def test_system_level_password_checkout_yes(core_session, pas_windows_setup, users_and_roles, update_tenant_multiple_checkouts): """ C1547 : System level password checkout set to 'yes' :param core_session: Authenticated Centrify Session :param pas_windows_setup: Added and return Windows system and Account associated to it. :param users_and_roles: Gets user and role on demand. """ system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup( ) user_session = users_and_roles.get_session_for_user( "Privileged Access Service Administrator") pas_admin = user_session.__dict__['auth_details'] # Setting 'Allow multiple password checkouts for this system' policy to Yes on Advanced tab result, success = ResourceManager.update_system( core_session, system_id, sys_info[0], sys_info[1], sys_info[2], allowmultiplecheckouts=True) assert success, f"'Allow multiple password checkouts' policy not set to 'yes' for System : {system_id}. " \ f"API response result: {result}. " logger.info( f"'Allow multiple password checkouts' policy set to 'yes' for system : {system_id}" ) # Setting 'Allow multiple password checkouts' policy to Uncheck on Global Security Setting page result, success = update_tenant_multiple_checkouts(core_session, False) assert success, f"Not able to disable 'Allow multiple password checkouts' policy on " \ f"Global Security Setting page. API response result: {result}. " logger.info( f"'Allow multiple password checkouts' policy Unchecked on Global Security Setting page" ) # Assigning 'Checkout' permission to user for account. account_result, account_success = ResourceManager.assign_account_permissions( core_session, 'Naked', pas_admin['User'], pas_admin['UserId'], 'User', account_id) assert account_success, f"Assign Checkout permission to account : {account_id} failed. " \ f"API response result: {account_result}. " logger.info( f"'Checkout' permission given to user: {pas_admin['User']} for Account:{account_id}." ) # Checkout account while logged in as Cloud Admin admin_checkout_result, admin_checkout_success = ResourceManager.check_out_password( core_session, 1, account_id) assert admin_checkout_result['Password'] == user_password, f"Not able to checkout Account : {account_id}. API " \ f"response result: {admin_checkout_result}. " logger.info(f"Account Checkout successful for Account :{account_id}.") # Checkout account while logged in as Privileged Access Service Administrator user_checkout_result, user_checkout_success = ResourceManager.check_out_password( user_session, 1, account_id) assert user_checkout_result['Password'] == user_password, f"Not able to checkout Account : {account_id}. API " \ f"response result: {user_checkout_result}. " logger.info(f"Account CheckIn successful for Account :{account_id}.")
def test_system_level_password_checkout_blank( core_session, pas_windows_setup, users_and_roles, update_tenant_multiple_checkouts): """ C1548 : System level password checkout set to '--' :param core_session: Authenticated Centrify Session :param pas_windows_setup: Added and return Windows system and Account associated to it. :param users_and_roles: Gets user and role on demand. """ system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup( ) user_session = users_and_roles.get_session_for_user( "Privileged Access Service Administrator") pas_admin = user_session.__dict__['auth_details'] # Setting 'Allow multiple password checkouts' policy to Uncheck on Global Security Setting page result, success = update_tenant_multiple_checkouts(core_session, False) assert success, f"Not able to disable 'Allow multiple password checkouts' policy on Global " \ f"Security Setting page. API response result: {result}." logger.info( f"'Allow multiple password checkouts' policy Unchecked on Global Security Setting page" ) # Assigning 'Checkout' permission to user for Account. account_result, account_success = ResourceManager.assign_account_permissions( core_session, 'Naked', pas_admin['User'], pas_admin['UserId'], 'User', account_id) assert account_success, f"Assign Checkout permission to account : {account_id} failed. " \ f"API response result: {account_result}" logger.info( f"'Checkout' permission given to user: {pas_admin['User']} for Account:{account_id}." ) # Checkout account while logged in as Cloud Admin admin_checkout_result, admin_checkout_success = ResourceManager.check_out_password( core_session, 1, account_id) assert admin_checkout_result['Password'] == user_password, f"Not able to checkout Account : {account_id}. API " \ f"response result: {admin_checkout_result} " logger.info(f"Account Checkout successful for Account :{account_id}.") # Checkout account while logged in as Privileged Access Service Administrator user_checkout_result, user_checkout_success = ResourceManager.check_out_password( user_session, 1, account_id) assert not user_checkout_success, f"Checkout Account successful : {account_id} : API response " \ f"result: {user_checkout_result}" logger.info(f"Not able to checkout Account : {account_id}") activity = RedrockController.get_account_activity(user_session, account_id)[0]['Detail'] assert 'Multiple checkouts not allowed' in activity, f"Checkout Failed activity not found " \ f"for account : {account_id}. API response result: {activity} " logger.info( f"Checkout Failed activity found in Activity for account : {account_id}" )
def test_database_level_password_checkout_blank( core_session, create_databases_with_accounts, users_and_roles, update_tenant_multiple_checkouts): """ C1552 : Database Level password checkout set to 'default'. :param core_session: Authenticated Centrify Session. :param create_databases_with_accounts: Added and return Database and Account associated to it. :param users_and_roles: Gets user and role on demand. """ database = create_databases_with_accounts(core_session, 1, 1)[0] user_session = users_and_roles.get_session_for_user( "Privileged Access Service Administrator") pas_admin = user_session.__dict__['auth_details'] # Setting 'Allow multiple password checkouts' policy to enable on Global Security Setting page result, success = update_tenant_multiple_checkouts(core_session, True) assert success, f"Not able to enable 'Allow multiple password checkouts' policy on Global Security Setting page. " \ f"API response result: {result}." logger.info( f"'Allow multiple password checkouts' policy Enabled on Global Security Setting page" ) # Assigning 'Checkout' permission to user for account. account_result, account_success = ResourceManager.assign_account_permissions( core_session, 'Naked', pas_admin['User'], pas_admin['UserId'], 'User', database['Accounts'][0]['ID']) assert account_success, f"Assign Checkout permission to account : {database['Accounts'][0]['ID']} " \ f"failed. API response result: {account_result}. " logger.info( f"'Checkout' permission given to user: {pas_admin['User']} for " f"Account:{database['Accounts'][0]['ID']}.") # Checkout account while logged in as Cloud Admin admin_checkout_result, admin_checkout_success = ResourceManager.check_out_password( core_session, 1, database['Accounts'][0]['ID']) assert admin_checkout_success, f"Not able to checkout Account : {database['Accounts'][0]['ID']}. API response " \ f"result: {admin_checkout_result}. " logger.info( f"Account Checkout successful for Account :{database['Accounts'][0]['ID']}." ) # Checkout account while logged in as Privileged Access Service Administrator user_checkout_result, user_checkout_success = ResourceManager.check_out_password( user_session, 1, database['Accounts'][0]['ID']) assert user_checkout_success, f"Not able to checkout Account : {database['Accounts'][0]['ID']}. API response " \ f"result: {user_checkout_result}. " logger.info( f"Account Checkout successful for Account :{database['Accounts'][0]['ID']}." )
def _verify_get_mfa_token(self, account_id, expect_challenge_on_checkout): pas_user = self.session.get_user() result, success = ResourceManager.assign_account_permissions(self.session, "Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword", pas_user.get_login_name(), pas_user.get_id(), pvid=account_id) assert success, f"Failed to set account permissions {result}" result, success = ResourceManager.check_out_password(self.session, 6, account_id) if not expect_challenge_on_checkout: assert success and result['Password'] == self.root_password, f"Unexpected value for password {result}" new_coid = result['COID'] result, success = ResourceManager.check_in_password(self.session, coid=new_coid) assert success, "Did not check in password" else: assert 'ChallengeId' in result and len( result) == 1, f"Did not receive expected challenge {result} {success}" result, success = CloudProviderManager.get_mfa_token(self.session, account_id) if self.mfa_code: assert success, f"Failed to get_mfa_token {result}" assert len(result['code']) == 6, f"Token returned was wrong length {result}" else: assert not success, f"Should fail with MFA not set {result}"
def test_checkout_password_for_sql_unmanaged_account( core_session, add_database_with_account): """ Test case: C1101 - Checkout password for a SQL unmanaged account :param core_session: Authenticated centrify session :param add_database_with_account: fixture to create database with account as optional. """ db_name, db_id, db_account_id, db_data, database_cleaner_list, sql_account_cleaner_list = \ add_database_with_account(db_class='sql', add_account=True) result, status = ResourceManager.check_out_password( core_session, lifetime=15, accountid=db_account_id) assert status, f'failed to checkout account {db_data["db_account"]} password.' assert result['Password'] == db_data[ 'password'], "Checked out password dose'nt match the actual password" logger.info(f'{db_data["db_account"]} password check out successfully.') acc_activity = RedrockController.get_account_activity( core_session, db_account_id) assert f'{core_session.auth_details["User"]} checked out database account "{db_data["db_account"]}" password for ' \ f'database "{db_name}"' in \ acc_activity[0]['Detail'], f"no activity of checkout found for account {db_data['db_account']}" logger.info( f"There is a checkout record for the account {db_data['db_account']} in activity" )
def test_add_managed_proxy_account(core_session, pas_windows_setup): """ :param core_session: Authenticated Centrify Session. :param pas_windows_setup: Fixture for adding a system and an account associated with it. TC: C2537 - Add system with managed account and Proxy account with WinRM https settings trying to Add system with managed account and Proxy account with WinRM https settings Steps: Pre: Create system with 1 manage and proxy account 1. Try to fetch the management mode in setting page -Assert Failure 2. Try to check out password from account -Assert Failure """ system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(True, True) logger.info(f"System: {sys_info[0]} successfully added with UUID: {system_id} and account: {sys_info[4]} " f"with UUID: {account_id} associated with it.") managementmode = RedrockController.get_computer_with_ID(core_session, system_id) assert managementmode['ManagementMode'] == "WinRMOverHttps", \ f"management mode is failed because of system doesnt have proxy account. API response result: {managementmode}" logger.info(f"Fetch management mode successfully: {managementmode['ManagementMode']}") password_checkout_result, password_checkout_success = ResourceManager.check_out_password(core_session, 1, accountid=account_id) assert password_checkout_result['Password'] is not user_password, \ f"password checkout Failed. API response result: {password_checkout_result}" logger.info(f"password successfully checkout Account password: {password_checkout_result['COID']}")
def test_password_checkin_from_my_password_checkout_field( core_session, pas_setup, core_admin_ui): """ Test case: C14838 :param core_session: Centrify session :param pas_setup: fixture to create system with account :param core_admin_ui: UI session """ system_id, account_id, system_info = pas_setup result, status = ResourceManager.check_out_password( core_session, 1, account_id, 'test checkout account') assert status, f'failed to checkout password for account {system_info[4]}, returned result is: {result}' ui = core_admin_ui ui.navigate(('Workspace', 'My Password Checkouts')) ui.expect( GridCell(f'{system_info[4]} ({system_info[0]})'), f'expected to find checkout details for account ' f'{system_info[4]} but did not') logger.info( f'found details for account {system_info[4]} in My Password Checkout view' ) ui.right_click_action(GridCell(f'{system_info[4]} ({system_info[0]})'), 'Checkin') ui.expect_disappear( GridCell(f'{system_info[4]} ({system_info[0]})'), f'Expacted to find no records for ' f'{system_info[4]} in My Password Checkout, but found one') logger.info(f'successfully checkin password for account {system_info[4]} ')
def test_update_managed_account(pas_setup, core_session, pas_config): """ :param pas_config: :param pas_setup: Fixture for adding a system and an account associated with it. :param core_admin_ui: Authenticated Centrify Session. :param core_session: Authenticated Centrify Session. TC: C2547 - Update managed account trying to Update managed account password Steps: Pre: Create system with 1 manage account hand 1. Try to update invalid password -Assert Failure 2. Try to update valid password -Assert Failure 3. Try to check password history """ user_name = core_session.get_user().get_login_name() System_configurations_from_yaml = pas_config system_data = System_configurations_from_yaml[ 'Windows_infrastructure_data'] added_system_id, account_id, sys_info = pas_setup Result, success = ResourceManager.update_password(core_session, account_id, guid()) assert success, "Did not update password" Result, success = ResourceManager.update_password(core_session, account_id, system_data['password']) assert success, "Did not update password" result, success = ResourceManager.check_out_password( core_session, 1, account_id) assert success, "Did not retrieve password" query = f"select EntityId, State, StateUpdatedBy, StateUpdatedTime from PasswordHistory where EntityId=" \ f"'{account_id}' and StateUpdatedBy='{user_name}' and State='Retired'" password_history = RedrockController.get_result_rows( RedrockController.redrock_query(core_session, query))[0] assert len(password_history) > 0, "Password history table did not update"
def test_checkin_password_for_unmanaged_account(core_session, setup_pas_system_for_unix): """ TC: C279514 - Checkin password for unmanaged account. :param core_session: Authenticated Centrify Session. :param setup_pas_system_for_unix: Adds and yields uuid of a Unix system and account associated to it. """ added_system_id, account_id, sys_info = setup_pas_system_for_unix co_result, co_success = ResourceManager.check_out_password(core_session, 1, account_id, "checkout test") assert co_success, f"Account checkout failed with APi response result: {co_result}." checkin_result, checkin_success = ResourceManager.check_in_password(core_session, co_result['COID']) assert checkin_success, f"Checkin for account {account_id} failed with API response result: {checkin_result}" logger.info(f'Successfully checked in the password for account {account_id} with API response result:' f' {checkin_result} and success: {checkin_success}')
def test_check_number_of_total_checkout(core_session, pas_setup, users_and_roles): """ Test case: C286364 :param core_session: Authenticated Centrify session :param users_and_roles: Fixture to manage roles and user """ system_id, account_id, sys_info = pas_setup # Cloud user session with "Privileged Access Service Administrator" cloud_user_session = users_and_roles.get_session_for_user( 'Privileged Access Service Administrator') user_name = cloud_user_session.auth_details['User'] user_id = cloud_user_session.auth_details['UserId'] # Assigning system view permission result, status = ResourceManager.assign_system_permissions(core_session, "View", user_name, user_id, pvid=system_id) assert status, f"Failed to assign system permissions return result is {result}" logger.info( f'View rights assigned to user {user_name} for system {sys_info[0]}') # Assigning cloud user view and checkout permission for account account_rights = "View,Naked" acc_result, acc_status = ResourceManager.assign_account_permissions( core_session, account_rights, user_name, user_id, pvid=account_id) assert acc_status, f"failed to assign account permission, returned result is {acc_result}" logger.info( f'successfully assigned {account_rights} permission for account {sys_info[4]} of ' f'{sys_info[0]} to user {user_name}') # Checkout password using cloud user result, success = ResourceManager.check_out_password( cloud_user_session, 1, account_id) assert success, f"cloud user: {user_name} failed to checkout account {sys_info[4]}." logger.info( f"Cloud user: {user_name} successfully checked out account {sys_info[4]} of system {sys_info[0]}." ) # retrieving my total checkout value from workspace checkout_count = ResourceManager.get_my_total_checkout( cloud_user_session, user_id) assert checkout_count > 0, f'failed to retrieve total checkout value as it never updated. returned count is ' \ f'{checkout_count}' logger.info(f'My total Checkout field is updated by {checkout_count}')
def test_check_my_password_checkout_field_after_checkout_account(core_session, pas_setup, core_admin_ui): """ Test case: C14837 :param core_session: Centrify session :param pas_setup: fixture to create system with account :param core_admin_ui: UI session """ system_id, account_id, system_info = pas_setup result, status = ResourceManager.check_out_password(core_session, 1, account_id, 'test checkout account') assert status, f'failed to checkout password for account {system_info[4]}, returned result is: {result}' ui = core_admin_ui ui.navigate(('Workspace', 'My Password Checkouts')) ui.expect(GridCell(f'{system_info[4]} ({system_info[0]})'), f'expected to find checkout details for account ' f'{system_info[4]} but did not')
def test_update_un_managed_account(pas_windows_setup, core_session): """ :param pas_windows_setup: Fixture for adding a system and an account associated with it. :param core_session: Authenticated Centrify Session. TC: C2548 - Update un managed account trying to Update un managed account password Steps: Pre: Create system with 1 un manage account hand 1. Try to update valid password -Assert Failure 2. Try to get activity of updated password -Assert Failure 3. Try to check password history """ user_name = core_session.get_user().get_login_name() system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup( ) logger.info( f"System: {sys_info[0]} successfully added with UUID: {system_id} and account: {sys_info[4]} " f"with UUID: {account_id} associated with it.") Result, success = ResourceManager.update_password(core_session, account_id, guid()) assert success, f"Did not update password, API Response: {Result}" logger.info(f'user not able to update password, API Response::{Result}') row = ResourceManager.get_system_activity(core_session, system_id) assert f'{user_name} updated local account "{sys_info[4]}" password for "{sys_info[0]}"' in row[0]['Detail'], \ "user not able to update un managed account password" logger.info( f'account activity logs for un manage account API response:{row}') result, success = ResourceManager.check_out_password( core_session, 1, account_id) assert success, f"Did not retrieve password API response: {result}" logger.info(f'user not able to retrieve password API response:{result}') query = f"select EntityId, State, StateUpdatedBy, StateUpdatedTime from PasswordHistory where EntityId=" \ f"'{account_id}' and StateUpdatedBy='{user_name}' and State='Retired'" password_history = RedrockController.get_result_rows( RedrockController.redrock_query(core_session, query))[0] assert len( password_history ) > 0, f"Password history table did not update {password_history}" logger.info(f'Password history table API response:{password_history}')
def test_checkin_password_for_managed_account_from_workspace( core_session, setup_pas_system_for_unix, core_admin_ui): """ TC: C2503 - Checkin password for managed account from Workspace page :param core_session: Authenticated Centrify Session. :param setup_pas_system_for_unix: Adds and yields uuid of a Unix system and account associated to it. """ added_system_id, account_id, sys_info = setup_pas_system_for_unix co_result, co_success = ResourceManager.check_out_password( core_session, 1, account_id, "checkout test") assert co_success, f"Account checkout failed with APi response result: {co_result}." ui = core_admin_ui ui.navigate(['Workspace', 'My Password Checkouts']) ui.check_row_by_guid(co_result["COID"]) ui.action('Checkin') logger.info( f'Password for {account_id} has been checked-in from workspace page.') result, success = ResourceManager.check_in_password( core_session, account_id) assert success is False, "Password checkin from workspace page failed" logger.info('Password successfully checked-in from workspace page.')
def test_checkout_un_managed_account(core_session, pas_windows_setup, pas_config): """ Test case:C2552 Checkout password for an un managed account :param core_session: Returns a API session. :param pas_windows_setup: Returns a fixture. :param pas_config: fixture for fetching up the value from yaml. """ # Creating a system and account. system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup( ) # Checking out the password and validating the password. password_checkout_result, password_checkout_success = ResourceManager.check_out_password( core_session, 1, accountid=account_id) assert password_checkout_result['Password'] == user_password, \ f"password checkout Failed. API response result: {password_checkout_result}" logger.info( f"password successfully checkout Account password: {password_checkout_result['COID']}" )
def test_check_in_password_un_managed_account(core_session, pas_windows_setup, pas_config): """ Test case: C2553 Check in password for the un managed account :param core_session: Returns a API session. :param pas_windows_setup: Returns a fixture. :param pas_config: fixture for fetching up the value from yaml. """ # Creating a system and account. system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup( ) # Checking out the password and validating the password. password_checkout_result, password_checkout_success = ResourceManager.check_out_password( core_session, 1, accountid=account_id) assert password_checkout_result['Password'] == user_password, \ f"password checkout Failed. API response result: {password_checkout_result}" logger.info( f"password successfully checkout Account password: {password_checkout_result['COID']}" ) # Checking in password. password_check_in_result, password_check_in_success = ResourceManager.check_in_password( core_session, coid=password_checkout_result['COID']) assert password_check_in_success, f"password check-in Failed. API response result: {password_check_in_result}" logger.info( f"password successfully check in for account: {password_check_in_result}" ) # Checking the activity. username = core_session.get_user().get_login_name() result_activity = ResourceManager.get_system_activity( core_session, system_id) assert f'{username} checked in local account "{sys_info[4]}" password for system "{sys_info[0]}"' \ f'({sys_info[1]})' in result_activity[0]['Detail'], \ "Fail to check in password:API response result: {password_check_in_result} " logger.info(f"account activity list:{result_activity}")
def test_check_systems_checkouts(core_session, pas_setup): """ Test Case ID: C2209 Test Case Description: Check Top System Checkouts on Dashboards after checking out :param core_session: Authenticates API session :param pas_setup: Creates a windows system and account """ system_id, account_id, sys_info = pas_setup system_name = sys_info[0] result, success = ResourceManager.check_out_password(core_session, lifetime=2, accountid=account_id) assert success, f'Failed to checkout password due to result: {result}' logger.info('Successfully checkout account') get_system_checkouts = ResourceManager.get_top_system_checkouts( core_session) list_to_store_checkout = [] for name in get_system_checkouts: if name['Row']['Name'] == system_name: list_to_store_checkout.append(name['Row']['Name']) assert list_to_store_checkout, f'{system_name} is not present in Top Systems Checkouts' logger.info(f'{system_name} is present in Top system checkouts.')
def test_checkout_password_for_unmanaged_account_from_account_page( setup_pas_system_for_unix, core_session): """ TC: C2506 - Checkout password for unmanaged account from account page :param setup_pas_system_for_unix: Adds and yield UUID of a Unix system and account associated to it. :param core_admin_ui: Authenticated Centrify browser session with cloud admin credentials from core.yaml """ added_system_id, account_id, sys_info = setup_pas_system_for_unix automation_data = Configs.get_environment_node('resources_data', 'automation_main') password = automation_data['Unix_infrastructure_data']['password'] result, success = ResourceManager.check_out_password( core_session, 1, account_id, "Copy the password") assert success, f"Password checkout failed with API response result: {result}" logger.info( f"Password successfully checked out for account: '{sys_info[4]}'") assert result[ 'Password'] == password, "Clipboard contents didn't change after clicking 'Copy Password' button." logger.info( "Successfully clicked on 'Copy Password' button to copy the password.")
def test_checkin_password_for_unmanaged_account(core_session, add_database_with_account): """ Test case: C1104 :param core_session: Authenticated centrify session :param add_database_with_account: fixture to create database with account as optional. """ db_name, db_id, db_account_id, db_data, database_cleaner_list, sql_account_cleaner_list = \ add_database_with_account(db_class='sql', add_account=True) checkout_result, status = ResourceManager.check_out_password( core_session, lifetime=15, accountid=db_account_id) assert status, f'failed to checkout account {db_data["db_account"]} password. returned result is {checkout_result}' assert checkout_result['Password'] == db_data[ 'password'], "Checked out password dose'nt match the actual password" logger.info(f'{db_data["db_account"]} password check out successfully.') result, status = ResourceManager.check_in_password(core_session, checkout_result['COID']) assert status, f'failed to checkin password for account {db_data["db_account"]}, return result is {result}' logger.info( f'account {db_data["db_account"]} password checked in successfully') acc_activity = RedrockController.get_account_activity( core_session, db_account_id) assert f'{core_session.auth_details["User"]} checked in database account "{db_data["db_account"]}" password for ' \ f'database "{db_name}"' in \ acc_activity[0]['Detail'], f"no activity of checkout found for account {db_data['db_account']}" logger.info( f"There is a checkout record for the account {db_data['db_account']} in activity" ) for activity in acc_activity: assert 'Reason: Change password after checked-in' not in activity[ 'Detail'], f'activity for change password behavior found.' logger.info('activity for change password behavior not found.')
def test_Change_Account_managed(core_session, pas_config, remote_users_qty1, detect_proxy): """ :param core_session: Authenticated Centrify Session. :param pas_config: fixture reading data from resources_data.yaml file. TC: C2544 - Change Account to be a managed account and verify password changed in 5 minutes trying to validate the added manage Account password Activity log's Steps: 1. Try to add a system along with an manage account -Assert Failure 2. Try to check in the account password is rotated -Assert Failure 3. Try to validate account activity log's """ user = core_session.get_user() user_name = user.get_login_name() sys_name = f"Automatedsystem{guid()}" res_data = pas_config user = remote_users_qty1 sys_result, status = ResourceManager.add_system( core_session, sys_name, res_data['Windows_infrastructure_data']['FQDN'], 'Windows', "Rdp") assert status, f"failed to add system" success, response = ResourceManager.update_system( core_session, sys_result, sys_name, res_data['Windows_infrastructure_data']['FQDN'], 'Windows', managementmode='RpcOverTcp') assert success, f"failed to change the management mode:API response result:{response}" logger.info(f"Successfully updated the system:{response}") account_id, status = ResourceManager.add_account(core_session, user[0], 'Hello123', sys_result) assert status, f'failed to add account' success, response = ResourceManager.update_account(core_session, account_id, user[0], host=sys_result, ismanaged=True) assert success, f'Updating account failed. API response: {response}' server_id = ResourceManager.wait_for_server_to_exist_return_id( core_session, sys_name) acc_id = ResourceManager.wait_for_account_to_exist_return_id( core_session, user[0]) assert server_id == sys_result, "Server was not created" assert acc_id == account_id, "Account was not created" res, success = ResourceManager.rotate_password(core_session, account_id) assert success, f"Failed to add account in the portal: {res}" checkout_password, response = ResourceManager.check_out_password( core_session, 1, accountid=account_id) assert checkout_password[ 'Password'] != 'Hello123', f'Checkout Password Failed. API response: {response}' row = ResourceManager.get_system_activity(core_session, sys_result) checkout_activity = row[0]['Detail'] created_date_json = str(row[0]['When']) ResourceManager.get_date(created_date_json) assert f'{user_name} checked out local account "{user[0]}" password for system "{sys_name}"' \ f'({res_data["Windows_infrastructure_data"]["FQDN"]})' == checkout_activity, "No system activity data " logger.info(f"account activity list:{row}")
def test_verify_rule_restrict_character(core_session, cleanup_accounts, create_basic_pass_profile, pas_setup, remote_users_qty1): """ TC C281499: Verify the rule(Restrict number of character occurrences) work correct :param core_session: Authenticates API session :param create_basic_pass_profile: Creates a password profile :param pas_setup: Creates system and account :param remote_users_qty1: Creates account in target system :param cleanup_accounts: Deletes Accounts """ accounts_list = cleanup_accounts[0] added_system_id, account_id, sys_info = pas_setup logger.info( f"System: {sys_info[0]} successfully added with UUID: {added_system_id} and account: {sys_info[4]} " f"with UUID: {account_id} associated with it.") # Adding user in target machine add_user_in_target_system = remote_users_qty1 user_password = "******" # Adding account in portal acc_result, acc_success = ResourceManager.add_account( core_session, add_user_in_target_system[0], password=user_password, host=added_system_id, ismanaged=True) assert acc_success, f"Failed to add account: {acc_result}" logger.info("Successfully added account in system") # Cleanup Account accounts_list.append(acc_result) # Creating Password Profile profile = create_basic_pass_profile(core_session, 1)[0] profile_name_cps = profile[0]['Name'] cps_prof_id = profile[0]['_RowKey'] cps_prof_result, cps_prof_success = ResourceManager.get_password_profile_by_id( core_session, cps_prof_id) assert cps_prof_success, f"Failed to create Profile due to {cps_prof_result}" logger.info(f'System successfully updated with result: {cps_prof_result}') # Updating Password Profile update_cps_prof_success = ResourceManager.update_password_profile( core_session, cps_prof_id, profile_name_cps, 58, 128, one_lwr_case=False, one_upp_case=False, one_digit=False, consecutive_chars=False, one_special_char=False, min_alphabetic_char=5, max_alphabetic_char=3, restrict_occurrence=1) assert update_cps_prof_success, f"Getting Password Profile Failed for Profile {cps_prof_id} for core user" logger.info(f'Profile {profile_name_cps} successfully updated') cps_prof_result, cps_prof_success = ResourceManager.get_password_profile_by_id( core_session, cps_prof_id) assert cps_prof_success, f"Getting Password Profile Failed for Profile {cps_prof_id} for core user" assert cps_prof_result['MinimumPasswordLength'] == 58, \ f"Getting Min Password length for Profile {cps_prof_id} is {cps_prof_result['MinimumPasswordLength']} " \ f"instead of 8" logger.info("Successfully updated minimum password length as 8") assert cps_prof_result['MaximumPasswordLength'] == 128, \ f"Getting Min Password length for Profile {cps_prof_id} is {cps_prof_result['MaximumPasswordLength']} " \ f"instead of 20" logger.info("Successfully updated minimum password length as 20") assert cps_prof_result['MinimumAlphabeticCharacterCount'] == 5, \ f"Getting Min Password length for Profile {cps_prof_id} is " \ f"{cps_prof_result['MinimumAlphabeticCharacterCount']} instead of 5" logger.info("Updated Minimum Alphabetic Character Count successfully") assert cps_prof_result['MinimumNonAlphabeticCharacterCount'] == 3, \ f"Getting Min Password length for Profile {cps_prof_id} is " \ f"{cps_prof_result['MinimumNonAlphabeticCharacterCount']} instead of 3" logger.info("Updated Minimum Alphabetic Character Count successfully") assert cps_prof_result['MaximumCharOccurrenceCount'] == 1, \ f"Getting Min Password length for Profile {cps_prof_id} is " \ f"{cps_prof_result['MinimumNonAlphabeticCharacterCount']} instead of 3" logger.info("Updated Minimum Alphabetic Character Count successfully") update_result, update_success = ResourceManager.update_system( core_session, added_system_id, sys_info[0], sys_info[1], sys_info[2], passwordprofileid=cps_prof_id) assert update_success, f"Failed to update system sue to {update_result}" logger.info(f"Successfully update system {sys_info[0]}") # Rotate Password rotate_password_result, rotate_password_success = ResourceManager.rotate_password( core_session, acc_result) assert rotate_password_success, f"Failed to rotate password due to {rotate_password_result}" logger.info("Rotate password successfully") # Checkout Password check_out_password_result, check_out_password_success = ResourceManager.check_out_password( core_session, lifetime=1, accountid=acc_result) assert check_out_password_success, f"Failed to checkout password due to {check_out_password_result}" logger.info("Password checkout successfully") # Getting check out password value co_password_value = check_out_password_result['Password'] # Getting all the alpha characters in password check out get_alpha_characters = re.findall('[a-zA-Z]', co_password_value) # Checking the maximum occurrence of characters in a list count_alpha_chars = Counter(get_alpha_characters) for item, ct in count_alpha_chars.items(): assert len(item) == 1, "Item is grater than 1" logger.info('%s occurred %d times' % (item, ct)) # Removing password profile from system update_result, update_success = ResourceManager.update_system( core_session, added_system_id, sys_info[0], sys_info[1], sys_info[2], passwordprofileid=None) assert update_success, f"Failed to remove password profile from system {sys_info[0]}" logger.info( f"Successfully removed password profile from system {sys_info[0]}")
def test_database_level_password_checkout_yes( core_session, create_databases_with_accounts, users_and_roles, update_tenant_multiple_checkouts): """ C1551 : Database Level password checkout set to 'yes'. :param core_session: Authenticated Centrify Session. :param create_databases_with_accounts: Added and return Database and Account associated to it. :param users_and_roles: Gets user and role on demand. """ database = create_databases_with_accounts(core_session, 1, 1)[0] user_session = users_and_roles.get_session_for_user( "Privileged Access Service Administrator") pas_admin = user_session.__dict__['auth_details'] # Setting 'Allow multiple password checkouts per database account' setting to 'Yes' on Advanced tab result, success = ResourceManager.update_database( core_session, database['ID'], database['Name'], database['FQDN'], database['Port'], database['Description'], database['InstanceName'], allowmultiplecheckouts=True) assert success, f"'Allow multiple password checkouts per database' policy not set to 'yes' for " \ f"Database : {database['ID']}. API response result: {result}. " logger.info( f"'Allow multiple password checkouts per database' policy set to 'yes' for Database : {database['ID']}" ) # Setting 'Allow multiple password checkouts' policy to Uncheck on Global Security Setting page result, success = update_tenant_multiple_checkouts(core_session, False) assert success, f"Not able to disable 'Allow multiple password checkouts' policy on Global Security " \ f"Setting page. API response result: {result}. " logger.info( f"'Allow multiple password checkouts' policy Unchecked on Global Security Setting page" ) # Assigning 'Checkout' permission to user for account. account_result, account_success = ResourceManager.assign_account_permissions( core_session, 'Naked', pas_admin['User'], pas_admin['UserId'], 'User', database['Accounts'][0]['ID']) assert account_success, f"Assign Checkout permission to account : {database['Accounts'][0]['ID']} failed. API " \ f"response result: {account_result}. " logger.info( f"'Checkout' permission given to user: {pas_admin['User']} for " f"Account:{database['Accounts'][0]['ID']}.") # Checkout account while logged in as Cloud Admin admin_checkout_result, admin_checkout_success = ResourceManager.check_out_password( core_session, 1, database['Accounts'][0]['ID']) assert admin_checkout_success, f"Not able to checkout Account : {database['Accounts'][0]['ID']}. " \ f"API response result: {admin_checkout_result}. " logger.info( f"Account Checkout successful for Account :{database['Accounts'][0]['ID']}." ) # Checkout account while logged in as Privileged Access Service Administrator user_checkout_result, user_checkout_success = ResourceManager.check_out_password( user_session, 1, database['Accounts'][0]['ID']) assert user_checkout_success, f"Not able to checkout Account : {database['Accounts'][0]['ID']}. API response " \ f"result: {user_checkout_result}. " logger.info( f"Account Checkout successful for Account :{database['Accounts'][0]['ID']}." )
def test_check_menu_two_sys_under_password_checkouts(core_session, list_of_created_systems, core_admin_ui, cleanup_resources, cleanup_accounts): """ TC:C2174 Check menu when choosing two systems under My Password Checkouts. :param:core_session: Returns Authenticated Centrify session. :param:list_of_created_systems:Container for created system. :param:core_admin_ui: Returns browser session. :param:cleanup_resources: Cleans up system. :param:cleanup_accounts:Cleans up accounts. """ system_list = cleanup_resources[0] accounts_list = cleanup_accounts[0] # Creating multiple system and accounts. batches = ResourceManager.add_multiple_systems_with_accounts( core_session, 2, 1, list_of_created_systems) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values( [batches]) assert len( ResourceManager.get_multi_added_system_ids(core_session, all_systems)) == 2, f"Failed to create multiple " \ f"system with accounts: API " \ f"response result: {batches} " assert len(ResourceManager.get_multi_added_account_ids(core_session, all_systems)) == 2, f"Failed to create multiple system " \ f"with accounts: API response result: " \ f"{batches} " logger.info( f'Successfully Created multiple system with accounts.:{batches}') # Appending the created system and accounts id for cleanup. for all_account in all_accounts: accounts_list.append(all_account) for all_system in all_systems: system_list.append(all_system) # Checking out password for the account created. accounts_password_checkout = [] for account_id in all_accounts: result, status = ResourceManager.check_out_password( core_session, 1, account_id, 'test checkout account') accounts_password_checkout.append(result['COID']) assert status, f'Failed to checkout password: API response result: {result}' # Getting the account name. accounts_name = [] for account_id in all_accounts: result, success = ResourceManager.get_account_information( core_session, account_id) accounts_name.append(result["VaultAccount"]["Row"]['User']) # Validating "No actions available" after selecting two accounts from My Password Checkout Title in workspace. ui = core_admin_ui ui.navigate(("Workspace", "My Password Checkouts")) ui.switch_context(RenderedTab('My Password Checkouts')) ui.check_actions_by_guid([], accounts_password_checkout) logger.info( 'Successfully found "No actions available." after password account checkout.' )
def test_windows_client_account_unlock(users_and_roles, agent_enrolled_windows_system_with_users, proxy_start_stop): # NOTE: policy must be set on the system to lock the account after 3 failed login attemps """ This test verifies account unlock using agent, connector and both Steps for this scenario: * Enroll a windows system and create a managed account.Also set admin account and enable manual unlock * Verify the managed account's password is rotated. * Lock the account (try to verify the account multiple times with wrong password to lock the account) * Unlock the account - Verify success - Verify OperationMode is Connector * stop the connector * Lock the account * Get the account status - Verify failure * Start the agent (only Agent is availabe) * Unlock the account - Verify success - Verify OperationMode is Client * Lock the account * Start the connector * Unlock the account - Verify success - Verify OperationMode is Client """ """ Testrail Link: https://testrail.centrify.com/index.php?/cases/view/1293479 https://testrail.centrify.com/index.php?/cases/view/1293480 https://testrail.centrify.com/index.php?/cases/view/1293481 """ # verfiy the test is run with single thread. assert 'PYTEST_XDIST_WORKER_COUNT' not in os.environ, f'This test cannot be run with multiple threads due to starting and stopping connectors' enrolledsystems = agent_enrolled_windows_system_with_users accounts = enrolledsystems[0]["Accounts"] resourceId = enrolledsystems[0]["ResourceId"] proxyid = enrolledsystems[0]["ProxyId"] hostName = enrolledsystems[0]["ResourceFQDN"] winrm_session_as_admin = enrolledsystems[0]["Session"] proxycontrol = proxy_start_stop right_data = ("Privileged Access Service Power User", "role_Privileged Access Service Power User") requester_session = users_and_roles.get_session_for_user(right_data[0]) accountuser = accounts[1] logger.info("stop the agent") winrm_helper.stop_agent(winrm_session_as_admin) proxycontrol(proxyid, True) # get the correct password of the account. result, success = ResourceManager.check_out_password(requester_session, 15, accountuser["Id"]) assert success, "Reconciliation failed during checkout, Account " + accountuser['Name'] password = result['Password'] # count managed password change events filter = [['AccountName', accountuser['Name']], ['ComputerID', resourceId]] # lock the account winrm_helper.lock_account(hostName, accountuser['Name'], password) result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"]) assert success, f"Failed to unlock account. {message}" # verify operationMode rows = RedrockController.wait_for_event_by_type_filter(requester_session, "Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock", filter=filter) eventcount = len(rows) logger.info(f"# of Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock events : {eventcount}") assert rows[0]["OperationMode"] == "Connector", "Failed to verify OperationMode" # stop Connector, Should fail logger.info("Stopping the connector") proxycontrol(proxyid, False) # set a different password for the user winrm_helper.lock_account(hostName, accountuser['Name'], password) result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"]) assert (success == False), "Unlock account succeeded when agent and conmnector are not available." # Start agent logger.info("Starting the agent") winrm_helper.start_agent(winrm_session_as_admin) winrm_helper.lock_account(hostName, accountuser['Name'], password) result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"]) assert success, f"Failed to unlock account. {message}" # verify operationMode rows = RedrockController.wait_for_event_by_type_filter( requester_session, "Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock", filter=filter, count=eventcount + 1) eventcount = len(rows) logger.info(f"# of Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock events : {eventcount}") assert rows[0]["OperationMode"] == "Client", "Failed to verify OperationMode is Client" # verify account again, both connector and agent are running logger.info("Starting connector") proxycontrol(proxyid, True) # set a different password winrm_helper.lock_account(hostName, accountuser['Name'], password) result, success, message = ResourceManager.unlock_account(requester_session, accountuser["Id"]) assert success, f"Failed to unlock account. {message}" verify_pass_result, verify_pass_success = ResourceManager.check_account_health(requester_session, accountuser["Id"]) assert verify_pass_result == 'OK', f"Verify Failed on Account: {accountuser['Name']}" # verify operationMode rows = RedrockController.wait_for_event_by_type_filter( requester_session, "Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock", filter=filter, count=eventcount + 1) eventcount = len(rows) logger.info(f"# of Cloud.Server.LocalAccount.AdministrativeManualAccountUnlock events : {eventcount}") assert rows[0]["OperationMode"] == "Client", "Failed to verify OperationMode is Client"
def test_verify_rule_work_correct(core_session, cleanup_accounts, create_basic_pass_profile, pas_setup, remote_users_qty1, cleanup_password_profile): """ TC C281498: Verify the rule (Min number of non-alpha characters) :param core_session: Authenticates API session :param create_basic_pass_profile: Creates a password profile :param pas_setup: Creates system and account :param remote_users_qty1: Creates account in target system :param cleanup_password_profile: Deletes password profile :param cleanup_accounts: Deletes Account """ accounts_list = cleanup_accounts[0] added_system_id, account_id, sys_info = pas_setup logger.info( f"System: {sys_info[0]} successfully added with UUID: {added_system_id} and account: {sys_info[4]} " f"with UUID: {account_id} associated with it.") profile_list = cleanup_password_profile # Adding user in target machine add_user_in_target_system = remote_users_qty1 user_password = "******" # Adding account in portal acc_result, acc_success = ResourceManager.add_account( core_session, add_user_in_target_system[0], password=user_password, host=added_system_id, ismanaged=True) assert acc_success, f"Failed to add account: {acc_result}" logger.info("Successfully added account in system") # Cleanup Account accounts_list.append(acc_result) # Creating Password Profile profile = create_basic_pass_profile(core_session, 1)[0] profile_name_cps = profile[0]['Name'] cps_prof_id = profile[0]['_RowKey'] # Deleting Password Profile profile_list.append(cps_prof_id) cps_prof_result, cps_prof_success = ResourceManager.get_password_profile_by_id( core_session, cps_prof_id) assert cps_prof_success, f"Failed to create Profile due to {cps_prof_result}" logger.info(f'System successfully updated with result: {cps_prof_result}') # Updating Password Profile update_cps_prof_success = ResourceManager.update_password_profile( core_session, cps_prof_id, profile_name_cps, 8, 20, one_lwr_case=False, one_upp_case=False, one_digit=False, consecutive_chars=False, one_special_char=False, min_alphabetic_char=5, max_alphabetic_char=3, ) assert update_cps_prof_success, f"Getting Password Profile Failed for Profile {cps_prof_id} for core user" logger.info(f'Profile {profile_name_cps} successfully updated') cps_prof_result, cps_prof_success = ResourceManager.get_password_profile_by_id( core_session, cps_prof_id) assert cps_prof_success, f"Getting Password Profile Failed for Profile {cps_prof_id} for core user" assert cps_prof_result['MinimumPasswordLength'] == 8, \ f"Getting Min Password length for Profile {cps_prof_id} is {cps_prof_result['MinimumPasswordLength']} " \ f"instead of 8" logger.info("Successfully updated minimum password length as 8") assert cps_prof_result['MaximumPasswordLength'] == 20, \ f"Getting Min Password length for Profile {cps_prof_id} is {cps_prof_result['MaximumPasswordLength']} " \ f"instead of 20" logger.info("Successfully updated minimum password length as 20") assert cps_prof_result['MinimumAlphabeticCharacterCount'] == 5, \ f"Getting Min Password length for Profile {cps_prof_id} is " \ f"{cps_prof_result['MinimumAlphabeticCharacterCount']} instead of 5" logger.info("Updated Minimum Alphabetic Character Count successfully") assert cps_prof_result['MinimumNonAlphabeticCharacterCount'] == 3, \ f"Getting Min Password length for Profile {cps_prof_id} is " \ f"{cps_prof_result['MinimumNonAlphabeticCharacterCount']} instead of 3" logger.info("Updated Minimum Alphabetic Character Count successfully") update_result, update_success = ResourceManager.update_system( core_session, added_system_id, sys_info[0], sys_info[1], sys_info[2], passwordprofileid=cps_prof_id) assert update_success, f"Failed to update system sue to {update_result}" logger.info(f"Successfully update system {sys_info[0]}") # Rotate Password rotate_password_result, rotate_password_success = ResourceManager.rotate_password( core_session, acc_result) assert rotate_password_success, f"Failed to rotate password due to {rotate_password_result}" logger.info("Rotate password successfully") # Checkout Password check_out_password_result, check_out_password_success = ResourceManager.check_out_password( core_session, lifetime=1, accountid=acc_result) assert check_out_password_success, f"Failed to checkout password due to {check_out_password_result}" logger.info("Password checkout successfully") # Getting password value after checkout co_password_value = check_out_password_result['Password'] # Finding all non alpha characters after check out password get_non_alpha_characters = re.findall('[^a-zA-Z]', co_password_value) assert len( get_non_alpha_characters ) >= 3, "Length of Minimum Alphabetic Character Count is less than 3" logger.info( "Minimum Non Alphabetic Character Count is greater than or equal to 3") # Removing Password Profile from system so that profile can be deleted update_result, update_success = ResourceManager.update_system( core_session, added_system_id, sys_info[0], sys_info[1], sys_info[2], passwordprofileid=None) assert update_success, f"Failed to remove password profile from system {sys_info[0]}" logger.info( f"Successfully removed password profile from system {sys_info[0]}")
def test_add_manage_account_with_proxy_account(core_session, pas_config, remote_users_qty3, cleanup_resources, cleanup_accounts, test_proxy): """ TC: C2574 - Add system with managed account using proxy account trying to Add system with managed account using proxy account Steps: Pre: Create system with 1 proxy and manage account hand 1. Try to checkout password -Assert Failure 2. Try to check activity of manage account -Assert Failure """ user_name = core_session.get_user().get_login_name() logger.info(f'core sessoin user {core_session.get_user()}') system_list = cleanup_resources[0] accounts_list = cleanup_accounts[0] # Getting system details. sys_name = f'{"Win-2012"}{guid()}' user_password = '******' sys_details = pas_config add_user_in_target_system = remote_users_qty3 fdqn = sys_details['Windows_infrastructure_data']['FQDN'] # Adding system. add_sys_result, add_sys_success = ResourceManager.add_system( core_session, sys_name, fdqn, 'Windows', "Rdp") assert add_sys_success, f"failed to add system:API response result:{add_sys_result}" logger.info(f"Successfully added system:{add_sys_result}") system_list.append(add_sys_result) # Update system with proxy user update_sys_success, update_sys_result = ResourceManager.update_system( core_session, add_sys_result, sys_name, fdqn, 'Windows', proxyuser=add_user_in_target_system[1], proxyuserpassword=user_password, proxyuserismanaged=True) assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}' logger.info(f"Successfully update the system:{update_sys_result}") # Update system with management mode 'Smb'. update_sys_success, update_sys_result = ResourceManager.update_system( core_session, add_sys_result, sys_name, fdqn, 'Windows', managementmode='Smb') assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}' logger.info(f"Successfully update the system:{update_sys_result}") # Adding account in portal. acc_result, acc_success = ResourceManager.add_account( core_session, add_user_in_target_system[0], password=user_password, host=add_sys_result, ismanaged=True) assert acc_success, f"Failed to add account in the portal: {acc_result}" logger.info( f"Successfully added account {add_user_in_target_system[0]} in the portal" ) server_id = ResourceManager.wait_for_server_to_exist_return_id( core_session, sys_name) acc_id = ResourceManager.wait_for_account_to_exist_return_id( core_session, add_user_in_target_system[0]) assert server_id == add_sys_result, "Server was not created" assert acc_id == acc_result, "Account was not created" res, success = ResourceManager.rotate_password(core_session, acc_result) assert success, f"Failed to add account in the portal: {res}" result, success = ResourceManager.check_out_password( core_session, 1, acc_result) assert result['Password'] != "Hello123", \ f"password checkout Failed. API response result: {result}" logger.info( f"password successfully checkout Account password: {result['COID']}") row = ResourceManager.get_system_activity(core_session, add_sys_result) assert f'{user_name} checked out local account "{add_user_in_target_system[0]}" ' \ f'password for system "{sys_name}"({fdqn})' in row[0]['Detail'], \ "Did not retrieve the activity of rotate password" logger.info(f"User able to get the activity logs: {row[0]['Detail']}") accounts_list.append(acc_result)
def test_add_account_existing_system(core_session, pas_config, remote_users_qty1, test_proxy, cleanup_resources, cleanup_accounts): """ TC: C2575 - Add managed account to existing system trying to Add managed account to existing system Steps: Pre: Create system with 1 proxy and manage account hand 1. Try to checkout password -Assert Failure 2. Try to check activity of manage account -Assert Failure """ user_details = core_session.__dict__['auth_details'] user_name = core_session.get_user().get_login_name() system_list = cleanup_resources[0] accounts_list = cleanup_accounts[0] # Getting system details. sys_name = f'{"Win-2012"}{guid()}' user_password = '******' sys_details = pas_config add_user_in_target_system = remote_users_qty1 fdqn = sys_details['Windows_infrastructure_data']['FQDN'] # Adding system. add_sys_result, add_sys_success = ResourceManager.add_system( core_session, sys_name, fdqn, 'Windows', "Rdp") assert add_sys_success, f"failed to add system:API response result:{add_sys_result}" logger.info(f"Successfully added system:{add_sys_result}") system_list.append(add_sys_result) # Adding account in portal. acc_result, acc_success = ResourceManager.add_account( core_session, add_user_in_target_system[0], password=user_password, host=add_sys_result, ismanaged=True) assert acc_success, f"Failed to add account in the portal: {acc_result}" logger.info( f"Successfully added account {add_user_in_target_system[0]} in the portal" ) rights = "Owner,View,Manage,Delete,Login,Naked,RotatePassword,FileTransfer" result, success = ResourceManager.assign_account_permissions( core_session, rights, user_details['User'], user_details['UserId'], pvid=acc_result) assert success, f"Did not rotate password, API response: {result}" # Update system with management mode 'Smb'. update_sys_success, update_sys_result = ResourceManager.update_system( core_session, add_sys_result, sys_name, fdqn, 'Windows', managementmode='Smb') assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}' logger.info(f"Successfully update the system:{update_sys_result}") res, success = ResourceManager.rotate_password(core_session, acc_result) assert success, f"Failed to add account in the portal: {res}" result, success = ResourceManager.check_out_password( core_session, 1, acc_result) assert result['Password'] != "Hello123", \ f"password checkout Failed. API response result: {result}" logger.info( f"password successfully checkout Account password: {result['COID']}") row = ResourceManager.get_system_activity(core_session, add_sys_result) assert f'{user_name} checked out local account "{add_user_in_target_system[0]}" ' \ f'password for system "{sys_name}"({fdqn})' in row[0]['Detail'], \ "Did not retrieve the activity of rotate password" logger.info(f"User able to get the activity logs: {row[0]['Detail']}") accounts_list.append(acc_result)
def test_unix_client_account_checkout_reconciliation( users_and_roles, unix_machine_environment_config, agent_enrolled_unix_system_with_users, proxy_start_stop): """ This test verifies password reconcilation using agent, connector and both during checkout operation Steps for this scenario: * Enroll an unix system and create a managed account. * Verify the managed account's password is rotated. * Change the password of the account on the target system * stop the agent and checkout the password of managed account(only connector is availabe) - Verify success - Verify OperationMode is Connector * Verify managed acount - Verify success * Change the password of the account on the target system * stop the connector and checkout the password of managed account - Verify failure * Start the agent and checkout the password of managed account (only Agent is availabe) - Verify success - Verify OperationMode is Client * Verify managed acount - Verify success * Change the password of the account on the target system * Start the connector and checkout the password of managed account (Both agent and connector are available) - Verify success - Verify OperationMode is Client * Verify managed acount - Verify success """ """ Testrail Link: https://testrail.centrify.com/index.php?/cases/view/1293462 https://testrail.centrify.com/index.php?/cases/view/1293463 https://testrail.centrify.com/index.php?/cases/view/1293464 """ # verfiy the test is run with single thread. assert 'PYTEST_XDIST_WORKER_COUNT' not in os.environ, \ f'This test cannot be run with multiple threads due to starting and stopping connectors' enrolledsystems = agent_enrolled_unix_system_with_users accounts = enrolledsystems[0]["Accounts"] resourceId = enrolledsystems[0]["ResourceId"] proxyid = enrolledsystems[0]["ProxyId"] session = enrolledsystems[0]["Session"] proxycontrol = proxy_start_stop conf = unix_machine_environment_config success_message = conf['success_message'] right_data = ("Privileged Access Service Power User", "role_Privileged Access Service Power User") requester_session = users_and_roles.get_session_for_user(right_data[0]) accountuser = accounts[1] logger.info("stop the agent") ssh_manager.ssh_stop_agent(session) proxycontrol(proxyid, True) # count managed password change events filter = [['AccountName', accountuser['Name']], ['ComputerID', resourceId]] # set a different password for the user ssh_manager.change_sshuser_password(session, accountuser['Name'], "differentpassword3", success_message) logger.info( "Rotate account and verify reconciliation, Connector is available") result, success = ResourceManager.check_out_password( requester_session, 1, accountuser["Id"]) assert success, "Reconciliation failed during checkout, Account " + accountuser[ 'Name'] verify_pass_result, verify_pass_success = ResourceManager.check_account_health( requester_session, accountuser["Id"]) assert verify_pass_result == 'OK', f"Verify Failed on Account: {accountuser['Name']}" # verify operationMode rows = RedrockController.wait_for_event_by_type_filter( requester_session, "Cloud.Server.LocalAccount.AdministrativeResetAccountPassword", filter=filter) eventcount = len(rows) logger.info( f"# of Cloud.Server.LocalAccount.AdministrativeResetAccountPassword events : {eventcount}" ) assert rows[0][ "OperationMode"] == "Connector", "Failed to verify OperationMode" # stop Connector, Should fail logger.info("Stopping the connector") proxycontrol(proxyid, False) # set a different password for the user ssh_manager.change_sshuser_password(session, accountuser['Name'], "differentpassword4", success_message) verify_pass_result, verify_pass_success = ResourceManager.check_account_health( requester_session, accountuser["Id"]) assert verify_pass_result != 'OK', f"Verify Failed on Account: {accountuser['Name']}" # Start agent logger.info("Starting the agent") ssh_manager.ssh_start_agent(session, True) # set a different password for the user ssh_manager.change_sshuser_password(session, accountuser['Name'], "differentpassword5", success_message) logger.info( "Rotate account and verify reconciliation, Agent is available") result, success = ResourceManager.check_out_password( requester_session, 1, accountuser["Id"]) assert success, f"Reconciliation failed during checkout, Account {accountuser['Name']}" verify_pass_result, verify_pass_success = ResourceManager.check_account_health( requester_session, accountuser["Id"]) assert verify_pass_result == 'OK', f"Verify Failed on account: {accountuser['Name']}" # verify operationMode rows = RedrockController.wait_for_event_by_type_filter( requester_session, "Cloud.Server.LocalAccount.AdministrativeResetAccountPassword", filter=filter, count=eventcount + 1) eventcount = len(rows) logger.info( f"# of Cloud.Server.LocalAccount.AdministrativeResetAccountPassword events : {eventcount}" ) assert rows[0][ "OperationMode"] == "Client", "Failed to verify OperationMode is Client" # verify account again, both connector and agent are running logger.info("Starting connector") proxycontrol(proxyid, True) # set a different password ssh_manager.change_sshuser_password(session, accountuser['Name'], "differentpassword3", success_message) logger.info( "Rotate account and verify reconciliation, client and connector are available" ) result, success = ResourceManager.check_out_password( requester_session, 1, accountuser["Id"]) assert success, f"Reconciliation failed during checkout, Account {accountuser['Name']}" verify_pass_result, verify_pass_success = ResourceManager.check_account_health( requester_session, accountuser["Id"]) assert verify_pass_result == 'OK', f"Verify Failed on Account: {accountuser['Name']}" # verify operationMode rows = RedrockController.wait_for_event_by_type_filter( requester_session, "Cloud.Server.LocalAccount.AdministrativeResetAccountPassword", filter=filter, count=eventcount + 1) eventcount = len(rows) logger.info( f"# of Cloud.Server.LocalAccount.AdministrativeResetAccountPassword events : {eventcount}" ) assert rows[0][ "OperationMode"] == "Client", "Failed to verify OperationMode is Client"
def test_system_local_account_level(core_session, pas_config, remote_users_qty1, cleanup_accounts, cleanup_resources): """ TC C282671: System Local Account Level. :param cleanup_resources: cleanup for systems. :param core_session: Authenticates API session :param pas_config: returns yaml object :param remote_users_qty1: Creates account in target system. :param cleanup_accounts: cleanup for account. """ systems_list = cleanup_resources[0] accounts_list = cleanup_accounts[0] # Getting system details. sys_name = f"{'Win-2012'}{guid()}" sys_details = pas_config sys_fqdn = sys_details['Windows_infrastructure_data']['FQDN'] add_user_in_target_system = remote_users_qty1 user_password = '******' # Adding system. add_sys_result, add_sys_success = ResourceManager.add_system( core_session, sys_name, sys_fqdn, 'Windows', "Rdp") assert add_sys_success, f"failed to add system:API response result:{add_sys_result}" logger.info(f"Successfully added system:{add_sys_result}") systems_list.append(add_sys_result) # Adding account in portal. acc_result, acc_success = ResourceManager.add_account( core_session, add_user_in_target_system[0], password=user_password, host=add_sys_result, ismanaged=True) assert acc_success, f"Failed to add account in the portal: {acc_result}" logger.info( f"Successfully added account {add_user_in_target_system[0]} in the portal" ) accounts_list.append(acc_result) # Setting the lifetime checkout for account to 15 min. default_checkout_lifetime = 15 updated_account_result, update_account_success = \ ResourceManager.update_account(core_session, acc_result, add_user_in_target_system[0], host=add_sys_result, default_checkout_time=default_checkout_lifetime) assert update_account_success, f"Failed to add default checkout time: API response result:{updated_account_result}" logger.info( f'Successfully added default checkout time: {updated_account_result}"') # Setting the lifetime checkout for system to 60 min. updated_sys_result, update_sys_success = ResourceManager.update_system( core_session, add_sys_result, sys_name, sys_fqdn, 'Windows', defaultcheckouttime=60) assert update_sys_success, f"Failed to add default checkout time: API response result:{updated_account_result}" logger.info( f'Successfully added default checkout time: {updated_sys_result}"') # Checking the default account password set to default ie 60 min. default_account_password_chk_lifetime = 60 results, success = ServerManager.get_server_settings(core_session, key='policy') assert results['DefaultCheckoutTime'] == default_account_password_chk_lifetime, \ f"account password checkout lifetime is not {default_account_password_chk_lifetime} " # Checkout account. checkout_result, checkout_success = ResourceManager.check_out_password( core_session, 15, acc_result) assert checkout_success, f"Fail to checkout account : {acc_result} : API response " \ f"result: {checkout_result}" logger.info(f"Successfully checked account : {checkout_result}") # Checking the checkout in the workspace and validating the checkout lifetime. checkout_remaining_time = str(default_checkout_lifetime - 1) checkout_accounts = RedrockController.get_password_checkout_from_workspace( core_session, core_session.auth_details['UserId']) for checkout_account in checkout_accounts: if checkout_account['ID'] == checkout_result['COID']: assert checkout_account['Remaining'].split()[0] == checkout_remaining_time,\ f"Fail to find the remaining checkout time equal to {checkout_remaining_time} " logger.info( " Successfully found the checkout activity in workspace.") # Trying to checkout once again,expecting a null checkout ID. failed_checkout_result, failed_checkout_success = ResourceManager.check_out_password( core_session, 15, acc_result) assert failed_checkout_result['COID'] is None, f"checkout account ID generated for : " \ f"{add_user_in_target_system[0]}:" \ f"API response result: {failed_checkout_result}" logger.info(f"Check in option is action enable : {failed_checkout_result}") # Checking out checkout activity. acc_activity = RedrockController.get_account_activity( core_session, acc_result) assert f'{core_session.auth_details["User"]} checked out local account "{add_user_in_target_system[0]}" password ' \ f'for system "{sys_name}"({sys_fqdn})' in \ acc_activity[0]['Detail'], f"no activity of checkout found for account {add_user_in_target_system[0]}" logger.info( f"There is a checkout record for the account {add_user_in_target_system[0]} in activity" )
def test_settings_Policy_page(core_session, pas_config, remote_users_qty1, cleanup_resources, cleanup_accounts, core_admin_ui): """C2541 Settings on Policy page trying to get rdp through system account with in 15 minute Steps: Pre: Create system with 1 account hand 1. Try to take rdp for system -Assert Failure 2. Try to checkout password for account -Assert Failure """ core_ui = core_admin_ui user_name = core_ui.get_user().get_login_name() system_list = cleanup_resources[0] accounts_list = cleanup_accounts[0] # Getting system details. sys_name = f'{"Win-2012"}{guid()}' user_password = '******' sys_details = pas_config add_user_in_target_system = remote_users_qty1 fdqn = sys_details['Windows_infrastructure_data']['FQDN'] # Adding system. add_sys_result, add_sys_success = ResourceManager.add_system( core_session, sys_name, fdqn, 'Windows', "Rdp") assert add_sys_success, f"failed to add system:API response result:{add_sys_result}" logger.info(f"Successfully added system:{add_sys_result}") system_list.append(add_sys_result) success, response = ResourceManager.update_system(core_session, add_sys_result, sys_name, fdqn, 'Windows', allowremote=True, defaultcheckouttime=15) assert success, f"failed to change the management mode:API response result:{response}" logger.info(f"Successfully updated the system:{add_sys_result}") # Adding account in portal. acc_result, acc_success = ResourceManager.add_account( core_session, add_user_in_target_system[0], password=user_password, host=add_sys_result, ismanaged=True) assert acc_success, f"Failed to add account in the portal: {acc_result}" logger.info( f"Successfully added account {add_user_in_target_system[0]} in the portal" ) accounts_list.append(acc_result) core_ui.navigate('Resources', 'Accounts') core_ui.search(add_user_in_target_system[0]) core_ui.right_click_action(GridRowByGuid(acc_result), 'Login') core_ui.switch_to_pop_up_window() core_ui.expect_disappear( LoadingMask(), f'RDP session never exited loading state for system {sys_name}', time_to_wait=50) core_ui.switch_to_main_window() row = ResourceManager.get_system_activity(core_session, add_sys_result) assert f'{user_name} logged into system "{sys_name}"({fdqn}) from "web" using local account ' \ f'"{add_user_in_target_system[0]}"' in row[0]['Detail'], "user not able to take rdp" password_checkout_result, password_checkout_success = \ ResourceManager.check_out_password(core_session, 1, accountid=acc_result) new_cid = password_checkout_result['COID'] assert password_checkout_result['Password'] is not user_password, \ f"expected password equal to actual password: {password_checkout_result}" logger.info(f"password successfully checkout Account password: {new_cid}")
def test_update_manage_proxy_account(pas_config, core_session, winrm_engine, remote_users_qty3, test_proxy, cleanup_accounts, cleanup_resources): """ TC: C2549 - Update managed account with using proxy account trying to Update managed account with using proxy account Steps: Pre: Create system with 1 proxy and manage account hand 1. Try to update invalid password for proxy account -Assert Failure 2. Try to update valid password for proxy account -Assert Failure 3. Try to check activity log's -Assert Failure 4. Try to check password history """ system_list = cleanup_resources[0] accounts_list = cleanup_accounts[0] # Getting system details. sys_name = f'{"Win-2012"}{guid()}' sys_details = pas_config add_user_in_target_system = remote_users_qty3 user_password = '******' fdqn = sys_details['Windows_infrastructure_data']['FQDN'] # Adding system. add_sys_result, add_sys_success = ResourceManager.add_system( core_session, sys_name, fdqn, 'Windows', "Rdp") assert add_sys_success, f"failed to add system:API response result:{add_sys_result}" logger.info(f"Successfully added system:{add_sys_result}") system_list.append(add_sys_result) # Update system with proxy user update_sys_success, update_sys_result = ResourceManager.update_system( core_session, add_sys_result, sys_name, fdqn, 'Windows', proxyuser=add_user_in_target_system[1], proxyuserpassword=user_password, proxyuserismanaged=True) assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}' logger.info(f"Successfully update the system:{update_sys_result}") # Update system with proxy user password. update_sys_success, update_sys_result = ResourceManager.update_system( core_session, add_sys_result, sys_name, fdqn, 'Windows', proxyuser=add_user_in_target_system[1], proxyuserpassword=guid(), proxyuserismanaged=True) assert update_sys_result is False, f'Fail to update the system:API response result: {update_sys_result}' logger.info(f"Successfully update the system:{update_sys_result}") # Adding account in portal. acc_result, acc_success = ResourceManager.add_account( core_session, add_user_in_target_system[0], password=user_password, host=add_sys_result, ismanaged=True) assert acc_success, f"Failed to add account in the portal: {acc_result}" logger.info( f"Successfully added account {add_user_in_target_system[0]} in the portal" ) accounts_list.append(acc_result) # set a different password for the user update_user_password(winrm_engine, add_user_in_target_system[1], user_password) user_name = core_session.get_user().get_login_name() # rotate password for manage account result, success = ResourceManager.rotate_password(core_session, acc_result) assert success, f"Did not Rotate Password {result}" logger.info( f'account activity logs for un manage account API response:{result}') result, success = ResourceManager.check_out_password( core_session, 1, acc_result) assert success, f"Did not retrieve password {result}" logger.info( f'account activity logs for un manage account API response:{result}') row = ResourceManager.get_system_activity(core_session, add_sys_result) assert f'{user_name} checked out local account "{add_user_in_target_system[0]}" ' \ f'password for system "{sys_name}"({fdqn})' in \ row[0]['Detail'], "user not able to update un managed account password" logger.info( f'account activity logs for un manage account API response:{row}') query = f"select EntityId, State, StateUpdatedBy, StateUpdatedTime from PasswordHistory where EntityId=" \ f"'{acc_result}' and StateUpdatedBy='{user_name}' and State='Retired'" password_history = RedrockController.get_result_rows( RedrockController.redrock_query(core_session, query))[0] assert len( password_history ) > 0, f"Password history table did not update {password_history}" logger.info(f'Password history table API response:{password_history}')