def test_move_secret_to_invalid_location(
core_session, text_secret,
secret_folder): # vv Should be name not id vv
"""Tests that movign a secret works
Steps:
1. Move Secret with invalid target id
-Verify Failure
2. Move folder using the name, but wrong call
-Verify Failure
3. Move to with a bogus secret it
-Verify Failure
"""
move_result = move_secret(core_session, text_secret['ID'],
secret_folder['ID'], True)
assert not move_result[
'success'], "Was able to move secret to folder using id in name parameter, should be impossible"
move_result = move_secret(core_session, text_secret['ID'],
secret_folder['Name'])
assert not move_result[
'success'], "Was able to move secret to folder using name in id parameter, should be impossible"
move_result = move_secret(core_session, "BogusSecretId",
secret_folder['ID'])
assert not move_result[
'success'], f"Was able to move BogusSecretId into folder {secret_folder['ID']}"
def test_move_secret_to_different_folder_with_member_permission_edit_on_source_folder_for_user_a(
core_session, users_and_roles, create_secret_inside_folder,
pas_general_secrets, cleanup_secrets_and_folders):
"""
test method to move a secret to another folder with "EDIT" member permissions on source folder for User A
:param core_session: Authenticated Centrify Session.
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param create_secret_inside_folder: Fixture to create text type secret inside folder &
yields folder & secret details.
:param pas_general_secrets: Fixture to read secret data from yaml file.
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
"""
folder_id_list, folder_name, secret_id_list = create_secret_inside_folder
folders_list = cleanup_secrets_and_folders[1]
params = pas_general_secrets
prefix = guid()
pas_power_user = users_and_roles.get_user(
'Privileged Access Service Power User')
user_name = pas_power_user.get_login_name()
user_id = pas_power_user.get_id()
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details is not None, 'Failed to Login with PAS Power User'
logger.info(
f'User with PAS Power User Rights login successfully :user_Name: {user_name}'
f' & Password: {pas_power_user.get_password()} ')
# Api to give user permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, folder_id_list[0], 'View,Grant')
assert user_permissions_result, f'Not Able to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to give member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'View,Grant,Edit', user_id, folder_id_list[0])
assert member_perm_success, f'Not Able to set member permissions to Folder{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Api to create secret folder for User A
secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(
pas_power_user_session, prefix + params['name'], params['description'])
logger.info(
f' Folder created successfully: {secret_folder_success} & details are {secret_folder_parameters}'
)
assert secret_folder_success is True, f'Failed to create a folder {secret_folder_id}'
folders_list.append(secret_folder_id)
# Api to move secret into another Folder
result_move = move_secret(pas_power_user_session, secret_id_list[0],
secret_folder_id)
assert result_move[
'success'], f'Not Able to move the secret into Folder: {result_move["Result"]}'
logger.info(
f'Moving secret with edit permissions to another folder:{result_move}')
def test_move_secret_basic_name(core_session, secret_folder, text_secret):
"""Tests that movign a secret works into a deep folder
Steps:
1. Move a secret
-Verify Success
2. Get info
- Verify information is correct
"""
move_result = move_secret(core_session, text_secret['ID'],
secret_folder['Name'], True)
assert move_result[
'success'], f"Failed to move secret {text_secret['SecretName']} to folder {secret_folder['Name']}"
def test_move_secret_basic_id(core_session, secret_folder, text_secret):
"""Tests that movign a secret works
Steps:
1. Move a secret
-Verify Success
2. Get info
- Verify information is correct
"""
move_result = move_secret(core_session, text_secret['ID'],
secret_folder['ID'])
assert move_result[
'success'], f"Was unable to move secret {text_secret['SecretName']} to folder {secret_folder['Name']}"
def test_should_not_able_to_move_secret_into_folder_that_do_not_have_add_permissions_on(
core_session, users_and_roles, added_secrets, create_secret_folder):
"""
test method to not able to move a secret(with EDIT permissions) to a folder( with no ADD permissions)
:param core_session: Authenticated Centrify Session
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param added_secrets: Fixture to create text type secret & yield secret id, secret_name
:param create_secret_folder: Fixture to create secret Folder & yield folder related details
"""
added_text_secret_id, added_text_secret_name = added_secrets
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
application_management_user = users_and_roles.get_user(
'Privileged Access Service Power User')
user_name = application_management_user.get_login_name()
user_id = application_management_user.get_id()
# Api to set Edit permissions to secret
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(
core_session, user_name, 'View,Grant,Edit', user_id,
added_text_secret_id[0])
assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}'
logger.info(
f'setting permissions for text type secret: : {text_type_secret_success}'
)
# Api to set permissions with folder
permissions = give_user_permissions_to_folder(core_session, user_name,
user_id, folder_id,
'View,Grant')
assert permissions[
'success'], f'Not able to set permissions to folder:{permissions["Result"]}'
logger.info(f'Permissions to folder: {permissions}')
# API to get new session for User A
application_management_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert application_management_session.auth_details is not None, 'Failed to Login with PAS Power User'
logger.info(
f'User with PAS Power User Rights login successfully :user_Name: {application_management_user.get_login_name()}'
f' & Password: {application_management_user.get_password()} ')
# Api to move secret into Folder
result_move = move_secret(application_management_session,
added_text_secret_id[0], folder_id)
assert result_move[
'success'] is False, f'Able to move the secret into Folder: {result_move["Result"]}'
logger.info(
f'Moving secret with edit permissions:{result_move["Message"]}')
def test_ok_to_move_secret_to_root_level(core_session, create_secret_folder,
pas_general_secrets,
cleanup_secrets_and_folders):
"""
test method to move child secret into root folder
should work
:param core_session: Authenticated Centrify Session.
:param create_secret_folder: Fixture to create secret folder & yields folder_id
:param pas_general_secrets: Fixture to read secrets related data from yaml file
:param cleanup_secrets_and_folders: Fixture to clean up secrets & folders
"""
secrets_list = cleanup_secrets_and_folders[0]
folders_list = cleanup_secrets_and_folders[1]
secret_folder_details = create_secret_folder
root_folder_id = secret_folder_details['ID']
prefix = guid()
params = pas_general_secrets
# Creating nested folder inside root folder
nested_folder_success, nested_folder_parameters, nested_folder_id = create_folder(
core_session,
prefix + params['name'],
params['description'],
parent=root_folder_id)
assert nested_folder_success, f'Failed to create a folder:{nested_folder_id} '
logger.info(
f' Folder created successfully: {nested_folder_success} & details are:{nested_folder_parameters}'
)
folders_list.insert(0, nested_folder_id)
# Creating a secret inside nested folder
added_secret_success, added_secret_result = create_text_secret_within_folder(
core_session, params['secret_name'], params['secret_text'],
params['secret_description'], nested_folder_id)
assert added_secret_success, f"Unable to create secret{added_secret_result}"
logger.info(f'Secret Created successfully: {added_secret_success}')
secrets_list.append(added_secret_result)
# Moving secret into root Folder
result_move = move_secret(core_session, added_secret_result,
root_folder_id)
assert result_move[
'success'], f'Not Able to move the secret into Root Folder: {result_move["Result"]}'
logger.info(
f'Able to move the secret into root folder :{result_move["Message"]}')
def test_move_secret_without_edit_member_permission_on_source_folder_should_not_be_allowed(
core_session, users_and_roles, create_secret_folder,
pas_general_secrets, cleanup_secrets_and_folders):
"""
test method to move a secret to another folder without "EDIT" member permissions & Folder permissions
on source folder for User A should not be allowed
:param core_session: Authenticated Centrify Session.
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param create_secret_folder: Fixture to create secret folder & yields folder details.
:param pas_general_secrets: Fixture to read secret data from yaml file.
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
"""
secret_folder_details = create_secret_folder
secret_list = cleanup_secrets_and_folders[0]
folders_list = cleanup_secrets_and_folders[1]
params = pas_general_secrets
prefix = guid()
folder_id = secret_folder_details['ID']
pas_power_user = users_and_roles.get_user(
'Privileged Access Service Power User')
user_name = pas_power_user.get_login_name()
user_id = pas_power_user.get_id()
# Api to create text type secret within folder
added_text_secret_success, added_text_secret_result = create_text_secret_within_folder(
core_session, prefix + params['secret_name'], params['secret_text'],
params['secret_description'], folder_id)
assert added_text_secret_success, f'Unable to create secret {added_text_secret_result}'
logger.info(f'Secret Created successfully: {added_text_secret_success}')
secret_list.append(added_text_secret_result)
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
logger.info(
f'User with PAS Power User Rights login successfully :user_Name: {user_name}'
f' & Password: {pas_power_user.get_password()} ')
# Api to give user permissions to folder(without EDIT)
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, folder_id, 'View,Grant')
assert user_permissions_result, f'Not Able to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to give member permissions to folder(without EDIT)
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'View,Grant', user_id, folder_id)
assert member_perm_success, f'Not Able to set member permissions to Folder{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Api to create secret folder for User A
secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(
pas_power_user_session, prefix + params['name'], params['description'])
assert secret_folder_success, f'Failed to create a folder:{secret_folder_id}'
logger.info(
f' Folder created successfully: {secret_folder_success} & details are {secret_folder_id}'
)
folders_list.append(secret_folder_id)
# Api to move secret into another Folder
result_move = move_secret(pas_power_user_session, added_text_secret_result,
secret_folder_id)
assert result_move[
'success'] is False, f'Able to move the secret into Folder: {result_move["Result"]}'
logger.info(
f'Not Able to move the secret into another folder without Edit permissions:{result_move["Message"]}'
)
def test_move_mfa_on_parent_folder(core_session, pas_general_secrets,
create_secret_inside_folder,
cleanup_secrets_and_folders,
clean_up_policy):
"""
C283936: MFA policy on Parent folder, verify challenged
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_inside_folder: Fixture to create secret inside folder & yields folder & secret details
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
:param clean_up_policy: Fixture to clean up the policy created
"""
user_detail = core_session.__dict__
user_name = user_detail['auth_details']['User']
secrets_params = pas_general_secrets
suffix = guid()
folder_list, folder_name, secret_list = create_secret_inside_folder
challenges = ["UP", ""]
# creating a new Authentication profile
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA on Folder
result = update_folder(
core_session,
folder_list[0],
folder_name,
folder_name,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Failed to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Move Secret with Mfa Authentication
result_secret = move_secret(core_session, secret_list[0])
# StartChallenge MFA Authentication
session, mechanism = core_session.start_mfa_authentication(
user_name, result_secret['Result']['ChallengeId'])
# AdvanceAuthentication MFA to Password
advance_auth_result = core_session.advance_authentication(
answer=core_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
mfa_result = advance_auth_result.json()
assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
# After Authenticating of move secret with mfa on parent folder
moved_success, moved_result = move_secret_by_using_mfa(
core_session,
secret_list[0],
ChallengeStateId=result_secret['Result']['ChallengeId'])
assert moved_success, f'Moving secret not challenged by mfa:{moved_result}'
logger.info(
f'Moving secret challenged by mfa on parent successfully:{moved_result} {moved_success}'
)
# Removing MFA on Folder
result = update_folder(
core_session,
folder_list[0],
folder_name,
folder_name,
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA, API response result:: {result["Message"]} '
logger.info(f'Successfully removed MFA on folder: {result}')
def test_inherited_permissions_after_move(core_session,
create_secret_inside_folder,
create_secret_folder,
cleanup_secrets_and_folders,
users_and_roles):
"""
C3058:Inherited permissions after move
:param core_session: Authenticated Centrify Session
:param create_secret_inside_folder: Fixture to create secret inside Folder & yields folder & secret related details
:param create_secret_folder: Fixture to create Folder & yields folder related details
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folder created
:param users_and_roles: Fixture to create random user
"""
folder_id_list, folder_name, secret_list = create_secret_inside_folder
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(f'User with PAS Power User Rights login successfully: user_Name: {user_name}')
# Api to set permissions with folder
permissions_folder = give_user_permissions_to_folder(core_session,
user_name,
user_id,
folder_id_list[0],
'View')
assert permissions_folder['success'], f'Not able to set permissions to folder:{permissions_folder["Result"]}'
logger.info(f'Permissions to folder: {permissions_folder}')
# Api to set permissions with folder
folder_permissions = give_user_permissions_to_folder(core_session,
user_name, user_id,
folder_id,
'View,Add')
assert folder_permissions['success'], f'Not able to set permissions to folder:{folder_permissions["Result"]}'
logger.info(f'Permissions to folder: {folder_permissions}')
# Api to give member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session,
user_name,
'View,Edit',
user_id,
folder_id_list[0])
assert member_perm_success, \
f'Not Able to set member permissions to Folder, API response result: {member_perm_result}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Api to give member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session,
user_name,
'View,Edit,Grant,Retrieve,Delete',
user_id,
folder_id)
assert member_perm_success, \
f'Not Able to set member permissions to Folder, API response result: {member_perm_result}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Api to move secret into new Folder
result_move = move_secret(pas_power_user_session, secret_list[0], folder_id)
assert result_move['success'], \
f'Not Able to move secret into new Folder. API response result: {result_move["Result"]}'
logger.info(f'Able to move the secret into new folder:{result_move["Message"]}')
# Api to get secret permissions
get_permission_result = get_users_effective_secret_permissions(core_session, secret_list[0])
verify_permissions = ['View', 'Edit', 'Delete', 'Grant', 'Retrieve']
assert get_permission_result == verify_permissions,\
f'Failed to inherit secret permissions from new parent folder. API response result: {get_permission_result}'
logger.info(f'Secret permissions are inherited from new parent folder.: {get_permission_result}')
def test_move_mfa_on_secrets_should_apply(core_session, pas_general_secrets,
create_secret_folder, added_secrets,
clean_up_policy):
"""
C283939: MFA on secret should still apply once moved to another folder
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_folder: Fixture to create secret folder & yields folder related details
:param added_secrets: Fixture to create text type secrets & yields secrets details
:param clean_up_policy: Fixture to clean up the policy created
"""
secrets_params = pas_general_secrets
suffix = guid()
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
secret_id, secret_name = added_secrets
challenges1 = ["UP", ""]
user_name = core_session.auth_details['User']
# creating a new Authentication profile for nested folder
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges1, 0,
0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA to secret
result = update_secret(
core_session,
secret_id[0],
secret_name,
description=secrets_params['mfa_secret_description'],
policy_id=policy_result)
assert result[
'success'], f'Failed to apply mfa to secret, API response result: {result["Message"]} '
logger.info(f'Successfully applied MFA to Secret: {result}')
# Move Secret with Mfa Authentication
result_secret = move_secret(core_session,
secret_id[0],
folder_info=folder_id)
# StartChallenge MFA Authentication
session, mechanism = core_session.start_mfa_authentication(
user_name, result_secret['Result']['ChallengeId'])
# AdvanceAuthentication MFA to Password
advance_auth_result = core_session.advance_authentication(
answer=core_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
mfa_result = advance_auth_result.json()
assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
logger.info(f'successfully applied password authentication: {mfa_result}')
# After Authenticating of MFA move secret with challenge password
moved_success, moved_result = move_secret_by_using_mfa(
core_session,
secret_id[0],
target_folder_info=folder_id,
ChallengeStateId=result_secret['Result']['ChallengeId'])
assert moved_success, f'User: {user_name} Failed to move secret to another folder: {moved_result}'
logger.info(
f'User: {user_name} successfully moved secret to another folder: {moved_result}'
)
# Move Secret with Mfa Authentication
result_secret = move_secret(core_session, secret_id[0])
assert result_secret['success'] is False, \
f'Failed to preserve MFA Policy,API Response result:{result_secret["Message"]}'
logger.info(f'MFA Policy is preserved successfully: {result_secret}')
# Removing mfa from secret
result = update_secret(
core_session,
secret_id[0],
secret_name,
description=secrets_params['mfa_secret_description'])
assert result[
'success'], f'Failed to remove mfa from secret, API response result: {result["Message"]} '
logger.info(f'Successfully removed mfa from secret: {result}')
def test_move_mfa_on_closest_parent_should_override(
core_session, pas_general_secrets, create_folder_inside_folder,
cleanup_secrets_and_folders, clean_up_policy, users_and_roles):
"""
C283938: MFA on closest parent should override MFA on higher levels
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_folder_inside_folder: Fixture to create nested Folder & yields folder & sub folder related details
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
:param clean_up_policy: Fixture to clean up the policy created
:param users_and_roles: Fixture to create New user with PAS Power Rights
"""
secrets_params = pas_general_secrets
suffix = guid()
parent_folder_info, nested_folder_info, nested_folder_id = create_folder_inside_folder
parent_folder_id = parent_folder_info['ID']
parent_folder_name = parent_folder_info['Name']
secret_list = cleanup_secrets_and_folders[0]
challenges1 = ["UP", ""]
challenges2 = ["SQ", ""]
# Api to create secret within folder
added_text_secret_success, secret_id = create_text_secret_within_folder(
core_session, secrets_params['secret_name'] + suffix,
secrets_params['secret_text'], secrets_params['secret_description'],
nested_folder_id)
assert added_text_secret_success, f'Unable to create secret {secret_id}'
logger.info(f'Secret Created successfully: {added_text_secret_success}')
secret_list.append(secret_id)
# creating a new Authentication profile for nested folder
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges1, 0,
0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# creating another Authentication profile for parent folder
policy_result_v1 = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + "V1" + suffix,
challenges2, 0, 0)
assert policy_result_v1, f'Failed to create policy, API response result:{policy_result_v1}'
logger.info(f' Creating new policy:{policy_result_v1}')
clean_up_policy.append(policy_result_v1)
# Applying MFA on Nested Folder
result = update_folder(
core_session,
nested_folder_id,
nested_folder_info['Name'],
nested_folder_info['Name'],
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Applying MFA on Parent Folder
result = update_folder(
core_session,
parent_folder_id,
parent_folder_name,
parent_folder_name,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result_v1)
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Getting User with PAS Power User rights
pas_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_user_session.auth_details['User']
user_id = pas_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name:{user_name}'
)
# Api to give user permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, parent_folder_id, 'View')
assert user_permissions_result, f'Not Able to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to give member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'View, Edit', user_id, parent_folder_id)
assert member_perm_success, f'Not Able to set member permissions to Folder{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Move Secret with Mfa Authentication
result_secret = move_secret(pas_user_session, secret_id)
# StartChallenge MFA Authentication
session, mechanism = pas_user_session.start_mfa_authentication(
user_name, result_secret['Result']['ChallengeId'])
# AdvanceAuthentication MFA to Password
advance_auth_result = pas_user_session.advance_authentication(
answer=pas_user_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
mfa_result = advance_auth_result.json()
assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
logger.info(f'successfully applied password authentication: {mfa_result}')
# After Authenticating of MFA move secret with challenge password
moved_success, moved_result = move_secret_by_using_mfa(
pas_user_session,
secret_id,
ChallengeStateId=result_secret['Result']['ChallengeId'])
assert moved_success, f'User: {user_name} Failed to move secret with closest parent challenge: {moved_result}'
logger.info(
f'User: {user_name} successfully moved secret with closest parent challenge: {moved_result}'
)
# Removing MFA on Nested Folder
result = update_folder(
core_session,
nested_folder_id,
nested_folder_info['Name'],
nested_folder_info['Name'],
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA, API response result: {result["Message"]} '
logger.info(f'Removing MFA for Nested folder: {result}')
# Removing MFA on Parent Folder
result = update_folder(
core_session,
parent_folder_id,
parent_folder_name,
parent_folder_name,
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA, API response result: {result["Message"]} '
logger.info(f'Removing MFA for Parent folder: {result}')
def test_mfa_of_target_folder_once_secret_is_moved(core_session,
pas_general_secrets,
create_secret_folder,
added_secrets,
clean_up_policy):
"""
C283940: MFA of the target folder will apply once secret is moved to it
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_folder: Fixture to create secret folder & yields folder related details
:param added_secrets: Fixture to create text type secrets & yields secrets details
:param clean_up_policy: Fixture to clean up the policy created
"""
secrets_params = pas_general_secrets
suffix = guid()
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
secret_id, secret_name = added_secrets
challenges1 = ["UP", ""]
user_name = core_session.auth_details['User']
# creating a new Authentication profile for nested folder
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges1, 0,
0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA on Folder
result = update_folder(
core_session,
folder_id,
secret_folder_details['Name'],
secret_folder_details['Name'],
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Move Secret with Mfa Authentication
result_secret = move_secret(core_session,
secret_id[0],
folder_info=folder_id)
assert result_secret[
'success'], f'Failed to move secret into folder,API Response Result: {result_secret["Result"]}'
# Moving Secret with new parent inherited policies
secret_new_permissions = move_secret(core_session, secret_id[0])
# StartChallenge MFA Authentication
session, mechanism = core_session.start_mfa_authentication(
user_name, secret_new_permissions['Result']['ChallengeId'])
# AdvanceAuthentication MFA to Password
advance_auth_result = core_session.advance_authentication(
answer=core_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
mfa_result = advance_auth_result.json()
assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
logger.info(f'successfully applied password authentication: {mfa_result}')
# After Authenticating of MFA move secret with challenge password
moved_success, moved_result = move_secret_by_using_mfa(
core_session,
secret_id[0],
ChallengeStateId=secret_new_permissions['Result']['ChallengeId'])
assert moved_success, f'Failed to move secret with new parent inherited policies: {moved_result}'
logger.info(
f'User: {user_name} successfully moved secret with new parent inherited policies: {moved_result}'
)
# Applying MFA on Folder
result = update_folder(core_session, folder_id,
secret_folder_details['Name'],
secret_folder_details['Name'])
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
def test_user_needs_edit_permission_on_secret_move_a_secret(core_session,
users_and_roles,
added_secrets,
added_secrets_file,
pas_general_secrets,
cleanup_secrets_and_folders):
"""
test method to set permissions to secret for User A(With Edit/Without Edit) &
then to check Secret is movable to folder(Should movable/Not able to move)
:param core_session: Authenticated centrify session
:param users_and_roles: Fixture to create new user with specified roles
:param added_secrets: Fixture to add text type secret & yields secret id, secret name
:param added_secrets_file: Fixture to add file type secret & yields secret id
:param pas_general_secrets: Fixture to read secrets data from yaml file
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
"""
added_text_secret_id, added_text_secret_name = added_secrets
added_secret_id = added_secrets_file
folder_params = pas_general_secrets
prefix = guid()
folder_list = cleanup_secrets_and_folders[1]
pas_power_user = users_and_roles.get_user('Privileged Access Service Power User')
user_name = pas_power_user.get_login_name()
user_id = pas_power_user.get_id()
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
logger.info(f'User with PAS Power User Rights login successfully :user_Name: {user_name}'
f' & Password: {pas_power_user.get_password()} ')
# Api to create secret folder
secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(pas_power_user_session,
prefix + folder_params['name'],
folder_params['description'])
folder_list.append(secret_folder_id)
# Api to set permissions to secret (without Edit)
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session,
user_name,
'View,Grant',
user_id,
added_text_secret_id[0])
assert text_type_secret_success, f'Failed to set permissions for text type secret:{text_type_secret_result}'
logger.info(f'Setting permissions for text type secret: {text_type_secret_success}')
# Api to move secret without Edit permissions
result_move = move_secret(pas_power_user_session, added_text_secret_id[0], secret_folder_id)
assert result_move['success'] is False, f'Able to move the secret without edit permissions{result_move["Result"]}'
logger.info(f'Moving secret without edit permissions:{result_move["Message"]}')
# Api to set Edit permissions to secret
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session,
user_name,
'View,Grant,Edit',
user_id,
added_secret_id)
assert text_type_secret_success, f'Failed to set permissions for file type secret:{text_type_secret_result}'
logger.info(f'Setting permissions for file type secret: : {text_type_secret_success}')
# Api to move secret with Edit permissions
result_move = move_secret(pas_power_user_session, added_secret_id, secret_folder_id)
assert result_move['success'], f'Not Able to move the secret with edit permissions{result_move["Result"]}'
logger.info(f'Moving secret with edit permissions:{result_move}')
