def test_need_to_have_edit_permission_on_secret_to_update_permissions_case(
core_session, users_and_roles, added_secrets_file, added_secrets,
pas_general_secrets):
"""
test method to create 2 secrets with and without edit permissions for UserA & verify the permissions for User A
"""
added_file_secret_id = added_secrets_file
added_text_secret_id, added_text_secret_name = added_secrets
application_management_user = users_and_roles.get_user(
'Privileged Access Service Power User')
user_name = application_management_user.get_login_name()
user_id = application_management_user.get_id()
"""API to set user permissions for file_type_secret"""
file_type_secret_result, file_type_secret_success = set_users_effective_permissions(
core_session, user_name, 'View,Grant,Edit', user_id,
added_file_secret_id)
assert file_type_secret_success, f'setting permissions for file type secret failed: {file_type_secret_result}'
logger.info(
f'setting permissions for file type secret: {file_type_secret_success}'
)
"""API to set user permissions for text_type_secret"""
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(
core_session, user_name, 'View,Grant', user_id,
added_text_secret_id[0])
assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}'
logger.info(
f'setting permissions for text type secret: : {text_type_secret_success}'
)
"""API to get new session for User A"""
application_management_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert application_management_session.auth_details is not None, 'Failed to Login with PAS Power User'
logger.info(
f'User with PAS Power User Rights login successfully :user_Name: {user_name}'
f' & Password: {application_management_user.get_password()} ')
"""API to get "Edit" secret permissions for User A """
get_permission_result = get_users_effective_secret_permissions(
application_management_session, added_file_secret_id)
assert "Edit" in f'{get_permission_result}', f'verification failed for file type secret{get_permission_result}'
logger.info(
f' Get permission for file type Secret: {get_permission_result}')
"""API to get secret permissions(without Edit for User A)"""
get_text_permission_result = get_users_effective_secret_permissions(
application_management_session, added_text_secret_id[0])
assert "Edit" not in f'{get_text_permission_result}', \
f'verification failed for Text type secret{get_text_permission_result}'
logger.info(
f'Get permission for text type Secret: {get_text_permission_result}')
def test_bulk_account_delete_generates_secret_with_ssh_accounts(
clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, secret_cleaner, core_tenant):
batch1 = ResourceManager.add_multiple_ssh_systems_with_accounts(
core_session,
2,
2,
list_of_created_systems,
system_prefix=f'test_ssh',
user_prefix=f'test_usr_ssh')
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch1])
secret_name = "TestSecret-" + str(
ResourceManager.time_mark_in_hours()) + "-" + guid()
result, success = ResourceManager.del_multiple_accounts(
core_session,
all_accounts,
save_passwords=True,
secret_name=secret_name)
assert success, "Api did not complete successfully for bulk account delete MSG: " + result
ResourceManager.wait_for_secret_to_exist_or_timeout(
core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(
core_session, secret_name)
assert secret_id is not None, "Secret not found"
secret_cleaner.append(secret_id)
assert len(
ResourceManager.get_multi_added_account_ids(
core_session,
all_systems)) == 0, "Expected zero added accounts remain"
user_name = core_tenant['admin_user']
user_id = UserManager.get_user_id(core_session, user_name)
result, success = set_users_effective_permissions(core_session, user_name,
"View,Edit,Retrieve",
user_id, secret_id)
assert success, f"Did not set secret permission successfully with message {result}"
secret_file_contents = get_file_secret_contents(core_session, secret_id)
assert secret_file_contents.count("\n") == 1 + len(
all_accounts
), f"Secret file contained the wrong number of lines {secret_file_contents}"
assert secret_file_contents.count("AutomationTestKey") == len(
all_accounts
), f"Secret file contained the wrong number of keys {secret_file_contents}"
for server_id in all_systems:
assert server_id in secret_file_contents, f"Server ID absent from secret file {secret_file_contents}"
for account_id in all_accounts:
assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
def test_delete_cloud_provider_secret(core_session,
fake_cloud_provider_root_account,
fake_cloud_provider, secret_cleaner):
account_id, username, password, cloud_provider_id, test_did_cleaning = fake_cloud_provider_root_account
name, desc, cloud_provider_id, cloud_account_id, test_did_cleaning = fake_cloud_provider
account_name = f"acctname{guid()}"
account_id, success = ResourceManager.add_account_cloud_provider(
core_session, account_name, "", cloud_provider_id)
assert success, f"Account addition failed with API response result {account_id}"
key_secret = "kjshakjsakjasgfkjysgkjagfkjsakjgfakjsf"
result, success = CloudProviderManager.set_mfa_token(
core_session, account_id, key_secret)
assert success, f"Failed to set mfa token {result}"
secret_name = f"SecretName{guid()}"
result, success = CloudProviderManager.delete_cloud_providers(
core_session, [cloud_provider_id],
save_passwords=True,
secret_name=secret_name)
assert success, f"Failed to delete cloud provider with response {result}"
test_did_cleaning()
ResourceManager.wait_for_secret_to_exist_or_timeout(
core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(
core_session, secret_name)
assert secret_id is not None, "No secret was created"
secret_cleaner.append(secret_id)
user = core_session.get_user()
user_name = user.get_login_name()
user_id = user.get_id()
result, success = set_users_effective_permissions(core_session, user_name,
"View,Edit,Retrieve",
user_id, secret_id)
assert success, f"Did not set secret permission successfully with message {result}"
secret_file_contents = get_file_secret_contents(core_session, secret_id)
assert username in secret_file_contents, f"username absent from secret file {secret_file_contents}"
assert password in secret_file_contents, f"password absent from secret file {secret_file_contents}"
assert cloud_provider_id in secret_file_contents, f"cloud_provider_id absent from secret file {secret_file_contents}"
assert account_name in secret_file_contents, f"account_name absent from secret file {secret_file_contents}"
assert key_secret in secret_file_contents, f"mfa secret absent from secret file {secret_file_contents}"
def test_should_not_able_to_move_secret_into_folder_that_do_not_have_add_permissions_on(
core_session, users_and_roles, added_secrets, create_secret_folder):
"""
test method to not able to move a secret(with EDIT permissions) to a folder( with no ADD permissions)
:param core_session: Authenticated Centrify Session
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param added_secrets: Fixture to create text type secret & yield secret id, secret_name
:param create_secret_folder: Fixture to create secret Folder & yield folder related details
"""
added_text_secret_id, added_text_secret_name = added_secrets
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
application_management_user = users_and_roles.get_user(
'Privileged Access Service Power User')
user_name = application_management_user.get_login_name()
user_id = application_management_user.get_id()
# Api to set Edit permissions to secret
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(
core_session, user_name, 'View,Grant,Edit', user_id,
added_text_secret_id[0])
assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}'
logger.info(
f'setting permissions for text type secret: : {text_type_secret_success}'
)
# Api to set permissions with folder
permissions = give_user_permissions_to_folder(core_session, user_name,
user_id, folder_id,
'View,Grant')
assert permissions[
'success'], f'Not able to set permissions to folder:{permissions["Result"]}'
logger.info(f'Permissions to folder: {permissions}')
# API to get new session for User A
application_management_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert application_management_session.auth_details is not None, 'Failed to Login with PAS Power User'
logger.info(
f'User with PAS Power User Rights login successfully :user_Name: {application_management_user.get_login_name()}'
f' & Password: {application_management_user.get_password()} ')
# Api to move secret into Folder
result_move = move_secret(application_management_session,
added_text_secret_id[0], folder_id)
assert result_move[
'success'] is False, f'Able to move the secret into Folder: {result_move["Result"]}'
logger.info(
f'Moving secret with edit permissions:{result_move["Message"]}')
def test_delete_permission_on_secret_but_not_on_folder(
core_session, create_secret_inside_folder, users_and_roles):
"""
test method to Delete permission on secret but not on folder
:param core_session: Authenticated Centrify Session.
:param create_secret_inside_folder: Fixture to create text type secret inside folder &
yields folder id , folder name & secret id
:param users_and_roles: Fixture to create New user with PAS Power Rights
"""
folder_id_list, folder_name, secret_id_list = create_secret_inside_folder
pas_power_user = users_and_roles.get_user(
'Privileged Access Service Power User')
user_name = pas_power_user.get_login_name()
user_id = pas_power_user.get_id()
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details is not None, 'Failed to Login with PAS Power User'
logger.info(
f'User with PAS Power User Rights login successfully :user_Name: {user_name}'
f' & Password: {pas_power_user.get_password()} ')
# Api to give user permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, folder_id_list[0], 'View')
assert user_permissions_result, f'Not Able to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to set DELETE permissions to secret
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(
core_session, user_name, 'View,Delete,Retrieve', user_id,
secret_id_list[0])
assert text_type_secret_success, f'Failed to Set Member permissions to secret:{text_type_secret_result}'
logger.info(
f'Setting Member permissions for secret: {text_type_secret_success}')
# Api to delete the child secret
del_success, del_result = del_secret(pas_power_user_session,
secret_id_list[0])
assert del_success, f'Not Able to delete the child secret: {del_result}'
secret_id_list.remove(secret_id_list[0])
logger.info(f'Able to delete the child secret: {del_result}')
def test_bulk_system_delete_generates_secret(clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, secret_cleaner, core_tenant):
batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 1, 4, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 3, list_of_created_systems)
batch3 = ResourceManager.add_multiple_ssh_systems_with_accounts(core_session, 1, 1, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2, batch3])
all_non_ssh_systems, all_non_shh_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2])
secret_name = "TestSecret-" + str(ResourceManager.time_mark_in_hours()) + "-" + guid()
sql_query = RedrockController.get_query_for_ids('Server', all_systems)
ResourceManager.del_multiple_systems_by_query(core_session, sql_query, True, secret_name)
ResourceManager.wait_for_secret_to_exist_or_timeout(core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, "No secret was created"
secret_cleaner.append(secret_id)
user_name = core_tenant['admin_user']
user_id = UserManager.get_user_id(core_session, user_name)
result, success = set_users_effective_permissions(core_session, user_name, "View,Edit,Retrieve", user_id, secret_id)
assert success, f"Did not set secret permission successfully with message {result}"
secret_file_contents = get_file_secret_contents(core_session, secret_id)
assert secret_file_contents.strip().count("\n") == len(
all_accounts), f"Secret file contained the wrong number of lines {secret_file_contents}"
assert secret_file_contents.count("thisIsaPAsSwO0rd") == len(
all_non_shh_accounts), f"Secret file contained the wrong number of passwords {secret_file_contents}"
# Commenting following assert as AutomationTestKey is not available in secret_file_contents, Tested on both AWS,
# Azure devdog tenants
# assert 'AutomationTestKey' in secret_file_contents, f"Name of SSH key did not appear in secret file {secret_file_contents}"
for server_id in all_non_ssh_systems:
assert server_id in secret_file_contents, f"Server ID absent from secret file {secret_file_contents}"
for account_id in all_non_shh_accounts:
assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
def test_bulk_system_delete_generates_secret_with_garbage_in_list(clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, secret_cleaner, core_tenant):
batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 2, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 1, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2])
secret_name = "TestSecret-" + str(ResourceManager.time_mark_in_hours()) + "-" + guid()
clean_delete_system_ids = list(all_systems)
delete_system_ids = ["foo", "", clean_delete_system_ids[2]] + clean_delete_system_ids + ["!@#$%^&*()", "1", "?",
"Jason Alexander", "bar"]
ResourceManager.del_multiple_systems(core_session, delete_system_ids, savepasswords=True, secretname=secret_name)
ResourceManager.wait_for_secret_to_exist_or_timeout(core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, "No secret was created"
secret_cleaner.append(secret_id)
user_name = core_tenant['admin_user']
user_id = UserManager.get_user_id(core_session, user_name)
result, success = set_users_effective_permissions(core_session, user_name, "View,Edit,Retrieve", user_id, secret_id)
assert success, f"Did not set secret permission successfully with message {result}"
secret_file_contents = get_file_secret_contents(core_session, secret_id)
assert secret_file_contents.count("\n") == 1 + len(
all_accounts), f"Secret file contained the wrong number of lines {secret_file_contents}"
assert secret_file_contents.count("bsd_tst_usr_") == len(
all_accounts), f"Secret file contained the wrong number of accounts {secret_file_contents}"
assert secret_file_contents.count("thisIsaPAsSwO0rd") == len(
all_accounts), f"Secret file contained the wrong number of passwords {secret_file_contents}"
for server_id in all_systems:
assert server_id in secret_file_contents, f"Server ID absent from secret file {secret_file_contents}"
for account_id in all_accounts:
assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
def test_adding_several_items_during_creation(core_session,
added_secrets_file,
added_secrets,
users_and_roles,
pas_general_secrets,
clean_up_policy):
secret_prefix = guid()
secrets_params = pas_general_secrets
added_secret_id = added_secrets_file
added_text_secret_id, added_text_secret_name = added_secrets
application_management_user = users_and_roles.get_user('Privileged Access Service Power User')
user_name = application_management_user.get_login_name()
user_id = application_management_user.get_id()
# setting permissions for User A
set_permission_result, set_permission_success = set_users_effective_permissions(core_session,
user_name,
'View,Grant',
user_id,
added_secret_id)
assert set_permission_success, f'Failed to set permission: {set_permission_result}'
logger.info(f'Setting permission:{set_permission_result}{set_permission_success}')
# creating new policy
policy_result = PolicyManager.create_new_auth_profile(core_session,
secret_prefix + secrets_params['policy_name'],
["UP", None], None, "30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Getting details of file type secrets
get_secret_details, get_secret_success, get_secret_created_date = get_file_type_secret_contents(core_session,
added_secret_id)
assert get_secret_success, f'Failed to get the file type secret contents:{get_secret_success}'
logger.info(f'Secret created details: {get_secret_details}')
secrete_file = {'Type': '',
'SecretFilePassword': '******',
'SecretFilePath': '',
'SecretFileSize': '',
'SecretName': get_secret_details['SecretName'],
'ID': added_secret_id,
'DataVaultDefaultProfile': ''
}
local_secret_path = get_asset_path('secret_upload.txt')
# Assigning policy to file type secrets
policy_assigned = update_file_type_secret(core_session, added_secret_id, secrete_file, local_secret_path,
policy_result)
assert policy_assigned['success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f'Policy assigned to secret : {policy_assigned}')
# Removing policy to file type secrets
policy_assigned = update_file_type_secret(core_session, added_secret_id, secrete_file, local_secret_path)
assert policy_assigned['success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f'Policy assigned to secret : {policy_assigned}')
# Setting permissions for text type secrets
set_permission_result, set_permission_success = set_users_effective_permissions(core_session, user_name,
'View,Grant', user_id,
added_text_secret_id[0])
assert set_permission_success, f'Failed to set permission: {set_permission_result}'
logger.info(f'Setting permission:{set_permission_result}{set_permission_success}')
# Applying Policy
policy_assigned = update_secret(core_session,
added_text_secret_id[0],
added_text_secret_name,
policy_id=policy_result)
assert policy_assigned['success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy assigned to text type secret: {policy_assigned}')
# Removing policy
policy_assigned = update_secret(core_session,
added_text_secret_id[0],
added_text_secret_name)
assert policy_assigned['success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy assigned to text type secret: {policy_assigned}')
def test_mfa_policy_on_secret_verify_not_challenged_on_settings_update(core_session,
pas_general_secrets,
users_and_roles,
create_secret_inside_folder,
clean_up_policy):
"""
test method to verify that mfa does not exist on updating the settings for an existing secret "MFAOnSecret"
with already assigned mfa for that secret
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder"
:param clean_up_policy: Fixture to clean up the policy created
"""
secrets_params = pas_general_secrets
prefix = guid()
folder_list, folder_name, secret_list = create_secret_inside_folder
pas_power_user = users_and_roles.get_user('Privileged Access Service Power User')
user_name = pas_power_user.get_login_name()
user_id = pas_power_user.get_id()
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session,
user_name,
'View,Edit',
user_id,
secret_list[0])
assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}'
logger.info(f'setting permissions for text type secret: : {text_type_secret_success}')
# Api to create new policy
policy_result = PolicyManager.create_new_auth_profile(core_session,
prefix + secrets_params['policy_name'],
["UP", None],
None,
"30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Api to get the details of the secret
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session,
secret_list[0])
assert get_secret_success, f'Failed to get the details of the secret:{get_secret_success}'
logger.info(f'Details of the secret returned:{get_secret_details}')
# Api to assign MFA & update settings of secret
policy_assigned = update_secret(core_session,
secret_list[0],
prefix + secrets_params['mfa_secret_name_update'],
description=secrets_params['mfa_secret_description'],
secret_text=get_secret_text,
policy_id=policy_result)
assert policy_assigned['success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy assigned to text type secret: {policy_assigned}')
# Api to Remove MFA from secret
result = update_secret(core_session, secret_list[0],
prefix + secrets_params['mfa_secret_name_update'],
description=secrets_params['mfa_secret_description'])
assert result['success'], f'Not Able to update the settings: {result["Message"]} '
logger.info(f'Update settings for secret: {result}')
# Api to get details of the secret updated
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session,
secret_list[0])
description_updated = get_secret_details['Description']
name_updated = get_secret_details['SecretName']
assert 'MFAOnSecretUpdate' in name_updated, f'Failed to update the name{get_secret_success}'
assert 'mfa_description' in description_updated, f'Failed to update the description{get_secret_success}'
logger.info(f'Details of the secret updated: {get_secret_details}')
def test_need_to_have_edit_permission_on_secret_to_update_settings_and_policy(
core_session, users_and_roles, added_secrets_file, added_secrets,
pas_general_secrets, clean_up_policy):
"""
test method to set permissions on secrets(with Edit/Without Edit) to update the settings & policy.
:param core_session: Authenticated Centrify Session
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param added_secrets_file: Fixture to create file type secret & yield secret id
:param added_secrets: Fixture to create text type secret & yield secret id, secret_name
:param pas_general_secrets: Fixture to read secret data from yaml file
:param clean_up_policy: Fixture to clean up the policy created
"""
added_file_secret_id = added_secrets_file
added_text_secret_id, added_text_secret_name = added_secrets
secrets_params = pas_general_secrets
secret_prefix = guid()
pas_power_user = users_and_roles.get_user(
'Privileged Access Service Power User')
user_name = pas_power_user.get_login_name()
user_id = pas_power_user.get_id()
# API to set user permissions (Edit)for file_type_secret"""
file_type_secret_result, file_type_secret_success = set_users_effective_permissions(
core_session, user_name, 'View,Grant,Edit', user_id,
added_file_secret_id)
assert file_type_secret_success, f'setting permissions for file type secret failed: {file_type_secret_result}'
logger.info(
f'Setting permissions for file type secret: {file_type_secret_success}'
)
# API to set user permissions (without Edit)for text_type_secret"""
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(
core_session, user_name, 'View,Grant', user_id,
added_text_secret_id[0])
assert text_type_secret_success, f'setting permissions for text type secret failed:{text_type_secret_result}'
logger.info(
f'Setting permissions for text type secret: : {text_type_secret_success}'
)
# API to get new session for User A"""
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
logger.info(
f'User with PAS Power User Rights login successfully :user_Name: {user_name}'
f' & Password: {pas_power_user.get_password()} ')
# Api to update the name of the secret(file_type)
result = update_secret(
pas_power_user_session, added_file_secret_id,
secret_prefix + secrets_params['updated_secret_name'])
assert result[
'success'], f'Not Able to update the settings {result["Result"]} '
logger.info(
f'Updating the settings for secret: {result["success"]} & {result["Exception"]}'
)
# Api to create new policy
policy_result = PolicyManager.create_new_auth_profile(
core_session, secret_prefix + secrets_params['policy_name'],
["UP", None], None, "30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Api to assign policy to file type secret
policy_assigned = update_secret(pas_power_user_session,
added_file_secret_id,
added_text_secret_name,
policy_id=policy_result)
assert policy_assigned[
'success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy assigned to secret: {policy_assigned}')
# Api to update settings for text type secret
result = update_secret(
pas_power_user_session, added_text_secret_id[0],
secret_prefix + secrets_params['updated_secret_name'])
assert result[
'success'] is False, f'Able to update the settings: {result["Message"]} '
logger.info(f'Not able to Update settings for secret: {result}')
# Api to assign policy for text type secret
policy_assigned = update_secret(pas_power_user_session,
added_text_secret_id[0],
added_text_secret_name,
policy_id=policy_result)
assert policy_assigned[
'success'] is False, f'Able to assign policy to secret: {policy_assigned["Message"]}'
logger.info(
f' Not able to assign Policy to text type secret: {policy_assigned}')
# Api to Remove policy for file type secret
policy_removed = update_secret(pas_power_user_session,
added_file_secret_id,
added_text_secret_name)
assert policy_removed[
'success'], f'Failed to remove policy to secret: {policy_removed["Message"]}'
logger.info(
f'Successfully removed Policy to text type secret: {policy_removed}')
def test_multiple_updates_in_permissions_policy_name_verify_all_2(
core_session, added_secrets, pas_general_secrets, users_and_roles,
clean_up_policy):
"""
test method to verify multiple updates like (permissions, policy, name ..) for a secret
:param core_session: Authenticated Centrify Session
:param added_secrets: Fixture to create text type secret & yield secret id, secret_name
:param pas_general_secrets: Fixture to read secret data from yaml file
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param clean_up_policy: Fixture to clean up the policy created
"""
secret_prefix = guid()
added_text_secret_id, added_text_secret_name = added_secrets
secrets_params = pas_general_secrets
application_management_user = users_and_roles.get_user(
'Privileged Access Service Power User')
user_name = application_management_user.get_login_name()
user_id = application_management_user.get_id()
# API to set user permissions for text_type_secret
set_permissions_result, set_permissions_success = set_users_effective_permissions(
core_session, user_name, 'View,Grant,Edit', user_id,
added_text_secret_id[0])
assert set_permissions_success, f'setting permissions for file type secret failed: {set_permissions_result}'
logger.info(
f'setting permissions for text type secret: {set_permissions_success} {set_permissions_result}'
)
# Api to create new policy
policy_result = PolicyManager.create_new_auth_profile(
core_session, secret_prefix + secrets_params['policy_name'],
["UP", None], None, "30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Api to assign policy to the secret
policy_assigned = update_secret(core_session,
added_text_secret_id[0],
added_text_secret_name,
policy_id=policy_result)
assert policy_assigned[
'success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy assigned to text type secret: {policy_assigned}')
# Api to update settings(secret_name) of the secret
result = update_secret(
core_session, added_text_secret_id[0],
secret_prefix + secrets_params['updated_secret_name'])
assert result[
'success'], f'Not Able to update the settings {result["Result"]} '
logger.info(
f'Updating the settings for secret: {result["success"]} & {result["Exception"]}'
)
# Api to retrieve the activity of the secret
rows_result = UserManager.get_secret_activity(core_session,
added_text_secret_id[0])
assert rows_result is not None, f'Unable to fetch Secret updated details & activity fetched:{rows_result}'
logger.info(f'activity list:{rows_result}')
verify_name = 'update_secret1'
verify_permissions = 'View , Grant , Edit'
permissions_updated = False
assert verify_name in rows_result[0][
"Detail"], f'Unable to update the name:{rows_result[0]["Detail"]}'
logger.info(f'Secret Updated details: {rows_result[0]["Detail"]}')
for x in rows_result:
if verify_permissions in x['Detail']:
permissions_updated = True
assert permissions_updated, f'Unable to update the permissions: {permissions_updated}'
def test_update_retrieve_replace_activity_logged(core_session, added_secrets,
pas_general_secrets,
users_and_roles,
clean_up_policy):
"""
C3071: Update, retrieve, replace activity logged
:param core_session: Authenticated Centrify Session
:param added_secrets: Fixture to create text type secret & yield secret id, secret_name
:param pas_general_secrets: Fixture to read secret data from yaml file
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param clean_up_policy: Fixture to clean up the policy created
"""
secret_suffix = guid()
added_text_secret_id, added_text_secret_name = added_secrets
secrets_params = pas_general_secrets
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS User Rights login successfully: user_Name:{user_name}')
# Api to give user permissions to secrets
set_permission_result, set_permission_success = set_users_effective_permissions(
core_session, user_name, 'View,Grant', user_id,
added_text_secret_id[0])
assert set_permission_success, f'Failed to set permission: {set_permission_result}'
logger.info(
f'Setting permission:{set_permission_result}{set_permission_success}')
# Retrieving details(text) of the secret
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session, added_text_secret_id[0])
assert get_secret_success, f'Failed to retrieve the secret:{get_secret_text}'
logger.info(f' Retrieved secret details: {get_secret_details} ')
# Api to create new policy
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + secret_suffix,
["UP", None], None, "30")
assert policy_result is not None, f'Failed to create policy:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Api to update secret(assign policy & update name)
policy_assigned = update_secret(core_session,
added_text_secret_id[0],
secrets_params['updated_secret_name'] +
secret_suffix,
policy_id=policy_result)
assert policy_assigned[
'success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy assigned to text type secret: {policy_assigned}')
# Api to retrieve the activity of the secret
rows_result = UserManager.get_secret_activity(core_session,
added_text_secret_id[0])
assert rows_result, f'Failed to fetch Secret updated details & activity fetched:{rows_result}'
logger.info(f'Activity list:{rows_result}')
assert 'updated the secret' in rows_result[0][
"Detail"], f'Failed to update the secret:{rows_result[0]["Detail"]}'
assert 'viewed the secret' in rows_result[1][
"Detail"], f'Failed to retrieve the secret :{rows_result[1]["Detail"]}'
added_secret_status = False
added_permissions_status = False
for rows in rows_result:
if 'added a secret' in rows['Detail']:
added_secret_status = True
assert added_secret_status, f'Failed to add secret: {added_secret_status}'
for rows in rows_result:
if 'granted User' in rows['Detail']:
added_permissions_status = True
assert added_permissions_status, f'Failed to add permissions: {added_permissions_status}'
# Api to remove policy from the secret
policy_assigned = update_secret(core_session, added_text_secret_id[0],
added_text_secret_name)
assert policy_assigned[
'success'], f'Failed to remove policy from secret: {policy_assigned["Result"]["ID"]}'
logger.info(f' Policy removed from secret: {policy_assigned}')
def test_needs_edit_permission_to_replace_contents(core_session,
users_and_roles,
added_secrets_file,
added_secrets,
pas_general_secrets):
"""
C283887: User needs edit permission on the secret to replace the contents.
:param core_session: Authenticated Centrify Session
:param users_and_roles: Fixture to create New user with PAS Power User & PAS User Rights
:param added_secrets_file: Fixture to create file type secret
:param added_secrets: Fixture to create text type secret
:param pas_general_secrets: Fixture to read secret data from yaml file
"""
secrets_params = pas_general_secrets
added_file_secret_id = added_secrets_file
added_text_secret_id, added_text_secret_name = added_secrets
suffix = guid()
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(f'User with PAS Power User Rights login successfully: user_Name:{user_name}')
# setting user permissions for file_type_secret"""
file_type_secret_result, file_type_secret_success = set_users_effective_permissions(core_session,
user_name,
'View,Grant',
user_id,
added_file_secret_id)
assert file_type_secret_success, f'setting permissions for file type secret failed: {file_type_secret_result}'
logger.info(f'setting permissions for file type secret: {file_type_secret_success}')
# setting user permissions for file_type_secret"""
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session,
user_name,
'View,Grant,Edit',
user_id,
added_text_secret_id[0])
assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}'
logger.info(f'setting permissions for text type secret: : {text_type_secret_success}')
# Replacing the content of the secret
secret_updated = update_secret(pas_power_user_session,
added_text_secret_id[0],
secrets_params['mfa_secret_name_update'] + suffix,
description=secrets_params['mfa_secret_description'],
secret_text=secrets_params['secret_text_updated'] + suffix)
assert secret_updated['success'], f'Failed to update secret: {secret_updated["Result"]["ID"]}'
logger.info(f' Successfully updated text type secret: {secret_updated}')
# Verifying replaced secret
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session, added_text_secret_id[0])
logger.info(f'Secret Updated details: {get_secret_details}')
replaced_content = get_secret_details['SecretText']
assert secrets_params['secret_text_updated'] in replaced_content, \
f'Failed to replace the secrets:{replaced_content}'
secret_name = get_secret_details['SecretName']
# creating set manually
success, set_id = SetsManager.create_manual_collection(pas_power_user_session, secrets_params['set_name'] + suffix,
'DataVault')
assert success, f'Failed to create manual set: {set_id}'
logger.info(f'creating manual set:{success} with setid as: {set_id}')
# Adding set to secret
added_to_set_success, added_to_set_result = SetsManager.update_members_collection(pas_power_user_session,
'add',
[added_text_secret_id[0]],
"DataVault", set_id)
assert added_to_set_success, f'Failed to add secret to set: {added_to_set_result}'
logger.info(f'Adding secret to set: {added_to_set_success}')
# Redrock query to fetch "Add to set" related details
get_set_info = RedrockController.verify_set_secret(pas_power_user_session, set_id, added_text_secret_id[0])
logger.info(f'{get_set_info}')
assert get_set_info[0]["Row"]["SecretName"] == secret_name, f' Failed to get "ADD to Set" inside "Actions"'
logger.info(f'Verifiying secret name {get_set_info[0]["Row"]["SecretName"]} in '
f'set with ID {get_set_info[0]["Row"]["CollectionID"]} ')
def test_user_needs_edit_permission_on_secret_move_a_secret(core_session,
users_and_roles,
added_secrets,
added_secrets_file,
pas_general_secrets,
cleanup_secrets_and_folders):
"""
test method to set permissions to secret for User A(With Edit/Without Edit) &
then to check Secret is movable to folder(Should movable/Not able to move)
:param core_session: Authenticated centrify session
:param users_and_roles: Fixture to create new user with specified roles
:param added_secrets: Fixture to add text type secret & yields secret id, secret name
:param added_secrets_file: Fixture to add file type secret & yields secret id
:param pas_general_secrets: Fixture to read secrets data from yaml file
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
"""
added_text_secret_id, added_text_secret_name = added_secrets
added_secret_id = added_secrets_file
folder_params = pas_general_secrets
prefix = guid()
folder_list = cleanup_secrets_and_folders[1]
pas_power_user = users_and_roles.get_user('Privileged Access Service Power User')
user_name = pas_power_user.get_login_name()
user_id = pas_power_user.get_id()
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
logger.info(f'User with PAS Power User Rights login successfully :user_Name: {user_name}'
f' & Password: {pas_power_user.get_password()} ')
# Api to create secret folder
secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(pas_power_user_session,
prefix + folder_params['name'],
folder_params['description'])
folder_list.append(secret_folder_id)
# Api to set permissions to secret (without Edit)
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session,
user_name,
'View,Grant',
user_id,
added_text_secret_id[0])
assert text_type_secret_success, f'Failed to set permissions for text type secret:{text_type_secret_result}'
logger.info(f'Setting permissions for text type secret: {text_type_secret_success}')
# Api to move secret without Edit permissions
result_move = move_secret(pas_power_user_session, added_text_secret_id[0], secret_folder_id)
assert result_move['success'] is False, f'Able to move the secret without edit permissions{result_move["Result"]}'
logger.info(f'Moving secret without edit permissions:{result_move["Message"]}')
# Api to set Edit permissions to secret
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session,
user_name,
'View,Grant,Edit',
user_id,
added_secret_id)
assert text_type_secret_success, f'Failed to set permissions for file type secret:{text_type_secret_result}'
logger.info(f'Setting permissions for file type secret: : {text_type_secret_success}')
# Api to move secret with Edit permissions
result_move = move_secret(pas_power_user_session, added_secret_id, secret_folder_id)
assert result_move['success'], f'Not Able to move the secret with edit permissions{result_move["Result"]}'
logger.info(f'Moving secret with edit permissions:{result_move}')
def test_privilege_service_user_with_view_permission(core_session, pas_setup,
get_limited_user_module):
"""
Test case: C286564 :- Privilege Service User with view permission should can see the related activity
:param core_session: Authenticated Centrify session
:param pas_setup: fixture to create system with account
:param get_limited_user_module: creating cloud user with "Privileged Access Service Power User" right
"""
system_id, account_id, sys_info = pas_setup
cloud_user_session, cloud_user = get_limited_user_module
username = cloud_user.get_login_name()
user_id = cloud_user.get_id()
# "View" permission to cloud user for system
result, success = ResourceManager.assign_system_permissions(core_session,
"View",
username,
user_id,
pvid=system_id)
assert success, f'failed to assign view permission to user {username} for system {sys_info[0]}'
logger.info(
f'view permission for system {sys_info[0]} assigned to user {username}'
)
# Activity validation of system by cloud user
rows = ResourceManager.get_system_activity(cloud_user_session, system_id)
assert rows[0][
'Detail'] == f'{core_session.auth_details["User"]} granted User "{username}" to have "View" permissions on system ' \
f'"{sys_info[0]}"({sys_info[1]})', 'No activity related to view permission found '
logger.info(
f'cloud user {username} can see all the activities of system {sys_info[0]}'
)
# "View" permission to cloud user for account
result, success = ResourceManager.assign_account_permissions(
core_session, "View", username, user_id, pvid=account_id)
assert success, f'failed to assign permissions "View" to {username} for account {sys_info[4]} ' \
f'for system {sys_info[0]}'
logger.info(
f'View permission for account {sys_info[4]} of system {sys_info[0]} to user {username}'
)
# Activity validation of account by cloud user
activity = RedrockController.get_account_activity(cloud_user_session,
account_id)
assert activity[0][
'Detail'] == f'{core_session.auth_details["User"]} granted User "{username}" to have "View" permissions on local account' \
f' "{sys_info[4]}" for "{sys_info[0]}"({sys_info[1]}) with credential ' \
f'type Password ', 'No activity related to view permission found '
logger.info(
f'cloud user {username} can see all the activities of account {sys_info[4]} of system {sys_info[0]}'
)
# Created secret
secret_name = f"test_secret{guid()}"
status, parameters, secret_result = create_text_secret(
core_session, secret_name, "test_secret_text")
assert status, f'failed to create secret with returned result: {result}'
logger.info(
f'secret created successfully {result}, returned parameters are {parameters}'
)
# Assigning view permission to secret to cloud user
result, success = set_users_effective_permissions(core_session, username,
"View", user_id,
secret_result)
assert success, f'failed to set permissions of secret for user {username}'
logger.info(
f'successfully granted "View" permission for secret to {secret_name} to user {username}'
)
# Activity validation of secret by cloud user
secret_activity = get_secret_activity(cloud_user_session, secret_result)
assert f'{core_session.auth_details["User"]} granted User "{username}" to have "View" permissions on the ' \
f'secret "{secret_name}"' in secret_activity[0]['Detail'], 'No activity related to view permission found '
logger.info(
f'cloud user {username} can see all the activities of secret of {secret_name}'
)
