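def test_sysadmin_without_explicit_pe_assignment_system_set(
        core_session, users_and_roles, create_manual_set):
    """Sysadmin may manage PE on a Server set even without the ManageAssignment right.

    The admin is granted every collection right and every resource-set right
    except ``ManagePrivilegeElevationAssignment``; ``can_manage_pe`` on the set
    is still expected to report ``True`` for the sysadmin session.

    :param core_session: authenticated sysadmin session (fixture)
    :param users_and_roles: fixture required by the test setup; not referenced here
    :param create_manual_set: fixture creating a manual set, returns a dict with ``'ID'``
    """
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Create Set and the system to this set
    set_id = create_manual_set(core_session, "Server")['ID']
    logger.info(f"Successfully created a set and added system to that set: {set_id}")

    # Give all permissions to the admin on the set
    permission_string = 'Grant,View,Edit,Delete'
    result = SetsManager.set_collection_permissions(
        core_session, permission_string, admin_user_name, admin_user_id, set_id)
    logger.info(result)
    # f-string on purpose: ``"..." + result`` raised TypeError when result is a dict
    # and hid the real failure reason.
    assert result['success'], \
        f"assigning collection permissions on the set for the user, failed: {result}"

    # Give all permissions but MA to the admin on the ResourceSet
    permission_string = ('Grant,View,Edit,Delete,ManageSession,AgentAuth,'
                         'RequestZoneRole,AddAccount,UnlockAccount')
    result = SetsManager.set_collection_resource_permissions(
        core_session, permission_string, admin_user_name, admin_user_id, set_id)
    assert result['success'], \
        f"assigning collection permissions on the resource set for the user failed: {result}"

    # This sysadmin user does not have ManageAssignment permission, should still pass
    canManage, isSuccess = PrivilegeElevation.can_manage_pe(
        core_session, scopeType="Collection", scope=set_id)
    assert isSuccess and canManage, \
        f"Can Manage Privilege Elevation for sysadmin user without MA permissions on a " \
        f"system set failed, reason: {canManage}"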
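def test_nonServer_collection_scenario(core_session, users_and_roles, create_resources, create_manual_set):
    """``can_manage_pe`` must report ``False`` for a collection that is not a Server set.

    A ``VaultDatabase`` set is created and the admin is given full collection
    rights on it; because privilege elevation only applies to Server
    collections the call must succeed but return ``canManage == False``.

    :param core_session: authenticated sysadmin session (fixture)
    :param users_and_roles: fixture required by the test setup; not referenced here
    :param create_resources: fixture required by the test setup; not referenced here
    :param create_manual_set: fixture creating a manual set, returns a dict with ``'ID'``
    """
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Create nonServer Set
    set_id = create_manual_set(core_session, "VaultDatabase").get("ID", None)
    assert set_id is not None, "set_id cannot be empty"
    logger.info(f"Successfully created a set: {set_id}")

    # Give all permissions to the admin on the set
    permission_string = 'Grant,View,Edit,Delete'
    result = SetsManager.set_collection_permissions(
        core_session, permission_string, admin_user_name, admin_user_id, set_id)
    logger.info(result)
    # f-string on purpose: ``"..." + result`` raised TypeError when result is a dict
    # and hid the real failure reason.
    assert result['success'], \
        f"assigning collection permissions on the set for the admin user, failed: {result}"

    # Not a server collection, should fail
    canManage, isSuccess = PrivilegeElevation.can_manage_pe(
        core_session, scopeType="Collection", scope=set_id)
    assert isSuccess and not canManage, \
        f"Can Manage Privilege Elevation for nonServer set passed, reason: {canManage}"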
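def test_check_ui_after_changing_setting(core_session, pas_setup, clean_up_collections):
    """
    Test case: C2206 Check permission for set

    Verifies that ``Grant`` is listed before ``View`` in a system's Rights
    string, then creates a Server set, grants the current user
    ``Grant,View,Edit,Delete`` on it and checks the rights reported back.

    :param core_session: Authenticated centrify session
    :param pas_setup: Creating a new system with accounts; yields
        ``(system_id, account_id, system_details)``
    :param clean_up_collections: list of set ids removed at teardown
    """
    # Adding Systems for test execution
    created_system_id, created_account_id, system_details = pas_setup
    # NOTE(review): reads the session's private state for the caller's user/id —
    # confirm ``auth_details`` is the intended source.
    user_details = core_session.__dict__
    collection_name = "testManualCollection" + guid()

    # Get list of permission
    get_sys_result, get_sys_success = ResourceManager.get_system_permissions(
        core_session, created_system_id)
    assert get_sys_success, \
        f"Failed to get system permissions for resource, API result:{get_sys_result}"
    permission = get_sys_result[0]['Rights']

    # Normalise the Rights string to bare right names; tolerates either
    # "Grant, View, ..." or "Grant View ..." (format not fixed by this file).
    permission_list = permission.replace(',', ' ').split()
    assert 'Grant' in permission_list and 'View' in permission_list, \
        f"Rights string does not list both 'Grant' and 'View': {permission}"
    grant_index = permission_list.index('Grant')
    view_index = permission_list.index('View')
    # The previous check compared the fixed list positions 3 and 4 with each
    # other, which is always true; compare the positions of the named rights.
    assert grant_index < view_index, \
        f"Failed to get permission 'Grant' is in front of 'View', Rights: {permission}"
    logger.info(
        f'Grant is successfully shows in front of View. '
        f'as Grant index is {grant_index} and View index is {view_index}')

    # Create set
    add_set_success, new_set_id = SetsManager.create_manual_collection(
        core_session, collection_name, "Server")
    # f-string: on failure new_set_id may not be a str, so "+" could raise TypeError
    assert add_set_success, f"Collection {new_set_id} Failed to Create"
    # Set cleanup list
    clean_up_collections.append(new_set_id)

    # Assign permission to the set
    set_permissions_result = SetsManager.set_collection_permissions(
        core_session, "Grant,View,Edit,Delete",
        user_details["auth_details"]["User"], user_details['auth_details']['UserId'],
        new_set_id)
    # Check the grant actually succeeded rather than only logging it
    assert set_permissions_result['success'], \
        f"Failed to set collection permissions for the set page: {set_permissions_result}"
    logger.info(
        f'Successfully set collection Permissions for the set page :{set_permissions_result}')

    # Get collection permission rights
    get_permissions_result = SetsManager.get_collection_rights(core_session, new_set_id)
    set_permission = get_permissions_result['Result']
    # Actual set permission rights list
    actual_set_permission_list = 'View, Edit, Delete, Grant'
    assert set_permission == actual_set_permission_list, \
        f'Failed to verify permissions:{actual_set_permission_list}'
    logger.info(
        f'Successfully verify Permissions for the set page created:{actual_set_permission_list}')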
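def test_delete_assignment_sysadmin_without_ma_permission_on_system_set(
        core_session, create_manual_set, setup_generic_pe_command_with_no_rules):
    """Sysadmin can delete a PE rule assignment on a Server set without the MA right.

    The admin gets all collection rights and all resource-set rights except
    ``ManagePrivilegeElevationAssignment``, adds an assignment for the command
    on the set, confirms it is listed, then deletes it; the delete must succeed.

    :param core_session: authenticated sysadmin session (fixture)
    :param create_manual_set: fixture creating a manual set, returns a dict with ``'ID'``
    :param setup_generic_pe_command_with_no_rules: fixture yielding ``(commandName, commandID)``
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Create Set and the system to this set
    set_id = create_manual_set(core_session, "Server")['ID']
    logger.info(f"Successfully created a set and added system to that set: {set_id}")

    # Give all permissions to the admin on the set
    permission_string = 'Grant,View,Edit,Delete'
    result = SetsManager.set_collection_permissions(
        core_session, permission_string, admin_user_name, admin_user_id, set_id)
    logger.info(result)
    # f-string on purpose: ``"..." + result`` raised TypeError when result is a dict
    # and hid the real failure reason.
    assert result['success'], \
        f"assigning collection permissions on the set for the user, failed: {result}"

    # Give all permissions but MA to the admin on the ResourceSet
    permission_string = ('Grant,View,Edit,Delete,ManageSession,AgentAuth,'
                         'RequestZoneRole,AddAccount,UnlockAccount')
    result = SetsManager.set_collection_resource_permissions(
        core_session, permission_string, admin_user_name, admin_user_id, set_id)
    assert result['success'], \
        f"assigning collection permissions on the resource set for the user failed: {result}"

    # Add assignment
    ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
        core_session, commandID=commandID, scopeType="Collection", scope=set_id,
        principalType="User", principal=admin_user_name)
    assert isSuccess, " Adding rule assignment failed"

    # Make sure rule assignment is available
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
    assert isSuccess and len(results['Result']) == 1, \
        f"List assignments API call failed: {results}"

    # Deleting assignment explicitly should pass
    result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, ruleID)
    # include the API result so a failure is diagnosable, not just the rule id
    assert isSuccess, \
        f"Deleting rule assignment with no manage permission on system as sysadmin failed: " \
        f"{ruleID}, API result: {result}"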
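def test_update_assignment_sysadmin_without_ma_permission_on_system_set(
        core_session, create_manual_set, setup_generic_pe_command_with_no_rules):
    """Sysadmin can update a PE rule assignment on a Server set without the MA right.

    The admin gets all collection rights and all resource-set rights except
    ``ManagePrivilegeElevationAssignment``, adds an assignment with
    ``BypassChallenge=False``, flips it to ``True`` and verifies the listed
    assignment reflects the update.

    :param core_session: authenticated sysadmin session (fixture)
    :param create_manual_set: fixture creating a manual set, returns a dict with ``'ID'``
    :param setup_generic_pe_command_with_no_rules: fixture yielding ``(commandName, commandID)``
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Create Set and the system to this set
    set_id = create_manual_set(core_session, "Server")['ID']
    logger.info(f"Successfully created a set and added system to that set: {set_id}")

    # Give all permissions to the admin on the set
    permission_string = 'Grant,View,Edit,Delete'
    result = SetsManager.set_collection_permissions(
        core_session, permission_string, admin_user_name, admin_user_id, set_id)
    # f-string on purpose: ``"..." + result`` raised TypeError when result is a dict
    # and hid the real failure reason.
    assert result['success'], \
        f"assigning collection permissions on the set for the user, failed: {result}"

    # Give all permissions but MA to the admin on the ResourceSet
    permission_string = ('Grant,View,Edit,Delete,ManageSession,AgentAuth,'
                         'RequestZoneRole,AddAccount,UnlockAccount')
    result = SetsManager.set_collection_resource_permissions(
        core_session, permission_string, admin_user_name, admin_user_id, set_id)
    assert result['success'], \
        f"assigning collection permissions on the resource set for the user failed: {result}"

    # Add assignment
    rule_info = get_PE_ASSIGNMENTS_Data(
        commandID=commandID, commandName=commandName, principalType="User",
        principal=admin_user_name, scopeType="Collection", scope=set_id,
        principalId=None, bypassChallenge=False)
    ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
        core_session, commandID=commandID, scopeType=rule_info['ScopeType'],
        scope=rule_info['Scope'], principalType=rule_info['PrincipalType'],
        principal=rule_info['Principal'], byPassChallenge=False)
    assert isSuccess, " Adding rule assignment failed"
    rule_info['ID'] = ruleID

    # Update rules: the expected record must match what the API is asked to set
    rule_info['BypassChallenge'] = True

    # This sysadmin user doesn't have MA permission, should still pass
    results, isSuccess = PrivilegeElevation.update_pe_assignment(
        core_session, ruleID=ruleID, bypassChallenge=True)
    # message corrected: this admin has *no* MA permission in this scenario
    assert isSuccess, \
        f"UpdateAssignment for sys admin user without MA permissions on " \
        f"a set failed, reason: {results}"

    # Make sure assignments are actually updated
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, commandID=commandID)
    assert isSuccess, f"List Assignments for sysadmin user failed, reason: {results}"
    rule_info_list = [rule_info]
    assert len(results['Result']) == 1 and \
        PrivilegeElevation.check_rules_info_in_api_response(rule_info_list, results), \
        f"List Assignments complete check failed: {ruleID}"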
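def test_collection_scenario(core_session, users_and_roles, create_resources, create_manual_set,
                             setup_generic_pe_command_with_no_rules):
    """Authorization checks for updating a PE assignment scoped to a Server set.

    A PAS power user is given rights on the set step by step and
    ``update_pe_assignment`` must be denied until the user holds both the
    ``Edit`` collection right and the ``ManagePrivilegeElevationAssignment``
    resource-set right; the sysadmin session must always be allowed.

    NOTE(review): another test with this exact name appears later on this
    page; if both live in the same module the later definition shadows this
    one and pytest collects only that one — rename one of them.

    :param core_session: authenticated sysadmin session (fixture)
    :param users_and_roles: fixture providing a session for a named role
    :param create_resources: fixture adding systems, returns a list of dicts with ``'ID'``
    :param create_manual_set: fixture creating a manual set, returns a dict with ``'ID'``
    :param setup_generic_pe_command_with_no_rules: fixture yielding ``(commandName, commandID)``
    """
    commandName, commandID = setup_generic_pe_command_with_no_rules
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Get User
    requester_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
    response = requester_session.get_current_session_user_info()
    user_info = response.json()['Result']

    # Add System
    added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.debug(f"Successfully added a System: {added_system_id}")

    # Create Set and the system to this set
    set_id = create_manual_set(core_session, "Server", object_ids=[added_system_id])['ID']
    logger.debug(f"Successfully created a set and added system to that set: {set_id}")

    # f-strings throughout on purpose: ``"..." + result`` raised TypeError when
    # result is a dict and hid the real failure reason.

    # Give all permissions to the admin on the set
    permission_string = 'Grant,View,Edit,Delete'
    result = SetsManager.set_collection_permissions(
        core_session, permission_string, admin_user_name, admin_user_id, set_id)
    assert result['success'], f"setting admin collection permissions on the set failed: {result}"

    # Give all permissions to the admin on the ResourceSet
    permission_string = ('Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,'
                         'AddAccount,UnlockAccount,ManagePrivilegeElevationAssignment')
    result = SetsManager.set_collection_resource_permissions(
        core_session, permission_string, admin_user_name, admin_user_id, set_id)
    assert result['success'], \
        f"setting admin collection permissions on the resourceSet failed: {result}"

    # Give all permission for the user on the set
    permission_string = 'Grant,View,Edit,Delete'
    result = SetsManager.set_collection_permissions(
        core_session, permission_string, user_info['Name'], user_info['Id'], set_id)
    assert result['success'], \
        f"setting PAS power user collection permissions on the set failed: {result}"

    # Give all permission but the MA permission to the PAS user on the resource Set
    permission_string = ('Grant,View,Edit,Delete,ManageSession,AgentAuth,'
                         'RequestZoneRole,AddAccount,UnlockAccount')
    result = SetsManager.set_collection_resource_permissions(
        core_session, permission_string, user_info['Name'], user_info['Id'], set_id)
    assert result['success'], \
        f"setting PAS power user collection permissions on the resourceSet failed: {result}"

    # Add assignment
    rule_info = get_PE_ASSIGNMENTS_Data(
        commandID=commandID, commandName=commandName, principalType="User",
        principal=user_info['Name'], scopeType="Collection", scope=set_id,
        principalId=None, bypassChallenge=False)
    ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
        core_session, commandID=commandID, scopeType=rule_info['ScopeType'],
        scope=rule_info['Scope'], principalType=rule_info['PrincipalType'],
        principal=rule_info['Principal'], byPassChallenge=False)
    assert isSuccess, " Adding rule assignment failed"
    rule_info['ID'] = ruleID

    # This user does not have MA permission, so should fail
    results, isSuccess = PrivilegeElevation.update_pe_assignment(
        requester_session, ruleID=ruleID, bypassChallenge=False)
    assert not isSuccess and results['Message'] == "Attempted to perform an unauthorized operation.", \
        f"UpdateAssignment for PAS power user with no MA permissions on a set passed, reason: {results}"

    # Now assign MA permission but not Edit permission to the user.
    # Previously only Edit was removed and MA was never granted here, so the
    # following denial proved nothing about Edit; grant MA first so that the
    # missing Edit right is the only reason the update can be refused.
    permission_string = ('Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,'
                         'AddAccount,UnlockAccount,ManagePrivilegeElevationAssignment')
    result = SetsManager.set_collection_resource_permissions(
        core_session, permission_string, user_info['Name'], user_info['Id'], set_id, "User")
    assert result['success'], f"setting PAS power user collection permissions failed: {result}"
    permission_string = 'Grant,View,Delete'
    result = SetsManager.set_collection_permissions(
        core_session, permission_string, user_info['Name'], user_info['Id'], set_id)
    assert result['success'], f"setting PAS power user collection permissions failed: {result}"

    # This user does not have Edit permission, so should fail
    results, isSuccess = PrivilegeElevation.update_pe_assignment(
        requester_session, ruleID=ruleID, bypassChallenge=False)
    assert not isSuccess and results['Message'] == "Attempted to perform an unauthorized operation.", \
        f"UpdateAssignment for PAS power user with no Edit permissions on a set passed, reason: {results}"

    # Now assign MA permission and Edit permission to the user
    permission_string = ('Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,'
                         'AddAccount,UnlockAccount,ManagePrivilegeElevationAssignment')
    result = SetsManager.set_collection_resource_permissions(
        core_session, permission_string, user_info['Name'], user_info['Id'], set_id, "User")
    assert result['success'], f"setting PAS power user collection permissions failed: {result}"
    permission_string = 'Grant,View,Edit,Delete'
    result = SetsManager.set_collection_permissions(
        core_session, permission_string, user_info['Name'], user_info['Id'], set_id)
    assert result['success'], f"setting PAS power user collection permissions failed: {result}"

    # updated rules: the "Z" suffix declares UTC, so the timestamps must be
    # taken in UTC (the previous local-time value was mislabelled as UTC on
    # any host not running in UTC).
    now_utc = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0, tzinfo=None)
    starts = now_utc.isoformat() + "Z"
    expires = (now_utc + datetime.timedelta(minutes=10)).isoformat() + "Z"
    rule_info['Starts'] = starts
    rule_info['Expires'] = expires
    rule_info['BypassChallenge'] = True

    # This user has Edit and MA permissions on the set, should pass
    results, isSuccess = PrivilegeElevation.update_pe_assignment(
        requester_session, ruleID=ruleID, bypassChallenge=rule_info['BypassChallenge'],
        starts=rule_info['Starts'], expires=rule_info['Expires'])
    assert isSuccess, \
        f"UpdateAssignment for PAS power user with Edit and MA permissions on " \
        f"a set failed, reason: {results}"

    # Make sure rules are actually updated
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, commandID=commandID)
    assert isSuccess, f"List Assignments for PAS power user failed, reason: {results}"
    rule_info_list = [rule_info]
    assert len(results['Result']) == 1 and \
        PrivilegeElevation.check_rules_info_in_api_response(rule_info_list, results), \
        f"List Assignments complete check failed: {ruleID}"

    # Update rules
    rule_info['BypassChallenge'] = False

    # This sysadmin user does have MA permission, so should pass
    results, isSuccess = PrivilegeElevation.update_pe_assignment(
        core_session, ruleID=ruleID, bypassChallenge=False)
    assert isSuccess, \
        f"UpdateAssignment for sys admin user with MA permissions on " \
        f"a set failed, reason: {results}"

    # Make sure rules are actually updated (listed with the sysadmin session)
    results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, commandID=commandID)
    assert isSuccess, f"List Assignments for sysadmin user failed, reason: {results}"
    rule_info_list = [rule_info]
    assert len(results['Result']) == 1 and \
        PrivilegeElevation.check_rules_info_in_api_response(rule_info_list, results), \
        f"List Assignments complete check failed: {ruleID}"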
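def test_adUser_permission_through_adGroup_system_set(core_session, setup_aduser, setup_user_in_ad_group,
                                                      create_resources, create_manual_set):
    """PE management rights granted to an AD group must reach its members only.

    The AD group receives full collection and resource-set rights (including
    ``ManagePrivilegeElevationAssignment``) on a Server set containing one
    system. A member of the group must get ``canManage == True``; a second AD
    user outside the group must get ``False``.

    :param core_session: authenticated sysadmin session (fixture)
    :param setup_aduser: fixture yielding ``(adUser2, adUserPwd2)`` for a user outside the group
    :param setup_user_in_ad_group: fixture yielding ``(adUser, adUserPwd, adGroup)``;
        ``adGroup`` may be ``None`` when group info is unavailable
    :param create_resources: fixture adding systems, returns a list of dicts with ``'ID'``
    :param create_manual_set: fixture creating a manual set, returns a dict with ``'ID'``
    """
    adUser, adUserPwd, adGroup = setup_user_in_ad_group
    if adGroup is None:
        pytest.skip("Cannot retreive ad group info")

    # Setup another ad user that's not part of above adGroup
    adUser2, adUserPwd2 = setup_aduser

    # Add System
    added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.info(f"Successfully added a System: {added_system_id}")

    # Create Set and the system to this set
    set_id = create_manual_set(core_session, "Server", object_ids=[added_system_id])['ID']
    logger.info(f"Successfully created a set and added system to that set: {set_id}")

    # Give all permissions to the ad group on the set
    permission_string = 'Grant,View,Edit,Delete'
    result = SetsManager.set_collection_permissions(
        core_session, permission_string, adGroup['DisplayName'], adGroup['InternalName'],
        set_id, ptype="Group")
    logger.info(result)
    # f-string on purpose: ``"..." + result`` raised TypeError when result is a dict
    # and hid the real failure reason.
    assert result['success'], \
        f"assigning admin collection permissions on the set failed: {result}"

    # Give all permissions to the ad group on the ResourceSet
    permission_string = ('Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,'
                         'AddAccount,UnlockAccount,ManagePrivilegeElevationAssignment')
    result = SetsManager.set_collection_resource_permissions(
        core_session, permission_string, adGroup['DisplayName'], adGroup['InternalName'],
        set_id, ptype="Group")
    logger.info(result)
    assert result['success'], \
        f"assigning admin collection permissions on the resourceSet failed: {result}"

    # Group member: inherits the group's MA right on the set
    ad_user_session = CentrifySessionManager(core_session.url, core_session.tenant_id)
    ad_user_session.security_login(core_session.tenant_id, adUser['SystemName'], adUserPwd)
    # should pass
    result, success = PrivilegeElevation.can_manage_pe(
        ad_user_session, scopeType="Collection", scope=set_id)
    assert success and result, \
        f"Can Manage Privilege Elevation for adUser within an adgroup with MA permissions failed:" \
        f"{result}"

    # Non-member: no rights were granted to this user or any of their groups
    ad_user2_session = CentrifySessionManager(core_session.url, core_session.tenant_id)
    ad_user2_session.security_login(core_session.tenant_id, adUser2['SystemName'], adUserPwd2)
    # Should fail
    # NOTE(review): this negative check uses the System scope while the positive
    # check above uses the Collection scope — confirm the asymmetry is intended.
    result, success = PrivilegeElevation.can_manage_pe(
        ad_user2_session, scopeType="System", scope=added_system_id)
    assert success and not result, \
        f"Can Manage Privilege Elevation for adUser not within an adgroup with MA " \
        f"permissions passed: {result}"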
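def test_collection_scenario(core_session, users_and_roles, create_resources, create_manual_set):
    """Authorization checks for ``can_manage_pe`` on a Server set.

    A PAS power user is given rights on the set step by step and
    ``can_manage_pe`` must report ``False`` until the user holds both the
    ``Edit`` collection right and the ``ManagePrivilegeElevationAssignment``
    resource-set right; the sysadmin session must report ``True``.

    NOTE(review): another test with this exact name appears earlier on this
    page; if both live in the same module this definition shadows the earlier
    one and pytest collects only this one — rename one of them.

    :param core_session: authenticated sysadmin session (fixture)
    :param users_and_roles: fixture providing a session for a named role
    :param create_resources: fixture adding systems, returns a list of dicts with ``'ID'``
    :param create_manual_set: fixture creating a manual set, returns a dict with ``'ID'``
    """
    admin_user = core_session.get_user()
    admin_user_name = admin_user.get_login_name()
    admin_user_id = admin_user.get_id()

    # Get User
    requester_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
    response = requester_session.get_current_session_user_info()
    user_info = response.json()['Result']
    logger.info(user_info)

    # Add System
    added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
    logger.info(f"Successfully added a System: {added_system_id}")

    # Create Set and the system to this set
    set_id = create_manual_set(core_session, "Server", object_ids=[added_system_id])['ID']
    logger.info(f"Successfully created a set and added system to that set: {set_id}")

    # f-strings throughout on purpose: ``"..." + result`` raised TypeError when
    # result is a dict and hid the real failure reason.

    # Give all permissions to the admin on the set
    permission_string = 'Grant,View,Edit,Delete'
    result = SetsManager.set_collection_permissions(
        core_session, permission_string, admin_user_name, admin_user_id, set_id)
    logger.info(result)
    assert result['success'], \
        f"assigning collection permissions on the set for the user, failed: {result}"

    # Give all permissions to the admin on the ResourceSet
    permission_string = ('Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,'
                         'AddAccount,UnlockAccount,ManagePrivilegeElevationAssignment')
    result = SetsManager.set_collection_resource_permissions(
        core_session, permission_string, admin_user_name, admin_user_id, set_id)
    logger.info(result)
    assert result['success'], \
        f"assigning collection permissions on the resource set for the user failed: {result}"

    # Give all permission for the user on the set
    permission_string = 'Grant,View,Edit,Delete'
    result = SetsManager.set_collection_permissions(
        core_session, permission_string, user_info['Name'], user_info['Id'], set_id)
    assert result['success'], \
        f"assigning collection permissions on the set for the user, failed: {result}"

    # Give all permission but the MA permission to the PAS user on the resource Set
    permission_string = ('Grant,View,Edit,Delete,ManageSession,AgentAuth,'
                         'RequestZoneRole,AddAccount,UnlockAccount')
    result = SetsManager.set_collection_resource_permissions(
        core_session, permission_string, user_info['Name'], user_info['Id'], set_id)
    assert result['success'], \
        f"assigning collection permissions on the resource set for the user failed: {result}"

    new_set = SetsManager.get_collection(requester_session, set_id)
    logger.info(new_set)

    # This user does not have MA permission, so should fail
    canManage, isSuccess = PrivilegeElevation.can_manage_pe(
        requester_session, scopeType="Collection", scope=set_id)
    assert isSuccess and not canManage, \
        f"Can Manage Privilege Elevation for PAS power user with no MA permissions on " \
        f"a set passed, reason: {canManage}"

    # Now assign MA permission but not Edit permission to the user.
    # Previously only Edit was removed and MA was never granted here, so the
    # following denial proved nothing about Edit; grant MA first so that the
    # missing Edit right is the only reason the check can be refused.
    permission_string = ('Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,'
                         'AddAccount,UnlockAccount,ManagePrivilegeElevationAssignment')
    result = SetsManager.set_collection_resource_permissions(
        core_session, permission_string, user_info['Name'], user_info['Id'], set_id, "User")
    assert result['success'], f"assigning collection permissions for the user failed: {result}"
    permission_string = 'Grant,View,Delete'
    result = SetsManager.set_collection_permissions(
        core_session, permission_string, user_info['Name'], user_info['Id'], set_id)
    assert result['success'], f"assigning collection permissions for the user failed: {result}"

    # This user does not have Edit permission, so should fail
    canManage, isSuccess = PrivilegeElevation.can_manage_pe(
        requester_session, scopeType="Collection", scope=set_id)
    assert isSuccess and not canManage, \
        f"Can Manage Privilege Elevation for PAS power user with no Edit permissions on " \
        f"a set passed, reason: {canManage}"

    # Now assign MA permission and Edit permission to the user
    permission_string = ('Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,'
                         'AddAccount,UnlockAccount,ManagePrivilegeElevationAssignment')
    result = SetsManager.set_collection_resource_permissions(
        core_session, permission_string, user_info['Name'], user_info['Id'], set_id, "User")
    assert result['success'], f"assigning collection permissions for the user failed: {result}"
    permission_string = 'Grant,View,Edit,Delete'
    result = SetsManager.set_collection_permissions(
        core_session, permission_string, user_info['Name'], user_info['Id'], set_id)
    assert result['success'], f"assigning collection permissions for the user failed: {result}"

    # This user has Edit and MA permissions on the set, should pass
    canManage, isSuccess = PrivilegeElevation.can_manage_pe(
        requester_session, scopeType="Collection", scope=set_id)
    assert isSuccess and canManage, \
        f"Can Manage Privilege Elevation for PAS power user with Edit and MA permissions on " \
        f"a set failed, reason: {canManage}"

    # This sysadmin user does have MA permission, so should pass
    canManage, isSuccess = PrivilegeElevation.can_manage_pe(
        core_session, scopeType="Collection", scope=set_id)
    assert isSuccess and canManage, \
        f"Can Manage Privilege Elevation for sys admin user with MA permissions on " \
        f"a set failed, reason: {canManage}"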