def test_mfa_on_closest_parent_should_override_mfa_on_higher_levels( core_session, pas_general_secrets, cleanup_secrets_and_folders, clean_up_policy, core_session_unauthorized): """ C2982: MFA on closest parent should override MFA on higher levels 1) Create a multilevel folder "Folder/Subfolder/secretName" 2) Assign different MFA to parent(Folder) & Nested Folder(Subfolder) 3) Verify secretName inherits challenge of subfolder :param core_session: Authenticated Centrify Session :param pas_general_secrets: Fixture to read secret data from yaml file :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folder created :param clean_up_policy: Fixture to cleanup the policy created :param core_session_unauthorized: Fixture to start authentication MFA """ folder_list = cleanup_secrets_and_folders[1] secrets_list = cleanup_secrets_and_folders[0] folder_params = pas_general_secrets suffix = guid() folder_name = folder_params['folder_name_with_frwdslashes'] + suffix # creating multilevel folder "Folder/Subfolder/secretName" added_secret_success, details, secret_id = create_text_secret( core_session, folder_name, folder_params['secret_text']) assert added_secret_success, "Added Multilevel folder Failed,API response result: {secret_id} " logger.info(f'Added Multilevel folder info: {details, secret_id}') secrets_list.append(secret_id) # Getting details of the secret found_secret = get_secret(core_session, secret_id) assert found_secret['success'], \ f'Failed to get the details of the secret, API response result:{found_secret["Message"]}' logger.info(f'Getting details of the secret: {found_secret}') nested_folder_id = found_secret['Result']['FolderId'] nested_folder_path = found_secret['Result']['ParentPath'] parent_folder_list = nested_folder_path.split('\\') parent_folder_name = parent_folder_list[0] # Getting details of Parent Folder parent_folder = get_folder(core_session, nested_folder_id) parent_folder_id = parent_folder["Result"]["Results"][0]["Row"]["Parent"] nested_folder_name = parent_folder["Result"]["Results"][0]["Row"][ "SecretName"] logger.info(f'Parent Folder details: {parent_folder}') if folder_list != []: folder_list[0] = nested_folder_id folder_list[1] = parent_folder_id else: folder_list.append(nested_folder_id) folder_list.append(parent_folder_id) challenges = ["UP", ""] challenges_v2 = ["UP,EMAIL", ""] # Creating new policy with Password policy_result = PolicyManager.create_new_auth_profile( core_session, folder_params['policy_name'] + suffix, challenges, 0, 0) assert policy_result, f'Failed to create policy, API response result:{policy_result}' logger.info(f' Creating new policy:{policy_result}') clean_up_policy.append(policy_result) # Creating new policy with Password & Email policy_result_email = PolicyManager.create_new_auth_profile( core_session, folder_params['policy_name'] + "V2" + suffix, challenges_v2, 0, 0) assert policy_result_email, f'Failed to create another policy, API response result:{policy_result_email}' logger.info(f' Creating another policy:{policy_result_email}') clean_up_policy.append(policy_result_email) # Applying MFA on Nested Folder result = update_folder(core_session, nested_folder_id, nested_folder_name, nested_folder_name, description=folder_params['mfa_folder_description'], policy_id=policy_result) assert result[ 'success'], f'Not Able to apply MFA on Nested folder, API response result: {result["Message"]} ' logger.info(f'MFA Applied on Nested Folder: {result}') # Applying MFA on Parent Folder result = update_folder(core_session, parent_folder_id, parent_folder_name, parent_folder_name, description=folder_params['mfa_folder_description'], policy_id=policy_result_email) assert result[ 'success'], f'Not Able to apply MFA on parent folder, API response result: {result["Message"]} ' logger.info(f'MFA Applied on Parent Folder: {result}') user = core_session.get_user() user_name = user.get_login_name() password = user.get_password() # MFA Authentication starts on the secret to be replaced mfa_authentication = core_session_unauthorized.start_authentication( user_name) result = mfa_authentication.json()['Result'] success = mfa_authentication.json()['success'] assert success, f'Failed to start MFA Authentication on the secret to be replaced, API response result:{result}' challenge_value = result['Challenges'][0]['Mechanisms'][0]['Name'] assert challenge_value == 'UP', f'Challenge "Password" is not set, API response result:{result}' logger.info( f'MFA Authentication applies for closest parent,Password Only:{mfa_authentication.json()}' ) # Advance MFA Authentication starts on the secret to be replaced up_result = core_session_unauthorized.advance_authentication( password, challenge_index=0, mechanism_name='UP') mfa_result = up_result.json() assert mfa_result[ 'success'], f'Failed to respond to challenge, API response result:{mfa_result["Result"]}' logger.info( f'MFA applies for closest parent,popups before secret gets replaced: {mfa_result}' ) # Replacing the text of the secret result = update_secret(core_session, secret_id, folder_params['mfa_secret_name_update'] + suffix, secret_text=folder_params['secret_text_replaced']) assert result[ 'success'], f'Not Able to replace the text of the secret, API response result:{result["Message"]} ' logger.info(f'Secret gets replaced: {result}') # Removing MFA from Nested folder result = update_folder(core_session, nested_folder_id, nested_folder_name, nested_folder_name, description=folder_params['mfa_folder_description']) assert result[ 'success'], f'Not Able to remove mfa from folder, API response result:: {result["Message"]} ' logger.info(f'Removing mfa from folder: {result}') # Removing MFA from Parent folder result = update_folder(core_session, parent_folder_id, parent_folder_name, parent_folder_name, description=folder_params['mfa_folder_description']) assert result[ 'success'], f'Not Able to remove mfa from folder, API response result:: {result["Message"]} ' logger.info(f'Removing mfa from folder: {result}') # Getting details of the Secret Replaced get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents( core_session, secret_id) assert get_secret_text == folder_params['secret_text_replaced'], \ f'Failed to replace the secret, API response result: {get_secret_success}' logger.info(f'Details of the secret Replaced: {get_secret_details}')
def test_user_type_parameter(core_session, cleanup_accounts, cleanup_reports): """ TCID: C6341 Create report with User type parameter required :param core_session: Centrify Authentication session """ user_list = cleanup_accounts[2] session_user = core_session.__dict__ display_name_1 = session_user['auth_details']['DisplayName'] user_create_data = Configs.get_test_node('platform_report_data', 'automation_main') prefix = user_create_data['prefix'] user_alias = core_session.auth_details['User'].split('@')[1] user_name_2 = prefix + guid() + "@" + user_alias user_props = { "Mail": user_create_data['user_email'], "Password": user_create_data['password'], "PasswordNeverExpire": True, "DisplayName": user_create_data['display_name'], "Username": user_name_2, "Name": user_name_2 } success, result_user_2 = UserManager.create_user_with_args( core_session, user_props) assert success, f'Failed to create an user:{result_user_2}' logger.info(f'Successfully created an user:{result_user_2}') reports = Reports(core_session, pop_prefix_base) report = reports.create_report({ "Name": "report_A", "Query": "select Username, LastLogin from user where DisplayName= @userNM", "Parameters": [{ "Type": "User", "Name": "userNM", "Label": "Input searched username", "ObjectProperty": "DisplayName" }] }) assert report, f'Failed to create the report:{report}' logger.info(f'Successfully Created report: {report}') # Actual result for all user list with display name same as session user display name. # and this details will compare all the user from reports page actual_script_1 = f'Select Username, LastLogin from user where DisplayName = "{display_name_1}"' actual_user_list_1 = [] actual_result_1 = RedrockController.redrock_query(core_session, actual_script_1) for user in actual_result_1: actual_user_list_1.append(user['Row']) # Expected result for all users which user name same as session user display name and will assert the list # of users of actual session user display name list expected_result_1 = RedrockController.get_report_result_list_of_user( core_session, "userNM", display_name_1, "Input searched username") expected_user_list_1 = [] for expected_result in expected_result_1: expected_user_list_1.append(expected_result['Row']) assert expected_user_list_1 == actual_user_list_1, f'The report result list all users whose DisplayName is not ' \ f'same with selected users DisplayName:{actual_user_list_1}' logger.info(f'The report result list all users whose DisplayName is ' f'same with selected users displayname:{expected_user_list_1}') # Actual result for all user list with display name same as another user display name. # and this details will compare all the user from reports page actual_script_2 = f'Select Username, LastLogin from user where DisplayName = "{user_create_data["display_name"]}"' actual_user_list_2 = [] actual_result_2 = RedrockController.redrock_query(core_session, actual_script_2) for user in actual_result_2: actual_user_list_2.append(user['Row']) # Expected result for all users which user name same as another user display name and will assert the list # of users of actual another user display name list expected_result_2 = RedrockController.get_report_result_list_of_user( core_session, "userNM", user_create_data['display_name'], "Input searched username") expected_user_list_2 = [] for user in expected_result_2: expected_user_list_2.append(user['Row']) assert expected_user_list_2 == actual_user_list_2, f'The report result list all users whose DisplayName is not ' \ f'same with selected users DisplayName:{actual_user_list_2}' logger.info(f'The report result list all users whose DisplayName is ' f'same with selected users displayname:{expected_user_list_2}') # Delete the created user user_list.append(result_user_2) found_report = reports.get_report_by_name(core_session, report['Name'] + ".report") cleanup_reports.append(found_report['Path'])
def test_string_type_parameter(core_session, created_suffix, suffix_cleaner, cleanup_accounts, cleanup_reports): """ TCID: C6340 Create report with String type parameter required :param created_suffix: centrify Authentication Session :param core_session: Fixture to add the suffix :param suffix_cleaner: Fixture to delete the created suffix :param cleanup_accounts: Fixture to delete the created user :param cleanup_reports: Fixture to delete the created report """ user_list = cleanup_accounts[2] user_create_data = Configs.get_test_node('platform_report_data', 'automation_main') prefix = user_create_data['prefix'] user_alias = core_session.auth_details['User'].split('@')[1] user_name_1 = prefix + guid() + "@" + user_alias user_props = { "Mail": user_create_data['user_email'], "Password": user_create_data['password'], "PasswordNeverExpire": True, "Username": user_name_1, "Name": user_name_1 } success, result_user_1 = UserManager.create_user_with_args( core_session, user_props) assert success, f'Failed to create an user:{result_user_1}' logger.info(f'Successfully created an user:{result_user_1}') suffix_alias = created_suffix user_name_2 = prefix + guid() + "@" + suffix_alias['alias'] user_props = { "Mail": user_create_data['user_email'], "Password": user_create_data['password'], "PasswordNeverExpire": True, "Username": user_name_2, "Name": user_name_2 } success, result_user_2 = UserManager.create_user_with_args( core_session, user_props) assert success, f'Failed to create an user:{result_user_2}' logger.info(f'Successfully created an user:{result_user_2}') reports = Reports(core_session, pop_prefix_base) report = reports.create_report({ "Name": "report_A", "Query": "select Username, " "lastlogin from user where Username like @userNM", "Parameters": [{ "Type": "string", "Name": "userNM", "Label": "Input searched username" }] }) assert report, f'Failed to create the report:{report}' logger.info(f'Successfully Created report: {report}') # All users whose username starts with prefix sript_1 = f"select Username, lastlogin from user where Username like '{prefix}%'" result_prefix = RedrockController.redrock_query(core_session, sript_1) username_with_prefix = [] for username in result_prefix: username_with_prefix.append(username['Row']['Username']) for i in username_with_prefix: assert i.startswith( prefix ), f'The report result user list are not starting with {prefix}' logger.info( f'The report result list all users whose Username starts with: {username_with_prefix}' ) # All users whose username ends with suffix sript_2 = f"select Username, lastlogin from user where Username like '%{suffix_alias['alias']}'" result_suffix = RedrockController.redrock_query(core_session, sript_2) username_with_suffix = [] for username_suffix in result_suffix: username_with_suffix.append(username_suffix['Row']['Username']) for i in username_with_suffix: assert i.endswith( suffix_alias['alias'] ), f'The report result user list are not ending with:{suffix_alias["alias"]}' logger.info( f'The report result list all users whose Username ends with: {username_with_prefix}' ) # Delete created report, user and suffix found_report = reports.get_report_by_name(core_session, report['Name'] + ".report") cleanup_reports.append(found_report['Path']) user_list.append(result_user_2) user_list.append(result_user_1) suffix_cleaner.append(suffix_alias['alias'])
def test_both_source_and_destination_have_mfa(core_session, pas_general_secrets, create_secret_inside_folder, create_secret_folder, clean_up_policy): """ C284028: Both source and destination have MFA :param core_session: Authenticated Centrify Session :param pas_general_secrets: Fixture to read secret data from yaml file :param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder" :param create_secret_folder: Fixture to create Folder & yields folder related details :param clean_up_policy: Fixture to clean up the policy created """ user_detail = core_session.__dict__ user_name = user_detail['auth_details']['User'] secrets_params = pas_general_secrets suffix = guid() folder_id_source, folder_name_source, secret_list = create_secret_inside_folder secret_folder_details = create_secret_folder folder_id_destination = secret_folder_details['ID'] folder_name_destination = secret_folder_details['Name'] challenges = ["UP", ""] challenges_v2 = ["SQ", ""] # creating a new Authentication profile policy_result = PolicyManager.create_new_auth_profile( core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0) assert policy_result, f'Failed to create policy, API response result:{policy_result}' logger.info(f' Creating new policy:{policy_result}') clean_up_policy.append(policy_result) # creating a new Authentication profile policy_result_v2 = PolicyManager.create_new_auth_profile( core_session, secrets_params['policy_name'] + "v2" + suffix, challenges_v2, 0, 0) assert policy_result_v2, f'Failed to create policy, API response result:{policy_result_v2}' logger.info(f' Creating new policy:{policy_result_v2}') clean_up_policy.append(policy_result_v2) # Applying MFA on Folder result = update_folder( core_session, folder_id_source[0], folder_name_source, folder_name_source, description=secrets_params['mfa_folder_description'], policy_id=policy_result) assert result[ 'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} ' logger.info(f'Applying MFA for folder: {result}') # Applying MFA on Folder result = update_folder( core_session, folder_id_destination, folder_name_destination, folder_name_destination, description=secrets_params['mfa_folder_description'], policy_id=policy_result_v2) assert result[ 'success'], f'Not Able to apply MFA, API response result:: {result["Message"]} ' logger.info(f'Applying MFA for folder: {result}') # Move Folder with Mfa Authentication result_folder_result = move_folder(core_session, folder_id_source[0], folder_id_destination) # StartChallenge MFA Authentication session, mechanism = core_session.start_mfa_authentication( user_name, result_folder_result['Result']['ChallengeId']) # AdvanceAuthentication MFA to Password advance_auth_result = core_session.advance_authentication( answer=core_session.user.user_input.password, session_id=session, mechanism_id=mechanism) mfa_result = advance_auth_result.json() assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}' # After Authenticating of MFA move source folder with mfa to destination folder with mfa. moved_success, moved_result = move_folder_by_using_mfa( core_session, folder_id_source[0], target_folder_info=folder_id_destination, ChallengeStateId=result_folder_result['Result']['ChallengeId']) assert moved_success, f'Failed to verify Mfa challenged by source folder, API response result:{mfa_result} ' logger.info( f'Successfully verified Mfa challenged by source folder: {moved_result}' ) # Removing MFA on Folder result = update_folder( core_session, folder_id_source[0], folder_name_source, folder_name_source, description=secrets_params['mfa_folder_description']) assert result[ 'success'], f'Failed to remove MFA, API response result: {result["Message"]} ' logger.info(f'Successfully removed MFA for folder: {result}') # Removing MFA on Folder result = update_folder( core_session, folder_id_destination, folder_name_destination, folder_name_destination, description=secrets_params['mfa_folder_description']) assert result[ 'success'], f'Failed to remove MFA, API response result: {result["Message"]} ' logger.info(f'Successfully removed MFA for folder: {result}')
def _make_one_server_get_name(session, mutable_list, ssh=False): server_prefix = "bsd_tst_sys" + "-" + str(ResourceManager.time_mark_in_hours()) + "-" + guid() if ssh: batch1 = ResourceManager.add_multiple_ssh_systems_with_accounts(session, 1, 2, mutable_list, system_prefix=server_prefix) else: batch1 = ResourceManager.add_multiple_systems_with_accounts(session, 1, 2, mutable_list, system_prefix=server_prefix) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1]) names_of_servers = list(ResourceManager.get_multi_added_system_ids(session, all_systems).keys()) return server_prefix, names_of_servers, batch1.keys()
def test_pe_can_execute_priv_command_set_asmnt_on_adgroup( core_session, setup_user_in_ad_group, setup_generic_pe_command_with_no_rules_all_OS, create_manual_set, users_and_roles, cleanup_servers): # Add System sys_name = "test_pe_can_execute_priv_command" + guid() sys_fqdn = "fqdn" + guid() added_system_id, system_success_status = ResourceManager.add_system( core_session, name=sys_name, fqdn=sys_fqdn, computerclass="Windows", sessiontype="Rdp") assert system_success_status, f'Adding system failed returned status {system_success_status}' logger.debug(f"Successfully added a System: {added_system_id}") cleanup_servers.append(added_system_id) # Create Set and the system to this set set_id = create_manual_set(core_session, "Server", object_ids=[added_system_id])['ID'] logger.debug( f"Successfully created a set and added system to that set: {set_id}") commandName, commandID = setup_generic_pe_command_with_no_rules_all_OS aduser, _, adgroup = setup_user_in_ad_group if adgroup is None: pytest.skip("Cannot create adgroup") # Add assignment asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Group", principal=adgroup['DisplayName'], scopeType="Collection", scope=set_id, principalId=None, bypassChallenge=True) asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment( core_session, commandID=commandID, scopeType=asmnt_info['ScopeType'], scope=asmnt_info['Scope'], principalType=asmnt_info['PrincipalType'], principal=asmnt_info['Principal'], byPassChallenge=True, starts=asmnt_info['Starts'], expires=asmnt_info['Expires']) assert isSuccess, f"Adding assignment failed" asmnt_info['ID'] = asmntID results, isSuccess = PrivilegeElevation.can_execute_priv_command( core_session, user=aduser['SystemName'], system=sys_name, command="sc stop cagent") assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}" assert len(results['PrivilegeElevationCommands'] ) == 1, f"Only single command should exist {results}" results_assignments = results['PrivilegeElevationCommands'][0][ 'Assignments'] assert len(results_assignments ) == 1 and results['Granted'], f"Granted should be true" PrivilegeElevation.check_can_execute_priv_command_results( asmnt_info, results['PrivilegeElevationCommands'] [0]), f"All params not matching {results}" #clean up errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment( core_session, asmntID) assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_pe_can_execute_priv_command_sys_asmnt_on_user( core_session, setup_generic_pe_command_with_no_rules, cleanup_servers): # Add System sys_name = "test_pe_can_execute_priv_command" + guid() sys_fqdn = "fqdn" + guid() added_system_id, system_success_status = ResourceManager.add_system( core_session, name=sys_name, fqdn=sys_fqdn, computerclass="Unix", sessiontype="Ssh") assert system_success_status, f'Adding system failed returned status {system_success_status}' logger.debug(f"Successfully added a System: {added_system_id}") cleanup_servers.append(added_system_id) commandName, commandID = setup_generic_pe_command_with_no_rules # Get Admin info admin_user = core_session.get_user() admin_user_name = admin_user.get_login_name() admin_user_id = admin_user.get_id() # Add assignment asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="User", principal=admin_user_name, scopeType="System", scope=added_system_id, principalId=admin_user_id, bypassChallenge=True) asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment( core_session, commandID=commandID, scopeType=asmnt_info['ScopeType'], scope=asmnt_info['Scope'], principalType=asmnt_info['PrincipalType'], principalID=asmnt_info['PrincipalId'], byPassChallenge=True, starts=asmnt_info['Starts'], expires=asmnt_info['Expires']) assert isSuccess, f"Adding assignment failed" asmnt_info['ID'] = asmntID results, isSuccess = PrivilegeElevation.can_execute_priv_command( core_session, user=admin_user_name, system=sys_name, command="sudo date") assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}" assert len(results['PrivilegeElevationCommands'] ) == 1, f"Only single command should exist {results}" results_assignments = results['PrivilegeElevationCommands'][0][ 'Assignments'] assert len(results_assignments ) == 1 and results['Granted'], f"Granted should be true" PrivilegeElevation.check_can_execute_priv_command_results( asmnt_info, results['PrivilegeElevationCommands'] [0]), f"All params not matching {results}" #clean up errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment( core_session, asmntID) assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_mfa_policy_parent_folder_and_secret_verify_not_challenged_on_settings_update( core_session, pas_general_secrets, users_and_roles, create_secret_inside_folder, clean_up_policy): """ test method to verify that mfa does not exist on updating the settings & policy for an existing parent folder "MFAOnParentFolder" & secret "MFAOnSecrets" with already assigned mfa for that folder & secret :param core_session: Authenticated Centrify Session :param pas_general_secrets: Fixture to read secret data from yaml file :param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder" :param users_and_roles: Fixture to create New user with PAS Power Rights :param clean_up_policy: Fixture to clean up the policy created """ secrets_params = pas_general_secrets prefix = guid() folder_list, folder_name, secret_list = create_secret_inside_folder pas_power_user = users_and_roles.get_user('Privileged Access Service Power User') user_name = pas_power_user.get_login_name() user_id = pas_power_user.get_id() text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session, user_name, 'View,Edit', user_id, secret_list[0]) assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}' logger.info(f'setting permissions for text type secret: : {text_type_secret_success}') # Api to create new policy policy_result_sq = PolicyManager.create_new_auth_profile(core_session, prefix + secrets_params['policy_name'], ["SQ", None], None, "30") assert policy_result_sq is not None, f'Failed to create policy:{policy_result_sq}' logger.info(f' Creating new policy:{policy_result_sq}') clean_up_policy.append(policy_result_sq) # Api to create new policy policy_result = PolicyManager.create_new_auth_profile(core_session, prefix + secrets_params['policy_name_new'], ["UP", None], None, "30") assert policy_result is not None, f'Failed to create policy:{policy_result}' logger.info(f' Creating new policy:{policy_result}') clean_up_policy.append(policy_result) # Update settings & policy for Folder result = update_folder(core_session, folder_list[0], folder_name, secrets_params['mfa_folder_name_update'] + prefix, description=secrets_params['mfa_folder_description'], policy_id=policy_result_sq) assert result['success'], f'Not Able to update the settings: {result["Message"]} ' logger.info(f'Update settings for secret: {result}') # Update settings for secret result = update_secret(core_session, secret_list[0], prefix + secrets_params['mfa_secret_name_update'], description=secrets_params['mfa_secret_description'], policy_id=policy_result) assert result['success'], f'Not Able to update the settings: {result["Message"]} ' logger.info(f'Update settings for secret: {result}') # Removing policy for Folder result = update_folder(core_session, folder_list[0], folder_name, secrets_params['mfa_folder_name_update'] + prefix, description=secrets_params['mfa_folder_description']) assert result['success'], f'Not Able to update the settings: {result["Message"]} ' logger.info(f'Update settings for secret: {result}') # Removing policy for secret result = update_secret(core_session, secret_list[0], prefix + secrets_params['mfa_secret_name_update'], description=secrets_params['mfa_secret_description']) assert result['success'], f'Not Able to update the settings: {result["Message"]} ' logger.info(f'Update settings for secret: {result}') # Getting details of the Folder updated result_folder = get_folder(core_session, folder_list[0]) logger.info(f'Updated Folder details: {result_folder}') description_updated = result_folder["Result"]["Results"][0]["Row"]["Description"] name_updated = result_folder["Result"]["Results"][0]["Row"]["Name"] assert 'MFAOnParentFolderUpdate' in name_updated, \ f'Failed to update the name{result_folder["Result"]["Results"][0]["Row"]["Name"]}' assert 'mfa_description' in description_updated, \ f'Failed to update the description{result_folder["Result"]["Results"][0]["Row"]["Description"]}' # Getting details of the Secret updated get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents( core_session, secret_list[0]) description_updated = get_secret_details['Description'] name_updated = get_secret_details['SecretName'] assert 'MFAOnSecretUpdate' in name_updated, f'Failed to update the name{get_secret_success}' assert 'mfa_description' in description_updated, f'Failed to update the description{get_secret_success}' logger.info(f'Details of the secret updated: {get_secret_details}')
def test_pe_can_execute_priv_command_set_asmnt_on_non_sysadmin_role( core_session, setup_generic_pe_command_with_no_rules, create_manual_set, users_and_roles, cleanup_servers): # Add System sys_name = "test_pe_can_execute_priv_command" + guid() sys_fqdn = "fqdn" + guid() added_system_id, system_success_status = ResourceManager.add_system( core_session, name=sys_name, fqdn=sys_fqdn, computerclass="Unix", sessiontype="Ssh") assert system_success_status, f'Adding system failed returned status {system_success_status}' logger.debug(f"Successfully added a System: {added_system_id}") cleanup_servers.append(added_system_id) # Create Set and the system to this set set_id = create_manual_set(core_session, "Server", object_ids=[added_system_id])['ID'] logger.debug( f"Successfully created a set and added system to that set: {set_id}") commandName, commandID = setup_generic_pe_command_with_no_rules role = users_and_roles.populate_role({ 'Name': "can_exec_role" + guid(), "Rights": ["Admin Portal Login"] }) # Get User userobj = users_and_roles.populate_user({'Name': 'user' + guid()}) #Add user to role users_and_roles.add_user_to_role(userobj, role) # Add assignment asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID, commandName=commandName, principalType="Role", principal=role['Name'], scopeType="Collection", scope=set_id, principalId=None, bypassChallenge=True) asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment( core_session, commandID=commandID, scopeType=asmnt_info['ScopeType'], scope=asmnt_info['Scope'], principalType=asmnt_info['PrincipalType'], principal=asmnt_info['Principal'], byPassChallenge=True, starts=asmnt_info['Starts'], expires=asmnt_info['Expires']) assert isSuccess, f"Adding assignment failed" asmnt_info['ID'] = asmntID results, isSuccess = PrivilegeElevation.can_execute_priv_command( core_session, user=userobj.get_login_name(), system=sys_name, command="sudo date") assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}" assert len(results['PrivilegeElevationCommands'] ) == 1, f"Only single command should exist {results}" results_assignments = results['PrivilegeElevationCommands'][0][ 'Assignments'] assert len(results_assignments ) == 1 and results['Granted'], f"Granted should be true" PrivilegeElevation.check_can_execute_priv_command_results( asmnt_info, results['PrivilegeElevationCommands'] [0]), f"All params not matching {results}" #clean up errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment( core_session, asmntID) assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_union_of_all_its_permissions(core_session, pas_general_secrets, cleanup_secrets_and_folders, users_and_roles): """ C3056: test method Union of all its permissions 1)create multilevel folder /alpha/beta/charlie/delta 2) Login as Admin, set folder permissions "View" for alpha,"Edit" for beta, "Delete" for charlie,"Add" for delta 3) Login as pas user 4) verify sub folder permissions will have a union of all parent folders :param core_session: Authenticated Centrify session :param pas_general_secrets: Fixture to read secrets related data from yaml file :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created :param users_and_roles: Fixture to create random user with PAS User Rights """ params = pas_general_secrets folder_prefix = guid() folders_list = cleanup_secrets_and_folders[1] secrets_list = cleanup_secrets_and_folders[0] # creating multilevel folder /alpha/beta/charlie/delta child_folder_success, child_folder_parameters, child_folder_id = create_folder( core_session, folder_prefix + params['multi_level_folder_name'], params['description']) assert child_folder_success, f'Failed to create multilevel folder, API response result: {child_folder_id}' logger.info(f'Multilevel Folder created successfully: {child_folder_success} & details are {child_folder_id}') # Getting details of Folder Charlie charlie_folder = get_folder(core_session, child_folder_id) assert charlie_folder['success'], \ f'Failed to retrieve charlie folder details, API response result:{charlie_folder["Message"]}' logger.info(f'charlie folder details:{charlie_folder}') charlie_id = charlie_folder['Result']['Results'][0]['Row']['Parent'] # Getting details of parent folder parent_path = charlie_folder['Result']['Results'][0]['Row']['ParentPath'] parent_folder_name = parent_path.split('\\') parent_folder_sliced = parent_folder_name[0] # Getting id of parent folder parent_folder = get_folder(core_session, parent_folder_sliced) assert parent_folder['success'], \ f'Failed to retrieve parent folder details, API response result:{parent_folder["Message"]}' logger.info(f'Parent folder details:{parent_folder}') parent_folder_id = parent_folder['Result']['Results'][0]['Row']['ID'] # Getting details of Folder alpha alpha_folder = get_secrets_and_folders_in_folders(core_session, parent_folder_id) assert alpha_folder['success'], f'Failed to retrieve alpha folder id, API response result: {alpha_folder["Result"]}' logger.info(f'Details of Alpha Folder Retrieved:{alpha_folder}') alpha_folder_id = alpha_folder["Result"]["Results"][0]["Entities"][0]["Key"] # Getting details of Folder beta folder_beta = get_secrets_and_folders_in_folders(core_session, alpha_folder_id) assert folder_beta['success'], f'Failed to retrieve beta folder id, API response result: {folder_beta["Result"]}' logger.info(f'Details of Beta Folder Retrieved:{folder_beta}') folder_beta_id = folder_beta["Result"]["Results"][0]["Entities"][0]["Key"] # API to get new session for User A pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service User') assert pas_power_user_session.auth_details, 'Failed to Login with PAS User' user_name = pas_power_user_session.auth_details['User'] user_id = pas_power_user_session.auth_details['UserId'] logger.info(f'User with PAS User Rights login successfully: user_Name:{user_name}') # Adding secrets inside child folder added_secret_success, added_secret_id = create_text_secret_within_folder(core_session, params['mfa_secret_name'] + folder_prefix, params['secret_text'], params['secret_description'], child_folder_id) assert added_secret_success, f"Added Secret Failed, API response result {added_secret_id}" logger.info(f'Added secrets info: {added_secret_id}') # Api to give user permissions to folder alpha user_permissions_alpha = give_user_permissions_to_folder(core_session, user_name, user_id, alpha_folder_id, 'View') assert user_permissions_alpha['success'], \ f'Not Able to set user permissions to folder, API response result: {user_permissions_alpha["Result"]}' logger.info(f'User Permissions to folder: {user_permissions_alpha}') # Api to give user permissions to folder beta user_permissions_beta = give_user_permissions_to_folder(core_session, user_name, user_id, folder_beta_id, 'Edit') assert user_permissions_beta['success'], \ f'Not Able to set user permissions to folder, API response result: {user_permissions_beta["Result"]}' logger.info(f'User Permissions to folder: {user_permissions_beta}') # Api to give member permissions(View, Edit) to folder beta member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session, user_name, 'View, Edit', user_id, folder_beta_id) assert member_perm_success,\ f'Not Able to set "View" member permissions to Folder, API response result: {member_perm_result}' logger.info(f'Member permissions to folder:{member_perm_result}') # Api to give member permissions(Delete, Retrieve) to folder member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session, user_name, 'Delete,Retrieve', user_id, charlie_id) assert member_perm_success,\ f'Not Able to set "View" member permissions to Folder, API response result: {member_perm_result}' logger.info(f'Member permissions to folder:{member_perm_result}') # Updating the secret name & description result = update_secret(pas_power_user_session, added_secret_id, folder_prefix + params['mfa_secret_name_update'], description=params['mfa_secret_description']) assert result['success'], f'Not Able to update the secret, API response result: {result["Message"]} ' logger.info(f'Secret Updated Details: {result}') # Getting details of the Secret updated get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents( pas_power_user_session, added_secret_id) description_updated = get_secret_details['Description'] name_updated = get_secret_details['SecretName'] assert 'MFAOnSecretUpdate' in name_updated,\ f'Failed to update the name, API response result:{get_secret_success}' assert 'mfa_description' in description_updated,\ f'Failed to update the description, API response result:{get_secret_success}' logger.info(f'Details of the secret updated: {get_secret_details}') # Deleting newly created secrets del_success, del_result = del_secret(pas_power_user_session, added_secret_id) assert del_success, f'Failed to delete the secret with pas user, API response result: {del_result}' logger.info(f'Secret deleted successfully with pas user:{del_result}') folders_list.append(child_folder_id) folders_list.append(charlie_id) folders_list.append(folder_beta_id) folders_list.append(alpha_folder_id) folders_list.append(parent_folder_id) logger.info(f'Added Folders are deleted successfully: {folders_list}') logger.info(f'Added Secrets deleted successfully: {secrets_list}')
def test_add_duplicate_names_with_different_folder_names( core_session, cleanup_secrets_and_folders, pas_general_secrets): """test method to add duplicate names with different subfolder names using forwardslashes """ secrets_list = cleanup_secrets_and_folders[0] folder_list = cleanup_secrets_and_folders[1] secrets_params = pas_general_secrets secret_prefix = guid() secret_parameters = { 'SecretName': secret_prefix + secrets_params['nested_secret_name_new'], 'SecretText': secrets_params['secret_text'], 'Type': 'Text', 'Description': secrets_params['secret_description'], 'FolderId': '' } """Api to add secret """ secret_added_result = core_session.post(EndPoints.SECRET_ADD, secret_parameters).json() assert secret_added_result[ 'success'], f'Not able to create secret with {secret_added_result["Result"]}' logger.info( f'Secret Created successfully: {secret_added_result["success"]}{secret_added_result["Result"]}' ) secrets_list.append(secret_added_result["Result"]) get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents( core_session, secret_added_result["Result"]) child_id = get_secret_details['FolderId'] logger.info(f'child id :{child_id}') parent_path = get_secret_details['ParentPath'] parent_folder_name = parent_path.split('\\') parent_folder_sliced = parent_folder_name[0] secret_parameters = { 'SecretName': parent_folder_sliced + secrets_params['nested_secret_name_new_duplicate'], 'SecretText': secrets_params['secret_text'], 'Type': 'Text', 'Description': secrets_params['secret_description'], 'FolderId': '' } """Api to add duplicate secret """ duplicate_secret_added_result = core_session.post( EndPoints.SECRET_ADD, secret_parameters).json() assert duplicate_secret_added_result["success"], \ f'Adding Duplicate Secret Failed:{duplicate_secret_added_result["Result"]}' logger.info( f'Duplicate Secret Created successfully: {duplicate_secret_added_result["success"]}' f'{duplicate_secret_added_result["Result"]}') secrets_list.append(duplicate_secret_added_result["Result"]) """Api to get id of parent folder """ parent_folder = get_folder(core_session, parent_folder_sliced) parent_folder_id = parent_folder["Result"]["Results"][0]["Row"]["ID"] assert parent_folder_id is not None, f'Failed to retrieve super parent id :{parent_folder_id}' logger.info(f'Super parent folder id:{parent_folder_id}') """Api to nested folder details""" nested_folder = get_secrets_and_folders_in_folders( core_session, parent_folder["Result"]["Results"][0]["Row"]["ID"]) nested_folder_id = nested_folder["Result"]["Results"][0]["Row"]["ID"] assert nested_folder_id is not None, f'Failed to retrieve nested folder id' logger.info(f'Nested Folder id:{nested_folder_id}') """Api to get child folder details""" child_folder = get_secrets_and_folders_in_folders( core_session, nested_folder["Result"]["Results"][0]["Row"]["ID"]) child_folder_id = child_folder["Result"]["Results"][0]["Row"]["ID"] assert child_folder_id is not None, f'Failed to retrieve child folder id' logger.info(f'child Folder id:{child_folder_id}') folder_list.append(child_id) folder_list.append(child_folder_id) folder_list.append(nested_folder_id) folder_list.append(parent_folder_id) logger.info(f'Secret deleted successfully:{secrets_list}') logger.info(f'Folder deleted successfully:{folder_list}')
def test_update_manage_proxy_account(pas_config, core_session, winrm_engine, remote_users_qty3, test_proxy, cleanup_accounts, cleanup_resources): """ TC: C2549 - Update managed account with using proxy account trying to Update managed account with using proxy account Steps: Pre: Create system with 1 proxy and manage account hand 1. Try to update invalid password for proxy account -Assert Failure 2. Try to update valid password for proxy account -Assert Failure 3. Try to check activity log's -Assert Failure 4. Try to check password history """ system_list = cleanup_resources[0] accounts_list = cleanup_accounts[0] # Getting system details. sys_name = f'{"Win-2012"}{guid()}' sys_details = pas_config add_user_in_target_system = remote_users_qty3 user_password = '******' fdqn = sys_details['Windows_infrastructure_data']['FQDN'] # Adding system. add_sys_result, add_sys_success = ResourceManager.add_system( core_session, sys_name, fdqn, 'Windows', "Rdp") assert add_sys_success, f"failed to add system:API response result:{add_sys_result}" logger.info(f"Successfully added system:{add_sys_result}") system_list.append(add_sys_result) # Update system with proxy user update_sys_success, update_sys_result = ResourceManager.update_system( core_session, add_sys_result, sys_name, fdqn, 'Windows', proxyuser=add_user_in_target_system[1], proxyuserpassword=user_password, proxyuserismanaged=True) assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}' logger.info(f"Successfully update the system:{update_sys_result}") # Update system with proxy user password. update_sys_success, update_sys_result = ResourceManager.update_system( core_session, add_sys_result, sys_name, fdqn, 'Windows', proxyuser=add_user_in_target_system[1], proxyuserpassword=guid(), proxyuserismanaged=True) assert update_sys_result is False, f'Fail to update the system:API response result: {update_sys_result}' logger.info(f"Successfully update the system:{update_sys_result}") # Adding account in portal. acc_result, acc_success = ResourceManager.add_account( core_session, add_user_in_target_system[0], password=user_password, host=add_sys_result, ismanaged=True) assert acc_success, f"Failed to add account in the portal: {acc_result}" logger.info( f"Successfully added account {add_user_in_target_system[0]} in the portal" ) accounts_list.append(acc_result) # set a different password for the user update_user_password(winrm_engine, add_user_in_target_system[1], user_password) user_name = core_session.get_user().get_login_name() # rotate password for manage account result, success = ResourceManager.rotate_password(core_session, acc_result) assert success, f"Did not Rotate Password {result}" logger.info( f'account activity logs for un manage account API response:{result}') result, success = ResourceManager.check_out_password( core_session, 1, acc_result) assert success, f"Did not retrieve password {result}" logger.info( f'account activity logs for un manage account API response:{result}') row = ResourceManager.get_system_activity(core_session, add_sys_result) assert f'{user_name} checked out local account "{add_user_in_target_system[0]}" ' \ f'password for system "{sys_name}"({fdqn})' in \ row[0]['Detail'], "user not able to update un managed account password" logger.info( f'account activity logs for un manage account API response:{row}') query = f"select EntityId, State, StateUpdatedBy, StateUpdatedTime from PasswordHistory where EntityId=" \ f"'{acc_result}' and StateUpdatedBy='{user_name}' and State='Retired'" password_history = RedrockController.get_result_rows( RedrockController.redrock_query(core_session, query))[0] assert len( password_history ) > 0, f"Password history table did not update {password_history}" logger.info(f'Password history table API response:{password_history}')
def test_update_manage_account_win_rm(pas_config, winrm_engine, core_session, remote_users_qty1, cleanup_accounts, test_proxy, cleanup_resources): """ :param pas_config: to get the data from yaml files. :param remote_users_qty1: to create a manage account in windows system :param cleanup_resources: cleanup the system from portal :param cleanup_accounts: cleanup the accounts from portal :param winrm_engine: session to update manage account :param core_session: Authenticated Centrify Session. TC: C2551 - Update managed account password with winRM https configured trying to Update managed account password with winRM https configured Steps: Pre: Create system with 1 proxy and manage account hand 1. Try to update invalid password for manage account -Assert Failure """ sys_details = pas_config system_data_values = sys_details['Windows_infrastructure_data'] add_user_in_target_system = remote_users_qty1 password = "******" # set a different password for the user update_user_password(winrm_engine, add_user_in_target_system[0], password) system_list = cleanup_resources[0] accounts_list = cleanup_accounts[0] # Getting system details. sys_name = f'{"Win-2012"}{guid()}' # Adding system. add_sys_result, add_sys_success = ResourceManager.add_system( core_session, sys_name, system_data_values['FQDN'], 'Windows', "Rdp") assert add_sys_success, f"failed to add system:API response result:{add_sys_result}" logger.info(f"Successfully added system:{add_sys_result}") system_list.append(add_sys_result) # Update system with management mode 'WinRMOverHttp'. update_sys_success, update_sys_result = ResourceManager.update_system( core_session, add_sys_result, sys_name, system_data_values['FQDN'], 'Windows', managementmode='WinRMOverHttps') assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}' logger.info(f"Successfully update the system:{update_sys_result}") # Adding account in portal. acc_result, acc_success = ResourceManager.add_account( core_session, add_user_in_target_system[0], password=password, host=add_sys_result, ismanaged=True) assert acc_success, f"Failed to add account in the portal: {acc_result}" logger.info( f"Successfully added account {add_user_in_target_system[0]} in the portal" ) accounts_list.append(acc_result) managementMode = RedrockController.get_computer_with_ID( core_session, add_sys_result) assert managementMode['ManagementMode'] == "WinRMOverHttps", \ f"management mode is failed because of system doesnt have proxy account. API response result: {managementMode}" logger.info( f"Fetch management mode successfully: {managementMode['ManagementMode']}" ) Result, success = ResourceManager.update_password(core_session, acc_result, guid()) assert success is False, f"Did not update password {Result}" logger.info(f"user not able to update password API response: {Result}")
def test_retrieve_mfa_on_closest_parent_should_override_mfa( core_session, pas_general_secrets, cleanup_secrets_and_folders, clean_up_policy): """ C283926: MFA on closest parent should override MFA on higher levels 1) Create a multilevel folder "Folder/Subfolder/secretName" 2) Assign different MFA to parent(Folder) & Nested Folder(Subfolder) 3) Verify secretName inherits challenge of subfolder :param core_session: Authenticated Centrify Session :param pas_general_secrets: Fixture to read secret data from yaml file :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folder created :param clean_up_policy: Fixture to cleanup the policy created """ folder_list = cleanup_secrets_and_folders[1] secrets_list = cleanup_secrets_and_folders[0] folder_params = pas_general_secrets suffix = guid() secret_name = folder_params['folder_name_with_frwdslashes'] + suffix user_name = core_session.auth_details['User'] # creating multilevel folder "Folder/Subfolder/secretName" added_secret_success, details, secret_id = create_text_secret( core_session, secret_name, folder_params['secret_text']) assert added_secret_success, "Added Multilevel folder Failed,API response result: {secret_id} " logger.info(f'Added Multilevel folder info: {details, secret_id}') secrets_list.append(secret_id) # Getting details of the secret found_secret = get_secret(core_session, secret_id) assert found_secret['success'], \ f'Failed to get the details of the secret, API response result:{found_secret["Message"]}' logger.info(f'Getting details of the secret: {found_secret}') nested_folder_id = found_secret['Result']['FolderId'] nested_folder_path = found_secret['Result']['ParentPath'] parent_folder_list = nested_folder_path.split('\\') parent_folder_name = parent_folder_list[0] # Getting details of Parent Folder parent_folder = get_folder(core_session, nested_folder_id) parent_folder_id = parent_folder["Result"]["Results"][0]["Row"]["Parent"] nested_folder_name = parent_folder["Result"]["Results"][0]["Row"][ "SecretName"] logger.info(f'Parent Folder details: {parent_folder}') if folder_list != []: folder_list[0] = nested_folder_id folder_list[1] = parent_folder_id else: folder_list.append(nested_folder_id) folder_list.append(parent_folder_id) challenges = ["UP", ""] challenges_v2 = ["UP,EMAIL", ""] # Creating new policy with Password policy_result = PolicyManager.create_new_auth_profile( core_session, folder_params['policy_name'] + suffix, challenges, 0, 0) assert policy_result, f'Failed to create policy, API response result:{policy_result}' logger.info(f' Creating new policy:{policy_result}') clean_up_policy.append(policy_result) # Creating new policy with Password & Email policy_result_email = PolicyManager.create_new_auth_profile( core_session, folder_params['policy_name'] + "V2" + suffix, challenges_v2, 0, 0) assert policy_result_email, f'Failed to create another policy, API response result:{policy_result_email}' logger.info(f' Creating another policy:{policy_result_email}') clean_up_policy.append(policy_result_email) # Applying MFA on Nested Folder result = update_folder(core_session, nested_folder_id, nested_folder_name, nested_folder_name, description=folder_params['mfa_folder_description'], policy_id=policy_result) assert result[ 'success'], f'Failed to apply MFA on Nested folder, API response result: {result["Message"]} ' logger.info(f'MFA Applied on Nested Folder: {result}') # Applying MFA on Parent Folder result = update_folder(core_session, parent_folder_id, parent_folder_name, parent_folder_name, description=folder_params['mfa_folder_description'], policy_id=policy_result_email) assert result[ 'success'], f'Failed to apply MFA on parent folder, API response result: {result["Message"]} ' logger.info(f'MFA Applied on Parent Folder: {result}') # Move Secret with Mfa Authentication retrieve_success, retrieve_result = retrieve_secret_contents( core_session, secret_id) # StartChallenge MFA Authentication session, mechanism = core_session.start_mfa_authentication( user_name, retrieve_result['ChallengeId']) # AdvanceAuthentication MFA to Password advance_auth_result = core_session.advance_authentication( answer=core_session.user.user_input.password, session_id=session, mechanism_id=mechanism) mfa_result = advance_auth_result.json() assert advance_auth_result, f'Password Authentication Failed, API response result:{mfa_result["success"]}' logger.info( f'Successfully applied password authentication with closest parent: {mfa_result}' ) # After Authenticating of MFA move secret with challenge password retrieve_secret_success, retrieve_secret_result = retrieve_secret_contents_with_mfa( core_session, secret_id, ChallengeStateId=retrieve_result['ChallengeId']) assert retrieve_secret_success, f'Failed to retrieve secret with closest parent challenge: {retrieve_secret_result}' logger.info( f'Successfully retrieved secret with closest parent challenge: {retrieve_secret_result}' ) # Removing MFA on Nested Folder result = update_folder(core_session, nested_folder_id, nested_folder_name, nested_folder_name, description=folder_params['mfa_folder_description']) assert result[ 'success'], f'Failed to remove MFA on Nested folder, API response result: {result["Message"]} ' logger.info(f'MFA removed on Nested Folder: {result}') # Removing MFA on Parent Folder result = update_folder(core_session, parent_folder_id, parent_folder_name, parent_folder_name, description=folder_params['mfa_folder_description']) assert result[ 'success'], f'Failed to remove MFA on parent folder, API response result: {result["Message"]} ' logger.info(f'MFA removed on Parent Folder: {result}')
def test_delete_sub_folder_with_mfa_on_parent(core_session, create_folder_inside_folder, pas_general_secrets, clean_up_policy, cleanup_secrets_and_folders): """ C284043: Delete sub folder that has MFA on parent :param core_session: Authenticated Centrify Session. :param create_folder_inside_folder : Fixture to create nested folder & yields folder related details :param pas_general_secrets: Fixture to read secrets related data from yaml file :param clean_up_policy: Fixture to clean up the policy created :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folders created """ parent_folder_info, nested_folder_info, nested_folder_id = create_folder_inside_folder parent_folder_id = parent_folder_info['ID'] parent_folder_name = parent_folder_info['Name'] params = pas_general_secrets suffix = guid() challenges1 = ["UP", ""] user_name = core_session.auth_details['User'] folders_list = cleanup_secrets_and_folders[1] # creating a new Authentication profile for folder policy_result = PolicyManager.create_new_auth_profile( core_session, params['policy_name'] + suffix, challenges1, 0, 0) assert policy_result, f'Failed to create policy, API response result:{policy_result}' logger.info(f' Creating new policy:{policy_result}') clean_up_policy.append(policy_result) # Updating the Parent Folder(Applying MFA) result = update_folder(core_session, parent_folder_id, parent_folder_name, parent_folder_name, description=params['mfa_folder_description'], policy_id=policy_result) assert result[ 'success'], f' Failed to apply MFA on parent folder, API response result: {result["Message"]} ' logger.info(f'MFA Applied on Parent Folder: {result}') # Delete sub folder with Mfa Authentication del_result = del_folder(core_session, nested_folder_id) # StartChallenge MFA Authentication session, mechanism = core_session.start_mfa_authentication( user_name, del_result['Result']['ChallengeId']) # AdvanceAuthentication MFA to Password result = core_session.advance_authentication( answer=core_session.user.user_input.password, session_id=session, mechanism_id=mechanism) assert result, "Password Authentication Failed" # After Authentication of MFA delete sub folder del_secret_result = del_folder_mfa( core_session, nested_folder_id, ChallengeStateId=del_result['Result']['ChallengeId']) assert del_secret_result[ 'success'], f'Failed to delete sub folder with mfa,API response result:{del_secret_result}' logger.info( f'Successfully deleted sub folder with MFA & get challenged: {del_secret_result}' ) folders_list.remove(nested_folder_id) # Updating the Folder(Removing MFA) result = update_folder(core_session, parent_folder_id, parent_folder_name, parent_folder_name) assert result[ 'success'], f' Failed to remove MFA on parent folder, API response result: {result["Message"]} ' logger.info(f'MFA Removed on Parent Folder: {result}')
def test_replace_mfa_policy_on_parent_folder_verify_challenged( core_session, pas_general_secrets, create_secret_inside_folder, core_session_unauthorized, clean_up_policy, users_and_roles): """ C2980: test method to MFA policy on Parent folder, verify challenged :param core_session: Authenticated Centrify Session :param pas_general_secrets: Fixture to read secret data from yaml file :param create_secret_inside_folder: Fixture to create secret "MFAOnSecret" inside folder "MFAOnParentFolder" :param core_session_unauthorized: Fixture to start authentication MFA :param clean_up_policy: Fixture to clean up the policy created :param users_and_roles: Fixture to create random user with pas user rights """ secrets_params = pas_general_secrets suffix = guid() folder_list, folder_name, secret_list = create_secret_inside_folder challenges = ["UP", ""] policy_result = PolicyManager.create_new_auth_profile(core_session, secrets_params['policy_name'] + suffix, challenges, 0, 0) assert policy_result, f'Failed to create policy, API response result:{policy_result}' logger.info(f' Creating new policy:{policy_result}') clean_up_policy.append(policy_result) # Applying MFA on Folder result = update_folder(core_session, folder_list[0], folder_name, secrets_params['mfa_folder_name_update'] + suffix, description=secrets_params['mfa_folder_description'], policy_id=policy_result) assert result['success'], f'Not Able to apply MFA, API response result:: {result["Message"]} ' logger.info(f'Applying MFA for folder: {result}') # API to get new session for User A pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service User') assert pas_power_user_session.auth_details, 'Failed to Login with PAS User' user_name = pas_power_user_session.auth_details['User'] user_id = pas_power_user_session.auth_details['UserId'] logger.info(f'{pas_power_user_session.auth_details}') logger.info(f'User with PAS User Rights login successfully: user_Name:{user_name}') # Getting password for MFA password = users_and_roles.get_default_user_password() # Api to give user permissions to folder user_permissions_alpha = give_user_permissions_to_folder(core_session, user_name, user_id, folder_list[0], 'View') assert user_permissions_alpha['success'], \ f'Not Able to set user permissions to folder{user_permissions_alpha["Result"]}' logger.info(f'User Permissions to folder: {user_permissions_alpha}') # Api to give member permissions to folder member_perm_result, member_perm_success = set_member_permissions_to_folder(core_session, user_name, 'View, Edit', user_id, folder_list[0]) assert member_perm_success, f'Not Able to set member permissions to Folder: {member_perm_result}' logger.info(f'Member permissions to folder:{member_perm_result}') # MFA Authentication starts on the secret to be replaced mfa_authentication = pas_power_user_session.start_authentication(user_name) result = mfa_authentication.json()['Result'] success = mfa_authentication.json()['success'] assert success, f'Failed to start MFA Authentication on the secret to be replaced, API response result:{result}' challenge_value = result['Challenges'][0]['Mechanisms'][0]['Name'] assert challenge_value == 'UP', f'Challenge "Password" is not set, API response result:{result}' logger.info(f'MFA Authentication with "Password" starts on the secret to be replaced:{mfa_authentication.json()}') # Advance MFA Authentication starts on the secret to be replaced up_result = pas_power_user_session.advance_authentication(password, challenge_index=0, mechanism_name='UP') mfa_result = up_result.json() assert mfa_result['success'], f'Failed to respond to challenge, API response result:{mfa_result["Result"]}' logger.info(f'MFA popups before secret gets replaced:{mfa_result}') # Replacing the text of the secret result = update_secret(pas_power_user_session, secret_list[0], secrets_params['mfa_secret_name_update'] + suffix, secret_text=secrets_params['secret_text_replaced'], policy_id=policy_result) assert result['success'], f'Not Able to replace the text of the secret, API response result:{result["Message"]} ' logger.info(f'Secret gets replaced: {result}') # Removing MFA from secret result = update_secret(pas_power_user_session, secret_list[0], secrets_params['mfa_secret_name_update'] + suffix, secret_text=secrets_params['secret_text_replaced'] ) assert result['success'], f'Not Able to remove MFA, API response result:{result["Message"]} ' logger.info(f'Removing MFA from secret: {result}') # Removing MFA from folder result = update_folder(core_session, folder_list[0], folder_name, secrets_params['mfa_folder_name_update'] + suffix ) assert result['success'], f'Not Able to remove MFA, API response result:: {result["Message"]} ' logger.info(f'Removing MFA from folder: {result}') # Getting details of the Secret Replaced get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents( core_session, secret_list[0]) assert get_secret_text == secrets_params['secret_text_replaced'], \ f'Failed to replace the secret, API response result: {get_secret_success}' logger.info(f'Details of the secret Replaced: {get_secret_details}')