def test_bulk_system_unenroll_by_api_set_correct_systems_fast_track(core_session, test_four_virtual_aapm_agents):
agents, _ = test_four_virtual_aapm_agents
all_agent_ids, all_server_ids = _setup_agents(core_session, agents)
unenroll_agent_ids = all_agent_ids[:2]
unenroll_server_ids = all_server_ids[:2]
keep_agent_ids = all_agent_ids[2:]
_validate_aapm_agent_details(core_session, all_agent_ids, True)
some_set_name = "ApiSet" + guid()
SetsManager.create_manual_collection(core_session, some_set_name, "Server", None)
set_id = SetsManager.get_collection_id(core_session, some_set_name, "Server")
SetsManager.update_members_collection(core_session, 'add', list(unenroll_server_ids), 'Server', set_id)
collection_and_filters = SetsManager.get_object_collection_and_filter_by_name(core_session, some_set_name, "Server")
filters = collection_and_filters['Filters']
logger.info(f'Manual set {collection_and_filters} - members - {unenroll_server_ids}')
_, success = ResourceManager.unenroll_multiple_systems_by_query(core_session, filters, wait_time=0,
SkipIfAgentReconciliationEnabled=True,
run_sync=True)
assert success, f'Unenroll systems job failed when expected success: {unenroll_server_ids}'
SetsManager.delete_collection(core_session, set_id)
_validate_aapm_agent_details(core_session, unenroll_agent_ids, False)
_validate_aapm_agent_details(core_session, keep_agent_ids, True)
def test_bulk_system_by_api_set_correct_systems_and_accounts_fast_track(clean_bulk_delete_systems_and_accounts,
core_session, list_of_created_systems):
batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 3, 4, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 1, 2, list_of_created_systems,
sys_type="Unix")
batch3 = ResourceManager.add_multiple_systems_with_accounts(core_session, 5, 1, list_of_created_systems,
sys_type="Unix")
delete_system_ids, delete_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch2])
keep_system_ids, keep_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch1, batch3])
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2, batch3])
some_set_name = "ApiSet" + guid()
SetsManager.create_manual_collection(core_session, some_set_name, "Server", None)
set_id = SetsManager.get_collection_id(core_session, some_set_name, "Server")
SetsManager.update_members_collection(core_session, 'add', list(delete_system_ids), 'Server', set_id)
collection_and_filters = SetsManager.get_object_collection_and_filter_by_name(core_session, some_set_name, "Server")
filters = collection_and_filters['Filters']
logger.info(f'Manual set {collection_and_filters} - members - {delete_system_ids}')
result, success = ResourceManager.del_multiple_systems_by_query(core_session, filters, savepasswords=False,
secretname="", run_sync=True)
assert success is True, f'Delete systems job failed when expected success'
SetsManager.delete_collection(core_session, set_id)
assert set(ResourceManager.get_multi_added_system_ids(core_session,
all_systems).values()) == keep_system_ids, "Set of expected remaining systems did not match search"
assert set(ResourceManager.get_multi_added_account_ids(core_session,
all_systems)) == keep_account_ids, "Set of expected remaining accounts did not match search"
def test_bulk_manage_works_with_different_methods_of_specifying_systems(
core_session,
remote_unmanaged_users_with_mirrored_managed_local_users_qty3,
windows_test_machine_config, change_method):
account_ids = remote_unmanaged_users_with_mirrored_managed_local_users_qty3
job_result = None
if change_method == "ids":
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, account_ids)
assert success, "Did not bulk manage account"
elif change_method == "ids_with_invalid":
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, ["foo"] + list(account_ids))
assert success, "Did not bulk manage account"
elif change_method == "sql":
sql_query = 'SELECT * FROM VaultAccount WHERE ' + ' OR '.join(
('VaultAccount.ID = "' + str(n) + '"' for n in account_ids))
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, [], set_query=sql_query)
assert success, "Did not bulk manage accounts"
elif change_method == "group":
some_set_name = "ApiSet" + guid()
SetsManager.create_manual_collection(core_session, some_set_name,
"VaultAccount", None)
set_id = SetsManager.get_collection_id(core_session, some_set_name,
"VaultAccount")
SetsManager.update_members_collection(core_session, 'add', account_ids,
'VaultAccount', set_id)
filters = SetsManager.get_object_collection_and_filter_by_name(
core_session, some_set_name, "VaultAccount")['Filters']
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, [], set_query=filters)
assert success, "Did not bulk manage accounts"
else:
raise Exception(f"Bad input variable change_method {change_method}")
_validate_accounts_are_managed(core_session, account_ids, job_result)
user_info = core_session.get_current_session_user_info().json()['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Success.Multi'
start_message = f'{username} initiated management of {len(account_ids)} accounts'
end_message = f'{username} successfully managed {len(account_ids)} accounts'
RedrockController.expect_event_message_by_type(core_session, start_type,
start_message)
RedrockController.expect_event_message_by_type(core_session, end_type,
end_message)
def test_bulk_account_delete_job_fails_due_to_invalid_request_missing_secret(
clean_bulk_delete_systems_and_accounts, core_session, simulate_failure,
list_of_created_systems):
batch = ResourceManager.add_multiple_systems_with_accounts(
core_session, 1, 1, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch])
some_set_name = "ApiSet" + guid()
success, set_id = SetsManager.create_manual_collection(
core_session, some_set_name, "VaultAccount", None)
assert success, "Did not create collection"
SetsManager.update_members_collection(core_session, 'add',
list(all_accounts), 'VaultAccount',
set_id)
params = Util.scrub_dict({
'Ids': list(all_accounts),
'SaveToSecrets': simulate_failure,
'SecretName': "Bulk Account Delete",
'SetQuery': "",
'SkipIfHasAppsOrServices': simulate_failure
})
if simulate_failure:
request = core_session.apirequest(EndPoints.ACCOUNT_MULTI_DELETE,
params)
request_json = request.json()
result, success = request_json['Result'], request_json['success']
ResourceManager.wait_for_job_state_succeeded(core_session, result)
assert simulate_failure == success, f"Query success was unexpected value, with message {result}"
else:
request = core_session.apirequest(EndPoints.ACCOUNT_MULTI_DELETE,
params)
request_json = request.json()
result, success = request_json['Result'], request_json['success']
ResourceManager.wait_for_job_state_succeeded(core_session, result)
assert not simulate_failure == success, f"Query success was unexpected value, with message {result}"
total_account = RedrockController.get_accounts(core_session)
SetsManager.delete_collection(core_session, set_id)
list_account = []
for get_account in total_account:
if get_account['ID'] == all_accounts:
list_account.append(get_account['ID'])
assert 0 == len(
list_account
), "Number of remaining added accounts was unexpected number"
def test_bulk_rotate_works_with_different_methods_of_specifying_systems(
core_session,
remote_users_with_mirrored_managed_local_users_qty3, windows_test_machine_config, change_method):
remote_ip = windows_test_machine_config['ip_address']
account_ids, accounts = BulkOperations.grab_relevant_users(core_session, remote_users_with_mirrored_managed_local_users_qty3)
passwords_fetched = BulkOperations.checkout_users(core_session, accounts)
BulkOperations.validate_users_with_login(remote_ip, passwords_fetched)
if change_method == "checkin": # disabled, out of scope
BulkOperations.check_in_users(core_session, passwords_fetched)
elif change_method == "ids":
result, success = ResourceManager.rotate_multiple_passwords(core_session, account_ids)
assert success, "Did not bulk rotate passwords"
elif change_method == "ids_with_invalid":
result, success = ResourceManager.rotate_multiple_passwords(core_session, account_ids)
assert success, "Did not bulk rotate passwords"
elif change_method == "sql":
sql_query = 'SELECT * FROM VaultAccount ' \
'WHERE ' + ' OR '.join(('VaultAccount.ID = "' + str(n) + '"' for n in account_ids))
result, success = ResourceManager.rotate_multiple_passwords(core_session, [], set_query=sql_query)
assert success, "Did not bulk rotate passwords"
elif change_method == "group":
some_set_name = "ApiSet" + guid()
SetsManager.create_manual_collection(core_session, some_set_name, "VaultAccount", None)
set_id = SetsManager.get_collection_id(core_session, some_set_name, "VaultAccount")
SetsManager.update_members_collection(core_session, 'add', account_ids, 'VaultAccount', set_id)
filters = SetsManager.get_object_collection_and_filter_by_name(core_session,
some_set_name, "VaultAccount")['Filters']
result, success = ResourceManager.rotate_multiple_passwords(core_session, [], set_query=filters)
assert success, "Did not bulk rotate passwords"
else:
raise Exception(f"Bad input variable change_method {change_method}")
BulkOperations.validate_users_with_login(remote_ip, passwords_fetched, [False] * len(passwords_fetched), change_method)
# Verify passwords are no longer right
user_info = core_session.get_current_session_user_info().json()['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Success.Multi'
start_message = f'{username} initiated password rotation of {len(account_ids)} accounts'
end_message = f'{username} successfully rotated {len(account_ids)} account passwords'
RedrockController.expect_event_message_by_type(core_session, start_type, start_message)
RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_a_secret_can_belong_to_multiple_sets(core_session, create_set_manual,
added_secrets,
pas_general_secrets,
cleanup_secrets_and_folders,
set_cleaner):
"""test method to check that a secret belongs to multiple set"""
added_secret_id, added_secret_name = added_secrets
set_params = pas_general_secrets
prefix = guid()
set_success, set_id = create_set_manual
"""Api to create another set manually"""
success, setid = SetsManager.create_manual_collection(
core_session, prefix + set_params['set_name'], 'DataVault')
logger.info(f'creating manual set:{success} with setid as: {setid}')
assert success is True, f'Failed to create manual set with one initial member {setid}'
text_secret_id = added_secret_id[0]
"""Api to add set to existing secret"""
added_to_set_success, added_to_set_result = SetsManager.update_members_collection(
core_session, 'add', [text_secret_id], "DataVault", set_id)
assert added_to_set_success, f'Failed to add secret to set{added_to_set_result}'
logger.info(f'Adding secret to one set: {added_to_set_success}')
"""Api to add another set to same secret"""
added_to_set_success, added_to_set_result = SetsManager.update_members_collection(
core_session, 'add', [text_secret_id], "DataVault", setid)
assert added_to_set_success, f'Failed to add secret to set{added_to_set_result}'
logger.info(f'Adding secret to another set: {added_to_set_success}')
"""Redrock query to fetch set related details"""
get_set_1 = RedrockController.verify_set_secret(core_session, set_id,
text_secret_id)
logger.info(f'{get_set_1}')
logger.info(
f'Verifiying secret name {get_set_1[0]["Row"]["SecretName"]} in '
f'set 1 with ID {get_set_1[0]["Row"]["CollectionID"]} ')
get_set_2 = RedrockController.verify_set_secret(core_session, setid,
text_secret_id)
logger.info(
f'Verifiying secret name {get_set_2[0]["Row"]["SecretName"]} in another '
f'set with ID {get_set_2[0]["Row"]["CollectionID"]}')
"""to verify that same secret is added to multiple sets"""
text_to_verify = 'secret1'
assert (text_to_verify in get_set_1[0]["Row"]["SecretName"]) and (
text_to_verify in get_set_2[0]["Row"]["SecretName"]
), f'secret doesnt belong to multiple set'
set_cleaner.append(setid)
def test_bulk_account_by_api_set_correct_accounts(
clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, core_admin_ui):
batch = ResourceManager.add_multiple_systems_with_accounts(
core_session, 2, 2, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch])
delete_ids, keep_ids = DataManipulation.shuffle_and_split_into_two_lists(
all_accounts)
some_set_name = "ApiSet" + guid()
success, set_id = SetsManager.create_manual_collection(
core_session, some_set_name, "VaultAccount", None)
assert success, "Did not create collection"
SetsManager.update_members_collection(core_session, 'add',
list(delete_ids), 'VaultAccount',
set_id)
filters = SetsManager.get_object_collection_and_filter_by_name(
core_session, some_set_name, "VaultAccount")['Filters']
result, success = ResourceManager.del_multiple_accounts_by_query(
core_session, filters)
assert success, "del_multiple_accounts_by_query failed " + result
SetsManager.delete_collection(core_session, set_id)
assert set(
ResourceManager.get_multi_added_system_ids(
core_session, all_systems).values()) == set(
all_systems), "Wrong set of added systems found"
assert set(
ResourceManager.get_multi_added_account_ids(
core_session,
all_systems)) == set(keep_ids), "Wrong set of added accounts found"
def test_bulk_system_unenrolls_manually_from_set(core_session, core_admin_ui, create_manual_set,
test_four_virtual_aapm_agents):
agents, server_prefix = test_four_virtual_aapm_agents
agent_ids, server_ids, names_of_servers = _setup_agents(core_session, agents)
# Make sure aapm is enabled
_wait_for_systems_validation(core_session, agent_ids, True)
# enable paswdRecon on first system and last system
result = RedrockController.get_system(core_session, server_ids[0])
assert len(result) != 0
system = result[0]["Row"]
ResourceManager.update_system(core_session, server_ids[0], system["Name"], system["FQDN"],
system["ComputerClass"],
allowautomaticlocalaccountmaintenance=True)
result = RedrockController.get_system(core_session, server_ids[3])
assert len(result) != 0
system = result[0]["Row"]
ResourceManager.update_system(core_session, server_ids[3], system["Name"], system["FQDN"],
system["ComputerClass"],
allowautomaticlocalaccountmaintenance=True)
# Non-ui stuff, create a custom set, and all the new systems to that set.
manual_set = create_manual_set(core_session, "Server")
update_success, update_result = SetsManager.update_members_collection(core_session, 'add', server_ids, 'Server',
manual_set['ID'])
assert update_success, f"Failed to add resources {server_ids} to Set {manual_set['Name']}"
ui = core_admin_ui
ui.navigate('Resources', 'Systems')
ui.search(server_prefix)
ui.set_action(manual_set['Name'], "Unenroll Systems")
ui.switch_context(Modal('Bulk System Unenroll'))
ui.button('Unenroll')
ui.switch_context(NoTitleModal())
ui.button('Close')
_wait_for_systems_validation(core_session, agent_ids[1:3], False)
_validate_aapm_agent_details(core_session, agent_ids[:1], True)
_validate_aapm_agent_details(core_session, agent_ids[3:], True)
# Now lets re-enroll and enable aapm on 1 and 2 systems and run the unenroll operation
# with SkipIfAgentReconciliationEnabled unchecked
# Expected: Both systems should successfully unenroll
_setup_agents(core_session, agents)
# Make sure aapm is enabled on all systems
_validate_aapm_agent_details(core_session, agent_ids, True)
ui = core_admin_ui
ui.navigate('Resources', 'Systems')
ui.search(server_prefix)
ui.set_action(manual_set['Name'], "Unenroll Systems")
ui.switch_context(Modal('Bulk System Unenroll'))
ui.uncheck("SkipIfAgentReconciliationEnabled")
ui.button('Unenroll')
ui.switch_context(NoTitleModal())
ui.button('Close')
# Make sure aapm is disabled on both systems
_wait_for_systems_validation(core_session, agent_ids, False)
def test_needs_edit_permission_to_replace_contents(core_session,
users_and_roles,
added_secrets_file,
added_secrets,
pas_general_secrets):
"""
C283887: User needs edit permission on the secret to replace the contents.
:param core_session: Authenticated Centrify Session
:param users_and_roles: Fixture to create New user with PAS Power User & PAS User Rights
:param added_secrets_file: Fixture to create file type secret
:param added_secrets: Fixture to create text type secret
:param pas_general_secrets: Fixture to read secret data from yaml file
"""
secrets_params = pas_general_secrets
added_file_secret_id = added_secrets_file
added_text_secret_id, added_text_secret_name = added_secrets
suffix = guid()
# API to get new session for User A
pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User'
user_name = pas_power_user_session.auth_details['User']
user_id = pas_power_user_session.auth_details['UserId']
logger.info(f'User with PAS Power User Rights login successfully: user_Name:{user_name}')
# setting user permissions for file_type_secret"""
file_type_secret_result, file_type_secret_success = set_users_effective_permissions(core_session,
user_name,
'View,Grant',
user_id,
added_file_secret_id)
assert file_type_secret_success, f'setting permissions for file type secret failed: {file_type_secret_result}'
logger.info(f'setting permissions for file type secret: {file_type_secret_success}')
# setting user permissions for file_type_secret"""
text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session,
user_name,
'View,Grant,Edit',
user_id,
added_text_secret_id[0])
assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}'
logger.info(f'setting permissions for text type secret: : {text_type_secret_success}')
# Replacing the content of the secret
secret_updated = update_secret(pas_power_user_session,
added_text_secret_id[0],
secrets_params['mfa_secret_name_update'] + suffix,
description=secrets_params['mfa_secret_description'],
secret_text=secrets_params['secret_text_updated'] + suffix)
assert secret_updated['success'], f'Failed to update secret: {secret_updated["Result"]["ID"]}'
logger.info(f' Successfully updated text type secret: {secret_updated}')
# Verifying replaced secret
get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents(
core_session, added_text_secret_id[0])
logger.info(f'Secret Updated details: {get_secret_details}')
replaced_content = get_secret_details['SecretText']
assert secrets_params['secret_text_updated'] in replaced_content, \
f'Failed to replace the secrets:{replaced_content}'
secret_name = get_secret_details['SecretName']
# creating set manually
success, set_id = SetsManager.create_manual_collection(pas_power_user_session, secrets_params['set_name'] + suffix,
'DataVault')
assert success, f'Failed to create manual set: {set_id}'
logger.info(f'creating manual set:{success} with setid as: {set_id}')
# Adding set to secret
added_to_set_success, added_to_set_result = SetsManager.update_members_collection(pas_power_user_session,
'add',
[added_text_secret_id[0]],
"DataVault", set_id)
assert added_to_set_success, f'Failed to add secret to set: {added_to_set_result}'
logger.info(f'Adding secret to set: {added_to_set_success}')
# Redrock query to fetch "Add to set" related details
get_set_info = RedrockController.verify_set_secret(pas_power_user_session, set_id, added_text_secret_id[0])
logger.info(f'{get_set_info}')
assert get_set_info[0]["Row"]["SecretName"] == secret_name, f' Failed to get "ADD to Set" inside "Actions"'
logger.info(f'Verifiying secret name {get_set_info[0]["Row"]["SecretName"]} in '
f'set with ID {get_set_info[0]["Row"]["CollectionID"]} ')