def test_delete_permission_on_folder_you_can_delete_folder(core_session,
create_secret_folder,
users_and_roles,
cleanup_secrets_and_folders):
"""
C3043: test method to Login as cloud admin
1) Disable "Delete" permission on a folder for UserA Then Login as UserA
verify Delete is unavailable for that folder
2) Enable "Delete" permission on a folder for UserA Then Login as UserA
verify Delete is available & successful for that folder
:param core_session: Authenticated Centrify session
:param create_secret_folder: Fixture to create secret inside folder & yields secret & folder details
:param users_and_roles: Fixture to create random user with PAS Power Rights
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
"""
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
folders_list = cleanup_secrets_and_folders[1]
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(f'User with PAS Power User Rights login successfully: user_Name: {user_name}')
# Api to give user permissions to folder(DELETE Disabled)
user_permissions_result = give_user_permissions_to_folder(core_session, user_name, user_id, folder_id,
'View')
assert user_permissions_result, f'Not Able to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Delete folder for User A should fail
del_result = del_folder(pas_power_user_session, folder_id)
assert del_result['success'] is False, f'Able to delete the folder:{del_result["Result"]}'
logger.info(f'Failed to delete the folder(DELETE Disabled):{del_result}')
# Api to give user permissions to folder(DELETE Enabled)
user_permissions_result = give_user_permissions_to_folder(core_session, user_name, user_id, folder_id,
'View,Delete')
assert user_permissions_result, f'Not Able to set user permissions to folder: {user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Delete folder for User A should pass
del_result = del_folder(pas_power_user_session, folder_id)
assert del_result["success"], f'Failed to delete the folder(DELETE): {del_result["Result"]}'
logger.info(f'Deleting the folder successfully (DELETE):{del_result}')
folders_list.remove(folder_id)
def test_heirachy_delete(core_session, nested_secret_folder):
"""Ensures that a parent cannot be deleted with a child inside
Steps:
Pre:.Get a folder in a folder
1. Try to delete outer folder
-Verify Failure
"""
parent_folder, child_folder = nested_secret_folder
del_folder_res = del_folder(core_session, parent_folder['ID'])
assert not del_folder_res['success'], f"Deleted Folder {parent_folder['Name']} with Child inside, should be impossible, " \
f"response {json.dumps(del_folder_res['response'])}"
def test_delete_permission_on_parent_folder_but_not_on_sub_folder(
core_session, create_folder_inside_folder, users_and_roles,
cleanup_secrets_and_folders):
"""
C3044: test method to Login as cloud admin
1) Enable "Delete" folder permissions on a parent folder for UserA
2) Login as UserA
3) Verify sub folders should be deleted
:param core_session: Authenticated Centrify session
:param create_folder_inside_folder: Fixture to create folder inside folder & yields nested_folder,
parent_folder details
:param users_and_roles: Fixture to create random user with PAS Power Rights
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
"""
parent_folder_info, nested_folder_info, nested_folder_id = create_folder_inside_folder
parent_folder_id = parent_folder_info['ID']
folders_list = cleanup_secrets_and_folders[1]
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name: {user_name}'
)
# Api to give user permissions to folder(DELETE Enabled)
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, parent_folder_id, 'View,Delete')
assert user_permissions_result, f'Not Able to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Delete folder for User A should pass
del_result = del_folder(pas_power_user_session, nested_folder_id)
del_success = del_result['success']
result = del_result['Result']
assert del_success, f'Failed to delete Sub folder :{result}'
logger.info(f'Able to delete Sub folder successfully:{del_result}')
folders_list.remove(nested_folder_id)
def test_delete_folder_with_child(core_session, create_folder_inside_folder,
users_and_roles,
cleanup_secrets_and_folders):
"""
C30821: test method to Login as cloud admin
1) Enable "Delete" folder permissions on a folder for UserA
2) Login as UserA
3) Verify you cannot delete folder with a child inside it
:param core_session: Authenticated Centrify session
:param create_folder_inside_folder: Fixture to create folder inside folder & yields nested_folder &
parent_folder details
:param users_and_roles: Fixture to create random user with PAS Power Rights
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
"""
parent_folder_info, nested_folder_info, nested_folder_id = create_folder_inside_folder
parent_folder_id = parent_folder_info['ID']
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name: {user_name}'
)
# Api to give user permissions to folder(DELETE Enabled)
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, parent_folder_id, 'View,Delete')
assert user_permissions_result['success'], \
f'Not Able to set user permissions to folder{user_permissions_result["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Delete parent folder with child for User A should fail
del_result = del_folder(pas_power_user_session, parent_folder_id)
assert del_result[
'success'] is False, f'Failed to delete Sub folder:{del_result["Message"]}'
logger.info(f'Able to delete Sub folder:{del_result}')
def test_delete_folder_with_mfa_enabled(core_session, create_secret_folder,
pas_general_secrets, clean_up_policy,
cleanup_secrets_and_folders):
"""
C284042: Delete folder that has an MFA enabled
:param core_session: Authenticated Centrify Session.
:param create_secret_folder: Fixture to create folder & yields folder related details
:param pas_general_secrets: Fixture to read secrets related data from yaml file
:param clean_up_policy: Fixture to clean up the policy created
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
"""
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
folder_name = secret_folder_details['Name']
params = pas_general_secrets
suffix = guid()
challenges1 = ["UP", ""]
user_name = core_session.auth_details['User']
folders_list = cleanup_secrets_and_folders[1]
# creating a new Authentication profile for folder
policy_result = PolicyManager.create_new_auth_profile(
core_session, params['policy_name'] + suffix, challenges1, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Updating the Folder(Applying MFA)
result = update_folder(core_session,
folder_id,
folder_name,
folder_name,
description=params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f' Failed to apply MFA on folder, API response result: {result["Message"]} '
logger.info(f'MFA Applied on Folder: {result}')
# Delete folder with Mfa Authentication
del_result = del_folder(core_session, folder_id)
# StartChallenge MFA Authentication
session, mechanism = core_session.start_mfa_authentication(
user_name, del_result['Result']['ChallengeId'])
# AdvanceAuthentication MFA to Password
result = core_session.advance_authentication(
answer=core_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
assert result, "Password Authentication Failed"
# After Authentication of MFA delete folder
del_secret_result = del_folder_mfa(
core_session,
folder_id,
ChallengeStateId=del_result['Result']['ChallengeId'])
assert del_secret_result[
'success'], f'Failed to delete folder with mfa, API response result: {del_secret_result}'
logger.info(
f'Successfully deleted folder with MFA & get challenged: {del_secret_result}'
)
folders_list.remove(folder_id)
def test_delete_mfa_policy_on_secret(core_session, pas_general_secrets,
clean_up_policy, users_and_roles):
"""
C283962: MFA policy on Secret, verify challenged
:param core_session: Authenticated Centrify session
:param pas_general_secrets: Fixture to read secrets data from yaml file
:param clean_up_policy: Fixture to cleanup the policy created
:param users_and_roles: Fixture to create new user with restricted rights
"""
secrets_params = pas_general_secrets
suffix = guid()
# Create a folder A
secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(
core_session, secrets_params['mfa_folder_name'] + suffix,
secrets_params['description'])
assert secret_folder_success, f'Failed to create a folder {secret_folder_id}'
logger.info(f' Folder created successfully: {secret_folder_success} ')
secret_folder_parameters['ID'] = secret_folder_id
# Create a secret under A folder
added_secret_success, added_secret_id = create_text_secret_within_folder(
core_session, secrets_params['mfa_secret_name'] + suffix,
secrets_params['secret_text'], secrets_params['secret_description'],
secret_folder_id)
assert added_secret_success, f"Added Secret Failed {added_secret_id}"
logger.info(f'Added secrets info {added_secret_success, added_secret_id}')
# Getting details of the secret
found_secret = get_secret(core_session, added_secret_id)
assert found_secret['success'], \
f'Failed to get the details of the secret , API response result:{found_secret["Message"]}'
logger.info(f'Getting details of the secret: {found_secret}')
secret_name = found_secret['Result']['SecretName']
challenges = ["UP", ""]
# Creating new policy
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA on Secret
result = update_secret(
core_session,
added_secret_id,
secret_name,
description=secrets_params['mfa_secret_description'],
policy_id=policy_result)
assert result[
'success'], f' Failed to apply MFA on the secret, API response result:{result["Message"]} '
logger.info(f'MFA Applied on the secret: {result}')
# Getting new session for User
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name: {user_name}'
)
# Api to give user permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, secret_folder_id,
'Grant,View,Delete')
assert user_permissions_result, f'Failed to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to set DELETE permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'Grant,View,Delete,Retrieve', user_id,
secret_folder_id)
assert member_perm_success, f'Failed to set member permissions to Folder{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Delete secret with Mfa Authentication
del_success, del_result = del_secret(pas_power_user_session,
added_secret_id)
# StartChallenge MFA Authentication
session, mechanism = pas_power_user_session.start_mfa_authentication(
user_name, del_result['ChallengeId'])
# AdvanceAuthentication MFA to Password
result = pas_power_user_session.advance_authentication(
answer=pas_power_user_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
assert result, "Password Authentication Failed"
logger.info(f'Advance authentication: {result}')
# After Authentication of MFA delete the secret under folder
del_secret_success, del_secret_result = del_secret_mfa(
pas_power_user_session,
added_secret_id,
ChallengeStateId=del_result['ChallengeId'])
assert del_secret_success, f'User: {user_name} failed to delete secret from this folder: {secret_folder_id}'
logger.info(
f'User: {user_name} deleted secret: '
f'{added_secret_id} successfully from this folder: {secret_folder_id}')
# Delete folder
del_folder_res = del_folder(core_session, secret_folder_id)
assert del_folder_res, f'User: {user_name} failed to delete folder: {secret_folder_id}'
logger.info(
f'User: {user_name} successfully deleted folder: {secret_folder_id}')
def test_sub_folders_will_have_a_union_of_all_permissions(
core_session, pas_general_secrets, cleanup_secrets_and_folders,
users_and_roles):
"""
C3048: test method Sub folders will have a union of all it’s permissions
1)create multilevel folder /alpha/beta/charlie/delta
2) Login as Admin, set folder permissions "View" for alpha,"Edit" for beta, "Delete" for charlie,"Add" for delta
3) Login as pas user
4) verify sub folder permissions will have a union of all parent folders
:param core_session: Authenticated Centrify session
:param pas_general_secrets: Fixture to read secrets related data from yaml file
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
:param users_and_roles: Fixture to create random user with PAS User Rights
"""
params = pas_general_secrets
folder_prefix = guid()
folders_list = cleanup_secrets_and_folders[1]
# creating multilevel folder /alpha/beta/charlie/delta
child_folder_success, child_folder_parameters, child_folder_id = create_folder(
core_session, folder_prefix + params['multi_level_folder_name'],
params['description'])
assert child_folder_success, f'Failed to create multilevel folder, API response result: {child_folder_id}'
logger.info(
f'Multilevel Folder created successfully: {child_folder_success} & details are {child_folder_id}'
)
# Getting details of Folder Charlie
charlie_folder = get_folder(core_session, child_folder_id)
assert charlie_folder['success'], \
f'Failed to retrieve charlie folder details, API response result:{charlie_folder["Message"]}'
logger.info(f'charlie folder details:{charlie_folder}')
charlie_id = charlie_folder['Result']['Results'][0]['Row']['Parent']
child_folder_name = charlie_folder['Result']['Results'][0]['Row'][
'SecretName']
# Getting details of parent folder
parent_path = charlie_folder['Result']['Results'][0]['Row']['ParentPath']
parent_folder_name = parent_path.split('\\')
parent_folder_sliced = parent_folder_name[0]
# Getting id of parent folder
parent_folder = get_folder(core_session, parent_folder_sliced)
assert parent_folder['success'], \
f'Failed to retrieve parent folder details, API response result:{parent_folder["Message"]}'
logger.info(f'Parent folder details:{parent_folder}')
parent_folder_id = parent_folder['Result']['Results'][0]['Row']['ID']
# Getting details of Folder alpha
alpha_folder = get_secrets_and_folders_in_folders(core_session,
parent_folder_id)
assert alpha_folder['success'], \
f'Failed to retrieve alpha folder id, API response result: {alpha_folder["Result"]}'
logger.info(f'Details of Alpha Folder Retrieved:{alpha_folder}')
alpha_folder_id = alpha_folder["Result"]["Results"][0]["Entities"][0][
"Key"]
# Getting details of Folder beta
folder_beta = get_secrets_and_folders_in_folders(core_session,
alpha_folder_id)
assert folder_beta['success'], \
f'Failed to retrieve beta folder id, API response result: {folder_beta["Result"]}'
logger.info(f'Details of Beta Folder Retrieved:{folder_beta}')
folder_beta_id = folder_beta["Result"]["Results"][0]["Entities"][0]["Key"]
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS User Rights login successfully: user_Name:{user_name}')
# Api to give user permissions to folder alpha
user_permissions_alpha = give_user_permissions_to_folder(
core_session, user_name, user_id, alpha_folder_id, 'View')
assert user_permissions_alpha['success'], \
f'Not Able to set user permissions to folder, API response result:{user_permissions_alpha["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions_alpha}')
# Api to give user permissions to folder beta
user_permissions_beta = give_user_permissions_to_folder(
core_session, user_name, user_id, folder_beta_id, 'Edit')
assert user_permissions_beta['success'], \
f'Not Able to set user permissions to folder, API response result:{user_permissions_beta["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions_beta}')
# Api to give user permissions to folder charlie
user_permissions_charlie = give_user_permissions_to_folder(
core_session, user_name, user_id, charlie_id, 'Delete')
assert user_permissions_charlie['success'], \
f'Not Able to set user permissions to folder, API response result:{user_permissions_charlie["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions_charlie}')
# Api to give user permissions to folder delta(child folder)
user_permissions_child = give_user_permissions_to_folder(
core_session, user_name, user_id, child_folder_id, 'Add')
assert user_permissions_child['success'], \
f'Not Able to set user permissions to folder, API response result:{user_permissions_child["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions_child}')
# Updating the Folder delta
result = update_folder(pas_power_user_session,
child_folder_id,
child_folder_name,
updated_name=folder_prefix +
params['delta_folder_name_new'],
description=params['mfa_folder_description'])
assert result[
'success'], f'Failed to update the folder, API response result: {result["Message"]} '
logger.info(f'Folder updated successfully: {result}')
# Getting details of the Folder updated
result_folder = get_folder(pas_power_user_session, child_folder_id)
logger.info(f'Updated Folder details: {result_folder}')
description_updated = result_folder["Result"]["Results"][0]["Row"][
"Description"]
name_updated = result_folder["Result"]["Results"][0]["Row"]["Name"]
assert 'delta_updated_v1' in name_updated, \
f'Failed to update the name, API response result:{result_folder["Result"]["Results"][0]["Row"]["Name"]}'
assert 'mfa_description' in description_updated, \
f'Failed to update the description, ' \
f'API response result:{result_folder["Result"]["Results"][0]["Row"]["Description"]}'
# Adding new folder inside delta
new_folder_success, new_folder_parameters, new_folder_id = create_folder(
pas_power_user_session,
folder_prefix + params['name'],
params['description'],
parent=child_folder_id)
assert new_folder_success, f'Failed to create multilevel folder, API response result: {new_folder_id}'
logger.info(
f'Multilevel Folder created successfully: {new_folder_success} & details are {new_folder_id}'
)
# Delete newly created folder
del_result = del_folder(pas_power_user_session, new_folder_id)
assert del_result[
"success"], f'Failed to delete the folder(DELETE), API response result: {del_result["Result"]}'
logger.info(f'Deleting the folder successfully (DELETE):{del_result}')
folders_list.append(child_folder_id)
folders_list.append(charlie_id)
folders_list.append(folder_beta_id)
folders_list.append(alpha_folder_id)
folders_list.append(parent_folder_id)
logger.info(f'Added Folders are deleted successfully: {folders_list}')
