def test_add_system_with_root_with_managed_proxy_account(
core_session, unix_machine_environment_config,
cleanup_resources_with_admin, cleanup_accounts, create_unix_users,
ssh_session_as_root):
"""
Test case : C279340
:param ssh_session_as_root: session to create a user_account in unix
:param cleanup_accounts: to delete all accounts
:param cleanup_resources_with_admin: to delete the all the systems from portal
:param unix_machine_environment_config: to get the unix system details
:param core_session: Centrify session manager
:param create_unix_users: fixture that provide created unix system data
"""
systems_list = cleanup_resources_with_admin
accounts_list = cleanup_accounts[0]
conf = unix_machine_environment_config
hostname = conf['host'] + "_" + Util.random_string(5)
# add users on target system
users = create_unix_users(ssh_session_as_root, "manage-unix", 2)
logger.info("Users created " + str(len(users)))
proxy_user = users[0]
accountuser = users[1]
new_system_id, add_system_success = ResourceManager.add_system(
core_session, hostname, conf["ipaddress"], "Unix", "Ssh",
"Unix system")
assert add_system_success, "Add System Failed"
logger.info(f"Added system Id {new_system_id}")
systems_list.append(new_system_id)
# Update system with proxy user
update_sys_success, update_sys_result = ResourceManager.update_system(
core_session,
new_system_id,
hostname,
conf["ipaddress"],
'Unix',
proxyuser=proxy_user['Name'],
proxyuserpassword=proxy_user['Password'],
proxyuserismanaged=True)
assert update_sys_success, f'Fail to update the system:API response result: {update_sys_result}'
logger.info(f"Successfully update the system:{update_sys_result}")
admin_account_id, add_account_success = ResourceManager.add_account(
core_session, accountuser['Name'], accountuser['Password'],
new_system_id)
assert add_account_success, "Failed to create Account user: root"
logger.info(f"Added root Account. Id {admin_account_id}")
accounts_list.append(admin_account_id)
# Get computer details for update
result = RedrockController.get_system(core_session, new_system_id)
system = result[0]["Row"]
is_managed = system['ProxyUserIsManaged']
assert is_managed, f"Added account is not managed account"
def test_bulk_system_unenrolls_manually_single_system(core_session, core_ui, test_virtual_aapm_agent):
agent, server_prefix = test_virtual_aapm_agent
agent.enroll(core_session, True)
result = RedrockController.get_system(core_session, agent.computerUuid)
assert len(result) != 0
system = result[0]["Row"]
logger.info(agent.agentProfileId)
logger.info(agent.resourceName)
# Make sure agent has aapm feature
_validate_aapm_agent_details(core_session, [agent.agentProfileId], True)
ui = core_ui
ui.navigate('Resources', 'Systems')
ui.search(server_prefix)
assert ui.check_exists(GridCell(agent.resourceName)), "Missing server from view " + agent.resourceName
ui.action('Unenroll', agent.resourceName)
core_ui.switch_context(Modal('System Unenroll'))
core_ui.button('Unenroll')
logger.info(agent.agentProfileId)
logger.info(agent.resourceName)
# Test Unenroll should be successful and feature appm should be disabled
assert _wait_for_systems_validation(core_session, [agent.agentProfileId], False)
ui = core_ui
ui.navigate('Resources', 'Systems')
ui.search(server_prefix)
assert ui.check_exists(GridCell(agent.resourceName)), "Missing server from view " + agent.resourceName
agent.enroll(core_session, True)
ResourceManager.update_system(core_session, agent.computerUuid, system["Name"], system["FQDN"],
system["ComputerClass"],
allowautomaticlocalaccountmaintenance=True)
_validate_aapm_agent_details(core_session, [agent.agentProfileId], True)
ui.action('Unenroll', agent.resourceName)
core_ui.switch_context(Modal('System Unenroll'))
core_ui.uncheck("SkipIfAgentReconciliationEnabled")
core_ui.button('Unenroll')
# Test Unenroll should be successful and feature appm should be disabled
assert _wait_for_systems_validation(core_session, [agent.agentProfileId], False)
def test_bulk_system_unenroll_honours_skipPwdRecon_option(core_session, test_ten_virtual_aapm_agents):
agents, _ = test_ten_virtual_aapm_agents
all_agent_ids, all_server_ids = _setup_agents(core_session, agents)
unenroll_agent_ids = all_agent_ids[:4]
pwdRecon_agent_ids = all_agent_ids[4:6]
keep_agent_ids = all_agent_ids[6:]
unenroll_server_ids = all_server_ids[:4]
pwdRecon_server_ids = all_server_ids[4:6]
keep_server_ids = all_server_ids[6:]
#Set Pwd recon for the second set of systems
for server_id in pwdRecon_server_ids:
result = RedrockController.get_system(core_session, server_id)
assert len(result) != 0
system = result[0]["Row"]
ResourceManager.update_system(core_session, server_id, system["Name"], system["FQDN"],
system["ComputerClass"],
allowautomaticlocalaccountmaintenance=True)
all_agent_ids = unenroll_agent_ids + pwdRecon_agent_ids + keep_agent_ids
_validate_aapm_agent_details(core_session, all_agent_ids, True)
_, success = ResourceManager.unenroll_multiple_systems(core_session, unenroll_server_ids + pwdRecon_server_ids,
SkipIfAgentReconciliationEnabled=True)
assert success, f"unenroll multiple systems failed: {unenroll_server_ids + pwdRecon_server_ids}"
_validate_aapm_agent_details(core_session, unenroll_agent_ids, False)
_validate_aapm_agent_details(core_session, pwdRecon_agent_ids, True)
_validate_aapm_agent_details(core_session, keep_agent_ids, True)
#Now, uneroll the remaining agents with SkipIfAgentReconciliationEnabled=False
_, success = ResourceManager.unenroll_multiple_systems(core_session, pwdRecon_server_ids + keep_server_ids,
SkipIfAgentReconciliationEnabled=False)
assert success, f"Unenroll multiple systems failed: {pwdRecon_server_ids + keep_server_ids}"
_validate_aapm_agent_details(core_session, all_agent_ids, False)
def test_bulk_system_unenrolls_manually(core_session, core_ui, test_four_virtual_aapm_agents):
agents, server_prefix = test_four_virtual_aapm_agents
agent_ids, server_ids, names_of_servers = _setup_agents(core_session, agents)
# Make sure aapm is enabled
_validate_aapm_agent_details(core_session, agent_ids, True)
# enable paswdRecon on first and last system
result = RedrockController.get_system(core_session, server_ids[0])
system = result[0]["Row"]
ResourceManager.update_system(core_session, server_ids[0], system["Name"], system["FQDN"],
system["ComputerClass"],
allowautomaticlocalaccountmaintenance=True)
result = RedrockController.get_system(core_session, server_ids[3])
assert len(result) != 0
system = result[0]["Row"]
ResourceManager.update_system(core_session, server_ids[3], system["Name"], system["FQDN"],
system["ComputerClass"],
allowautomaticlocalaccountmaintenance=True)
ui = core_ui
ui.navigate('Resources', 'Systems')
ui.search(server_prefix)
for name in names_of_servers:
assert ui.check_exists(GridCell(name)), "Missing server from view " + name
ui.action('Unenroll Systems', names_of_servers)
core_ui.switch_context(Modal('Bulk System Unenroll'))
core_ui.button('Unenroll')
core_ui.switch_context(InfoModal())
core_ui.button('Close')
_wait_for_systems_validation(core_session, agent_ids[1:3], False)
_validate_aapm_agent_details(core_session, agent_ids[:1], True)
_validate_aapm_agent_details(core_session, agent_ids[3:], True)
# Now lets re-enroll and enable aapm on 1 and 2 systems and run the unenroll operation
# with SkipIfAgentReconciliationEnabled unchecked
# Expected: Both systems should successfully unenroll
_setup_agents(core_session, agents)
# Make sure aapm is enabled on all systems
_validate_aapm_agent_details(core_session, agent_ids, True)
ui = core_ui
ui.navigate('Resources', 'Systems')
ui.search(server_prefix)
for name in names_of_servers:
assert ui.check_exists(GridCell(name)), "Missing server from view " + name
ui.action('Unenroll Systems', names_of_servers)
core_ui.switch_context(Modal('Bulk System Unenroll'))
core_ui.uncheck("SkipIfAgentReconciliationEnabled")
core_ui.button('Unenroll')
core_ui.switch_context(InfoModal())
core_ui.button('Close')
_wait_for_systems_validation(core_session, agent_ids, False)
def test_bulk_system_unenrolls_manually_from_set(core_session, core_admin_ui, create_manual_set,
test_four_virtual_aapm_agents):
agents, server_prefix = test_four_virtual_aapm_agents
agent_ids, server_ids, names_of_servers = _setup_agents(core_session, agents)
# Make sure aapm is enabled
_wait_for_systems_validation(core_session, agent_ids, True)
# enable paswdRecon on first system and last system
result = RedrockController.get_system(core_session, server_ids[0])
assert len(result) != 0
system = result[0]["Row"]
ResourceManager.update_system(core_session, server_ids[0], system["Name"], system["FQDN"],
system["ComputerClass"],
allowautomaticlocalaccountmaintenance=True)
result = RedrockController.get_system(core_session, server_ids[3])
assert len(result) != 0
system = result[0]["Row"]
ResourceManager.update_system(core_session, server_ids[3], system["Name"], system["FQDN"],
system["ComputerClass"],
allowautomaticlocalaccountmaintenance=True)
# Non-ui stuff, create a custom set, and all the new systems to that set.
manual_set = create_manual_set(core_session, "Server")
update_success, update_result = SetsManager.update_members_collection(core_session, 'add', server_ids, 'Server',
manual_set['ID'])
assert update_success, f"Failed to add resources {server_ids} to Set {manual_set['Name']}"
ui = core_admin_ui
ui.navigate('Resources', 'Systems')
ui.search(server_prefix)
ui.set_action(manual_set['Name'], "Unenroll Systems")
ui.switch_context(Modal('Bulk System Unenroll'))
ui.button('Unenroll')
ui.switch_context(NoTitleModal())
ui.button('Close')
_wait_for_systems_validation(core_session, agent_ids[1:3], False)
_validate_aapm_agent_details(core_session, agent_ids[:1], True)
_validate_aapm_agent_details(core_session, agent_ids[3:], True)
# Now lets re-enroll and enable aapm on 1 and 2 systems and run the unenroll operation
# with SkipIfAgentReconciliationEnabled unchecked
# Expected: Both systems should successfully unenroll
_setup_agents(core_session, agents)
# Make sure aapm is enabled on all systems
_validate_aapm_agent_details(core_session, agent_ids, True)
ui = core_admin_ui
ui.navigate('Resources', 'Systems')
ui.search(server_prefix)
ui.set_action(manual_set['Name'], "Unenroll Systems")
ui.switch_context(Modal('Bulk System Unenroll'))
ui.uncheck("SkipIfAgentReconciliationEnabled")
ui.button('Unenroll')
ui.switch_context(NoTitleModal())
ui.button('Close')
# Make sure aapm is disabled on both systems
_wait_for_systems_validation(core_session, agent_ids, False)
def agent_enrolled_windows_system_with_users(
core_session_global, agent_enrolled_windows_system, users_and_roles,
remote_users_qty1, cleanup_accounts, pas_ad_domain,
pas_ad_administrative_account, cleanup_lapr_systems_and_domains,
proxy_start_stop):
config = Configs().get_yaml_node_as_tuple("agents", "generic_cagent_win")
accounts_list = cleanup_accounts[0]
domains_list = cleanup_lapr_systems_and_domains[1]
systems_list = cleanup_lapr_systems_and_domains[0]
user = remote_users_qty1
proxycontrol = proxy_start_stop
accountusers = [{"Name": user[0], "Password": "******"}]
logger.info("Users created " + str(len(accountusers)))
for i, val in enumerate(accountusers):
logger.info(
str(i) + ", Name: " + val["Name"] + "Password:"******"Password"])
logger.info("adding users on the enrolled system")
system_id = agent_enrolled_windows_system["ResourceId"]
winrm_session_as_admin = agent_enrolled_windows_system["Session"]
adminuser = {
"Name": config.admin_username,
"Password": config.admin_password
}
domain_id = pas_ad_domain['ID']
admin_id = pas_ad_administrative_account['ID']
right_data = ("Privileged Access Service Power User",
"role_Privileged Access Service Power User")
requester_session = users_and_roles.get_session_for_user(right_data[0])
role_info = users_and_roles.get_role(right_data[0])
domains_list.append(pas_ad_domain)
systems_list.append(system_id)
logger.info(
"Setting Domain Administrator user as Administrative Account on domain."
)
result, success, response = ResourceManager.set_administrative_account(
core_session_global, [pas_ad_domain['Name']],
pas_ad_administrative_account['User'],
pas_ad_administrative_account['ID'])
logger.info(
"Setting Administrative Account on domain, but with no lapr settings enabled."
)
result, success = ResourceManager.update_domain_accounts(
core_session_global,
pas_ad_domain['Name'],
admin_id,
domain_id,
allowautomaticlocalaccountmaintenance=True,
allowmanuallocalaccountunlock=True)
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(
core_session_global, permission_string, role_info['Name'],
role_info['ID'], "Role", system_id)
assert success, f"Did not set system permissions {result}"
# Step 3 Create Accounts for testing
logger.info("Adding Admin account")
admin_account_id, add_account_success = ResourceManager.add_account(
requester_session,
adminuser['Name'],
adminuser["Password"],
system_id,
ismanaged=False)
assert add_account_success, "Failed to create admin user"
logger.info(f"Added root Account. Id {admin_account_id}")
accounts_list.append(admin_account_id)
logger.info("Adding user for reconciliation")
new_account_id, add_account_success = ResourceManager.add_account(
requester_session,
accountusers[0]['Name'],
accountusers[0]['Password'],
system_id,
ismanaged=True)
assert add_account_success, "Failed to create manged Account user: "******", Verify CC or agent settings and status"
logger.info(f"Added Account for testing. Id {new_account_id}")
accounts_list.append(new_account_id)
permission_string = "Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword,FileTransfer,UserPortalLogin"
result, success = ResourceManager.assign_account_permissions(
core_session_global, permission_string, role_info['Name'],
role_info['ID'], "Role", new_account_id)
assert success, "Did not set account permissions " + result
# Get computer details for update
result = RedrockController.get_system(requester_session, system_id)
system = result[0]["Row"]
# wait for managed password change event
filter = [['AccountName', accountusers[0]['Name']]]
RedrockController.wait_for_event_by_type_filter(
requester_session,
"Cloud.Server.LocalAccount.PasswordChange",
filter=filter,
maximum_wait_second=120) # wait for 120 seonds
accounts = [{
"Name": adminuser['Name'],
"Password": adminuser["Password"],
"Id": admin_account_id
}, {
"Name": accountusers[0]["Name"],
"Password": accountusers[0]["Password"],
"Id": new_account_id
}]
# set proxy
proxy = start_proxy_with_machinename(requester_session, proxycontrol,
config.proxy_name)
assert proxy != None, (
f'Failed to find the connector {config.proxy_name}, Setup the connector properly before the test'
)
result, success = ResourceManager.update_system(requester_session,
system_id,
system["Name"],
system["FQDN"],
'Windows',
domainid=domain_id,
proxycollectionlist=proxy)
assert success, (f'Failed to set reconciliation settings {result}')
result, success = ResourceManager.update_system(
requester_session,
system_id,
system["Name"],
system["FQDN"],
'Windows',
proxycollectionlist=proxy,
allowautomaticlocalaccountmaintenance=True,
allowmanuallocalaccountunlock=True)
assert success, (f'Failed to set reconciliation settings {result}')
# update_system reset the proxycollectionlist setting? Set it again.
result, success = ResourceManager.update_system(requester_session,
system_id,
system["Name"],
system["FQDN"],
'Windows',
domainid=domain_id,
proxycollectionlist=proxy)
assert success, (f'Failed to set reconciliation settings {result}')
# return acount ids, computer,
yield [{
"ResourceId": system_id,
"ProxyId": proxy,
"ResourceFQDN": system["FQDN"],
"Accounts": accounts,
"Session": winrm_session_as_admin
}]
result, success, message = ResourceManager.set_system_administrative_account(
requester_session, system_id)
assert success, f'Failed to remove administrative account on {message}'
def agent_enrolled_unix_system_with_users(core_tenant, core_session_global,
agent_enrolled_unix_system,
users_and_roles, cleanup_accounts,
create_unix_users, proxy_start_stop,
detect_proxy):
config = Configs().get_yaml_node_as_tuple("agents", "generic_cagent_unix")
accounts_list = cleanup_accounts[0]
proxycontrol = proxy_start_stop
logger.info("adding users on the enrolled system")
system_id = agent_enrolled_unix_system["ResourceId"]
ssh_session = agent_enrolled_unix_system["Session"]
adminuser = {"Name": config.username, "Password": config.password}
# add users on target system
accountusers = create_unix_users(ssh_session, "agent_", 2)
logger.info("Users created " + str(len(accountusers)))
for i, val in enumerate(accountusers):
logger.info(
str(i) + ", Name: " + val["Name"] + "Password:"******"Password"])
right_data = ("Privileged Access Service Power User",
"role_Privileged Access Service Power User")
requester_session = users_and_roles.get_session_for_user(right_data[0])
role_info = users_and_roles.get_role(right_data[0])
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(
core_session_global, permission_string, role_info['Name'],
role_info['ID'], "Role", system_id)
assert success, "Did not set system permissions " + result
# Step 3 Create Accounts for testing
logger.info("Adding root account")
admin_account_id, add_account_success = ResourceManager.add_account(
requester_session,
adminuser['Name'],
adminuser["Password"],
system_id,
ismanaged=False)
assert add_account_success, "Failed to create Account user: root"
logger.info(f"Added root Account. Id {admin_account_id}")
accounts_list.append(admin_account_id)
logger.info("Adding user for reconciliation")
new_account_id, add_account_success = ResourceManager.add_account(
requester_session,
accountusers[0]['Name'],
accountusers[0]['Password'],
system_id,
ismanaged=True)
assert add_account_success, "Failed to create manged Account user: "******", Verify CC or agent settings and status"
logger.info(f"Added Account for testing. Id {new_account_id}")
accounts_list.append(new_account_id)
permission_string = "Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword,FileTransfer,UserPortalLogin"
result, success = ResourceManager.assign_account_permissions(
core_session_global, permission_string, role_info['Name'],
role_info['ID'], "Role", new_account_id)
assert success, "Did not set account permissions " + result
# Get computer details for update
result = RedrockController.get_system(requester_session, system_id)
system = result[0]["Row"]
# wait for managed password change event
filter = [['AccountName', accountusers[0]['Name']]]
RedrockController.wait_for_event_by_type_filter(
requester_session,
"Cloud.Server.LocalAccount.PasswordChange",
filter=filter,
maximum_wait_second=120) # wait for 20 seonds
accounts = [{
"Name": adminuser['Name'],
"Password": adminuser["Password"],
"Id": admin_account_id
}, {
"Name": accountusers[0]["Name"],
"Password": accountusers[0]["Password"],
"Id": new_account_id
}]
proxy = start_proxy_with_machinename(requester_session, proxycontrol,
config.proxy_name)
assert proxy != None, (
f'Failed to find the connector {config.proxy_name}, Setup the connector properly.'
)
# Set Admin Account and enable local account maintenance
result, success = ResourceManager.update_system(
requester_session,
system_id,
system["Name"],
system["FQDN"],
'Unix',
proxycollectionlist=proxy,
adminaccountid=admin_account_id,
allowautomaticlocalaccountmaintenance=True)
assert success, (f'Failed to set administrative account {result}')
# return acount ids, computer,
yield [{
"ResourceId": system_id,
"ProxyId": proxy,
"ResourceName": system["Name"],
"Accounts": accounts,
"Session": ssh_session
}]
result, success, message = ResourceManager.set_system_administrative_account(
requester_session, system_id)
assert success, f'Failed to remove administrative account on {message}'
def test_ui_check_after_request_login_checkout(core_session, pas_setup,
get_limited_user_function):
"""
Test case: C2121
:param core_session: Authenticated Centrify session
:param pas_setup: fixture to create system with accounts
:param users_and_roles: fixture to create user with specific right
"""
system_id, account_id, sys_info = pas_setup
limited_sesh, limited_user = get_limited_user_function
username = limited_sesh.auth_details["User"]
user_id = limited_sesh.auth_details['UserId']
result, status = ResourceManager.assign_system_permissions(core_session,
"View,Edit",
username,
user_id,
pvid=system_id)
assert status, f'failed to assign "Edit" permission to user {username} for system {sys_info[0]}'
logger.info(
f'Edit permission assigned to user {username} for system {sys_info[0]}'
)
# Assigning rights to cloud user, excluding checkout and Login right.
rights = "View,Manage"
result, success = ResourceManager.assign_account_permissions(
core_session, rights, username, user_id, pvid=account_id)
assert success, f'failed to assign rights: {rights} to cloud user {username} for account {sys_info[4]} ' \
f'of {sys_info[0]}.'
logger.info(
f'rights {rights} successfully assigned to to cloud user {username} for account {sys_info[4]} '
f'of {sys_info[0]}.')
# enabling account workflow
result, status = ResourceManager.update_account_with_approver(
core_session, account_id, sys_info[4], system_id,
core_session.get_user().get_id(),
core_session.get_user().get_login_name())
assert status, f'failed to enable account workflow for account {sys_info[4]} of system {sys_info[0]}'
logger.info(
f'workflow enabled for account {sys_info[4]} of system {sys_info[0]}.')
req_request, req_success = WorkflowManager.request_checkout(
limited_sesh,
account_id,
starttime=None,
endtime=None,
accesstype="Login",
assignmenttype="perm")
assert req_success, "Workflow Request Failed"
logger.info(f'Workflow Request is success: {req_request}')
logger.info(
f'user: {username} successfully requested for Login in account: {sys_info[4]}'
)
# Step: Request login for an Account
timenow = datetime.datetime.utcnow()
start_time = str(timenow)
end_time = str(timenow + datetime.timedelta(hours=1))
req_request, req_success = WorkflowManager.request_checkout(
limited_sesh, account_id, start_time, end_time, "Reason: Testing",
"Checkout")
assert req_success, "Workflow checkout Request Failed"
logger.info(f'Workflow checkout Request is success: {req_request}')
logger.info(
f'user: {username} successfully requested for checkout of account: {sys_info[4]}'
)
test_description = f"Test description by user: {username}"
result, success = ResourceManager.update_system(
core_session,
system_id,
sys_info[0],
sys_info[1],
"Windows",
description=test_description)
assert success, f"Unable to add a description: {sys_info[0]}. API response result: {result}"
logger.info(
f'successfully updated the description of system: {sys_info[0]}')
# Get computer details
result = RedrockController.get_system(core_session, system_id)
assert result[0]['Row'][
'Description'] == test_description, f'System description is mismatched'
logger.info(
f'successfully matched the description of system: {sys_info[0]}')
