def test_other_user_cant_see_secret_created_by_first_user_in_bad(
core_session, users_and_roles, created_system_id_list, swap_roles):
roles = [
"Privileged Access Service Administrator",
"Privileged Access Service Power User"
]
if swap_roles:
roles_new = [roles[1], roles[0]]
roles = roles_new
batch = ResourceManager.add_multiple_systems_with_accounts(
core_session, 2, 2, created_system_id_list)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch])
deleter_user_0_session = users_and_roles.get_session_for_user(roles[0])
deleter_user_0_role = users_and_roles.get_role(roles[0])
other_user_1_session = users_and_roles.get_session_for_user(roles[1])
for account_id in all_accounts:
permission_string = 'Owner,View,Manage,Delete,Login,Naked,UpdatePassword,FileTransfer,UserPortalLogin'
result, success = ResourceManager.assign_account_permissions(
core_session, permission_string, deleter_user_0_role['Name'],
deleter_user_0_role['ID'], "Role", account_id)
assert success, "Did not set account permissions " + str(result)
for system_id in all_systems:
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, deleter_user_0_role['Name'],
deleter_user_0_role['ID'], "Role", system_id)
assert success, "Did not set system permissions " + result
parent_folder = get_folder(deleter_user_0_session, "Bulk Delete")
assert not parent_folder[
'success'], "Should not be able to see folder before bulk delete operation as new user"
secret_name = f"secret{guid()}"
job_id, result = ResourceManager.del_multiple_accounts(
deleter_user_0_session,
all_accounts,
save_passwords=True,
secret_name=secret_name)
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
parent_folder = get_folder(deleter_user_0_session, "Bulk Delete")
assert parent_folder[
'success'], "Should be able to see folder before bulk delete operation as new user"
remaining_accounts = set(
ResourceManager.get_multi_added_account_ids(core_session,
created_system_id_list))
assert remaining_accounts == set(
), "Remaining accounts did not match expectation"
secret_id = RedrockController.get_secret_id_by_name(
deleter_user_0_session, secret_name)
assert secret_id is not None, f"Secret was not visible to creator '{roles[0]}' user, either because it " \
f"wasn't created or because of a permissions issue"
secret_id = RedrockController.get_secret_id_by_name(
other_user_1_session, secret_name)
assert secret_id is None, f"Secret should not be '{roles[1]}' user when created by '{roles[0]}' user"
secret_id = RedrockController.get_secret_id_by_name(
core_session, secret_name)
assert secret_id is not None, f"Sys admin should be able to see secret created by {roles[0]}"
def agent_enrolled_unix_system_with_users(core_tenant, core_session_global,
agent_enrolled_unix_system,
users_and_roles, cleanup_accounts,
create_unix_users, proxy_start_stop,
detect_proxy):
config = Configs().get_yaml_node_as_tuple("agents", "generic_cagent_unix")
accounts_list = cleanup_accounts[0]
proxycontrol = proxy_start_stop
logger.info("adding users on the enrolled system")
system_id = agent_enrolled_unix_system["ResourceId"]
ssh_session = agent_enrolled_unix_system["Session"]
adminuser = {"Name": config.username, "Password": config.password}
# add users on target system
accountusers = create_unix_users(ssh_session, "agent_", 2)
logger.info("Users created " + str(len(accountusers)))
for i, val in enumerate(accountusers):
logger.info(
str(i) + ", Name: " + val["Name"] + "Password:"******"Password"])
right_data = ("Privileged Access Service Power User",
"role_Privileged Access Service Power User")
requester_session = users_and_roles.get_session_for_user(right_data[0])
role_info = users_and_roles.get_role(right_data[0])
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(
core_session_global, permission_string, role_info['Name'],
role_info['ID'], "Role", system_id)
assert success, "Did not set system permissions " + result
# Step 3 Create Accounts for testing
logger.info("Adding root account")
admin_account_id, add_account_success = ResourceManager.add_account(
requester_session,
adminuser['Name'],
adminuser["Password"],
system_id,
ismanaged=False)
assert add_account_success, "Failed to create Account user: root"
logger.info(f"Added root Account. Id {admin_account_id}")
accounts_list.append(admin_account_id)
logger.info("Adding user for reconciliation")
new_account_id, add_account_success = ResourceManager.add_account(
requester_session,
accountusers[0]['Name'],
accountusers[0]['Password'],
system_id,
ismanaged=True)
assert add_account_success, "Failed to create manged Account user: "******", Verify CC or agent settings and status"
logger.info(f"Added Account for testing. Id {new_account_id}")
accounts_list.append(new_account_id)
permission_string = "Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword,FileTransfer,UserPortalLogin"
result, success = ResourceManager.assign_account_permissions(
core_session_global, permission_string, role_info['Name'],
role_info['ID'], "Role", new_account_id)
assert success, "Did not set account permissions " + result
# Get computer details for update
result = RedrockController.get_system(requester_session, system_id)
system = result[0]["Row"]
# wait for managed password change event
filter = [['AccountName', accountusers[0]['Name']]]
RedrockController.wait_for_event_by_type_filter(
requester_session,
"Cloud.Server.LocalAccount.PasswordChange",
filter=filter,
maximum_wait_second=120) # wait for 20 seonds
accounts = [{
"Name": adminuser['Name'],
"Password": adminuser["Password"],
"Id": admin_account_id
}, {
"Name": accountusers[0]["Name"],
"Password": accountusers[0]["Password"],
"Id": new_account_id
}]
proxy = start_proxy_with_machinename(requester_session, proxycontrol,
config.proxy_name)
assert proxy != None, (
f'Failed to find the connector {config.proxy_name}, Setup the connector properly.'
)
# Set Admin Account and enable local account maintenance
result, success = ResourceManager.update_system(
requester_session,
system_id,
system["Name"],
system["FQDN"],
'Unix',
proxycollectionlist=proxy,
adminaccountid=admin_account_id,
allowautomaticlocalaccountmaintenance=True)
assert success, (f'Failed to set administrative account {result}')
# return acount ids, computer,
yield [{
"ResourceId": system_id,
"ProxyId": proxy,
"ResourceName": system["Name"],
"Accounts": accounts,
"Session": ssh_session
}]
result, success, message = ResourceManager.set_system_administrative_account(
requester_session, system_id)
assert success, f'Failed to remove administrative account on {message}'
def agent_enrolled_windows_system_with_users(
core_session_global, agent_enrolled_windows_system, users_and_roles,
remote_users_qty1, cleanup_accounts, pas_ad_domain,
pas_ad_administrative_account, cleanup_lapr_systems_and_domains,
proxy_start_stop):
config = Configs().get_yaml_node_as_tuple("agents", "generic_cagent_win")
accounts_list = cleanup_accounts[0]
domains_list = cleanup_lapr_systems_and_domains[1]
systems_list = cleanup_lapr_systems_and_domains[0]
user = remote_users_qty1
proxycontrol = proxy_start_stop
accountusers = [{"Name": user[0], "Password": "******"}]
logger.info("Users created " + str(len(accountusers)))
for i, val in enumerate(accountusers):
logger.info(
str(i) + ", Name: " + val["Name"] + "Password:"******"Password"])
logger.info("adding users on the enrolled system")
system_id = agent_enrolled_windows_system["ResourceId"]
winrm_session_as_admin = agent_enrolled_windows_system["Session"]
adminuser = {
"Name": config.admin_username,
"Password": config.admin_password
}
domain_id = pas_ad_domain['ID']
admin_id = pas_ad_administrative_account['ID']
right_data = ("Privileged Access Service Power User",
"role_Privileged Access Service Power User")
requester_session = users_and_roles.get_session_for_user(right_data[0])
role_info = users_and_roles.get_role(right_data[0])
domains_list.append(pas_ad_domain)
systems_list.append(system_id)
logger.info(
"Setting Domain Administrator user as Administrative Account on domain."
)
result, success, response = ResourceManager.set_administrative_account(
core_session_global, [pas_ad_domain['Name']],
pas_ad_administrative_account['User'],
pas_ad_administrative_account['ID'])
logger.info(
"Setting Administrative Account on domain, but with no lapr settings enabled."
)
result, success = ResourceManager.update_domain_accounts(
core_session_global,
pas_ad_domain['Name'],
admin_id,
domain_id,
allowautomaticlocalaccountmaintenance=True,
allowmanuallocalaccountunlock=True)
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(
core_session_global, permission_string, role_info['Name'],
role_info['ID'], "Role", system_id)
assert success, f"Did not set system permissions {result}"
# Step 3 Create Accounts for testing
logger.info("Adding Admin account")
admin_account_id, add_account_success = ResourceManager.add_account(
requester_session,
adminuser['Name'],
adminuser["Password"],
system_id,
ismanaged=False)
assert add_account_success, "Failed to create admin user"
logger.info(f"Added root Account. Id {admin_account_id}")
accounts_list.append(admin_account_id)
logger.info("Adding user for reconciliation")
new_account_id, add_account_success = ResourceManager.add_account(
requester_session,
accountusers[0]['Name'],
accountusers[0]['Password'],
system_id,
ismanaged=True)
assert add_account_success, "Failed to create manged Account user: "******", Verify CC or agent settings and status"
logger.info(f"Added Account for testing. Id {new_account_id}")
accounts_list.append(new_account_id)
permission_string = "Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword,FileTransfer,UserPortalLogin"
result, success = ResourceManager.assign_account_permissions(
core_session_global, permission_string, role_info['Name'],
role_info['ID'], "Role", new_account_id)
assert success, "Did not set account permissions " + result
# Get computer details for update
result = RedrockController.get_system(requester_session, system_id)
system = result[0]["Row"]
# wait for managed password change event
filter = [['AccountName', accountusers[0]['Name']]]
RedrockController.wait_for_event_by_type_filter(
requester_session,
"Cloud.Server.LocalAccount.PasswordChange",
filter=filter,
maximum_wait_second=120) # wait for 120 seonds
accounts = [{
"Name": adminuser['Name'],
"Password": adminuser["Password"],
"Id": admin_account_id
}, {
"Name": accountusers[0]["Name"],
"Password": accountusers[0]["Password"],
"Id": new_account_id
}]
# set proxy
proxy = start_proxy_with_machinename(requester_session, proxycontrol,
config.proxy_name)
assert proxy != None, (
f'Failed to find the connector {config.proxy_name}, Setup the connector properly before the test'
)
result, success = ResourceManager.update_system(requester_session,
system_id,
system["Name"],
system["FQDN"],
'Windows',
domainid=domain_id,
proxycollectionlist=proxy)
assert success, (f'Failed to set reconciliation settings {result}')
result, success = ResourceManager.update_system(
requester_session,
system_id,
system["Name"],
system["FQDN"],
'Windows',
proxycollectionlist=proxy,
allowautomaticlocalaccountmaintenance=True,
allowmanuallocalaccountunlock=True)
assert success, (f'Failed to set reconciliation settings {result}')
# update_system reset the proxycollectionlist setting? Set it again.
result, success = ResourceManager.update_system(requester_session,
system_id,
system["Name"],
system["FQDN"],
'Windows',
domainid=domain_id,
proxycollectionlist=proxy)
assert success, (f'Failed to set reconciliation settings {result}')
# return acount ids, computer,
yield [{
"ResourceId": system_id,
"ProxyId": proxy,
"ResourceFQDN": system["FQDN"],
"Accounts": accounts,
"Session": winrm_session_as_admin
}]
result, success, message = ResourceManager.set_system_administrative_account(
requester_session, system_id)
assert success, f'Failed to remove administrative account on {message}'
def test_accounts_removed_my_sys_account_delete_workspace_permission(core_session, users_and_roles,
pas_windows_setup):
"""
TC:C2060 Account will removed from "My System Account" after delete "Workspace Login" permission.
:param:core_session: Returns a API session.
:param:users_and_roles:Fixture to manage roles and user.
:param pas_windows_setup:Returns a fixture.
"""
# Creating a system and account.
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup()
# Cloud user session with "Privileged Access Service Administrator".
cloud_user_session = users_and_roles.get_session_for_user('Privileged Access Service Administrator')
user_name = cloud_user_session.auth_details['User']
user_id = cloud_user_session.auth_details['UserId']
# Not Assigning "Workspace_login account permission to user.
assign_account_perm_res, assign_account_perm_success = \
ResourceManager.assign_account_permissions(core_session, "View", user_name, user_id, 'User', account_id)
assert assign_account_perm_success, f" Workspace account permission is assigned: " \
f"API response result:{assign_account_perm_res}"
logger.info(f"Successfully not assign account Workspace permission to user'{assign_account_perm_res}'")
# Assigning "View" permission for system to limited user.
assign_system_perm_res, assign_system_perm_success = ResourceManager.assign_system_permissions(core_session,
"View",
user_name,
user_id,
'User',
system_id)
assert assign_system_perm_success, f'Failed to assign "View" permissions: ' \
f'API response result {assign_system_perm_res}.'
logger.info(f"Successfully assign system permission to user'{assign_system_perm_res}'")
# Getting the details from "My System Accounts" in workspace and validating account not in "My System Accounts"
# list.
workspace_result, workspace_success = ResourceManager.get_my_system_accounts_from_workspace(cloud_user_session)
assert sys_info[4] not in workspace_result, f'Could find the account {sys_info[4]} on workspace.'
logger.info("Could not display Account on workspace")
# Assigning "Workspace Login" permission for account to limited user.
rights = "View,Login,UserPortalLogin"
assign_account_perm_res, assign_account_perm_success = \
ResourceManager.assign_account_permissions(core_session, rights, user_name, user_id, 'User', account_id)
assert assign_account_perm_success, f'Failed to assign "Workspace Login" permission:' \
f'API response result:{assign_account_perm_res}'
logger.info(f'Successfully "Workspace Login" of account permission to user"{assign_account_perm_res}"')
# Getting the details from "My System Accounts" in workspace and validating account in "My System Accounts" list.
workspace_account_list = []
workspace_result_detail, workspace_success = ResourceManager.\
get_my_system_accounts_from_workspace(cloud_user_session)
for workspace_result in workspace_result_detail:
if workspace_result['Name'] == sys_info[0]:
workspace_account_list.append(workspace_result['User'])
assert sys_info[4] in workspace_account_list, f'failed to get the account {sys_info[4]} on workspace.'
logger.info(f"Successfully display account {sys_info[4]} on workspace")
# Not Assigning "Workspace_login account permission to user.
assign_account_perm_res, assign_account_perm_success = \
ResourceManager.assign_account_permissions(core_session, "View", user_name, user_id, 'User', account_id)
assert assign_account_perm_success, f" Workspace account permission is assigned: " \
f"API response result:{assign_account_perm_res}"
logger.info(f"Successfully not assign account Workspace permission to user'{assign_account_perm_res}'")
# Getting the details from "My System Accounts" in workspace and validating account not in "My System Accounts"
# list.
workspace_result, workspace_success = ResourceManager.get_my_system_accounts_from_workspace(cloud_user_session)
assert sys_info[4] not in workspace_result, f'Could find the account {sys_info[4]} on workspace.'
logger.info(f"Failed to display on Account {sys_info[4]} on workspace")
def test_check_connector_page_for_system(core_session, pas_windows_setup,
users_and_roles):
"""
TC:C2171 Check UI on Connectors page for a system.
:param:core_session: Returns Authenticated Centrify session.
:param:users_and_roles:Fixture to manage roles and user.
:param pas_windows_setup: Return a fixture.
"""
# Creating a system and account.
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(
)
# Cloud user session with "Privileged Access Service Administrator".
cloud_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Administrator')
user_name = cloud_user_session.auth_details['User']
user_id = cloud_user_session.auth_details['UserId']
# UI session with "Privileged Access Service Administrator" rights.
ui = users_and_roles.get_ui_as_user(
'Privileged Access Service Administrator')
# Assigning system "View,Delete" permission
assign_system_result, assign_system_success = ResourceManager.assign_system_permissions(
core_session, "View,Delete", user_name, user_id, 'User', system_id)
assert assign_system_success, f"Failed to assign system permissions: API response result: {assign_system_result}"
logger.info(
f'Successfully assigned "View" permission to user:{assign_system_result}.'
)
# Getting the connectors Details.
connector_details = Configs.get_environment_node('connector_data',
'automation_main')
list_connectors_id = []
connectors_details = RedrockController.get_all_proxy(core_session)
for connector_detail in connectors_details:
if connector_detail['Name'] == connector_details['connector']:
list_connectors_id.append(connector_detail['ID'])
# Choosing the connector for the system.
result, success = ResourceManager.update_system(
core_session,
system_id=system_id,
name=sys_info[0],
fqdn=sys_info[1],
computerclass=sys_info[2],
proxycollectionlist=connector_id,
chooseConnector="on",
filterConnectorCombo="all")
assert success, f'Failed to save the connector for the system: API response result: {result}.'
logger.info(
f'Successfully save the connector for the system: API response result: {result}.'
)
# UI Launch
ui.navigate('Resources', 'Systems')
ui.search(sys_info[0])
ui.click_row(GridRowByGuid(system_id))
ui.tab('Connectors', check_rendered_tab=False)
ui.switch_context(ActiveMainContentArea())
ui.expect(
ReadOnlyTextField('filterConnectorCombo'),
'Expected the username field to be readonly for this filterConnectorCombo strategy but it is not.'
)
logger.info(
'Successfully found connector settings grayed and no error icon')
def test_accounts_set_my_system_accounts(core_session, pas_windows_setup, users_and_roles, clean_up_collections):
"""
TC:C2067 Add account to set on "My System Accounts".
:param:core_session: Returns a API session.
:param:users_and_roles:Fixture to manage roles and user.
:param pas_windows_setup:Returns a fixture.
:param:clean_up_collections: Cleans up Set.
"""
# Creating a system and account.
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup()
# Cloud user session with "Privileged Access Service Administrator".
cloud_user_session = users_and_roles.get_session_for_user('Privileged Access Service Administrator')
user_name = cloud_user_session.auth_details['User']
user_id = cloud_user_session.auth_details['UserId']
# Assigning "Workspace Login" permission for account to limited user.
rights = "View,Login,UserPortalLogin"
assign_account_perm_res, assign_account_perm_success = \
ResourceManager.assign_account_permissions(core_session, rights, user_name, user_id, 'User', account_id)
assert assign_account_perm_success, f'Failed to assign "Workspace Login" permission:' \
f'API response result:{assign_account_perm_res}'
logger.info(f'Successfully "Workspace Login" of account permission to user"{assign_account_perm_res}"')
# Assigning "View" permission for system to limited user.
assign_system_perm_res, assign_system_perm_success = ResourceManager.assign_system_permissions(core_session,
"View",
user_name,
user_id,
'User',
system_id)
assert assign_system_perm_success, f'Failed to assign "View" permissions: ' \
f'API response result {assign_system_perm_res}.'
logger.info(f"Successfully assign system permission to user'{assign_system_perm_res}'")
# Getting the details from "My System Accounts" in workspace and validating account not in "My System Accounts"
# list.
workspace_result, workspace_success = ResourceManager.get_my_system_accounts_from_workspace(cloud_user_session)
assert sys_info[4] not in workspace_result, f'Could find the account:API response result:{workspace_result}'
logger.info("Failed to display on Account on workspace")
# Creating a set and adding a account to set.
account_set_name = f'Set_test{guid()}'
success, account_set_result = SetsManager.create_manual_collection(core_session, account_set_name,
'VaultAccount',
object_ids=[account_id])
assert success, f"Failed to create system set {account_set_result}"
logger.info(f'Successfully created set:{account_set_result}')
# Getting the details of created_account_set in Accounts page and validating account is in created set.
account_set_details = RedrockController.get_set_account_details(core_session, account_id=account_id,
set_id=account_set_result)
assert account_set_details[0]['User'] == sys_info[4], f'Fail to find the account{sys_info[4]}'
logger.info(f'Successfully find "{account_set_details[0]["User"]}" in created set" {account_set_name}".')
# Cleanup the created set.
clean_up_collections.append(RedrockController.get_id_from_name(core_session, account_set_name, "Sets"))
logger.info(f'Successfully deleted created set" {account_set_name}".')
def test_privilege_elevation_workflow_can_be_enabled_by_sys_admin(
test_agent, cds_ui, cds_session, core_session):
ui, ui_user = cds_ui
session, user = cds_session
main_admin_session = core_session
main_admin_user = main_admin_session.get_user()
server_id = test_agent.computerUuid
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(
main_admin_session, permission_string, ui_user.get_login_name(),
ui_user.get_id(), "User", server_id)
# Create an assignment at collection scope
ui.navigate('Resources', 'Systems')
ui.click_row_by_guid(server_id)
ui.tab('Workflow')
ui.select_option('PrivilegeElevationWorkflowEnabled', 'Yes')
ui.switch_context(Component('privilegeElevationApproverGrid'))
ui.button('Add')
ui.select_option('Type', 'Specified User or Role')
ui.launch_modal(Button('Add', 'inlineAddButton'), 'Select User or Role')
ui.search(user.get_login_name())
ui.check_row(user.get_login_name())
ui.close_modal('Add')
ui.save()
time.sleep(20)
request_settings = {
'assignment_type': 'Temporary',
'start_grant_value': '10',
'end_grant_value': '50',
'start_time_interval': 'hours',
'start_time_interval_value': 60,
'end_time_interval': 'hours',
'end_time_interval_value': 60,
'ticket': '1'
}
# Request twice so we can approve/reject
_request_pe_permission(ui, request_settings, server_id)
_request_pe_permission(ui, request_settings, server_id)
jobs, is_get = WorkflowManager.get_my_jobs(session)
request_jobs = []
options = None
for i in jobs:
if i['Row']['Context']['Scope'] == server_id:
job = i['Row']
request_jobs.append(job)
options = job['Context']['RequestedOptions']
assert options['StartGrantValue'] == int(
request_settings['start_grant_value']
), f'StartGrantValue is not correct in job context compared to ui entry'
assert options['EndGrantValue'] == int(
request_settings['end_grant_value']
), f'EndGrantValue is not correct in job context compared to ui entry'
assert options['StartTimeInterval'] == request_settings[
'start_time_interval_value'], f'StartTimeInterval is not correct in job context compared to ui entry'
assert options['EndTimeInterval'] == request_settings[
'end_time_interval_value'], f'EndTimeInterval is not correct in job context compared to ui entry'
approve_job = request_jobs[0]
ui.navigate('Access', 'Requests')
ui.click_row_by_guid(approve_job['ID'])
ui.launch_modal('Approve', 'Approve Privilege Elevation Request')
time.sleep(20)
ui.button(
'Submit',
expectations={
'click_element_should_dissapear': True,
'seconds_to_wait': 60 #because Azure
})
job = WorkflowManager.get_my_job(session, approve_job['ID'])
assert job[
'TargetPrincipalAction'] == 'Approved', f'PE workflow request should have been approved after UI interaction but it is not'
reject_job = request_jobs[1]
ui.navigate('Access', 'Requests')
ui.click_row_by_guid(reject_job['ID'])
ui.launch_modal('Reject', 'Reject Privilege Elevation Request')
ui.input('Reason', 'Not today')
time.sleep(20)
ui.button(
'Submit',
expectations={
'click_element_should_dissapear': True,
'seconds_to_wait': 60 #because Azure
})
job = WorkflowManager.get_my_job(session, reject_job['ID'])
assert job[
'TargetPrincipalAction'] == 'Rejected', f'PE workflow request should have been approved after UI interaction but it is not'
system_direct_selector = GridRow(user.get_login_name())
# Look at the server directly, make sure the system assignment via workflow is there.
ui.navigate('Resources', 'Systems')
ui.click_row_by_guid(server_id)
ui.tab('Privilege Elevation')
ui.expect(
system_direct_selector,
'Command assignment directly on system not present even though we just created it.'
)
time.sleep(20)
def test_ui_check_after_request_login_checkout(core_session, pas_setup,
get_limited_user_function):
"""
Test case: C2121
:param core_session: Authenticated Centrify session
:param pas_setup: fixture to create system with accounts
:param users_and_roles: fixture to create user with specific right
"""
system_id, account_id, sys_info = pas_setup
limited_sesh, limited_user = get_limited_user_function
username = limited_sesh.auth_details["User"]
user_id = limited_sesh.auth_details['UserId']
result, status = ResourceManager.assign_system_permissions(core_session,
"View,Edit",
username,
user_id,
pvid=system_id)
assert status, f'failed to assign "Edit" permission to user {username} for system {sys_info[0]}'
logger.info(
f'Edit permission assigned to user {username} for system {sys_info[0]}'
)
# Assigning rights to cloud user, excluding checkout and Login right.
rights = "View,Manage"
result, success = ResourceManager.assign_account_permissions(
core_session, rights, username, user_id, pvid=account_id)
assert success, f'failed to assign rights: {rights} to cloud user {username} for account {sys_info[4]} ' \
f'of {sys_info[0]}.'
logger.info(
f'rights {rights} successfully assigned to to cloud user {username} for account {sys_info[4]} '
f'of {sys_info[0]}.')
# enabling account workflow
result, status = ResourceManager.update_account_with_approver(
core_session, account_id, sys_info[4], system_id,
core_session.get_user().get_id(),
core_session.get_user().get_login_name())
assert status, f'failed to enable account workflow for account {sys_info[4]} of system {sys_info[0]}'
logger.info(
f'workflow enabled for account {sys_info[4]} of system {sys_info[0]}.')
req_request, req_success = WorkflowManager.request_checkout(
limited_sesh,
account_id,
starttime=None,
endtime=None,
accesstype="Login",
assignmenttype="perm")
assert req_success, "Workflow Request Failed"
logger.info(f'Workflow Request is success: {req_request}')
logger.info(
f'user: {username} successfully requested for Login in account: {sys_info[4]}'
)
# Step: Request login for an Account
timenow = datetime.datetime.utcnow()
start_time = str(timenow)
end_time = str(timenow + datetime.timedelta(hours=1))
req_request, req_success = WorkflowManager.request_checkout(
limited_sesh, account_id, start_time, end_time, "Reason: Testing",
"Checkout")
assert req_success, "Workflow checkout Request Failed"
logger.info(f'Workflow checkout Request is success: {req_request}')
logger.info(
f'user: {username} successfully requested for checkout of account: {sys_info[4]}'
)
test_description = f"Test description by user: {username}"
result, success = ResourceManager.update_system(
core_session,
system_id,
sys_info[0],
sys_info[1],
"Windows",
description=test_description)
assert success, f"Unable to add a description: {sys_info[0]}. API response result: {result}"
logger.info(
f'successfully updated the description of system: {sys_info[0]}')
# Get computer details
result = RedrockController.get_system(core_session, system_id)
assert result[0]['Row'][
'Description'] == test_description, f'System description is mismatched'
logger.info(
f'successfully matched the description of system: {sys_info[0]}')
def test_check_total_session(core_session, pas_setup, get_admin_user_function,
users_and_roles):
"""
Test case: C2117
:param core_session: Authenticated Centrify session manager
:param pas_setup: fixture to create system with accounts
:param users_and_roles: fixture to create user with roles
"""
system_id, account_id, sys_info = pas_setup
cloud_user_session, user = get_admin_user_function
cloud_user, user_id, user_password = user.get_login_name(), user.get_id(
), user.get_password()
user = {"Username": cloud_user, "Password": user_password}
result, status = ResourceManager.assign_system_permissions(
core_session,
"View",
principal=cloud_user,
principalid=user_id,
pvid=system_id)
assert status, f'failed to assign view permission to user {cloud_user} for system {sys_info[0]}'
logger.info(
f'View permission assigned to user {cloud_user} for system {sys_info[0]}'
)
result, status = ResourceManager.assign_account_permissions(
core_session,
"View,Login",
principal=cloud_user,
principalid=user_id,
pvid=account_id)
assert status, f'failed to assign view permission to user {cloud_user} for account {sys_info[4]}'
logger.info(
f'View permission assigned to user {cloud_user} for account {sys_info[4]}'
)
# update system to allow system for RDP connections
result, success = ResourceManager.update_system(core_session,
system_id,
sys_info[0],
sys_info[1],
sys_info[2],
allowremote=True)
assert success, f"failed to update system {sys_info[0]}, result is {result}"
logger.info('system updated for remote connection')
ui = users_and_roles.get_ui_as_user(user_properties=user,
user_already_exists=True)
ui.navigate('Resources', 'Systems')
ui.search(sys_info[0])
ui.right_click_action(GridRowByGuid(system_id), 'Select/Request Account')
ui.switch_context(Modal(text=f'{sys_info[0]} Login'))
account_row = ui.expect(
GridCell(sys_info[4]),
f'Expected to find account row {sys_info[4]} but did not.')
account_row.try_click()
ui.close_modal('Select')
ui.switch_to_pop_up_window()
ui.expect_disappear(LoadingMask(),
f'RDP session never exited loading state',
time_to_wait=60)
ui.switch_to_main_window()
ui.user_menu('Reload Rights')
# Api call to get details of account active session
result, success = ResourceManager.get_active_sessions(core_session)
active_session_list = []
for i in range(len(result)):
if result[i]["HostName"] == sys_info[0]:
active_session_list.append(result[i]["SessionID"])
assert active_session_list, f'Failed to find the login record with "System Name: {active_session_list}"'
logger.info(f'Active session details:{active_session_list}')
def test_privilege_service_user_with_view_permission(core_session, pas_setup,
get_limited_user_module):
"""
Test case: C286564 :- Privilege Service User with view permission should can see the related activity
:param core_session: Authenticated Centrify session
:param pas_setup: fixture to create system with account
:param get_limited_user_module: creating cloud user with "Privileged Access Service Power User" right
"""
system_id, account_id, sys_info = pas_setup
cloud_user_session, cloud_user = get_limited_user_module
username = cloud_user.get_login_name()
user_id = cloud_user.get_id()
# "View" permission to cloud user for system
result, success = ResourceManager.assign_system_permissions(core_session,
"View",
username,
user_id,
pvid=system_id)
assert success, f'failed to assign view permission to user {username} for system {sys_info[0]}'
logger.info(
f'view permission for system {sys_info[0]} assigned to user {username}'
)
# Activity validation of system by cloud user
rows = ResourceManager.get_system_activity(cloud_user_session, system_id)
assert rows[0][
'Detail'] == f'{core_session.auth_details["User"]} granted User "{username}" to have "View" permissions on system ' \
f'"{sys_info[0]}"({sys_info[1]})', 'No activity related to view permission found '
logger.info(
f'cloud user {username} can see all the activities of system {sys_info[0]}'
)
# "View" permission to cloud user for account
result, success = ResourceManager.assign_account_permissions(
core_session, "View", username, user_id, pvid=account_id)
assert success, f'failed to assign permissions "View" to {username} for account {sys_info[4]} ' \
f'for system {sys_info[0]}'
logger.info(
f'View permission for account {sys_info[4]} of system {sys_info[0]} to user {username}'
)
# Activity validation of account by cloud user
activity = RedrockController.get_account_activity(cloud_user_session,
account_id)
assert activity[0][
'Detail'] == f'{core_session.auth_details["User"]} granted User "{username}" to have "View" permissions on local account' \
f' "{sys_info[4]}" for "{sys_info[0]}"({sys_info[1]}) with credential ' \
f'type Password ', 'No activity related to view permission found '
logger.info(
f'cloud user {username} can see all the activities of account {sys_info[4]} of system {sys_info[0]}'
)
# Created secret
secret_name = f"test_secret{guid()}"
status, parameters, secret_result = create_text_secret(
core_session, secret_name, "test_secret_text")
assert status, f'failed to create secret with returned result: {result}'
logger.info(
f'secret created successfully {result}, returned parameters are {parameters}'
)
# Assigning view permission to secret to cloud user
result, success = set_users_effective_permissions(core_session, username,
"View", user_id,
secret_result)
assert success, f'failed to set permissions of secret for user {username}'
logger.info(
f'successfully granted "View" permission for secret to {secret_name} to user {username}'
)
# Activity validation of secret by cloud user
secret_activity = get_secret_activity(cloud_user_session, secret_result)
assert f'{core_session.auth_details["User"]} granted User "{username}" to have "View" permissions on the ' \
f'secret "{secret_name}"' in secret_activity[0]['Detail'], 'No activity related to view permission found '
logger.info(
f'cloud user {username} can see all the activities of secret of {secret_name}'
)
