def test_verify_accounts_credential_my_system_accounts(core_session, pas_windows_setup, users_and_roles): """ TC:C2068 Verify account's credential on "My System Accounts". :param:core_session: Returns a API session. :param:users_and_roles:Fixture to manage roles and user. :param pas_windows_setup:Returns a fixture. """ # Creating a system and account. system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup( ) # Cloud user session with "Privileged Access Service Administrator". cloud_user_session = users_and_roles.get_session_for_user( 'Privileged Access Service Administrator') user_name = cloud_user_session.auth_details['User'] user_id = cloud_user_session.auth_details['UserId'] # Assigning "Workspace Login" permission for account to limited user. rights = "View,Login,UserPortalLogin" assign_account_perm_res, assign_account_perm_success = \ ResourceManager.assign_account_permissions(core_session, rights, user_name, user_id, 'User', account_id) assert assign_account_perm_success, f'Failed to assign "Workspace Login" permission:' \ f'API response result:{assign_account_perm_res}' logger.info( f'Successfully "Workspace Login" of account permission to user"{assign_account_perm_res}"' ) # Assigning "View" permission for system to limited user. assign_system_perm_res, assign_system_perm_success = ResourceManager.assign_system_permissions( core_session, "View", user_name, user_id, 'User', system_id) assert assign_system_perm_success, f'Failed to assign "View" permissions: ' \ f'API response result {assign_system_perm_res}.' logger.info( f"Successfully assign system permission to user'{assign_system_perm_res}'" ) # Getting the details from "My System Accounts" in workspace and validating account in "My System Accounts" list. workspace_account_list = [] workspace_result_detail, workspace_success = ResourceManager.\ get_my_system_accounts_from_workspace(cloud_user_session) for workspace_result in workspace_result_detail: if workspace_result['Name'] == sys_info[0]: workspace_account_list.append(workspace_result['User']) assert sys_info[ 4] in workspace_account_list, f'failed to get the account {sys_info[4]} on workspace.' logger.info(f"Could display on Account{sys_info[4]} on workspace") # validating Account health. verify_pass_result, verify_pass_success = ResourceManager.check_account_health( core_session, account_id) assert verify_pass_success, f"Failed to verify account health:API response result:{verify_pass_result}. " logger.info(f"Successfully account verified:{verify_pass_result}")
def test_sort_accounts(core_session, pas_setup): """ Test Case ID: C2101 Test Case Description: Sort accounts :param core_session: Authenticate API session :param pas_setup: Creates System and Account """ system_id, account_id, sys_info = pas_setup sorting = ServerManager.get_all_accounts(core_session, sortby='Status', ascending=True) get_result_account_health, get_success_account_health = ResourceManager.check_account_health( core_session, account_id) assert get_success_account_health, f'Account is not reachable due to result: {get_result_account_health}' logger.info('Account created successfully') # Checking whether the first account's status is blank assert sorting[0][ 'Status'] == "", "Status is not blank because Account is unreachable" logger.info( 'Status is blank and it appears at the top after sorting it in ascending order.' )
def test_add_sap_ase_db_with_unmanaged_account(core_session, add_database_with_account): """ Test case: C286609 :param core_session: Authenticated Centrify session :param add_database_with_account: fixture to create database with account """ db_name, db_id, db_account_id, db_data, database_cleaner_list, account_cleaner_list = \ add_database_with_account(db_class='sapase', add_account=True) result = UserManager.security_refresh_token(core_session) assert result['success'], 'failed to refresh Centrify session.' db_row = RedrockController.get_database(core_session, db_id=db_id) assert db_name == db_row[ 'Name'], f'"{db_name}" not found in Centrify portal.' logger.info( f'Database {db_name} found in Centrify portal with details {db_row}') result, status = ResourceManager.check_account_health( core_session, db_account_id) assert status, f"failed to verify DB account {db_data['db_account']} health" logger.info( f"database account {db_data['db_account']} verified successfully")
def test_unix_client_account_verification( core_session, agent_enrolled_unix_system_with_users, proxy_start_stop): """ This test verifies accounts using Client, Connectors Steps for this scenario: * Enroll an unix system and create a managed account and an unmanaged account. * Verify the managed account's password is changed. * stop the agent, start connector and verify both accounts (only connector is availabe) - Verify success * stop the connector and verify both accounts - Verify failure * Start the agent and verify both accounts (only Agent is availabe) - Verify success * Start the connector and verify both accounts (Both agent and connector are available) - Verify success """ """ Testrail Link: https://testrail.centrify.com/index.php?/cases/view/1293456 https://testrail.centrify.com/index.php?/cases/view/1293457 https://testrail.centrify.com/index.php?/cases/view/1293458 """ # verfiy the test is run with single thread. assert 'PYTEST_XDIST_WORKER_COUNT' not in os.environ, \ f'This test cannot be run with multiple threads due to starting and stopping connectors' enrolledsystems = agent_enrolled_unix_system_with_users accounts = enrolledsystems[0]["Accounts"] proxyid = enrolledsystems[0]["ProxyId"] session = enrolledsystems[0]["Session"] proxycontrol = proxy_start_stop logger.info("stop the agent") ssh_manager.ssh_stop_agent(session) logger.info("start the connector") proxycontrol(proxyid, True) logger.info("Verifying accounts, Connector is available") for i, val in enumerate(accounts): logger.info(str(i) + ", Name: " + val["Name"]) verify_pass_result, verify_pass_success = ResourceManager.check_account_health( core_session, val["Id"]) assert verify_pass_result == 'OK', "Verify Failed on Account: " + val[ 'Name'] + ", " + verify_pass_result # stop Conector , Should fail logger.info("Stopping the connector") proxycontrol(proxyid, False) logger.info("Verifying accounts, no agent or connector") for i, val in enumerate(accounts): verify_pass_result, verify_pass_success = ResourceManager.check_account_health( core_session, val["Id"]) assert verify_pass_result != 'OK', "Verify success on Account: " + val[ 'Name'] + ", " + verify_pass_result # Start agent logger.info("Starting the agent") ssh_manager.ssh_start_agent(session, True) logger.info("Verifying accounts, agent is available.") for i, val in enumerate(accounts): verify_pass_result, verify_pass_success = ResourceManager.check_account_health( core_session, val["Id"]) assert verify_pass_result == 'OK', "Verify failed on Account: " + val[ 'Name'] + ", " + verify_pass_result # verify account again, both connector and agent are running proxycontrol(proxyid, True) logger.info( "Verifying accounts, both agent and connector are available") for i, val in enumerate(accounts): verify_pass_result, verify_pass_success = ResourceManager.check_account_health( core_session, val["Id"]) assert verify_pass_result == 'OK', "Verify Failed on Account: " + val[ 'Name'] + ", " + verify_pass_result
def test_unix_client_account_checkout_reconciliation( users_and_roles, unix_machine_environment_config, agent_enrolled_unix_system_with_users, proxy_start_stop): """ This test verifies password reconcilation using agent, connector and both during checkout operation Steps for this scenario: * Enroll an unix system and create a managed account. * Verify the managed account's password is rotated. * Change the password of the account on the target system * stop the agent and checkout the password of managed account(only connector is availabe) - Verify success - Verify OperationMode is Connector * Verify managed acount - Verify success * Change the password of the account on the target system * stop the connector and checkout the password of managed account - Verify failure * Start the agent and checkout the password of managed account (only Agent is availabe) - Verify success - Verify OperationMode is Client * Verify managed acount - Verify success * Change the password of the account on the target system * Start the connector and checkout the password of managed account (Both agent and connector are available) - Verify success - Verify OperationMode is Client * Verify managed acount - Verify success """ """ Testrail Link: https://testrail.centrify.com/index.php?/cases/view/1293462 https://testrail.centrify.com/index.php?/cases/view/1293463 https://testrail.centrify.com/index.php?/cases/view/1293464 """ # verfiy the test is run with single thread. assert 'PYTEST_XDIST_WORKER_COUNT' not in os.environ, \ f'This test cannot be run with multiple threads due to starting and stopping connectors' enrolledsystems = agent_enrolled_unix_system_with_users accounts = enrolledsystems[0]["Accounts"] resourceId = enrolledsystems[0]["ResourceId"] proxyid = enrolledsystems[0]["ProxyId"] session = enrolledsystems[0]["Session"] proxycontrol = proxy_start_stop conf = unix_machine_environment_config success_message = conf['success_message'] right_data = ("Privileged Access Service Power User", "role_Privileged Access Service Power User") requester_session = users_and_roles.get_session_for_user(right_data[0]) accountuser = accounts[1] logger.info("stop the agent") ssh_manager.ssh_stop_agent(session) proxycontrol(proxyid, True) # count managed password change events filter = [['AccountName', accountuser['Name']], ['ComputerID', resourceId]] # set a different password for the user ssh_manager.change_sshuser_password(session, accountuser['Name'], "differentpassword3", success_message) logger.info( "Rotate account and verify reconciliation, Connector is available") result, success = ResourceManager.check_out_password( requester_session, 1, accountuser["Id"]) assert success, "Reconciliation failed during checkout, Account " + accountuser[ 'Name'] verify_pass_result, verify_pass_success = ResourceManager.check_account_health( requester_session, accountuser["Id"]) assert verify_pass_result == 'OK', f"Verify Failed on Account: {accountuser['Name']}" # verify operationMode rows = RedrockController.wait_for_event_by_type_filter( requester_session, "Cloud.Server.LocalAccount.AdministrativeResetAccountPassword", filter=filter) eventcount = len(rows) logger.info( f"# of Cloud.Server.LocalAccount.AdministrativeResetAccountPassword events : {eventcount}" ) assert rows[0][ "OperationMode"] == "Connector", "Failed to verify OperationMode" # stop Connector, Should fail logger.info("Stopping the connector") proxycontrol(proxyid, False) # set a different password for the user ssh_manager.change_sshuser_password(session, accountuser['Name'], "differentpassword4", success_message) verify_pass_result, verify_pass_success = ResourceManager.check_account_health( requester_session, accountuser["Id"]) assert verify_pass_result != 'OK', f"Verify Failed on Account: {accountuser['Name']}" # Start agent logger.info("Starting the agent") ssh_manager.ssh_start_agent(session, True) # set a different password for the user ssh_manager.change_sshuser_password(session, accountuser['Name'], "differentpassword5", success_message) logger.info( "Rotate account and verify reconciliation, Agent is available") result, success = ResourceManager.check_out_password( requester_session, 1, accountuser["Id"]) assert success, f"Reconciliation failed during checkout, Account {accountuser['Name']}" verify_pass_result, verify_pass_success = ResourceManager.check_account_health( requester_session, accountuser["Id"]) assert verify_pass_result == 'OK', f"Verify Failed on account: {accountuser['Name']}" # verify operationMode rows = RedrockController.wait_for_event_by_type_filter( requester_session, "Cloud.Server.LocalAccount.AdministrativeResetAccountPassword", filter=filter, count=eventcount + 1) eventcount = len(rows) logger.info( f"# of Cloud.Server.LocalAccount.AdministrativeResetAccountPassword events : {eventcount}" ) assert rows[0][ "OperationMode"] == "Client", "Failed to verify OperationMode is Client" # verify account again, both connector and agent are running logger.info("Starting connector") proxycontrol(proxyid, True) # set a different password ssh_manager.change_sshuser_password(session, accountuser['Name'], "differentpassword3", success_message) logger.info( "Rotate account and verify reconciliation, client and connector are available" ) result, success = ResourceManager.check_out_password( requester_session, 1, accountuser["Id"]) assert success, f"Reconciliation failed during checkout, Account {accountuser['Name']}" verify_pass_result, verify_pass_success = ResourceManager.check_account_health( requester_session, accountuser["Id"]) assert verify_pass_result == 'OK', f"Verify Failed on Account: {accountuser['Name']}" # verify operationMode rows = RedrockController.wait_for_event_by_type_filter( requester_session, "Cloud.Server.LocalAccount.AdministrativeResetAccountPassword", filter=filter, count=eventcount + 1) eventcount = len(rows) logger.info( f"# of Cloud.Server.LocalAccount.AdministrativeResetAccountPassword events : {eventcount}" ) assert rows[0][ "OperationMode"] == "Client", "Failed to verify OperationMode is Client"
def test_windows_client_account_unlock(users_and_roles, agent_enrolled_windows_system_with_users, proxy_start_stop): # NOTE: policy must be set on the system to lock the account after 3 failed login attemps """ This test verifies account unlock using agent, connector and both Steps for this scenario: * Enroll a windows system and create a managed account.Also set admin account and enable manual unlock * Verify the managed account's password is rotated. * Lock the account (try to verify the account multiple times with wrong password to lock the account) * Unlock the account - Verify success - Verify OperationMode is Connector * stop the connector * Lock the account * Get the account status - Verify failure * Start the agent (only Agent is availabe) * Unlock the account - Verify success - Verify OperationMode is Client * Lock the account * Start the connector * Unlock the account - Verify success - Verify OperationMode is Client """ """ Testrail Link: https://testrail.centrify.com/index.php?/cases/view/1293479 https://testrail.centrify.com/index.php?/cases/view/1293480 https://testrail.centrify.com/index.php?/cases/view/1293481 """ # verfiy the test is run with single thread. assert 'PYTEST_XDIST_WORKER_COUNT' not in os.environ, f'This test cannot be run with multiple threads due to starting and stopping connectors' enrolledsystems = agent_enrolled_windows_system_with_users accounts = enrolledsystems[0]["Accounts"] resourceId = enrolledsystems[0]["ResourceId"] proxyid = enrolledsystems[0]["ProxyId"] hostName = enrolledsystems[0]["ResourceFQDN"] winrm_session_as_admin = enrolledsystems[0]["Session"] proxycontrol = proxy_start_stop right_data = ("Privileged Access Service Power User", "role_Privileged Access Service Power User") requester_session = users_and_roles.get_session_for_user(right_data[0]) accountuser = accounts[1] logger.info("stop the agent") winrm_helper.stop_agent(winrm_session_as_admin) proxycontrol(proxyid, True) # get the correct password of the account. result, success = ResourceManager.check_out_password(requester_session, 15, accountuser["Id"]) assert success, "Reconciliation failed during checkout, Account " + accountuser['Name'] password = result['Password'] # count managed password change events filter = [['AccountName', accountuser['Name']], ['ComputerID', resourceId]] # lock the account winrm_helper.lock_account(hostName, accountuser['Name'], password) result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"]) assert success, f"Failed to unlock account. {message}" # verify operationMode rows = RedrockController.wait_for_event_by_type_filter(requester_session, "Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock", filter=filter) eventcount = len(rows) logger.info(f"# of Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock events : {eventcount}") assert rows[0]["OperationMode"] == "Connector", "Failed to verify OperationMode" # stop Connector, Should fail logger.info("Stopping the connector") proxycontrol(proxyid, False) # set a different password for the user winrm_helper.lock_account(hostName, accountuser['Name'], password) result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"]) assert (success == False), "Unlock account succeeded when agent and conmnector are not available." # Start agent logger.info("Starting the agent") winrm_helper.start_agent(winrm_session_as_admin) winrm_helper.lock_account(hostName, accountuser['Name'], password) result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"]) assert success, f"Failed to unlock account. {message}" # verify operationMode rows = RedrockController.wait_for_event_by_type_filter( requester_session, "Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock", filter=filter, count=eventcount + 1) eventcount = len(rows) logger.info(f"# of Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock events : {eventcount}") assert rows[0]["OperationMode"] == "Client", "Failed to verify OperationMode is Client" # verify account again, both connector and agent are running logger.info("Starting connector") proxycontrol(proxyid, True) # set a different password winrm_helper.lock_account(hostName, accountuser['Name'], password) result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"]) assert success, f"Failed to unlock account. {message}" verify_pass_result, verify_pass_success = ResourceManager.check_account_health(requester_session, accountuser["Id"]) assert verify_pass_result == 'OK', f"Verify Failed on Account: {accountuser['Name']}" # verify operationMode rows = RedrockController.wait_for_event_by_type_filter( requester_session, "Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock", filter=filter, count=eventcount + 1) eventcount = len(rows) logger.info(f"# of Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock events : {eventcount}") assert rows[0]["OperationMode"] == "Client", "Failed to verify OperationMode is Client"