def test_delete_assignment(core_session, setup_generic_pe_command_with_no_rules):
    """Delete one of two assignments on a command and check only that one is gone.

    Two assignments with identical principal and scope are added to the command
    provided by the fixture. The second is deleted, then the assignments listed
    for the command are checked for the first rule ID and against the second.
    """
    logger.info("test_delete_assignment")
    command_name, command_id = setup_generic_pe_command_with_no_rules

    # Both assignments use the same global scope and the same role principal.
    assignment_args = dict(
        commandID=command_id,
        scopeType="Global",
        principalType="Role",
        principal="System Administrator",
    )
    kept_rule_id, added = PrivilegeElevation.add_pe_rule_assignment(core_session, **assignment_args)
    assert added, " Adding rule assignment failed"
    deleted_rule_id, added = PrivilegeElevation.add_pe_rule_assignment(core_session, **assignment_args)
    assert added, " Adding rule assignment failed"

    # Remove only the second assignment.
    delete_response, deleted = PrivilegeElevation.del_pe_rule_assignment(core_session, deleted_rule_id)
    assert deleted, f" Deleting rule assignment 2 failed: {delete_response}"

    listing, listed = PrivilegeElevation.list_pe_assignments(core_session, command=command_name)
    assert listed, f"List assignments API call failed: {listing}"

    # The helper's last argument looks like the expected presence flag (True for
    # the surviving rule, False for the deleted one), judging by the messages.
    first_rule_listed = PrivilegeElevation.check_rule_in_list_pe_assignments_response(kept_rule_id, listing, True)
    assert first_rule_listed, "ruleID1 not present in list of pe assignments response"
    second_rule_absent = PrivilegeElevation.check_rule_in_list_pe_assignments_response(deleted_rule_id, listing, False)
    assert second_rule_absent, "ruleID2 present in list of pe assignments response"
def test_delete_command_with_assignments(core_session, setup_generic_pe_command_with_no_rules):
    """Delete a command that still has an assignment and check the listing then fails.

    One global assignment for the "System Administrator" role is added to the
    fixture's command and confirmed in the list-assignments response. The command
    is then deleted by name, after which listing assignments for that command
    name is expected to report failure.
    """
    logger.info("test_delete_command_with_assignments")
    command_name, command_id = setup_generic_pe_command_with_no_rules

    # Attach a single global assignment to the command.
    rule_id, added = PrivilegeElevation.add_pe_rule_assignment(
        core_session,
        commandID=command_id,
        scopeType="Global",
        principalType="Role",
        principal="System Administrator",
    )
    assert added, " Adding rule assignment failed"

    # The assignment must be visible before the command is removed.
    listing, listed = PrivilegeElevation.list_pe_assignments(core_session, command=command_name)
    assert listed, f"List assignments API call failed: {listing}"
    logger.debug(f"List pe assignments response: {listing}")
    rule_listed = PrivilegeElevation.check_rule_in_list_pe_assignments_response(rule_id, listing, True)
    assert rule_listed, "ruleID not present in list of pe assignments response"

    # Deleting the command by name is expected to succeed despite the assignment.
    delete_response, deleted = PrivilegeElevation.del_pe_command(core_session, name=command_name)
    assert deleted, f"Deleting command failed: {delete_response}"

    # With the command gone, the same listing call must now fail.
    listing, listed = PrivilegeElevation.list_pe_assignments(core_session, command=command_name)
    assert not listed, f"List assignments API call not failed after deleting associated command: {listing}"
    logger.debug(f"List pe assignments response: {listing}")
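def test_pe_del_command_scenario2(core_session, setup_generic_pe_command_with_no_rules, users_and_roles,
                                  create_resources, create_manual_set):
    """Delete a command as the 'Privilege Elevation Management' user when it has a set-scoped assignment.

    Setup, performed with core_session: a Unix system is created and placed in a
    manual "Server" set, the admin user is granted a permission string on that set
    that includes ManagePrivilegeElevationAssignment, and an assignment scoped to
    the set is added for the requester user. The requester then deletes the command
    by name, which must succeed. A later explicit delete of the assignment by the
    same requester must fail with 'Privilege Elevation Assignment not found'.
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules

    # Session of the user obtained under the name 'Privilege Elevation Management';
    # presumably a non-admin account holding that right - confirm against the fixture.
    requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
    response = requester_session.get_current_session_user_info()
    user_info = response.json()['Result']
    logger.debug(f"del_command_scenario2 user_info: {user_info}")

    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Add System
    added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.debug(f"Successfully added a System: {added_system_id}")

    # Create Set and the system to this set
    set_id = create_manual_set(core_session, "Server", object_ids=[added_system_id])['ID']
    logger.debug(f"Successfully created a set and added system to that set: {set_id}")

    # Give all permissions to admin user on this set
    permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
                        'ManagePrivilegeElevationAssignment'
    result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name,
                                                             admin_user_id, set_id, "User")
    # result is indexed by key, so it is not a plain string: format it instead of
    # concatenating, otherwise a failed grant raises TypeError and hides the response.
    assert result['success'], f"setting collection permissions failed: {result}"

    # Add assignment
    principalType = "User"
    principal = user_info['Name']
    scopeType = "Collection"
    scope = set_id
    ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
                                                                  scopeType=scopeType, scope=scope,
                                                                  principalType=principalType, principal=principal)
    assert isSuccess, " Adding rule assignment failed"

    # Make sure rule assignment is available
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
    assert isSuccess, f"List assignments API call failed: {results}"
    logger.debug(f"List pe assignments response: {results}")
    assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
        "ruleID not present in list of pe assignments response"

    # Deleting command should be successful, assignments too
    result, isSuccess = PrivilegeElevation.del_pe_command(requester_session, name=commandName)
    assert isSuccess, f"Deleting command as a non-admin user with pe permission failed: {result}"

    # Deleting assignment explicitly should fail: it went away with the command,
    # so the expected error is "not found" rather than an authorization error.
    result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
    assert not isSuccess, f"Deleting an already deleted assignment passed: {ruleID}"
    assert re.findall('Privilege Elevation Assignment not found', result), \
        f"Deleting an already deleted assignment failed with unknown exception: {result}"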
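def test_pe_del_assignment_scenario1(core_session, setup_generic_pe_command_with_no_rules, users_and_roles,
                                     create_resources):
    """Deny deletion of a system-scoped assignment to a user lacking the manage-assignment permission.

    Setup, performed with core_session: a Unix system is created, the admin user is
    granted a permission string on it that omits ManagePrivilegeElevationAssignment,
    and an assignment scoped to that system is added for the requester user. The
    requester's delete of the assignment must fail with an 'unauthorized' error,
    and the assignment must still be listed afterwards.
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules

    # Session of the user obtained under the name 'Privilege Elevation Management';
    # presumably a non-admin account holding that right - confirm against the fixture.
    requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
    response = requester_session.get_current_session_user_info()
    user_info = response.json()['Result']
    logger.debug(f"del_assignment_scenario1 user_info: {user_info}")

    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Add System
    added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.debug(f"Successfully added a System: {added_system_id}")

    # Give all permissions but the manage assignments permission to admin user on this system
    permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
    result, success = ResourceManager.assign_system_permissions(core_session, permission_string, admin_user_name,
                                                                admin_user_id, "User", added_system_id)
    assert success, f"Did not set system permissions: {result}"

    # Add assignment
    principalType = "User"
    principal = user_info['Name']
    scopeType = "System"
    scope = added_system_id
    ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
                                                                  scopeType=scopeType, scope=scope,
                                                                  principalType=principalType, principal=principal)
    assert isSuccess, " Adding rule assignment failed"

    # Make sure rule assignment is available
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
    assert isSuccess, f"List assignments API call failed: {results}"
    logger.debug(f"List pe assignments response: {results}")
    assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
        "ruleID not present in list of pe assignments response"

    # Deleting assignment explicitly should fail
    result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
    assert not isSuccess, f"Deleting rule assignment with no manage permission on system passed: {ruleID}"
    assert re.findall('unauthorized', result), \
        f"Deleting rule assignment with no manage permission on system did not fail with unauthorized exception: " \
        f"{ruleID}: {result}"

    # A rejected delete must leave the assignment in place: the error response alone
    # does not show that nothing was removed on the server side.
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
    assert isSuccess, f"List assignments API call failed after denied delete: {results}"
    assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
        f"Rule assignment missing after a delete that was reported as unauthorized: {ruleID}"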
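def test_pe_del_assignment_scenario3(core_session, setup_pe_one_command_one_rule, users_and_roles):
    """Deny deletion of a fixture-provided assignment to the 'Privilege Elevation Management' user.

    The fixture supplies a command with one existing rule assignment. After the
    assignment is confirmed in the listing, the requester's delete must fail with
    an 'unauthorized' error, and the assignment must still be listed afterwards.
    """
    commandName, commandID, ruleID = setup_pe_one_command_one_rule

    # Session of the user obtained under the name 'Privilege Elevation Management';
    # presumably a non-admin account holding that right - confirm against the fixture.
    requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
    response = requester_session.get_current_session_user_info()
    user_info = response.json()['Result']
    logger.debug(f"del_assignment_scenario3: {user_info}")

    # Make sure rule assignment is available
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
    assert isSuccess, f"List assignments API call failed: {results}"
    logger.debug(f"List pe assignments response: {results}")
    assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
        "ruleID not present in list of pe assignments response"

    # Deleting assignment explicitly should fail
    result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
    assert not isSuccess, f"Deleting rule assignment with no manage permission on system passed: {ruleID}"
    # The response is included so an unexpected error text is visible in the failure.
    assert re.findall('unauthorized', result), \
        f"Deleting rule assignment with no manage permission on system did not fail with unauthorized exception: " \
        f"{ruleID}: {result}"

    # A rejected delete must leave the assignment in place: the error response alone
    # does not show that nothing was removed on the server side.
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
    assert isSuccess, f"List assignments API call failed after denied delete: {results}"
    assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
        f"Rule assignment missing after a delete that was reported as unauthorized: {ruleID}"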
def test_pe_del_command_scenario3(core_session, setup_pe_one_command_one_rule, users_and_roles):
    """Delete a fixture-provided command as the 'Privilege Elevation Management' user.

    The fixture supplies a command with one existing rule assignment. Once the
    assignment is confirmed in the listing, the requester deletes the command by
    name, which must succeed. An explicit delete of the assignment afterwards must
    fail with 'Privilege Elevation Assignment not found'.
    """
    command_name, _command_id, rule_id = setup_pe_one_command_one_rule

    requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
    user_info = requester_session.get_current_session_user_info().json()['Result']
    logger.debug(f"del_command_scenario3 - user_info: {user_info}")

    # The assignment must exist before the command is removed.
    listing, listed = PrivilegeElevation.list_pe_assignments(core_session, command=command_name)
    assert listed, f"List assignments API call failed: {listing}"
    logger.debug(f"List pe assignments response: {listing}")
    rule_listed = PrivilegeElevation.check_rule_in_list_pe_assignments_response(rule_id, listing, True)
    assert rule_listed, "ruleID not present in list of pe assignments response"

    # The requester deletes the command; its assignments are expected to go with it.
    delete_response, deleted = PrivilegeElevation.del_pe_command(requester_session, name=command_name)
    assert deleted, f"Deleting command as a non-admin user with pe permission failed: {delete_response}"

    # The assignment no longer exists, so deleting it must be rejected as "not found".
    delete_response, deleted = PrivilegeElevation.del_pe_rule_assignment(requester_session, rule_id)
    assert not deleted, f"Deleting an already deleted assignment passed: {rule_id}"
    not_found = re.search('Privilege Elevation Assignment not found', delete_response)
    assert not_found, f"Deleting an already deleted assignment failed with unknown exception: {delete_response}"