not have Edit permission, so should fail
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
requester_session, scopeType="Collection", scope=set_id)
assert isSuccess and not canManage, f"Can Manage Privilege Elevation for PAS power user with no Edit permissions on " \
f"a set passed, reason: {canManage}"
# Now assign MA permission and Edit permission to the user
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(
core_session, permission_string, user_info['Name'], user_info['Id'],
set_id, "User")
assert result[
'success'], "assigning collection permissions for the user failed: " + result
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session,
permission_string,
user_info['Name'],
user_info['Id'], set_id)
assert result[
'success'], "assigning collection permissions for the user failed: " + result
# This user has Edit and MA permissions on the set, should pass
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
requester_session, scopeType="Collection", scope=set_id)
assert isSuccess and canManage, f"Can Manage Privilege Elevation for PAS power user with Edit and MA permissions on " \
f"a set failed, reason: {canManage}"
# This sysadmin user does have MA permission, so should pass
canManage, isSuccess = PrivilegeElevation.can_manage_pe(
core_session, scopeType="Collection", scope=set_id)
assert isSuccess and canManage, f"Can Manage Privilege Elevation for sys admin user with MA permissions on " \
f"a set failed, reason: {canManage}"
