def test_move_secret_to_different_folder_with_member_permission_edit_on_source_folder_for_user_a(
core_session, users_and_roles, create_secret_inside_folder,
pas_general_secrets, cleanup_secrets_and_folders):
"""
test method to move a secret to another folder with "EDIT" member permissions on source folder for User A
:param core_session: Authenticated Centrify Session.
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param create_secret_inside_folder: Fixture to create text type secret inside folder &
yields folder & secret details.
:param pas_general_secrets: Fixture to read secret data from yaml file.
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
"""
folder_id_list, folder_name, secret_id_list = create_secret_inside_folder
folders_list = cleanup_secrets_and_folders[1]
params = pas_general_secrets
prefix = guid()
pas_power_user = users_and_roles.get_user(
'Privileged Access Service Power User')
user_name = pas_power_user.get_login_name()
user_id = pas_power_user.get_id()
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details is not None, 'Failed to Login with PAS Power User'
logger.info(
f'User with PAS Power User Rights login successfully :user_Name: {user_name}'
f' & Password: {pas_power_user.get_password()} ')
# Api to give user permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, folder_id_list[0], 'View,Grant')
assert user_permissions_result, f'Not Able to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to give member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'View,Grant,Edit', user_id, folder_id_list[0])
assert member_perm_success, f'Not Able to set member permissions to Folder{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Api to create secret folder for User A
secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(
pas_power_user_session, prefix + params['name'], params['description'])
logger.info(
f' Folder created successfully: {secret_folder_success} & details are {secret_folder_parameters}'
)
assert secret_folder_success is True, f'Failed to create a folder {secret_folder_id}'
folders_list.append(secret_folder_id)
# Api to move secret into another Folder
result_move = move_secret(pas_power_user_session, secret_id_list[0],
secret_folder_id)
assert result_move[
'success'], f'Not Able to move the secret into Folder: {result_move["Result"]}'
logger.info(
f'Moving secret with edit permissions to another folder:{result_move}')
def test_view_on_members_but_not_on_folders(core_session,
create_secret_inside_folder,
pas_general_secrets,
users_and_roles,
cleanup_secrets_and_folders):
"""
C3055: test method to View on members but not on folders
1) create multiple secrets & folders inside parent folder
2) Login as Admin, set member permissions "View" for parent folder
3) Login as pas user
4) Verify can view secrets but not folders
:param core_session: Authenticated Centrify session
:param create_secret_inside_folder: Fixture to create secret inside folder
:param pas_general_secrets: Fixture to read secrets related data from yaml file
:param users_and_roles: Fixture to create random user with PAS User Rights
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folder created
"""
folder_id_list, folder_name, secret_id = create_secret_inside_folder
folders_list = cleanup_secrets_and_folders[1]
params = pas_general_secrets
# creating nested folder
child_folder_success, child_folder_parameters, child_folder_id = create_folder(
core_session,
params['name'],
params['description'],
parent=folder_id_list[0])
assert child_folder_success, f'Failed to create nested folder, API response result: {child_folder_id}'
logger.info(
f'Nested Folder created successfully, details are: {child_folder_parameters}'
)
folders_list.insert(0, child_folder_id)
# API to get new session for User with pas user Rights
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS User Rights login successfully: user_Name:{user_name}')
# Api to give member permissions(View) to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'View', user_id, folder_id_list[1])
assert member_perm_success, \
f'Not Able to set "View" member permissions to Folder, API response result: {member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Getting the secret for pas user should pass
found_secret = get_secret(pas_power_user_session, secret_id[0])
assert found_secret['success'], \
f'Unable to find the secret for pas user, API response result:{found_secret["Message"]}'
logger.info(f'Able to find the secret for pas user: {found_secret}')
def test_cant_add_folder_if_you_dont_have_add_permission_on_parent_folder(
core_session, create_secret_folder, pas_general_secrets,
users_and_roles):
"""
test method to not able to add a child Folder inside a Parent Folder
when ADD permissions are not enabled for the Parent Folder
:param core_session: Authenticated Centrify Session
:param create_secret_folder: Fixture to create a folder & yields folder related details
:param pas_general_secrets: Fixture to read secret data from yaml file
:param users_and_roles: Fixture to create a random user with PAS Power Rights
"""
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
folder_params = pas_general_secrets
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details is not None, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name: {user_name}'
)
# Api to give user permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, folder_id, 'View')
assert user_permissions_result, f'Not Able to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to give member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'View,Grant', user_id, folder_id)
assert member_perm_success, f'Not Able to set member permissions to Folder{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
folder_prefix = guid()
# Creating ChildFolder for PAS Power User
folder_success, folder_parameters, child_folder_id = create_folder(
pas_power_user_session,
folder_prefix + folder_params['name'],
folder_params['description'],
parent=folder_id)
assert folder_success is False, \
f'Added subfolder without ADD permissions for the folder:{child_folder_id}'
logger.info(
f'Add Folder without ADD permissions: {folder_success}{folder_parameters}'
)
def test_have_delete_permission_on_parent_should_be_able_to_delete_child_members(
core_session, users_and_roles, create_secret_inside_folder,
pas_general_secrets):
"""
C3000: Have delete permission on parent, should be able to delete child members
:param core_session: Authenticated Centrify Session.
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param create_secret_inside_folder: Fixture to create text type secret inside folder &
yields folder & secret details.
:param pas_general_secrets: Fixture to read secret data from yaml file.
"""
folder_id_list, folder_name, secret_id_list = create_secret_inside_folder
pas_power_user = users_and_roles.get_user(
'Privileged Access Service Power User')
user_name = pas_power_user.get_login_name()
user_id = pas_power_user.get_id()
# Getting new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details is not None, 'Failed to Login with PAS Power User'
logger.info(
f'User with PAS Power User Rights login successfully :user_Name: {user_name}'
f' & Password: {pas_power_user.get_password()} ')
# Api to give user permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, folder_id_list[0], 'View,Grant')
assert user_permissions_result, f'Not Able to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to give member permissions(Delete) to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'View,Grant,Delete,Retrieve', user_id,
folder_id_list[0])
assert member_perm_success, f'Not Able to set member permissions to Folder{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Api to delete the child secret
del_success, del_result = del_secret(pas_power_user_session,
secret_id_list[0])
assert del_success, f'Not Able to delete the child secret: {del_result}'
for secret_id in secret_id_list:
secret_id_list.remove(secret_id)
logger.info(f'Able to delete the child secret:{del_result}')
def test_move_secret_without_edit_member_permission_on_source_folder_should_not_be_allowed(
core_session, users_and_roles, create_secret_folder,
pas_general_secrets, cleanup_secrets_and_folders):
"""
test method to move a secret to another folder without "EDIT" member permissions & Folder permissions
on source folder for User A should not be allowed
:param core_session: Authenticated Centrify Session.
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param create_secret_folder: Fixture to create secret folder & yields folder details.
:param pas_general_secrets: Fixture to read secret data from yaml file.
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
"""
secret_folder_details = create_secret_folder
secret_list = cleanup_secrets_and_folders[0]
folders_list = cleanup_secrets_and_folders[1]
params = pas_general_secrets
prefix = guid()
folder_id = secret_folder_details['ID']
pas_power_user = users_and_roles.get_user(
'Privileged Access Service Power User')
user_name = pas_power_user.get_login_name()
user_id = pas_power_user.get_id()
# Api to create text type secret within folder
added_text_secret_success, added_text_secret_result = create_text_secret_within_folder(
core_session, prefix + params['secret_name'], params['secret_text'],
params['secret_description'], folder_id)
assert added_text_secret_success, f'Unable to create secret {added_text_secret_result}'
logger.info(f'Secret Created successfully: {added_text_secret_success}')
secret_list.append(added_text_secret_result)
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
logger.info(
f'User with PAS Power User Rights login successfully :user_Name: {user_name}'
f' & Password: {pas_power_user.get_password()} ')
# Api to give user permissions to folder(without EDIT)
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, folder_id, 'View,Grant')
assert user_permissions_result, f'Not Able to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to give member permissions to folder(without EDIT)
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'View,Grant', user_id, folder_id)
assert member_perm_success, f'Not Able to set member permissions to Folder{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Api to create secret folder for User A
secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(
pas_power_user_session, prefix + params['name'], params['description'])
assert secret_folder_success, f'Failed to create a folder:{secret_folder_id}'
logger.info(
f' Folder created successfully: {secret_folder_success} & details are {secret_folder_id}'
)
folders_list.append(secret_folder_id)
# Api to move secret into another Folder
result_move = move_secret(pas_power_user_session, added_text_secret_result,
secret_folder_id)
assert result_move[
'success'] is False, f'Able to move the secret into Folder: {result_move["Result"]}'
logger.info(
f'Not Able to move the secret into another folder without Edit permissions:{result_move["Message"]}'
)
def test_inherited_permissions_after_move(core_session,
create_secret_inside_folder,
create_secret_folder,
cleanup_secrets_and_folders,
users_and_roles):
"""
C3058:Inherited permissions after move
:param core_session: Authenticated Centrify Session
:param create_secret_inside_folder: Fixture to create secret inside Folder & yields folder & secret related details
:param create_secret_folder: Fixture to create Folder & yields folder related details
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folder created
:param users_and_roles: Fixture to create random user
"""
folder_id_list, folder_name, secret_list = create_secret_inside_folder
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(f'User with PAS Power User Rights login successfully: user_Name: {user_name}')
# Api to set permissions with folder
permissions_folder = give_user_permissions_to_folder(core_session,
user_name,
user_id,
folder_id_list[0],
'View')
assert permissions_folder['success'], f'Not able to set permissions to folder:{permissions_folder["Result"]}'
logger.info(f'Permissions to folder: {permissions_folder}')
# Api to set permissions with folder
folder_permissions = give_user_permissions_to_folder(core_session,
user_name, user_id,
folder_id,
'View,Add')
assert folder_permissions['success'], f'Not able to set permissions to folder:{folder_permissions["Result"]}'
logger.info(f'Permissions to folder: {folder_permissions}')
# Api to give member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session,
user_name,
'View,Edit',
user_id,
folder_id_list[0])
assert member_perm_success, \
f'Not Able to set member permissions to Folder, API response result: {member_perm_result}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Api to give member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session,
user_name,
'View,Edit,Grant,Retrieve,Delete',
user_id,
folder_id)
assert member_perm_success, \
f'Not Able to set member permissions to Folder, API response result: {member_perm_result}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Api to move secret into new Folder
result_move = move_secret(pas_power_user_session, secret_list[0], folder_id)
assert result_move['success'], \
f'Not Able to move secret into new Folder. API response result: {result_move["Result"]}'
logger.info(f'Able to move the secret into new folder:{result_move["Message"]}')
# Api to get secret permissions
get_permission_result = get_users_effective_secret_permissions(core_session, secret_list[0])
verify_permissions = ['View', 'Edit', 'Delete', 'Grant', 'Retrieve']
assert get_permission_result == verify_permissions,\
f'Failed to inherit secret permissions from new parent folder. API response result: {get_permission_result}'
logger.info(f'Secret permissions are inherited from new parent folder.: {get_permission_result}')
def test_user_need_retrieve_secret_permission_to_delete(
core_session,
pas_general_secrets,
cleanup_secrets_and_folders,
users_and_roles):
"""
C283961: User needs Retrieve Secret permission to retrieve secret contents
:param core_session: Authenticated Centrify Session
:param users_and_roles: Fixture to create random user with pas user rights
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
:param pas_general_secrets: Fixture to read secrets data from yaml file
"""
folder_params = pas_general_secrets
folder_prefix = guid()
folders_list = cleanup_secrets_and_folders[1]
secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(
core_session,
folder_params['name'] + folder_prefix,
folder_params['description'])
assert secret_folder_success, f'Failed to create a folder{secret_folder_id} '
logger.info(f' Folder created successfully: {secret_folder_success} & details are {secret_folder_parameters}')
folders_list.append(secret_folder_id)
added_text_secret_success, added_text_secret_result = create_text_secret_within_folder(
core_session, folder_prefix + folder_params['secret_name'], folder_params['secret_text'],
folder_params['secret_description'], secret_folder_id)
logger.info(f'Secret Created successfully: {added_text_secret_success}')
assert added_text_secret_success, f'Unable to create secret {added_text_secret_result}'
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(f'{pas_power_user_session.auth_details}')
logger.info(f'User with PAS User Rights login successfully: user_Name:{user_name}')
# Api to give user permissions to folder
user_permissions = give_user_permissions_to_folder(core_session, user_name, user_id, secret_folder_id,
'View')
assert user_permissions['success'], \
f'Not Able to set user permissions to folder{user_permissions["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions}')
# Api to disable member permissions Retrieve in folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session,
user_name,
'View,Delete',
user_id,
secret_folder_id)
assert member_perm_success, f'Not Able to set member permissions to Folder: {member_perm_result}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Deleting secret without Retrieve permission in folder.
retrieve_success, retrieve_result, retrieve_message = retrieve_secret(pas_power_user_session,
added_text_secret_result)
assert retrieve_success is False, f'Users {user_name} have permission to retrieve the secret: {retrieve_result}'
logger.info(f'No longer to delete as you have "Retrieve" '
f'permission which is required prior to delete:{retrieve_message}')
# Api to give member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session,
user_name,
'View,Delete,Retrieve',
user_id,
secret_folder_id)
assert member_perm_success, f'Not Able to set member permissions to Folder: {member_perm_result}'
logger.info(f'Member permissions to folder:{member_perm_result}')
del_success, del_result = del_secret(pas_power_user_session, added_text_secret_result)
assert del_success, f'Not Able to delete the child secret: {del_result}'
logger.info(f'Secret is Successfully deleted:{del_result}')
def test_delete_mfa_policy_on_secret(core_session, pas_general_secrets,
clean_up_policy, users_and_roles):
"""
C283962: MFA policy on Secret, verify challenged
:param core_session: Authenticated Centrify session
:param pas_general_secrets: Fixture to read secrets data from yaml file
:param clean_up_policy: Fixture to cleanup the policy created
:param users_and_roles: Fixture to create new user with restricted rights
"""
secrets_params = pas_general_secrets
suffix = guid()
# Create a folder A
secret_folder_success, secret_folder_parameters, secret_folder_id = create_folder(
core_session, secrets_params['mfa_folder_name'] + suffix,
secrets_params['description'])
assert secret_folder_success, f'Failed to create a folder {secret_folder_id}'
logger.info(f' Folder created successfully: {secret_folder_success} ')
secret_folder_parameters['ID'] = secret_folder_id
# Create a secret under A folder
added_secret_success, added_secret_id = create_text_secret_within_folder(
core_session, secrets_params['mfa_secret_name'] + suffix,
secrets_params['secret_text'], secrets_params['secret_description'],
secret_folder_id)
assert added_secret_success, f"Added Secret Failed {added_secret_id}"
logger.info(f'Added secrets info {added_secret_success, added_secret_id}')
# Getting details of the secret
found_secret = get_secret(core_session, added_secret_id)
assert found_secret['success'], \
f'Failed to get the details of the secret , API response result:{found_secret["Message"]}'
logger.info(f'Getting details of the secret: {found_secret}')
secret_name = found_secret['Result']['SecretName']
challenges = ["UP", ""]
# Creating new policy
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA on Secret
result = update_secret(
core_session,
added_secret_id,
secret_name,
description=secrets_params['mfa_secret_description'],
policy_id=policy_result)
assert result[
'success'], f' Failed to apply MFA on the secret, API response result:{result["Message"]} '
logger.info(f'MFA Applied on the secret: {result}')
# Getting new session for User
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name: {user_name}'
)
# Api to give user permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, secret_folder_id,
'Grant,View,Delete')
assert user_permissions_result, f'Failed to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to set DELETE permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'Grant,View,Delete,Retrieve', user_id,
secret_folder_id)
assert member_perm_success, f'Failed to set member permissions to Folder{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Delete secret with Mfa Authentication
del_success, del_result = del_secret(pas_power_user_session,
added_secret_id)
# StartChallenge MFA Authentication
session, mechanism = pas_power_user_session.start_mfa_authentication(
user_name, del_result['ChallengeId'])
# AdvanceAuthentication MFA to Password
result = pas_power_user_session.advance_authentication(
answer=pas_power_user_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
assert result, "Password Authentication Failed"
logger.info(f'Advance authentication: {result}')
# After Authentication of MFA delete the secret under folder
del_secret_success, del_secret_result = del_secret_mfa(
pas_power_user_session,
added_secret_id,
ChallengeStateId=del_result['ChallengeId'])
assert del_secret_success, f'User: {user_name} failed to delete secret from this folder: {secret_folder_id}'
logger.info(
f'User: {user_name} deleted secret: '
f'{added_secret_id} successfully from this folder: {secret_folder_id}')
# Delete folder
del_folder_res = del_folder(core_session, secret_folder_id)
assert del_folder_res, f'User: {user_name} failed to delete folder: {secret_folder_id}'
logger.info(
f'User: {user_name} successfully deleted folder: {secret_folder_id}')
def test_delete_secret_with_mfa_on_parent(core_session, pas_general_secrets,
clean_up_policy, users_and_roles,
create_secret_inside_folder,
cleanup_secrets_and_folders):
"""
C283963: MFA policy on Parent folder, verify challenged
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: fixture to read secrets related data from yaml file
:param clean_up_policy: Fixture to cleanup the policy created
:param users_and_roles: Fixture to create new user with restricted rights
:param create_secret_inside_folder: Fixture to create secrets inside folder & yields secrets & folders data
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
"""
secrets_params = pas_general_secrets
suffix = guid()
folder_id_list, folder_name, secret_id_list = create_secret_inside_folder
secrets_list = cleanup_secrets_and_folders[0]
challenges = ["UP", ""]
# Creating new policy
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Updating the Folder(Applying MFA)
result = update_folder(
core_session,
folder_id_list[0],
folder_name,
folder_name,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f' Failed to apply MFA on folder, API response result: {result["Message"]} '
logger.info(f'MFA Applied on Folder: {result}')
# Getting new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name: {user_name}'
)
# Api to give user permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, folder_id_list[0], 'View')
assert user_permissions_result, f'Failed to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to set DELETE permissions folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'Grant,View,Delete,Retrieve', user_id,
folder_id_list[0])
assert member_perm_success, f'Failed to set member permissions to Folder{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Delete secret with Mfa Authentication
del_success, del_result = del_secret(pas_power_user_session,
secret_id_list[0])
# StartChallenge MFA Authentication
session, mechanism = pas_power_user_session.start_mfa_authentication(
user_name, del_result['ChallengeId'])
# AdvanceAuthentication MFA to Password
result = pas_power_user_session.advance_authentication(
answer=pas_power_user_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
assert result, "Password Authentication Failed"
# After Authentication of MFA delete the secret under folder
del_secret_success, del_secret_result = del_secret_mfa(
pas_power_user_session,
secret_id_list[0],
ChallengeStateId=del_result['ChallengeId'])
assert del_secret_success, f'Failed to delete secret with MFA {del_secret_result} with User: {user_name}'
logger.info(
f'Successfully deleted secret with MFA {del_secret_result} for User: {user_name} '
)
secrets_list.remove(secret_id_list[0])
# Updating the Folder(Removing MFA)
result = update_folder(
core_session,
folder_id_list[0],
folder_name,
folder_name,
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA on folder, API response result: {result["Message"]} '
logger.info(f'Successfully Removed MFA on Folder: {result}')
def test_move_mfa_on_closest_parent_should_override(
core_session, pas_general_secrets, create_folder_inside_folder,
cleanup_secrets_and_folders, clean_up_policy, users_and_roles):
"""
C283938: MFA on closest parent should override MFA on higher levels
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_folder_inside_folder: Fixture to create nested Folder & yields folder & sub folder related details
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created.
:param clean_up_policy: Fixture to clean up the policy created
:param users_and_roles: Fixture to create New user with PAS Power Rights
"""
secrets_params = pas_general_secrets
suffix = guid()
parent_folder_info, nested_folder_info, nested_folder_id = create_folder_inside_folder
parent_folder_id = parent_folder_info['ID']
parent_folder_name = parent_folder_info['Name']
secret_list = cleanup_secrets_and_folders[0]
challenges1 = ["UP", ""]
challenges2 = ["SQ", ""]
# Api to create secret within folder
added_text_secret_success, secret_id = create_text_secret_within_folder(
core_session, secrets_params['secret_name'] + suffix,
secrets_params['secret_text'], secrets_params['secret_description'],
nested_folder_id)
assert added_text_secret_success, f'Unable to create secret {secret_id}'
logger.info(f'Secret Created successfully: {added_text_secret_success}')
secret_list.append(secret_id)
# creating a new Authentication profile for nested folder
policy_result = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + suffix, challenges1, 0,
0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# creating another Authentication profile for parent folder
policy_result_v1 = PolicyManager.create_new_auth_profile(
core_session, secrets_params['policy_name'] + "V1" + suffix,
challenges2, 0, 0)
assert policy_result_v1, f'Failed to create policy, API response result:{policy_result_v1}'
logger.info(f' Creating new policy:{policy_result_v1}')
clean_up_policy.append(policy_result_v1)
# Applying MFA on Nested Folder
result = update_folder(
core_session,
nested_folder_id,
nested_folder_info['Name'],
nested_folder_info['Name'],
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Applying MFA on Parent Folder
result = update_folder(
core_session,
parent_folder_id,
parent_folder_name,
parent_folder_name,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result_v1)
assert result[
'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# Getting User with PAS Power User rights
pas_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_user_session.auth_details['User']
user_id = pas_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name:{user_name}'
)
# Api to give user permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, parent_folder_id, 'View')
assert user_permissions_result, f'Not Able to set user permissions to folder{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Api to give member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'View, Edit', user_id, parent_folder_id)
assert member_perm_success, f'Not Able to set member permissions to Folder{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Move Secret with Mfa Authentication
result_secret = move_secret(pas_user_session, secret_id)
# StartChallenge MFA Authentication
session, mechanism = pas_user_session.start_mfa_authentication(
user_name, result_secret['Result']['ChallengeId'])
# AdvanceAuthentication MFA to Password
advance_auth_result = pas_user_session.advance_authentication(
answer=pas_user_session.user.user_input.password,
session_id=session,
mechanism_id=mechanism)
mfa_result = advance_auth_result.json()
assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}'
logger.info(f'successfully applied password authentication: {mfa_result}')
# After Authenticating of MFA move secret with challenge password
moved_success, moved_result = move_secret_by_using_mfa(
pas_user_session,
secret_id,
ChallengeStateId=result_secret['Result']['ChallengeId'])
assert moved_success, f'User: {user_name} Failed to move secret with closest parent challenge: {moved_result}'
logger.info(
f'User: {user_name} successfully moved secret with closest parent challenge: {moved_result}'
)
# Removing MFA on Nested Folder
result = update_folder(
core_session,
nested_folder_id,
nested_folder_info['Name'],
nested_folder_info['Name'],
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA, API response result: {result["Message"]} '
logger.info(f'Removing MFA for Nested folder: {result}')
# Removing MFA on Parent Folder
result = update_folder(
core_session,
parent_folder_id,
parent_folder_name,
parent_folder_name,
description=secrets_params['mfa_folder_description'])
assert result[
'success'], f'Failed to remove MFA, API response result: {result["Message"]} '
logger.info(f'Removing MFA for Parent folder: {result}')
def test_member_permission_from_parent_or_higher_should_propagate(core_session,
pas_general_secrets,
cleanup_secrets_and_folders,
users_and_roles):
"""
C3053: test method Member permission from parent or higher should propagate all the way down hierarchy
1) create multilevel folder /alpha/beta/charlie/delta
2) Login as Admin, set folder permissions "View" & member permissions "View, Retrieve" for parent folder
3) Add new folder inside delta
4) Login as pas user
5) Verify you can view and retrieve secret under the "delta" folder
:param core_session: Authenticated Centrify session
:param pas_general_secrets: Fixture to read secrets related data from yaml file
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
:param users_and_roles: Fixture to create random user with PAS User Rights
"""
params = pas_general_secrets
folder_prefix = guid()
folders_list = cleanup_secrets_and_folders[1]
secrets_list = cleanup_secrets_and_folders[0]
# creating multilevel folder /alpha/beta/charlie/delta
child_folder_success, child_folder_parameters, child_folder_id = create_folder(
core_session,
folder_prefix + params['multi_level_folder_name'],
params['description'])
assert child_folder_success, f'Failed to create multilevel folder, API response result {child_folder_id}'
logger.info(f'Multilevel Folder created successfully: {child_folder_success} & details are {child_folder_id}')
# Getting details of Folder Charlie
charlie_folder = get_folder(core_session, child_folder_id)
assert charlie_folder['success'],\
f'Failed to retrieve charlie folder details, API response result:{charlie_folder["Message"]}'
logger.info(f'charlie folder details:{charlie_folder}')
charlie_id = charlie_folder['Result']['Results'][0]['Row']['Parent']
# Getting details of parent folder
parent_path = charlie_folder['Result']['Results'][0]['Row']['ParentPath']
parent_folder_name = parent_path.split('\\')
parent_folder_sliced = parent_folder_name[0]
# Getting id of parent folder
parent_folder = get_folder(core_session, parent_folder_sliced)
assert parent_folder['success'],\
f'Failed to retrieve parent folder details, API response result:{parent_folder["Message"]}'
logger.info(f'Parent folder details:{parent_folder}')
parent_folder_id = parent_folder['Result']['Results'][0]['Row']['ID']
# Getting details of Folder alpha
alpha_folder = get_secrets_and_folders_in_folders(core_session, parent_folder_id)
assert alpha_folder['success'], f'Failed to retrieve alpha folder id, API response result: {alpha_folder["Result"]}'
logger.info(f'Details of Alpha Folder Retrieved:{alpha_folder}')
alpha_folder_id = alpha_folder["Result"]["Results"][0]["Entities"][0]["Key"]
# Getting details of Folder beta
folder_beta = get_secrets_and_folders_in_folders(core_session, alpha_folder_id)
assert folder_beta['success'], f'Failed to retrieve beta folder id, API response result: {folder_beta["Result"]}'
logger.info(f'Details of Beta Folder Retrieved:{folder_beta}')
folder_beta_id = folder_beta["Result"]["Results"][0]["Entities"][0]["Key"]
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(f'User with PAS User Rights login successfully: user_Name:{user_name}')
# Api to give user permissions to parent folder
user_permissions_alpha = give_user_permissions_to_folder(core_session,
user_name,
user_id,
parent_folder_id,
'View')
assert user_permissions_alpha['success'], \
f'Not Able to set user permissions to folder, API response result: {user_permissions_alpha["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions_alpha}')
# Api to give member permissions(View, Retrieve) to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session,
user_name,
'View,Retrieve',
user_id,
parent_folder_id)
assert member_perm_success,\
f'Not Able to set "View" member permissions to Folder, API response result: {member_perm_result}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Adding secrets inside child folder
added_secret_success, added_secret_id = create_text_secret_within_folder(core_session,
params['mfa_secret_name'] + folder_prefix,
params['secret_text'],
params['secret_description'],
child_folder_id)
assert added_secret_success, f"Added Secret Failed, API response result: {added_secret_id}"
logger.info(f'Added secrets info: {added_secret_id}')
secrets_list.append(added_secret_id)
# Getting details of the Secret Added
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
pas_power_user_session,
added_secret_id)
secret_name_pas = get_secret_details['SecretName']
assert 'MFAOnSecret' in secret_name_pas, f'Failed to view the secret, API response result: {get_secret_success}'
logger.info(f'Details of the secret Retrieved: {get_secret_details}')
folders_list.append(child_folder_id)
folders_list.append(charlie_id)
folders_list.append(folder_beta_id)
folders_list.append(alpha_folder_id)
folders_list.append(parent_folder_id)
logger.info(f'Added Folders are deleted successfully: {folders_list}')
logger.info(f'Added Secret deleted successfully: {secrets_list}')
def test_inherited_member_permissions(core_session, create_secret_folder,
pas_general_secrets, users_and_roles,
cleanup_secrets_and_folders):
"""
C284058: Inherited member permissions
:param core_session: Authenticated Centrify session
:param create_secret_folder: Fixture to create secret folder & yields folder details
:param pas_general_secrets: Fixture to read secret data from yaml file
:param users_and_roles: Fixture to create New user with PAS Power User & PAS User Rights
:param cleanup_secrets_and_folders: Fixture to clean-up the secrets & folders created.
"""
secrets_list = cleanup_secrets_and_folders[0]
secret_folder_details = create_secret_folder
folder_id = secret_folder_details['ID']
secret_params = pas_general_secrets
suffix = guid()
# Getting new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name:{user_name}'
)
# Setting user A permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, folder_id, 'View, Add')
assert user_permissions_result, f'Failed to set user permissions to folder:{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Setting member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'View,Grant,Edit', user_id, folder_id)
assert member_perm_success, f'Failed to set member permissions to Folder:{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Getting new session for User B
pas_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service User')
assert pas_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name_pas = pas_user_session.auth_details['User']
user_id_pas = pas_user_session.auth_details['UserId']
logger.info(
f'User with PAS User Rights login successfully: user_Name:{user_name}')
# Setting user B permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name_pas, user_id_pas, folder_id, 'View, Add')
assert user_permissions_result, f'Failed to set user permissions to folder:{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Setting member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name_pas, 'View,Grant,Edit', user_id_pas, folder_id)
assert member_perm_success, f'Failed to set member permissions to Folder:{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Creating set for UserA
success, set_id = SetsManager.create_manual_collection(
pas_power_user_session, secret_params['set_name'] + suffix,
'DataVault')
logger.info(f'creating manual set:{success} with set id as: {set_id}')
assert success, f'Failed to create manual set for User A: {set_id}'
# Create text type secret within folder for User A
added_text_secret_success, added_text_secret_result = create_text_secret_within_folder(
pas_power_user_session, secret_params['secret_name'] + suffix,
secret_params['secret_text'], secret_params['secret_description'],
folder_id, set_id)
assert added_text_secret_success, f'Failed to create secret for User A:{added_text_secret_result}'
logger.info(f'Secret Created successfully: {added_text_secret_success}')
# Verifying inherited permissions for User B
get_permission_result = get_rows_acl(pas_power_user_session,
added_text_secret_result)
assert get_permission_result, f'Failed to inherit permissions for User B:{get_permission_result}'
logger.info(
f' Successfully inherited permissions for User B: {get_permission_result}'
)
secrets_list.append(added_text_secret_result)
rows_returned = get_permission_result['Result']
for rows in rows_returned:
if rows['PrincipalName'] == user_name_pas:
assert rows[
'Inherited'], "Failed to verify the inherited permissions"
def test_needs_retrieve_permission_to_secret(core_session, users_and_roles,
create_secret_inside_folder,
pas_general_secrets):
"""
C283961: User needs Retrieve Secret permission to retrieve and delete secret
:param core_session: Authenticated Centrify Session.
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param create_secret_inside_folder: Fixture to create secret inside foledr & yield secrets & folders details.
:param pas_general_secrets: Fixture to read secret data from yaml file.
"""
folder_id_list, folder_name, secret_id = create_secret_inside_folder
params = pas_general_secrets
suffix = guid()
# Getting new session for User A
pas_power_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name:{user_name}'
)
# Create text type secret within folder
added_text_secret_success, added_text_secret_result = create_text_secret_within_folder(
core_session, params['secret_name'] + suffix, params['secret_text'],
params['secret_description'], folder_id_list[0])
assert added_text_secret_success, f'Failed to create secret {added_text_secret_result}'
logger.info(f'Secret Created successfully: {added_text_secret_success}')
# Setting user permissions to folder
user_permissions_result = give_user_permissions_to_folder(
core_session, user_name, user_id, folder_id_list[0], 'View')
assert user_permissions_result, f'Failed to set user permissions to folder:{user_permissions_result}'
logger.info(f'User Permissions to folder: {user_permissions_result}')
# Setting member permissions(Delete, Retrieve) to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'View,Grant,Delete,Retrieve', user_id,
folder_id_list[0])
assert member_perm_success, f'Failed to set member permissions to Folder:{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Deleting child secret should work
del_success, del_result = del_secret(pas_power_user_session,
added_text_secret_result)
assert del_success, f'Failed to delete child secret: {del_result}'
logger.info(
f'Successfully deleted child secret: {del_success}{del_result}')
# Setting member permissions(Delete) to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(
core_session, user_name, 'View,Grant,Delete', user_id,
folder_id_list[0])
assert member_perm_success, f'Failed to set member permissions to Folder:{member_perm_result["Result"]}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Deleting child secret should work(without Retrieve)
del_success, del_result = del_secret(pas_power_user_session, secret_id[0])
assert del_success, f'Failed to delete child secret: {del_result}'
logger.info(f'Successfully deleted child secret: {del_result}')
secret_id.remove(secret_id[0])
def test_union_of_all_its_permissions(core_session,
pas_general_secrets,
cleanup_secrets_and_folders,
users_and_roles):
"""
C3056: test method Union of all its permissions
1)create multilevel folder /alpha/beta/charlie/delta
2) Login as Admin, set folder permissions "View" for alpha,"Edit" for beta, "Delete" for charlie,"Add" for delta
3) Login as pas user
4) verify sub folder permissions will have a union of all parent folders
:param core_session: Authenticated Centrify session
:param pas_general_secrets: Fixture to read secrets related data from yaml file
:param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created
:param users_and_roles: Fixture to create random user with PAS User Rights
"""
params = pas_general_secrets
folder_prefix = guid()
folders_list = cleanup_secrets_and_folders[1]
secrets_list = cleanup_secrets_and_folders[0]
# creating multilevel folder /alpha/beta/charlie/delta
child_folder_success, child_folder_parameters, child_folder_id = create_folder(
core_session,
folder_prefix + params['multi_level_folder_name'],
params['description'])
assert child_folder_success, f'Failed to create multilevel folder, API response result: {child_folder_id}'
logger.info(f'Multilevel Folder created successfully: {child_folder_success} & details are {child_folder_id}')
# Getting details of Folder Charlie
charlie_folder = get_folder(core_session, child_folder_id)
assert charlie_folder['success'], \
f'Failed to retrieve charlie folder details, API response result:{charlie_folder["Message"]}'
logger.info(f'charlie folder details:{charlie_folder}')
charlie_id = charlie_folder['Result']['Results'][0]['Row']['Parent']
# Getting details of parent folder
parent_path = charlie_folder['Result']['Results'][0]['Row']['ParentPath']
parent_folder_name = parent_path.split('\\')
parent_folder_sliced = parent_folder_name[0]
# Getting id of parent folder
parent_folder = get_folder(core_session, parent_folder_sliced)
assert parent_folder['success'], \
f'Failed to retrieve parent folder details, API response result:{parent_folder["Message"]}'
logger.info(f'Parent folder details:{parent_folder}')
parent_folder_id = parent_folder['Result']['Results'][0]['Row']['ID']
# Getting details of Folder alpha
alpha_folder = get_secrets_and_folders_in_folders(core_session, parent_folder_id)
assert alpha_folder['success'], f'Failed to retrieve alpha folder id, API response result: {alpha_folder["Result"]}'
logger.info(f'Details of Alpha Folder Retrieved:{alpha_folder}')
alpha_folder_id = alpha_folder["Result"]["Results"][0]["Entities"][0]["Key"]
# Getting details of Folder beta
folder_beta = get_secrets_and_folders_in_folders(core_session, alpha_folder_id)
assert folder_beta['success'], f'Failed to retrieve beta folder id, API response result: {folder_beta["Result"]}'
logger.info(f'Details of Beta Folder Retrieved:{folder_beta}')
folder_beta_id = folder_beta["Result"]["Results"][0]["Entities"][0]["Key"]
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(f'User with PAS User Rights login successfully: user_Name:{user_name}')
# Adding secrets inside child folder
added_secret_success, added_secret_id = create_text_secret_within_folder(core_session,
params['mfa_secret_name'] + folder_prefix,
params['secret_text'],
params['secret_description'],
child_folder_id)
assert added_secret_success, f"Added Secret Failed, API response result {added_secret_id}"
logger.info(f'Added secrets info: {added_secret_id}')
# Api to give user permissions to folder alpha
user_permissions_alpha = give_user_permissions_to_folder(core_session, user_name, user_id, alpha_folder_id, 'View')
assert user_permissions_alpha['success'], \
f'Not Able to set user permissions to folder, API response result: {user_permissions_alpha["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions_alpha}')
# Api to give user permissions to folder beta
user_permissions_beta = give_user_permissions_to_folder(core_session, user_name, user_id, folder_beta_id, 'Edit')
assert user_permissions_beta['success'], \
f'Not Able to set user permissions to folder, API response result: {user_permissions_beta["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions_beta}')
# Api to give member permissions(View, Edit) to folder beta
member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session,
user_name,
'View, Edit',
user_id,
folder_beta_id)
assert member_perm_success,\
f'Not Able to set "View" member permissions to Folder, API response result: {member_perm_result}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Api to give member permissions(Delete, Retrieve) to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session,
user_name,
'Delete,Retrieve',
user_id,
charlie_id)
assert member_perm_success,\
f'Not Able to set "View" member permissions to Folder, API response result: {member_perm_result}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# Updating the secret name & description
result = update_secret(pas_power_user_session,
added_secret_id,
folder_prefix + params['mfa_secret_name_update'],
description=params['mfa_secret_description'])
assert result['success'], f'Not Able to update the secret, API response result: {result["Message"]} '
logger.info(f'Secret Updated Details: {result}')
# Getting details of the Secret updated
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
pas_power_user_session,
added_secret_id)
description_updated = get_secret_details['Description']
name_updated = get_secret_details['SecretName']
assert 'MFAOnSecretUpdate' in name_updated,\
f'Failed to update the name, API response result:{get_secret_success}'
assert 'mfa_description' in description_updated,\
f'Failed to update the description, API response result:{get_secret_success}'
logger.info(f'Details of the secret updated: {get_secret_details}')
# Deleting newly created secrets
del_success, del_result = del_secret(pas_power_user_session, added_secret_id)
assert del_success, f'Failed to delete the secret with pas user, API response result: {del_result}'
logger.info(f'Secret deleted successfully with pas user:{del_result}')
folders_list.append(child_folder_id)
folders_list.append(charlie_id)
folders_list.append(folder_beta_id)
folders_list.append(alpha_folder_id)
folders_list.append(parent_folder_id)
logger.info(f'Added Folders are deleted successfully: {folders_list}')
logger.info(f'Added Secrets deleted successfully: {secrets_list}')
def test_replace_mfa_policy_on_parent_folder_verify_challenged(
core_session,
pas_general_secrets,
create_secret_inside_folder,
core_session_unauthorized,
clean_up_policy,
users_and_roles):
"""
C2980: test method to MFA policy on Parent folder, verify challenged
:param core_session: Authenticated Centrify Session
:param pas_general_secrets: Fixture to read secret data from yaml file
:param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder"
:param core_session_unauthorized: Fixture to start authentication MFA
:param clean_up_policy: Fixture to clean up the policy created
:param users_and_roles: Fixture to create random user with pas user rights
"""
secrets_params = pas_general_secrets
suffix = guid()
folder_list, folder_name, secret_list = create_secret_inside_folder
challenges = ["UP", ""]
policy_result = PolicyManager.create_new_auth_profile(core_session, secrets_params['policy_name'] + suffix,
challenges, 0, 0)
assert policy_result, f'Failed to create policy, API response result:{policy_result}'
logger.info(f' Creating new policy:{policy_result}')
clean_up_policy.append(policy_result)
# Applying MFA on Folder
result = update_folder(core_session, folder_list[0],
folder_name,
secrets_params['mfa_folder_name_update'] + suffix,
description=secrets_params['mfa_folder_description'],
policy_id=policy_result)
assert result['success'], f'Not Able to apply MFA, API response result:: {result["Message"]} '
logger.info(f'Applying MFA for folder: {result}')
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(f'{pas_power_user_session.auth_details}')
logger.info(f'User with PAS User Rights login successfully: user_Name:{user_name}')
# Getting password for MFA
password = users_and_roles.get_default_user_password()
# Api to give user permissions to folder
user_permissions_alpha = give_user_permissions_to_folder(core_session, user_name, user_id, folder_list[0], 'View')
assert user_permissions_alpha['success'], \
f'Not Able to set user permissions to folder{user_permissions_alpha["Result"]}'
logger.info(f'User Permissions to folder: {user_permissions_alpha}')
# Api to give member permissions to folder
member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session,
user_name,
'View, Edit',
user_id,
folder_list[0])
assert member_perm_success, f'Not Able to set member permissions to Folder: {member_perm_result}'
logger.info(f'Member permissions to folder:{member_perm_result}')
# MFA Authentication starts on the secret to be replaced
mfa_authentication = pas_power_user_session.start_authentication(user_name)
result = mfa_authentication.json()['Result']
success = mfa_authentication.json()['success']
assert success, f'Failed to start MFA Authentication on the secret to be replaced, API response result:{result}'
challenge_value = result['Challenges'][0]['Mechanisms'][0]['Name']
assert challenge_value == 'UP', f'Challenge "Password" is not set, API response result:{result}'
logger.info(f'MFA Authentication with "Password" starts on the secret to be replaced:{mfa_authentication.json()}')
# Advance MFA Authentication starts on the secret to be replaced
up_result = pas_power_user_session.advance_authentication(password, challenge_index=0, mechanism_name='UP')
mfa_result = up_result.json()
assert mfa_result['success'], f'Failed to respond to challenge, API response result:{mfa_result["Result"]}'
logger.info(f'MFA popups before secret gets replaced:{mfa_result}')
# Replacing the text of the secret
result = update_secret(pas_power_user_session,
secret_list[0],
secrets_params['mfa_secret_name_update'] + suffix,
secret_text=secrets_params['secret_text_replaced'],
policy_id=policy_result)
assert result['success'], f'Not Able to replace the text of the secret, API response result:{result["Message"]} '
logger.info(f'Secret gets replaced: {result}')
# Removing MFA from secret
result = update_secret(pas_power_user_session,
secret_list[0],
secrets_params['mfa_secret_name_update'] + suffix,
secret_text=secrets_params['secret_text_replaced']
)
assert result['success'], f'Not Able to remove MFA, API response result:{result["Message"]} '
logger.info(f'Removing MFA from secret: {result}')
# Removing MFA from folder
result = update_folder(core_session, folder_list[0],
folder_name,
secrets_params['mfa_folder_name_update'] + suffix
)
assert result['success'], f'Not Able to remove MFA, API response result:: {result["Message"]} '
logger.info(f'Removing MFA from folder: {result}')
# Getting details of the Secret Replaced
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session,
secret_list[0])
assert get_secret_text == secrets_params['secret_text_replaced'], \
f'Failed to replace the secret, API response result: {get_secret_success}'
logger.info(f'Details of the secret Replaced: {get_secret_details}')