def test_other_user_cant_see_secret_created_by_first_user(core_session, users_and_roles, created_system_id_list,
swap_roles):
roles = ["Privileged Access Service Administrator", "Privileged Access Service Power User"]
if swap_roles:
roles_new = [roles[1], roles[0]]
roles = roles_new
batch = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 2, created_system_id_list)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch])
deleter_user_0_session = users_and_roles.get_session_for_user(roles[0])
deleter_user_0_role = users_and_roles.get_role(roles[0])
deleter_user_0_role_name = deleter_user_0_role['Name']
deleter_user_0_role_id = deleter_user_0_role['ID']
other_user_1_session = users_and_roles.get_session_for_user(roles[1])
for account_id in all_accounts:
permission_string = 'Owner,View,Manage,Delete,Login,Naked,UpdatePassword,FileTransfer,UserPortalLogin'
result, success = ResourceManager.assign_account_permissions(core_session, permission_string,
deleter_user_0_role_name, deleter_user_0_role_id,
"Role", account_id)
assert success, "Did not set account permissions " + str(result)
for system_id in all_systems:
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(core_session, permission_string,
deleter_user_0_role_name, deleter_user_0_role_id,
"Role", system_id)
assert success, "Did not set system permissions " + result
secret_name = f"secret{guid()}"
job_id, result = ResourceManager.del_multiple_systems(deleter_user_0_session, batch.keys(), secretname=secret_name)
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
remaining_accounts = set(ResourceManager.get_multi_added_account_ids(core_session, created_system_id_list))
remaining_systems = set(ResourceManager.get_multi_added_system_ids(core_session, created_system_id_list).values())
assert remaining_accounts == set(), "Remaining accounts did not match expectation"
assert remaining_systems == set(), "Remaining systems did not match expectation"
secret_id = RedrockController.get_secret_id_by_name(deleter_user_0_session, secret_name)
assert secret_id is not None, f"Secret was not visible to creator '{roles[0]}' user, either because it wasn't created or because of a permissions issue"
secret_id = RedrockController.get_secret_id_by_name(other_user_1_session, secret_name)
assert secret_id is None, f"Secret should not be '{roles[1]}' user when created by '{roles[0]}' user"
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, f"Sys admin should be able to see secret created by {roles[0]}"
def test_bulk_account_delete_generates_secret(
clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, secret_cleaner):
batch1 = ResourceManager.add_multiple_systems_with_accounts(
core_session, 1, 4, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(
core_session, 2, 3, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch1, batch2])
secret_name = "TestSecret-" + str(
ResourceManager.time_mark_in_hours()) + "-" + guid()
sql_query = 'SELECT * FROM VaultAccount WHERE ' + ' OR '.join(
('VaultAccount.ID = "' + str(n) + '"' for n in list(all_accounts)))
ResourceManager.del_multiple_accounts_by_query(core_session, sql_query,
True, secret_name)
ResourceManager.wait_for_secret_to_exist_or_timeout(
core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(
core_session, secret_name)
assert secret_id is not None, "Secret not found"
secret_cleaner.append(secret_id)
assert len(
ResourceManager.get_multi_added_account_ids(
core_session,
all_systems)) == 0, "Expected zero added accounts remain"
def test_bulk_account_delete_does_not_generate_secret_when_told_not_to(
clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems):
batch1 = ResourceManager.add_multiple_systems_with_accounts(
core_session, 1, 4, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(
core_session, 2, 3, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch1, batch2])
secret_name = "TestSecret-" + str(
ResourceManager.time_mark_in_hours()) + "-" + guid()
sql_query = 'SELECT * FROM VaultAccount WHERE ' + ' OR '.join(
('VaultAccount.ID = "' + str(n) + '"' for n in list(all_accounts)))
ResourceManager.del_multiple_accounts_by_query(core_session, sql_query,
False, secret_name)
ResourceManager.wait_for_secret_to_exist_or_timeout(core_session,
secret_name,
intervals_to_wait=60)
# set low intervals to wait, since secret should not be generated
secret_id = RedrockController.get_secret_id_by_name(
core_session, secret_name)
assert secret_id is None, "Secret not found!"
assert len(ResourceManager.get_multi_added_account_ids(core_session, all_systems)) == 0, \
"Expected zero remaining added accounts remain"
def test_bulk_system_deletes_manually_single_system_and_secret(clean_bulk_delete_systems_and_accounts, core_session, core_ui, list_of_created_systems, secret_cleaner):
server_prefix, names_of_servers, server_ids = _make_one_server_get_name(core_session, list_of_created_systems)
ui = core_ui
ui.navigate('Resources', 'Systems')
ui.search(server_prefix)
for name in names_of_servers:
assert ui.check_exists(GridCell(name)), "Missing server from view " + name
ui.action('Delete', names_of_servers)
core_ui.switch_context(Modal('System Delete'))
secret_name = "secret_e2e_name_" + guid()
core_ui.input("SecretName", secret_name)
core_ui.button('Delete')
ResourceManager.wait_for_systems_to_delete_or_timeout(core_session, server_ids)
assert len(ResourceManager.get_multi_added_account_ids(core_session, server_ids)) == 0, "All added accounts not removed"
assert len(ResourceManager.get_multi_added_system_ids(core_session, server_ids)) == 0, "All added systems not removed"
ResourceManager.wait_for_secret_to_exist_or_timeout(core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, "Secret not found"
secret_cleaner.append(secret_id)
def test_bulk_account_delete_generates_secret_with_ssh_accounts(
clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, secret_cleaner, core_tenant):
batch1 = ResourceManager.add_multiple_ssh_systems_with_accounts(
core_session,
2,
2,
list_of_created_systems,
system_prefix=f'test_ssh',
user_prefix=f'test_usr_ssh')
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch1])
secret_name = "TestSecret-" + str(
ResourceManager.time_mark_in_hours()) + "-" + guid()
result, success = ResourceManager.del_multiple_accounts(
core_session,
all_accounts,
save_passwords=True,
secret_name=secret_name)
assert success, "Api did not complete successfully for bulk account delete MSG: " + result
ResourceManager.wait_for_secret_to_exist_or_timeout(
core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(
core_session, secret_name)
assert secret_id is not None, "Secret not found"
secret_cleaner.append(secret_id)
assert len(
ResourceManager.get_multi_added_account_ids(
core_session,
all_systems)) == 0, "Expected zero added accounts remain"
user_name = core_tenant['admin_user']
user_id = UserManager.get_user_id(core_session, user_name)
result, success = set_users_effective_permissions(core_session, user_name,
"View,Edit,Retrieve",
user_id, secret_id)
assert success, f"Did not set secret permission successfully with message {result}"
secret_file_contents = get_file_secret_contents(core_session, secret_id)
assert secret_file_contents.count("\n") == 1 + len(
all_accounts
), f"Secret file contained the wrong number of lines {secret_file_contents}"
assert secret_file_contents.count("AutomationTestKey") == len(
all_accounts
), f"Secret file contained the wrong number of keys {secret_file_contents}"
for server_id in all_systems:
assert server_id in secret_file_contents, f"Server ID absent from secret file {secret_file_contents}"
for account_id in all_accounts:
assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
def test_power_user_cant_see_secret_created_by_sysadmin_bsd(core_session, users_and_roles, created_system_id_list):
batch = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 2, created_system_id_list)
secret_name = f"secret{guid()}"
job_id, result = ResourceManager.del_multiple_systems(core_session, batch.keys(), secretname=secret_name)
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
remaining_accounts = set(ResourceManager.get_multi_added_account_ids(core_session, created_system_id_list))
remaining_systems = set(ResourceManager.get_multi_added_system_ids(core_session, created_system_id_list).values())
assert remaining_accounts == set(), "Remaining accounts did not match expectation"
assert remaining_systems == set(), "Remaining systems did not match expectation"
requester_session = users_and_roles.get_session_for_user("Privileged Access Service Power User")
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, "No secret was created"
secret_id = RedrockController.get_secret_id_by_name(requester_session, secret_name)
assert secret_id is None, "Secret should not be visible to Privileged Access Service Power User"
def test_delete_cloud_provider_secret(core_session,
fake_cloud_provider_root_account,
fake_cloud_provider, secret_cleaner):
account_id, username, password, cloud_provider_id, test_did_cleaning = fake_cloud_provider_root_account
name, desc, cloud_provider_id, cloud_account_id, test_did_cleaning = fake_cloud_provider
account_name = f"acctname{guid()}"
account_id, success = ResourceManager.add_account_cloud_provider(
core_session, account_name, "", cloud_provider_id)
assert success, f"Account addition failed with API response result {account_id}"
key_secret = "kjshakjsakjasgfkjysgkjagfkjsakjgfakjsf"
result, success = CloudProviderManager.set_mfa_token(
core_session, account_id, key_secret)
assert success, f"Failed to set mfa token {result}"
secret_name = f"SecretName{guid()}"
result, success = CloudProviderManager.delete_cloud_providers(
core_session, [cloud_provider_id],
save_passwords=True,
secret_name=secret_name)
assert success, f"Failed to delete cloud provider with response {result}"
test_did_cleaning()
ResourceManager.wait_for_secret_to_exist_or_timeout(
core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(
core_session, secret_name)
assert secret_id is not None, "No secret was created"
secret_cleaner.append(secret_id)
user = core_session.get_user()
user_name = user.get_login_name()
user_id = user.get_id()
result, success = set_users_effective_permissions(core_session, user_name,
"View,Edit,Retrieve",
user_id, secret_id)
assert success, f"Did not set secret permission successfully with message {result}"
secret_file_contents = get_file_secret_contents(core_session, secret_id)
assert username in secret_file_contents, f"username absent from secret file {secret_file_contents}"
assert password in secret_file_contents, f"password absent from secret file {secret_file_contents}"
assert cloud_provider_id in secret_file_contents, f"cloud_provider_id absent from secret file {secret_file_contents}"
assert account_name in secret_file_contents, f"account_name absent from secret file {secret_file_contents}"
assert key_secret in secret_file_contents, f"mfa secret absent from secret file {secret_file_contents}"
def test_bulk_account_stores_secret_when_deleting_using_ui(
clean_bulk_delete_systems_and_accounts, core_session, core_admin_ui,
list_of_created_systems, secret_cleaner):
server_prefix, account_prefix, all_systems, all_accounts, all_account_names = _make_four_accounts_get_names(
core_session, list_of_created_systems, ssh=True)
ui = core_admin_ui
ui.navigate('Resources', 'Accounts')
ui.search(server_prefix)
for name in all_account_names:
assert ui.check_exists(
GridCell(name)), f"Account not found in grid with name {name}"
delete_names, keep_names = DataManipulation.shuffle_and_split_into_two_lists(
all_account_names)
action_name = 'Delete accounts'
modal_name = 'Bulk Account Delete'
if len(delete_names) == 1:
action_name = 'Delete'
modal_name = 'Delete'
ui.action(action_name, delete_names)
ui.switch_context(Modal(modal_name))
secret_name = "secret_e2e_name_" + guid() + "_" + guid()
ui.input("SecretName", secret_name)
ui.button('Delete')
ui.switch_context(NoTitleModal())
ui.button('Close')
ResourceManager.wait_for_secret_to_exist_or_timeout(
core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(
core_session, secret_name)
assert secret_id is not None, "Failed to create secret!"
secret_cleaner.append(secret_id)
assert len(
ResourceManager.get_multi_added_account_ids(
core_session, all_systems)) == len(
keep_names), "Wrong number of remaining systems found"
def test_add_and_delete_system_with_multiple_benchmarks_per_test(
core_session, created_system_id_list, csv_benchmark):
"""
This test demonstrates measuring multiple things within the same pytest test
See example output at bottom of this file
"""
start, end, info = csv_benchmark
info(filenamesuffix="Bulk System Delete Time Test")
for i in range(3):
info(row=f"Test Run {i+1}")
info(column="Generate Systems")
start()
batch = ResourceManager.add_multiple_systems_with_accounts(
core_session, 2, 2, created_system_id_list)
end()
secret_name = f"secret{guid()}"
info(column="Delete Job")
start()
job_id, result = ResourceManager.del_multiple_systems(
core_session, batch.keys(), secretname=secret_name)
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
end()
info(column="Query Systems and Accounts")
start()
remaining_accounts = set(
ResourceManager.get_multi_added_account_ids(
core_session, created_system_id_list))
remaining_systems = set(
ResourceManager.get_multi_added_system_ids(
core_session, created_system_id_list).values())
assert remaining_accounts == set(
), "Remaining accounts did not match expectation"
assert remaining_systems == set(
), "Remaining systems did not match expectation"
end()
info(column="Query Secret")
start()
secret_id = RedrockController.get_secret_id_by_name(
core_session, secret_name)
assert secret_id is not None, "No secret was created"
end()
def test_bulk_system_delete_generates_secret(clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, secret_cleaner, core_tenant):
batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 1, 4, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 3, list_of_created_systems)
batch3 = ResourceManager.add_multiple_ssh_systems_with_accounts(core_session, 1, 1, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2, batch3])
all_non_ssh_systems, all_non_shh_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2])
secret_name = "TestSecret-" + str(ResourceManager.time_mark_in_hours()) + "-" + guid()
sql_query = RedrockController.get_query_for_ids('Server', all_systems)
ResourceManager.del_multiple_systems_by_query(core_session, sql_query, True, secret_name)
ResourceManager.wait_for_secret_to_exist_or_timeout(core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, "No secret was created"
secret_cleaner.append(secret_id)
user_name = core_tenant['admin_user']
user_id = UserManager.get_user_id(core_session, user_name)
result, success = set_users_effective_permissions(core_session, user_name, "View,Edit,Retrieve", user_id, secret_id)
assert success, f"Did not set secret permission successfully with message {result}"
secret_file_contents = get_file_secret_contents(core_session, secret_id)
assert secret_file_contents.strip().count("\n") == len(
all_accounts), f"Secret file contained the wrong number of lines {secret_file_contents}"
assert secret_file_contents.count("thisIsaPAsSwO0rd") == len(
all_non_shh_accounts), f"Secret file contained the wrong number of passwords {secret_file_contents}"
# Commenting following assert as AutomationTestKey is not available in secret_file_contents, Tested on both AWS,
# Azure devdog tenants
# assert 'AutomationTestKey' in secret_file_contents, f"Name of SSH key did not appear in secret file {secret_file_contents}"
for server_id in all_non_ssh_systems:
assert server_id in secret_file_contents, f"Server ID absent from secret file {secret_file_contents}"
for account_id in all_non_shh_accounts:
assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
def test_bulk_system_delete_generates_secret_with_garbage_in_list(clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, secret_cleaner, core_tenant):
batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 2, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 1, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2])
secret_name = "TestSecret-" + str(ResourceManager.time_mark_in_hours()) + "-" + guid()
clean_delete_system_ids = list(all_systems)
delete_system_ids = ["foo", "", clean_delete_system_ids[2]] + clean_delete_system_ids + ["!@#$%^&*()", "1", "?",
"Jason Alexander", "bar"]
ResourceManager.del_multiple_systems(core_session, delete_system_ids, savepasswords=True, secretname=secret_name)
ResourceManager.wait_for_secret_to_exist_or_timeout(core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, "No secret was created"
secret_cleaner.append(secret_id)
user_name = core_tenant['admin_user']
user_id = UserManager.get_user_id(core_session, user_name)
result, success = set_users_effective_permissions(core_session, user_name, "View,Edit,Retrieve", user_id, secret_id)
assert success, f"Did not set secret permission successfully with message {result}"
secret_file_contents = get_file_secret_contents(core_session, secret_id)
assert secret_file_contents.count("\n") == 1 + len(
all_accounts), f"Secret file contained the wrong number of lines {secret_file_contents}"
assert secret_file_contents.count("bsd_tst_usr_") == len(
all_accounts), f"Secret file contained the wrong number of accounts {secret_file_contents}"
assert secret_file_contents.count("thisIsaPAsSwO0rd") == len(
all_accounts), f"Secret file contained the wrong number of passwords {secret_file_contents}"
for server_id in all_systems:
assert server_id in secret_file_contents, f"Server ID absent from secret file {secret_file_contents}"
for account_id in all_accounts:
assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
