def test_need_to_have_edit_permission_on_secret_to_update_permissions_case( core_session, users_and_roles, added_secrets_file, added_secrets, pas_general_secrets): """ test method to create 2 secrets with and without edit permissions for UserA & verify the permissions for User A """ added_file_secret_id = added_secrets_file added_text_secret_id, added_text_secret_name = added_secrets application_management_user = users_and_roles.get_user( 'Privileged Access Service Power User') user_name = application_management_user.get_login_name() user_id = application_management_user.get_id() """API to set user permissions for file_type_secret""" file_type_secret_result, file_type_secret_success = set_users_effective_permissions( core_session, user_name, 'View,Grant,Edit', user_id, added_file_secret_id) assert file_type_secret_success, f'setting permissions for file type secret failed: {file_type_secret_result}' logger.info( f'setting permissions for file type secret: {file_type_secret_success}' ) """API to set user permissions for text_type_secret""" text_type_secret_result, text_type_secret_success = set_users_effective_permissions( core_session, user_name, 'View,Grant', user_id, added_text_secret_id[0]) assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}' logger.info( f'setting permissions for text type secret: : {text_type_secret_success}' ) """API to get new session for User A""" application_management_session = users_and_roles.get_session_for_user( 'Privileged Access Service Power User') assert application_management_session.auth_details is not None, 'Failed to Login with PAS Power User' logger.info( f'User with PAS Power User Rights login successfully :user_Name: {user_name}' f' & Password: {application_management_user.get_password()} ') """API to get "Edit" secret permissions for User A """ get_permission_result = get_users_effective_secret_permissions( application_management_session, added_file_secret_id) assert "Edit" in f'{get_permission_result}', f'verification failed for file type secret{get_permission_result}' logger.info( f' Get permission for file type Secret: {get_permission_result}') """API to get secret permissions(without Edit for User A)""" get_text_permission_result = get_users_effective_secret_permissions( application_management_session, added_text_secret_id[0]) assert "Edit" not in f'{get_text_permission_result}', \ f'verification failed for Text type secret{get_text_permission_result}' logger.info( f'Get permission for text type Secret: {get_text_permission_result}')
def test_bulk_account_delete_generates_secret_with_ssh_accounts( clean_bulk_delete_systems_and_accounts, core_session, list_of_created_systems, secret_cleaner, core_tenant): batch1 = ResourceManager.add_multiple_ssh_systems_with_accounts( core_session, 2, 2, list_of_created_systems, system_prefix=f'test_ssh', user_prefix=f'test_usr_ssh') all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values( [batch1]) secret_name = "TestSecret-" + str( ResourceManager.time_mark_in_hours()) + "-" + guid() result, success = ResourceManager.del_multiple_accounts( core_session, all_accounts, save_passwords=True, secret_name=secret_name) assert success, "Api did not complete successfully for bulk account delete MSG: " + result ResourceManager.wait_for_secret_to_exist_or_timeout( core_session, secret_name) secret_id = RedrockController.get_secret_id_by_name( core_session, secret_name) assert secret_id is not None, "Secret not found" secret_cleaner.append(secret_id) assert len( ResourceManager.get_multi_added_account_ids( core_session, all_systems)) == 0, "Expected zero added accounts remain" user_name = core_tenant['admin_user'] user_id = UserManager.get_user_id(core_session, user_name) result, success = set_users_effective_permissions(core_session, user_name, "View,Edit,Retrieve", user_id, secret_id) assert success, f"Did not set secret permission successfully with message {result}" secret_file_contents = get_file_secret_contents(core_session, secret_id) assert secret_file_contents.count("\n") == 1 + len( all_accounts ), f"Secret file contained the wrong number of lines {secret_file_contents}" assert secret_file_contents.count("AutomationTestKey") == len( all_accounts ), f"Secret file contained the wrong number of keys {secret_file_contents}" for server_id in all_systems: assert server_id in secret_file_contents, f"Server ID absent from secret file {secret_file_contents}" for account_id in all_accounts: assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
def test_delete_cloud_provider_secret(core_session, fake_cloud_provider_root_account, fake_cloud_provider, secret_cleaner): account_id, username, password, cloud_provider_id, test_did_cleaning = fake_cloud_provider_root_account name, desc, cloud_provider_id, cloud_account_id, test_did_cleaning = fake_cloud_provider account_name = f"acctname{guid()}" account_id, success = ResourceManager.add_account_cloud_provider( core_session, account_name, "", cloud_provider_id) assert success, f"Account addition failed with API response result {account_id}" key_secret = "kjshakjsakjasgfkjysgkjagfkjsakjgfakjsf" result, success = CloudProviderManager.set_mfa_token( core_session, account_id, key_secret) assert success, f"Failed to set mfa token {result}" secret_name = f"SecretName{guid()}" result, success = CloudProviderManager.delete_cloud_providers( core_session, [cloud_provider_id], save_passwords=True, secret_name=secret_name) assert success, f"Failed to delete cloud provider with response {result}" test_did_cleaning() ResourceManager.wait_for_secret_to_exist_or_timeout( core_session, secret_name) secret_id = RedrockController.get_secret_id_by_name( core_session, secret_name) assert secret_id is not None, "No secret was created" secret_cleaner.append(secret_id) user = core_session.get_user() user_name = user.get_login_name() user_id = user.get_id() result, success = set_users_effective_permissions(core_session, user_name, "View,Edit,Retrieve", user_id, secret_id) assert success, f"Did not set secret permission successfully with message {result}" secret_file_contents = get_file_secret_contents(core_session, secret_id) assert username in secret_file_contents, f"username absent from secret file {secret_file_contents}" assert password in secret_file_contents, f"password absent from secret file {secret_file_contents}" assert cloud_provider_id in secret_file_contents, f"cloud_provider_id absent from secret file {secret_file_contents}" assert account_name in secret_file_contents, f"account_name absent from secret file {secret_file_contents}" assert key_secret in secret_file_contents, f"mfa secret absent from secret file {secret_file_contents}"
def test_should_not_able_to_move_secret_into_folder_that_do_not_have_add_permissions_on( core_session, users_and_roles, added_secrets, create_secret_folder): """ test method to not able to move a secret(with EDIT permissions) to a folder( with no ADD permissions) :param core_session: Authenticated Centrify Session :param users_and_roles: Fixture to create New user with PAS Power Rights :param added_secrets: Fixture to create text type secret & yield secret id, secret_name :param create_secret_folder: Fixture to create secret Folder & yield folder related details """ added_text_secret_id, added_text_secret_name = added_secrets secret_folder_details = create_secret_folder folder_id = secret_folder_details['ID'] application_management_user = users_and_roles.get_user( 'Privileged Access Service Power User') user_name = application_management_user.get_login_name() user_id = application_management_user.get_id() # Api to set Edit permissions to secret text_type_secret_result, text_type_secret_success = set_users_effective_permissions( core_session, user_name, 'View,Grant,Edit', user_id, added_text_secret_id[0]) assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}' logger.info( f'setting permissions for text type secret: : {text_type_secret_success}' ) # Api to set permissions with folder permissions = give_user_permissions_to_folder(core_session, user_name, user_id, folder_id, 'View,Grant') assert permissions[ 'success'], f'Not able to set permissions to folder:{permissions["Result"]}' logger.info(f'Permissions to folder: {permissions}') # API to get new session for User A application_management_session = users_and_roles.get_session_for_user( 'Privileged Access Service Power User') assert application_management_session.auth_details is not None, 'Failed to Login with PAS Power User' logger.info( f'User with PAS Power User Rights login successfully :user_Name: {application_management_user.get_login_name()}' f' & Password: {application_management_user.get_password()} ') # Api to move secret into Folder result_move = move_secret(application_management_session, added_text_secret_id[0], folder_id) assert result_move[ 'success'] is False, f'Able to move the secret into Folder: {result_move["Result"]}' logger.info( f'Moving secret with edit permissions:{result_move["Message"]}')
def test_delete_permission_on_secret_but_not_on_folder( core_session, create_secret_inside_folder, users_and_roles): """ test method to Delete permission on secret but not on folder :param core_session: Authenticated Centrify Session. :param create_secret_inside_folder: Fixture to create text type secret inside folder & yields folder id , folder name & secret id :param users_and_roles: Fixture to create New user with PAS Power Rights """ folder_id_list, folder_name, secret_id_list = create_secret_inside_folder pas_power_user = users_and_roles.get_user( 'Privileged Access Service Power User') user_name = pas_power_user.get_login_name() user_id = pas_power_user.get_id() pas_power_user_session = users_and_roles.get_session_for_user( 'Privileged Access Service Power User') assert pas_power_user_session.auth_details is not None, 'Failed to Login with PAS Power User' logger.info( f'User with PAS Power User Rights login successfully :user_Name: {user_name}' f' & Password: {pas_power_user.get_password()} ') # Api to give user permissions to folder user_permissions_result = give_user_permissions_to_folder( core_session, user_name, user_id, folder_id_list[0], 'View') assert user_permissions_result, f'Not Able to set user permissions to folder{user_permissions_result}' logger.info(f'User Permissions to folder: {user_permissions_result}') # Api to set DELETE permissions to secret text_type_secret_result, text_type_secret_success = set_users_effective_permissions( core_session, user_name, 'View,Delete,Retrieve', user_id, secret_id_list[0]) assert text_type_secret_success, f'Failed to Set Member permissions to secret:{text_type_secret_result}' logger.info( f'Setting Member permissions for secret: {text_type_secret_success}') # Api to delete the child secret del_success, del_result = del_secret(pas_power_user_session, secret_id_list[0]) assert del_success, f'Not Able to delete the child secret: {del_result}' secret_id_list.remove(secret_id_list[0]) logger.info(f'Able to delete the child secret: {del_result}')
def test_bulk_system_delete_generates_secret(clean_bulk_delete_systems_and_accounts, core_session, list_of_created_systems, secret_cleaner, core_tenant): batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 1, 4, list_of_created_systems) batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 3, list_of_created_systems) batch3 = ResourceManager.add_multiple_ssh_systems_with_accounts(core_session, 1, 1, list_of_created_systems) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2, batch3]) all_non_ssh_systems, all_non_shh_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2]) secret_name = "TestSecret-" + str(ResourceManager.time_mark_in_hours()) + "-" + guid() sql_query = RedrockController.get_query_for_ids('Server', all_systems) ResourceManager.del_multiple_systems_by_query(core_session, sql_query, True, secret_name) ResourceManager.wait_for_secret_to_exist_or_timeout(core_session, secret_name) secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name) assert secret_id is not None, "No secret was created" secret_cleaner.append(secret_id) user_name = core_tenant['admin_user'] user_id = UserManager.get_user_id(core_session, user_name) result, success = set_users_effective_permissions(core_session, user_name, "View,Edit,Retrieve", user_id, secret_id) assert success, f"Did not set secret permission successfully with message {result}" secret_file_contents = get_file_secret_contents(core_session, secret_id) assert secret_file_contents.strip().count("\n") == len( all_accounts), f"Secret file contained the wrong number of lines {secret_file_contents}" assert secret_file_contents.count("thisIsaPAsSwO0rd") == len( all_non_shh_accounts), f"Secret file contained the wrong number of passwords {secret_file_contents}" # Commenting following assert as AutomationTestKey is not available in secret_file_contents, Tested on both AWS, # Azure devdog tenants # assert 'AutomationTestKey' in secret_file_contents, f"Name of SSH key did not appear in secret file {secret_file_contents}" for server_id in all_non_ssh_systems: assert server_id in secret_file_contents, f"Server ID absent from secret file {secret_file_contents}" for account_id in all_non_shh_accounts: assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
def test_bulk_system_delete_generates_secret_with_garbage_in_list(clean_bulk_delete_systems_and_accounts, core_session, list_of_created_systems, secret_cleaner, core_tenant): batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 2, list_of_created_systems) batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 1, list_of_created_systems) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2]) secret_name = "TestSecret-" + str(ResourceManager.time_mark_in_hours()) + "-" + guid() clean_delete_system_ids = list(all_systems) delete_system_ids = ["foo", "", clean_delete_system_ids[2]] + clean_delete_system_ids + ["!@#$%^&*()", "1", "?", "Jason Alexander", "bar"] ResourceManager.del_multiple_systems(core_session, delete_system_ids, savepasswords=True, secretname=secret_name) ResourceManager.wait_for_secret_to_exist_or_timeout(core_session, secret_name) secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name) assert secret_id is not None, "No secret was created" secret_cleaner.append(secret_id) user_name = core_tenant['admin_user'] user_id = UserManager.get_user_id(core_session, user_name) result, success = set_users_effective_permissions(core_session, user_name, "View,Edit,Retrieve", user_id, secret_id) assert success, f"Did not set secret permission successfully with message {result}" secret_file_contents = get_file_secret_contents(core_session, secret_id) assert secret_file_contents.count("\n") == 1 + len( all_accounts), f"Secret file contained the wrong number of lines {secret_file_contents}" assert secret_file_contents.count("bsd_tst_usr_") == len( all_accounts), f"Secret file contained the wrong number of accounts {secret_file_contents}" assert secret_file_contents.count("thisIsaPAsSwO0rd") == len( all_accounts), f"Secret file contained the wrong number of passwords {secret_file_contents}" for server_id in all_systems: assert server_id in secret_file_contents, f"Server ID absent from secret file {secret_file_contents}" for account_id in all_accounts: assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
def test_adding_several_items_during_creation(core_session, added_secrets_file, added_secrets, users_and_roles, pas_general_secrets, clean_up_policy): secret_prefix = guid() secrets_params = pas_general_secrets added_secret_id = added_secrets_file added_text_secret_id, added_text_secret_name = added_secrets application_management_user = users_and_roles.get_user('Privileged Access Service Power User') user_name = application_management_user.get_login_name() user_id = application_management_user.get_id() # setting permissions for User A set_permission_result, set_permission_success = set_users_effective_permissions(core_session, user_name, 'View,Grant', user_id, added_secret_id) assert set_permission_success, f'Failed to set permission: {set_permission_result}' logger.info(f'Setting permission:{set_permission_result}{set_permission_success}') # creating new policy policy_result = PolicyManager.create_new_auth_profile(core_session, secret_prefix + secrets_params['policy_name'], ["UP", None], None, "30") assert policy_result is not None, f'Failed to create policy:{policy_result}' logger.info(f' Creating new policy:{policy_result}') clean_up_policy.append(policy_result) # Getting details of file type secrets get_secret_details, get_secret_success, get_secret_created_date = get_file_type_secret_contents(core_session, added_secret_id) assert get_secret_success, f'Failed to get the file type secret contents:{get_secret_success}' logger.info(f'Secret created details: {get_secret_details}') secrete_file = {'Type': '', 'SecretFilePassword': '******', 'SecretFilePath': '', 'SecretFileSize': '', 'SecretName': get_secret_details['SecretName'], 'ID': added_secret_id, 'DataVaultDefaultProfile': '' } local_secret_path = get_asset_path('secret_upload.txt') # Assigning policy to file type secrets policy_assigned = update_file_type_secret(core_session, added_secret_id, secrete_file, local_secret_path, policy_result) assert policy_assigned['success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}' logger.info(f'Policy assigned to secret : {policy_assigned}') # Removing policy to file type secrets policy_assigned = update_file_type_secret(core_session, added_secret_id, secrete_file, local_secret_path) assert policy_assigned['success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}' logger.info(f'Policy assigned to secret : {policy_assigned}') # Setting permissions for text type secrets set_permission_result, set_permission_success = set_users_effective_permissions(core_session, user_name, 'View,Grant', user_id, added_text_secret_id[0]) assert set_permission_success, f'Failed to set permission: {set_permission_result}' logger.info(f'Setting permission:{set_permission_result}{set_permission_success}') # Applying Policy policy_assigned = update_secret(core_session, added_text_secret_id[0], added_text_secret_name, policy_id=policy_result) assert policy_assigned['success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}' logger.info(f' Policy assigned to text type secret: {policy_assigned}') # Removing policy policy_assigned = update_secret(core_session, added_text_secret_id[0], added_text_secret_name) assert policy_assigned['success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}' logger.info(f' Policy assigned to text type secret: {policy_assigned}')
def test_mfa_policy_on_secret_verify_not_challenged_on_settings_update(core_session, pas_general_secrets, users_and_roles, create_secret_inside_folder, clean_up_policy): """ test method to verify that mfa does not exist on updating the settings for an existing secret "MFAOnSecret" with already assigned mfa for that secret :param core_session: Authenticated Centrify Session :param pas_general_secrets: Fixture to read secret data from yaml file :param users_and_roles: Fixture to create New user with PAS Power Rights :param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder" :param clean_up_policy: Fixture to clean up the policy created """ secrets_params = pas_general_secrets prefix = guid() folder_list, folder_name, secret_list = create_secret_inside_folder pas_power_user = users_and_roles.get_user('Privileged Access Service Power User') user_name = pas_power_user.get_login_name() user_id = pas_power_user.get_id() text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session, user_name, 'View,Edit', user_id, secret_list[0]) assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}' logger.info(f'setting permissions for text type secret: : {text_type_secret_success}') # Api to create new policy policy_result = PolicyManager.create_new_auth_profile(core_session, prefix + secrets_params['policy_name'], ["UP", None], None, "30") assert policy_result is not None, f'Failed to create policy:{policy_result}' logger.info(f' Creating new policy:{policy_result}') clean_up_policy.append(policy_result) # Api to get the details of the secret get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents( core_session, secret_list[0]) assert get_secret_success, f'Failed to get the details of the secret:{get_secret_success}' logger.info(f'Details of the secret returned:{get_secret_details}') # Api to assign MFA & update settings of secret policy_assigned = update_secret(core_session, secret_list[0], prefix + secrets_params['mfa_secret_name_update'], description=secrets_params['mfa_secret_description'], secret_text=get_secret_text, policy_id=policy_result) assert policy_assigned['success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}' logger.info(f' Policy assigned to text type secret: {policy_assigned}') # Api to Remove MFA from secret result = update_secret(core_session, secret_list[0], prefix + secrets_params['mfa_secret_name_update'], description=secrets_params['mfa_secret_description']) assert result['success'], f'Not Able to update the settings: {result["Message"]} ' logger.info(f'Update settings for secret: {result}') # Api to get details of the secret updated get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents( core_session, secret_list[0]) description_updated = get_secret_details['Description'] name_updated = get_secret_details['SecretName'] assert 'MFAOnSecretUpdate' in name_updated, f'Failed to update the name{get_secret_success}' assert 'mfa_description' in description_updated, f'Failed to update the description{get_secret_success}' logger.info(f'Details of the secret updated: {get_secret_details}')
def test_need_to_have_edit_permission_on_secret_to_update_settings_and_policy( core_session, users_and_roles, added_secrets_file, added_secrets, pas_general_secrets, clean_up_policy): """ test method to set permissions on secrets(with Edit/Without Edit) to update the settings & policy. :param core_session: Authenticated Centrify Session :param users_and_roles: Fixture to create New user with PAS Power Rights :param added_secrets_file: Fixture to create file type secret & yield secret id :param added_secrets: Fixture to create text type secret & yield secret id, secret_name :param pas_general_secrets: Fixture to read secret data from yaml file :param clean_up_policy: Fixture to clean up the policy created """ added_file_secret_id = added_secrets_file added_text_secret_id, added_text_secret_name = added_secrets secrets_params = pas_general_secrets secret_prefix = guid() pas_power_user = users_and_roles.get_user( 'Privileged Access Service Power User') user_name = pas_power_user.get_login_name() user_id = pas_power_user.get_id() # API to set user permissions (Edit)for file_type_secret""" file_type_secret_result, file_type_secret_success = set_users_effective_permissions( core_session, user_name, 'View,Grant,Edit', user_id, added_file_secret_id) assert file_type_secret_success, f'setting permissions for file type secret failed: {file_type_secret_result}' logger.info( f'Setting permissions for file type secret: {file_type_secret_success}' ) # API to set user permissions (without Edit)for text_type_secret""" text_type_secret_result, text_type_secret_success = set_users_effective_permissions( core_session, user_name, 'View,Grant', user_id, added_text_secret_id[0]) assert text_type_secret_success, f'setting permissions for text type secret failed:{text_type_secret_result}' logger.info( f'Setting permissions for text type secret: : {text_type_secret_success}' ) # API to get new session for User A""" pas_power_user_session = users_and_roles.get_session_for_user( 'Privileged Access Service Power User') assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User' logger.info( f'User with PAS Power User Rights login successfully :user_Name: {user_name}' f' & Password: {pas_power_user.get_password()} ') # Api to update the name of the secret(file_type) result = update_secret( pas_power_user_session, added_file_secret_id, secret_prefix + secrets_params['updated_secret_name']) assert result[ 'success'], f'Not Able to update the settings {result["Result"]} ' logger.info( f'Updating the settings for secret: {result["success"]} & {result["Exception"]}' ) # Api to create new policy policy_result = PolicyManager.create_new_auth_profile( core_session, secret_prefix + secrets_params['policy_name'], ["UP", None], None, "30") assert policy_result is not None, f'Failed to create policy:{policy_result}' logger.info(f' Creating new policy:{policy_result}') clean_up_policy.append(policy_result) # Api to assign policy to file type secret policy_assigned = update_secret(pas_power_user_session, added_file_secret_id, added_text_secret_name, policy_id=policy_result) assert policy_assigned[ 'success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}' logger.info(f' Policy assigned to secret: {policy_assigned}') # Api to update settings for text type secret result = update_secret( pas_power_user_session, added_text_secret_id[0], secret_prefix + secrets_params['updated_secret_name']) assert result[ 'success'] is False, f'Able to update the settings: {result["Message"]} ' logger.info(f'Not able to Update settings for secret: {result}') # Api to assign policy for text type secret policy_assigned = update_secret(pas_power_user_session, added_text_secret_id[0], added_text_secret_name, policy_id=policy_result) assert policy_assigned[ 'success'] is False, f'Able to assign policy to secret: {policy_assigned["Message"]}' logger.info( f' Not able to assign Policy to text type secret: {policy_assigned}') # Api to Remove policy for file type secret policy_removed = update_secret(pas_power_user_session, added_file_secret_id, added_text_secret_name) assert policy_removed[ 'success'], f'Failed to remove policy to secret: {policy_removed["Message"]}' logger.info( f'Successfully removed Policy to text type secret: {policy_removed}')
def test_multiple_updates_in_permissions_policy_name_verify_all_2( core_session, added_secrets, pas_general_secrets, users_and_roles, clean_up_policy): """ test method to verify multiple updates like (permissions, policy, name ..) for a secret :param core_session: Authenticated Centrify Session :param added_secrets: Fixture to create text type secret & yield secret id, secret_name :param pas_general_secrets: Fixture to read secret data from yaml file :param users_and_roles: Fixture to create New user with PAS Power Rights :param clean_up_policy: Fixture to clean up the policy created """ secret_prefix = guid() added_text_secret_id, added_text_secret_name = added_secrets secrets_params = pas_general_secrets application_management_user = users_and_roles.get_user( 'Privileged Access Service Power User') user_name = application_management_user.get_login_name() user_id = application_management_user.get_id() # API to set user permissions for text_type_secret set_permissions_result, set_permissions_success = set_users_effective_permissions( core_session, user_name, 'View,Grant,Edit', user_id, added_text_secret_id[0]) assert set_permissions_success, f'setting permissions for file type secret failed: {set_permissions_result}' logger.info( f'setting permissions for text type secret: {set_permissions_success} {set_permissions_result}' ) # Api to create new policy policy_result = PolicyManager.create_new_auth_profile( core_session, secret_prefix + secrets_params['policy_name'], ["UP", None], None, "30") assert policy_result is not None, f'Failed to create policy:{policy_result}' logger.info(f' Creating new policy:{policy_result}') clean_up_policy.append(policy_result) # Api to assign policy to the secret policy_assigned = update_secret(core_session, added_text_secret_id[0], added_text_secret_name, policy_id=policy_result) assert policy_assigned[ 'success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}' logger.info(f' Policy assigned to text type secret: {policy_assigned}') # Api to update settings(secret_name) of the secret result = update_secret( core_session, added_text_secret_id[0], secret_prefix + secrets_params['updated_secret_name']) assert result[ 'success'], f'Not Able to update the settings {result["Result"]} ' logger.info( f'Updating the settings for secret: {result["success"]} & {result["Exception"]}' ) # Api to retrieve the activity of the secret rows_result = UserManager.get_secret_activity(core_session, added_text_secret_id[0]) assert rows_result is not None, f'Unable to fetch Secret updated details & activity fetched:{rows_result}' logger.info(f'activity list:{rows_result}') verify_name = 'update_secret1' verify_permissions = 'View , Grant , Edit' permissions_updated = False assert verify_name in rows_result[0][ "Detail"], f'Unable to update the name:{rows_result[0]["Detail"]}' logger.info(f'Secret Updated details: {rows_result[0]["Detail"]}') for x in rows_result: if verify_permissions in x['Detail']: permissions_updated = True assert permissions_updated, f'Unable to update the permissions: {permissions_updated}'
def test_update_retrieve_replace_activity_logged(core_session, added_secrets, pas_general_secrets, users_and_roles, clean_up_policy): """ C3071: Update, retrieve, replace activity logged :param core_session: Authenticated Centrify Session :param added_secrets: Fixture to create text type secret & yield secret id, secret_name :param pas_general_secrets: Fixture to read secret data from yaml file :param users_and_roles: Fixture to create New user with PAS Power Rights :param clean_up_policy: Fixture to clean up the policy created """ secret_suffix = guid() added_text_secret_id, added_text_secret_name = added_secrets secrets_params = pas_general_secrets # API to get new session for User A pas_power_user_session = users_and_roles.get_session_for_user( 'Privileged Access Service User') assert pas_power_user_session.auth_details, 'Failed to Login with PAS User' user_name = pas_power_user_session.auth_details['User'] user_id = pas_power_user_session.auth_details['UserId'] logger.info( f'User with PAS User Rights login successfully: user_Name:{user_name}') # Api to give user permissions to secrets set_permission_result, set_permission_success = set_users_effective_permissions( core_session, user_name, 'View,Grant', user_id, added_text_secret_id[0]) assert set_permission_success, f'Failed to set permission: {set_permission_result}' logger.info( f'Setting permission:{set_permission_result}{set_permission_success}') # Retrieving details(text) of the secret get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents( core_session, added_text_secret_id[0]) assert get_secret_success, f'Failed to retrieve the secret:{get_secret_text}' logger.info(f' Retrieved secret details: {get_secret_details} ') # Api to create new policy policy_result = PolicyManager.create_new_auth_profile( core_session, secrets_params['policy_name'] + secret_suffix, ["UP", None], None, "30") assert policy_result is not None, f'Failed to create policy:{policy_result}' logger.info(f' Creating new policy:{policy_result}') clean_up_policy.append(policy_result) # Api to update secret(assign policy & update name) policy_assigned = update_secret(core_session, added_text_secret_id[0], secrets_params['updated_secret_name'] + secret_suffix, policy_id=policy_result) assert policy_assigned[ 'success'], f'Failed to assign policy to secret: {policy_assigned["Result"]["ID"]}' logger.info(f' Policy assigned to text type secret: {policy_assigned}') # Api to retrieve the activity of the secret rows_result = UserManager.get_secret_activity(core_session, added_text_secret_id[0]) assert rows_result, f'Failed to fetch Secret updated details & activity fetched:{rows_result}' logger.info(f'Activity list:{rows_result}') assert 'updated the secret' in rows_result[0][ "Detail"], f'Failed to update the secret:{rows_result[0]["Detail"]}' assert 'viewed the secret' in rows_result[1][ "Detail"], f'Failed to retrieve the secret :{rows_result[1]["Detail"]}' added_secret_status = False added_permissions_status = False for rows in rows_result: if 'added a secret' in rows['Detail']: added_secret_status = True assert added_secret_status, f'Failed to add secret: {added_secret_status}' for rows in rows_result: if 'granted User' in rows['Detail']: added_permissions_status = True assert added_permissions_status, f'Failed to add permissions: {added_permissions_status}' # Api to remove policy from the secret policy_assigned = update_secret(core_session, added_text_secret_id[0], added_text_secret_name) assert policy_assigned[ 'success'], f'Failed to remove policy from secret: {policy_assigned["Result"]["ID"]}' logger.info(f' Policy removed from secret: {policy_assigned}')
def test_needs_edit_permission_to_replace_contents(core_session, users_and_roles, added_secrets_file, added_secrets, pas_general_secrets): """ C283887: User needs edit permission on the secret to replace the contents. :param core_session: Authenticated Centrify Session :param users_and_roles: Fixture to create New user with PAS Power User & PAS User Rights :param added_secrets_file: Fixture to create file type secret :param added_secrets: Fixture to create text type secret :param pas_general_secrets: Fixture to read secret data from yaml file """ secrets_params = pas_general_secrets added_file_secret_id = added_secrets_file added_text_secret_id, added_text_secret_name = added_secrets suffix = guid() # API to get new session for User A pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User') assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User' user_name = pas_power_user_session.auth_details['User'] user_id = pas_power_user_session.auth_details['UserId'] logger.info(f'User with PAS Power User Rights login successfully: user_Name:{user_name}') # setting user permissions for file_type_secret""" file_type_secret_result, file_type_secret_success = set_users_effective_permissions(core_session, user_name, 'View,Grant', user_id, added_file_secret_id) assert file_type_secret_success, f'setting permissions for file type secret failed: {file_type_secret_result}' logger.info(f'setting permissions for file type secret: {file_type_secret_success}') # setting user permissions for file_type_secret""" text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session, user_name, 'View,Grant,Edit', user_id, added_text_secret_id[0]) assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}' logger.info(f'setting permissions for text type secret: : {text_type_secret_success}') # Replacing the content of the secret secret_updated = update_secret(pas_power_user_session, added_text_secret_id[0], secrets_params['mfa_secret_name_update'] + suffix, description=secrets_params['mfa_secret_description'], secret_text=secrets_params['secret_text_updated'] + suffix) assert secret_updated['success'], f'Failed to update secret: {secret_updated["Result"]["ID"]}' logger.info(f' Successfully updated text type secret: {secret_updated}') # Verifying replaced secret get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents( core_session, added_text_secret_id[0]) logger.info(f'Secret Updated details: {get_secret_details}') replaced_content = get_secret_details['SecretText'] assert secrets_params['secret_text_updated'] in replaced_content, \ f'Failed to replace the secrets:{replaced_content}' secret_name = get_secret_details['SecretName'] # creating set manually success, set_id = SetsManager.create_manual_collection(pas_power_user_session, secrets_params['set_name'] + suffix, 'DataVault') assert success, f'Failed to create manual set: {set_id}' logger.info(f'creating manual set:{success} with setid as: {set_id}') # Adding set to secret added_to_set_success, added_to_set_result = SetsManager.update_members_collection(pas_power_user_session, 'add', [added_text_secret_id[0]], "DataVault", set_id) assert added_to_set_success, f'Failed to add secret to set: {added_to_set_result}' logger.info(f'Adding secret to set: {added_to_set_success}') # Redrock query to fetch "Add to set" related details get_set_info = RedrockController.verify_set_secret(pas_power_user_session, set_id, added_text_secret_id[0]) logger.info(f'{get_set_info}') assert get_set_info[0]["Row"]["SecretName"] == secret_name, f' Failed to get "ADD to Set" inside "Actions"' logger.info(f'Verifiying secret name {get_set_info[0]["Row"]["SecretName"]} in ' f'set with ID {get_set_info[0]["Row"]["CollectionID"]} ')
def test_user_needs_edit_permission_on_secret_move_a_secret(core_session, users_and_roles, added_secrets, added_secrets_file, pas_general_secrets, cleanup_secrets_and_folders): """ test method to set permissions to secret for User A(With Edit/Without Edit) & then to check Secret is movable to folder(Should movable/Not able to move) :param core_session: Authenticated centrify session :param users_and_roles: Fixture to create new user with specified roles :param added_secrets: Fixture to add text type secret & yields secret id, secret name :param added_secrets_file: Fixture to add file type secret & yields secret id :param pas_general_secrets: Fixture to read secrets data from yaml file :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created. """ added_text_secret_id, added_text_secret_name = added_secrets added_secret_id = added_secrets_file folder_params = pas_general_secrets prefix = guid() folder_list = cleanup_secrets_and_folders[1] pas_power_user = users_and_roles.get_user('Privileged Access Service Power User') user_name = pas_power_user.get_login_name() user_id = pas_power_user.get_id() # API to get new session for User A pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User') assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User' logger.info(f'User with PAS Power User Rights login successfully :user_Name: {user_name}' f' & Password: {pas_power_user.get_password()} ') # Api to create secret folder secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(pas_power_user_session, prefix + folder_params['name'], folder_params['description']) folder_list.append(secret_folder_id) # Api to set permissions to secret (without Edit) text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session, user_name, 'View,Grant', user_id, added_text_secret_id[0]) assert text_type_secret_success, f'Failed to set permissions for text type secret:{text_type_secret_result}' logger.info(f'Setting permissions for text type secret: {text_type_secret_success}') # Api to move secret without Edit permissions result_move = move_secret(pas_power_user_session, added_text_secret_id[0], secret_folder_id) assert result_move['success'] is False, f'Able to move the secret without edit permissions{result_move["Result"]}' logger.info(f'Moving secret without edit permissions:{result_move["Message"]}') # Api to set Edit permissions to secret text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session, user_name, 'View,Grant,Edit', user_id, added_secret_id) assert text_type_secret_success, f'Failed to set permissions for file type secret:{text_type_secret_result}' logger.info(f'Setting permissions for file type secret: : {text_type_secret_success}') # Api to move secret with Edit permissions result_move = move_secret(pas_power_user_session, added_secret_id, secret_folder_id) assert result_move['success'], f'Not Able to move the secret with edit permissions{result_move["Result"]}' logger.info(f'Moving secret with edit permissions:{result_move}')
def test_privilege_service_user_with_view_permission(core_session, pas_setup, get_limited_user_module): """ Test case: C286564 :- Privilege Service User with view permission should can see the related activity :param core_session: Authenticated Centrify session :param pas_setup: fixture to create system with account :param get_limited_user_module: creating cloud user with "Privileged Access Service Power User" right """ system_id, account_id, sys_info = pas_setup cloud_user_session, cloud_user = get_limited_user_module username = cloud_user.get_login_name() user_id = cloud_user.get_id() # "View" permission to cloud user for system result, success = ResourceManager.assign_system_permissions(core_session, "View", username, user_id, pvid=system_id) assert success, f'failed to assign view permission to user {username} for system {sys_info[0]}' logger.info( f'view permission for system {sys_info[0]} assigned to user {username}' ) # Activity validation of system by cloud user rows = ResourceManager.get_system_activity(cloud_user_session, system_id) assert rows[0][ 'Detail'] == f'{core_session.auth_details["User"]} granted User "{username}" to have "View" permissions on system ' \ f'"{sys_info[0]}"({sys_info[1]})', 'No activity related to view permission found ' logger.info( f'cloud user {username} can see all the activities of system {sys_info[0]}' ) # "View" permission to cloud user for account result, success = ResourceManager.assign_account_permissions( core_session, "View", username, user_id, pvid=account_id) assert success, f'failed to assign permissions "View" to {username} for account {sys_info[4]} ' \ f'for system {sys_info[0]}' logger.info( f'View permission for account {sys_info[4]} of system {sys_info[0]} to user {username}' ) # Activity validation of account by cloud user activity = RedrockController.get_account_activity(cloud_user_session, account_id) assert activity[0][ 'Detail'] == f'{core_session.auth_details["User"]} granted User "{username}" to have "View" permissions on local account' \ f' "{sys_info[4]}" for "{sys_info[0]}"({sys_info[1]}) with credential ' \ f'type Password ', 'No activity related to view permission found ' logger.info( f'cloud user {username} can see all the activities of account {sys_info[4]} of system {sys_info[0]}' ) # Created secret secret_name = f"test_secret{guid()}" status, parameters, secret_result = create_text_secret( core_session, secret_name, "test_secret_text") assert status, f'failed to create secret with returned result: {result}' logger.info( f'secret created successfully {result}, returned parameters are {parameters}' ) # Assigning view permission to secret to cloud user result, success = set_users_effective_permissions(core_session, username, "View", user_id, secret_result) assert success, f'failed to set permissions of secret for user {username}' logger.info( f'successfully granted "View" permission for secret to {secret_name} to user {username}' ) # Activity validation of secret by cloud user secret_activity = get_secret_activity(cloud_user_session, secret_result) assert f'{core_session.auth_details["User"]} granted User "{username}" to have "View" permissions on the ' \ f'secret "{secret_name}"' in secret_activity[0]['Detail'], 'No activity related to view permission found ' logger.info( f'cloud user {username} can see all the activities of secret of {secret_name}' )