def test_bulk_system_unenroll_works_with_built_in_set(core_session, clean_users, users_and_roles,
get_environment, test_four_virtual_aapm_agents):
Engines = get_environment
if Engines == "AWS - PLV8":
agents, _ = test_four_virtual_aapm_agents
agent_ids, server_ids = _setup_agents(core_session, agents)
right_data = ("Privileged Access Service Power User", "role_Privileged Access Service Power User")
requester_session = users_and_roles.get_session_for_user(right_data[0])
role_info = users_and_roles.get_role(right_data[0])
_validate_aapm_agent_details(core_session, agent_ids, True)
for system_id in server_ids:
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,' \
'UnlockAccount '
result, success = ResourceManager.assign_system_permissions(core_session,
permission_string,
role_info['Name'], role_info['ID'], "Role",
system_id)
assert success, "Did not set system permissions " + result
ResourceManager.unenroll_multiple_systems_by_query(requester_session, '@@Unix Servers')
# not asserting success or failure, the admin may have access to systems created by other tests which
# would not succeed
_validate_aapm_agent_details(core_session, agent_ids, False)
else:
skip('todo: Fix this test to work on azure')
def test_delete_system_with_stored_account(core_session, network_device_setup):
"""
TC: C2608 - Delete system with stored account
:param core_session: Authenticated Centrify session.
:param network_device_setup: Adds a network with account and returns UUID of both.
"""
system_id, account_id, device_data, system_list, account_list = network_device_setup(
'checkpoint')
# Deleting system without deleting associated account.
result, success = ResourceManager.del_system(core_session, system_id)
assert not success, f"System successfully deleted though system have active accounts. API response result: {result}"
logger.info("Unable to delete the system. System has active accounts.")
# Deleting associated account
result, success = ResourceManager.del_account(core_session, account_id)
assert success, f"Unable to delete account {account_id}, API response result: {result}."
logger.info(f"Account :{account_id} successfully deleted.")
account_list.remove(account_id) # To avoid error during account cleanup.
# Deleting system after deleting the associated account.
result, success = ResourceManager.del_system(core_session, system_id)
assert success, f"System: {system_id} successfully deleted. API response result: {result}"
logger.info(
"System successfully deleted after deleting the associated accounts.")
system_list.remove(system_id) # To avoid error during resource cleanup.
def test_bulk_rotate_works(core_session,
remote_users_with_mirrored_managed_local_users_qty3,
windows_test_machine_config, users_and_roles):
remote_ip = windows_test_machine_config['ip_address']
account_ids, accounts = BulkOperations.grab_relevant_users(
core_session, remote_users_with_mirrored_managed_local_users_qty3)
account_names = []
for i in range(len(accounts)):
account_names.append(accounts[i][1])
passwords_fetched = BulkOperations.checkout_users(core_session, accounts)
result, success = ResourceManager.rotate_multiple_passwords(
core_session, account_ids)
assert success, "Did not bulk rotate passwords"
job_ids = RedrockController.get_all_running_bulk_rotate_password_jobs(
core_session)
for id in job_ids:
ResourceManager.wait_for_job_state_succeeded(core_session, id)
# Verify passwords are no longer right
BulkOperations.validate_users_with_login(remote_ip, passwords_fetched,
[False] * len(passwords_fetched),
"E2E")
def test_sys_admin_grant_to_adGroup(core_session, setup_adgroup):
adGroup = setup_adgroup
if adGroup is None:
pytest.skip("Cannot retreive ad group info")
# Add System
sys_name = "test_pe_can_manage_priv_elev" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Unix",
sessiontype="Ssh")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.info(f"Successfully added a System: {added_system_id}")
# Give all permissions to the ad group
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result, success = ResourceManager.assign_system_permissions(
core_session, permission_string, adGroup['DisplayName'],
adGroup['InternalName'], "Group", added_system_id)
assert success, f"Unable to assign system permissions to adgroup: {result}"
def test_windows_client_system_connection(core_session, agent_enrolled_windows_system_with_users, proxy_start_stop):
"""
This test verifies connection to a windows system using Client, Connectors
Steps for this scenario:
* Enroll a windows system.
* stop the agent, start the connector and verify connection to the system (only connector is available)
- Verify success
* stop the connector verify connection to the system
- Verify failure
* Start the agent and verify connection to the system (only Agent is available)
- Verify success
* Start the connector and verify connection to the system (Both agent and connector are available)
- Verify success
"""
"""
Testrail Link:
https://testrail.centrify.com/index.php?/cases/view/1293468
https://testrail.centrify.com/index.php?/cases/view/1293468
https://testrail.centrify.com/index.php?/cases/view/1293469
"""
# verfiy the test is run with single thread.
assert 'PYTEST_XDIST_WORKER_COUNT' not in os.environ, f'This test cannot be run with multiple threads due to starting and stopping connectors'
enrolledsystems = agent_enrolled_windows_system_with_users
winrm_session_as_admin = enrolledsystems[0]["Session"]
resourceid = enrolledsystems[0]["ResourceId"]
proxyid = enrolledsystems[0]["ProxyId"]
proxycontrol = proxy_start_stop
logger.info("stop the agent")
winrm_helper.stop_agent(winrm_session_as_admin)
logger.info("start the connector")
proxycontrol(proxyid, True)
logger.info("Testing connection to the computer, Connector is ready")
result, success = ResourceManager.get_system_health(core_session, resourceid)
assert success and result == 'OK', f"Unable to verify system is reachable {result} {success}"
# stop Conector, healthe check Should fail
logger.info("Stopping the connector")
proxycontrol(proxyid, False)
logger.info("Testing connection to the system")
result, success = ResourceManager.get_system_health(core_session, resourceid)
assert success and result != 'OK', f"cerify system is reachable {result} {success}"
# Start agent
logger.info("Starting the agent")
winrm_helper.start_agent(winrm_session_as_admin)
logger.info("Testing connection to the computer, agent is available.")
result, success = ResourceManager.get_system_health(core_session, resourceid)
assert success and result == 'OK', f"Unable to verify system is reachable {result} {success}"
# verify account again, both connector and agent are running
proxycontrol(proxyid, True)
logger.info("Testing connection to the computer, both agent and connector are available")
result, success = ResourceManager.get_system_health(core_session, resourceid)
assert success and result == 'OK', f"Unable to verify system is reachable {result} {success}"
def test_bulk_system_delete_no_secret_manually(clean_bulk_delete_systems_and_accounts, core_session, core_ui, list_of_created_systems, secret_cleaner):
server_prefix, names_of_servers, server_ids = _make_two_servers_get_names(core_session, list_of_created_systems)
ui = core_ui
ui.navigate('Resources', 'Systems')
ui.search(server_prefix)
for name in names_of_servers:
assert ui.check_exists(GridCell(name)), "Server not found in grid " + name
ui.action('Delete Systems', names_of_servers)
core_ui.switch_context(Modal('Bulk System Delete'))
core_ui.uncheck("SaveSecret")
core_ui.button('Delete')
core_ui.switch_context(ConfirmModal())
core_ui.button('Yes')
core_ui.switch_context(NoTitleModal())
core_ui.button('Close')
ResourceManager.wait_for_systems_to_delete_or_timeout(core_session, server_ids)
assert len(ResourceManager.get_multi_added_account_ids(core_session, server_ids)) == 0, "All added accounts not removed"
assert len(ResourceManager.get_multi_added_system_ids(core_session, server_ids)) == 0, "All added systems not removed"
def test_delete_cloud_provider_fails_without_permission(
core_session, fake_cloud_provider_root_account, fake_cloud_provider,
cds_session):
account_id, username, password, cloud_provider_id, test_did_cleaning = fake_cloud_provider_root_account
name, desc, cloud_provider_id, cloud_account_id, test_did_cleaning = fake_cloud_provider
account_name = f"acctname{guid()}"
account_id, success = ResourceManager.add_account_cloud_provider(
core_session, account_name, "", cloud_provider_id)
assert success, f"Account addition failed with API response result {account_id}"
pas_user_session, limited_user = cds_session
result, success = CloudProviderManager.delete_cloud_providers(
pas_user_session, [cloud_provider_id], save_passwords=False)
assert not success, f"Delete should not have succeeded {result}"
result, success = CloudProviderManager.delete_cloud_providers(
pas_user_session, cloud_provider_id)
assert not success, f"Delete should not have succeeded {result}"
result, success = ResourceManager.del_account(pas_user_session, account_id)
assert not success, f"Deleting IAM account failed with API response result: {result}"
result, success = ResourceManager.del_account(pas_user_session, account_id)
assert not success, f"Deleting IAM account failed with API response result: {result}"
def test_bulk_account_deletes_with_ui_no_secret(
clean_bulk_delete_systems_and_accounts, core_session, core_admin_ui,
list_of_created_systems):
server_prefix, account_prefix, all_systems, all_accounts, all_account_names = _make_four_accounts_get_names(
core_session, list_of_created_systems, ssh=True)
ui = core_admin_ui
ui.navigate('Resources', 'Accounts')
ui.search(server_prefix)
for name in all_account_names:
assert ui.check_exists(
GridCell(name)), f"Account name {name} not found in grid"
ui.action('Delete accounts', all_account_names)
ui.switch_context(Modal('Bulk Account Delete'))
ui.uncheck("SaveSecret")
ui.button('Delete')
ui.switch_context(ConfirmModal())
ui.button('Yes')
ui.switch_context(InfoModal())
ui.button('Close')
ResourceManager.wait_for_accounts_to_delete_or_timeout(
core_session, all_systems, all_accounts)
assert len(
ResourceManager.get_multi_added_account_ids(
core_session, all_systems)) == 0, "All added accounts not removed"
assert len(
ResourceManager.get_multi_added_system_ids(
core_session,
all_systems)) == 2, "Wrong number of added systems remain"
def test_bulk_system_deletes_manually_from_set(clean_bulk_delete_systems_and_accounts, core_session, core_ui, list_of_created_systems):
server_prefix, names_of_servers, server_ids = _make_two_servers_get_names(core_session, list_of_created_systems)
ui = core_ui
ui.navigate('Resources', 'Systems')
ui.search(server_prefix)
not_favorite_stars = ui.browser.get_list_of_elements_by_css_selector("img.server-is-not-favorite")
assert len(not_favorite_stars) == 2, "Expected two favorite stars to be found, but other number returned"
for star in not_favorite_stars:
star.click() # favorite server
core_ui.set_action("Favorites", "Delete Systems")
core_ui.switch_context(Modal('Bulk System Delete'))
core_ui.button('Delete')
core_ui.switch_context(NoTitleModal())
core_ui.button('Close')
ResourceManager.wait_for_systems_to_delete_or_timeout(core_session, server_ids)
assert len(ResourceManager.get_multi_added_account_ids(core_session, server_ids)) == 0, "All added accounts not removed"
assert len(ResourceManager.get_multi_added_system_ids(core_session, server_ids)) == 0, "All added systems not removed"
def _make_four_accounts_get_names(session, mutable_list, ssh=False):
server_prefix = "bsd_tst_sys" + "-" + str(
ResourceManager.time_mark_in_hours()) + "-" + guid()
account_prefix = "ta_"
if ssh:
batch = ResourceManager.add_multiple_systems_with_accounts(
session,
1,
3,
mutable_list,
system_prefix=f'{server_prefix}_password',
user_prefix=f'{account_prefix}_password')
batch2 = ResourceManager.add_multiple_ssh_systems_with_accounts(
session,
1,
1,
mutable_list,
system_prefix=f'{server_prefix}_ssh',
user_prefix=f'{account_prefix}_ssh')
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch, batch2])
else:
batch = ResourceManager.add_multiple_systems_with_accounts(
session,
1,
4,
mutable_list,
system_prefix=server_prefix,
user_prefix=account_prefix)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch])
all_account_names = ResourceManager.get_multi_added_account_names(
session, all_systems)
return server_prefix, account_prefix, all_systems, all_accounts, all_account_names
def test_update_managed_account(pas_setup, core_session, pas_config):
"""
:param pas_config:
:param pas_setup: Fixture for adding a system and an account associated with it.
:param core_admin_ui: Authenticated Centrify Session.
:param core_session: Authenticated Centrify Session.
TC: C2547 - Update managed account
trying to Update managed account password
Steps:
Pre: Create system with 1 manage account hand
1. Try to update invalid password
-Assert Failure
2. Try to update valid password
-Assert Failure
3. Try to check password history
"""
user_name = core_session.get_user().get_login_name()
System_configurations_from_yaml = pas_config
system_data = System_configurations_from_yaml[
'Windows_infrastructure_data']
added_system_id, account_id, sys_info = pas_setup
Result, success = ResourceManager.update_password(core_session, account_id,
guid())
assert success, "Did not update password"
Result, success = ResourceManager.update_password(core_session, account_id,
system_data['password'])
assert success, "Did not update password"
result, success = ResourceManager.check_out_password(
core_session, 1, account_id)
assert success, "Did not retrieve password"
query = f"select EntityId, State, StateUpdatedBy, StateUpdatedTime from PasswordHistory where EntityId=" \
f"'{account_id}' and StateUpdatedBy='{user_name}' and State='Retired'"
password_history = RedrockController.get_result_rows(
RedrockController.redrock_query(core_session, query))[0]
assert len(password_history) > 0, "Password history table did not update"
def test_accounts_removed_my_sys_account_view_permission(core_session, users_and_roles, pas_windows_setup):
"""
TC:C2061 Account will removed from "My System Account" after delete "View" permission for user.
:param:core_session: Returns a API session.
:param:users_and_roles:Fixture to manage roles and user.
:param pas_windows_setup:Returns a fixture.
"""
# Creating a system and account.
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup()
# Cloud user session with "Privileged Access Service User".
cloud_user_session = users_and_roles.get_session_for_user('Privileged Access Service User')
user_name = cloud_user_session.auth_details['User']
user_id = cloud_user_session.auth_details['UserId']
# Assigning "View" permission for system to limited user.
assign_system_perm_res, assign_system_perm_success = ResourceManager.assign_system_permissions(core_session,
"View",
user_name,
user_id,
'User',
system_id)
assert assign_system_perm_success, f'Failed to assign "View" permissions: ' \
f'API response result {assign_system_perm_res}.'
logger.info(f"Successfully assign system permission to user'{assign_system_perm_res}'")
# Assigning "Workspace Login" permission for account to limited user.
rights = "View,Login,UserPortalLogin"
assign_account_perm_res, assign_account_perm_success = \
ResourceManager.assign_account_permissions(core_session, rights, user_name, user_id, 'User', account_id)
assert assign_account_perm_success, f'Failed to assign "Workspace Login" permission:' \
f'API response result:{assign_account_perm_res}'
logger.info(f'Successfully "Workspace Login" of account permission to user"{assign_account_perm_res}"')
# Getting the details from "My System Accounts" in workspace and validating account in "My System Accounts" list.
workspace_account_list = []
workspace_result_detail, workspace_success = ResourceManager.\
get_my_system_accounts_from_workspace(cloud_user_session)
for workspace_result in workspace_result_detail:
if workspace_result['Name'] == sys_info[0]:
workspace_account_list.append(workspace_result['User'])
assert sys_info[4] in workspace_account_list, f'Failed to get the account {sys_info[4]} on workspace.'
logger.info(f"Could display on Account {sys_info[4]} on workspace")
# Deleting the "Workspace Login permission for account to limited user.
assign_account_perm_res, assign_account_perm_success = \
ResourceManager.assign_account_permissions(core_session, "View", user_name, user_id, 'User', account_id)
assert assign_account_perm_success, f"Failed to delete the workspace account permission:" \
f" API response result: {assign_account_perm_res}"
logger.info(f"Successfully assign account new permission to user'{assign_account_perm_res}'")
# Getting the details from "My System Accounts" in workspace and validating account not in "My System Accounts"
# list.
workspace_result, workspace_success = ResourceManager.get_my_system_accounts_from_workspace(cloud_user_session)
assert sys_info[4] not in workspace_result, f'Could find the account {sys_info[4]} on workspace.'
logger.info(f"Could not display on Account {sys_info[4]} on workspace")
def test_missing_permissions_on_systems(core_session, users_and_roles,
explicit_missing_delete_permission, test_four_virtual_aapm_agents):
# System 0-1 has delete permissions
# System 2-3 has no delete permissions
agents, _ = test_four_virtual_aapm_agents
agent_ids, server_ids = _setup_agents(core_session, agents)
requester_session = users_and_roles.get_session_for_user("Privileged Access Service Power User")
results_role = users_and_roles.get_role("Privileged Access Service Power User")
for system_id in server_ids:
if system_id in server_ids[:2]:
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
else:
if not explicit_missing_delete_permission:
continue
permission_string = 'Grant,View,Edit,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
logger.info(system_id)
logger.info(permission_string)
result, success = ResourceManager.assign_system_permissions(core_session, permission_string,
results_role['Name'], results_role['ID'], "Role",
system_id)
assert success, "Did not set system permissions " + result
_, success = ResourceManager.unenroll_multiple_systems(requester_session, server_ids)
assert success, f"Unenroll multiple systems failed: {server_ids}"
_validate_aapm_agent_details(core_session, agent_ids[:2], False)
_validate_aapm_agent_details(core_session, agent_ids[2:], True)
def test_modify_existing_password_complex_profiles(core_session, create_basic_pass_profile):
"""
Test case: C1631
:param core_session: Centrify session
:param create_basic_pass_profile: Created a basic password complexity profile.
"""
profile = create_basic_pass_profile(core_session, 1, 8)[0]
cps_prof_id = profile[0]['_RowKey']
profile_name_cps = profile[0]['Name']
# Getting the password profile by id
cps_prof_result, cps_prof_succcess = ResourceManager.get_password_profile_by_id(core_session, cps_prof_id)
assert cps_prof_succcess, f"Getting Password Profile Failed for Profile {cps_prof_id} for core user"
logger.info(f"Password profile created successfully with {cps_prof_result}")
# updates the exiting password profile.
update_cps_prof_success = ResourceManager.update_password_profile(core_session, cps_prof_id, profile_name_cps,
min_pwd_len=13, max_pwd_len=26,
special_char_set="!#$%&()*",
min_alphabetic_char=5, max_alphabetic_char=5)
assert update_cps_prof_success, f"Getting Password Profile Failed for Profile {cps_prof_id} for core user"
# Getting the password profile by id
cps_prof_result, cps_prof_succcess = ResourceManager.get_password_profile_by_id(core_session, cps_prof_id)
assert cps_prof_succcess, f"Getting Password Profile Failed for Profile {cps_prof_id} for core user"
expected_profile_update_values = [13, 26, '!#$%&()*', 5, 5]
actual_profile_update_values = [cps_prof_result['MinimumPasswordLength'], cps_prof_result['MaximumPasswordLength'],
cps_prof_result['SpecialCharSet'],
cps_prof_result['MinimumAlphabeticCharacterCount'],
cps_prof_result['MinimumNonAlphabeticCharacterCount']]
# Checking the password complexity profile field's value.
assert expected_profile_update_values == actual_profile_update_values, f"Getting Password profile update values " \
f"for Profile {cps_prof_id} for core user " \
f"did not match values " \
f"{actual_profile_update_values}"
logger.info(f"Password profile updated successfully with {cps_prof_result}")
def test_app_management_user_can_create_job_but_not_delete_servers(clean_bulk_delete_systems_and_accounts, core_session,
core_tenant, clean_users, users_and_roles,
list_of_created_systems):
batch = ResourceManager.add_multiple_systems_with_accounts(core_session, 3, 2, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch])
requestor_session = users_and_roles.get_session_for_user('Application Management')
user_info = requestor_session.get_current_session_user_info().json()['Result']
all_systems = batch.keys()
job_id, result = ResourceManager.del_multiple_systems(requestor_session, all_systems)
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
assert len(
ResourceManager.get_multi_added_system_ids(core_session, all_systems)) == 3, "Wrong number of remaining systems"
assert len(ResourceManager.get_multi_added_account_ids(core_session,
all_systems)) == 6, "Wrong number of remaining accounts"
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.BulkSystemDelete.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.BulkSystemDelete.Failure.Multi'
start_message = f'{username} initiated delete of {len(all_systems)} systems'
end_message = f'{username} failed to delete {len(all_systems)} of {len(all_systems)} systems'
RedrockController.expect_event_message_by_type(core_session, start_type, start_message)
RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_delete_password_profile(core_session):
"""
TC: C281495 - Delete Password Complex Profile
:param core_session: Authenticates API session
"""
profile_name_cps = f'Profile {guid()}'
profile_create_result, profile_create_success = ResourceManager.add_password_profile(
core_session, profile_name_cps, min_pwd_len=12, max_pwd_len=24)
assert profile_create_success, f"Profile: {profile_name_cps} failed to create due to {profile_create_result}"
logger.info(
f"Profile {profile_name_cps} successfully created and result is {profile_create_result}"
)
all_profiles_result, all_profiles_success = ResourceManager.get_profiles(
core_session, type='All', rr_format=True)
assert all_profiles_success, f"Failed to get profiles list {all_profiles_result}"
logger.info(
f"Successfully get the list of all the profiles {all_profiles_result}")
cloned_builtin_profile_id = []
for profile_list in all_profiles_result['Results']:
if profile_list['Row']['Name'] == profile_name_cps:
cloned_builtin_profile_id.append(profile_list['Row']['ID'])
profile_delete_success = ResourceManager.delete_password_profile(
core_session, cloned_builtin_profile_id[0])
assert profile_delete_success, f"Failed to delete profile {profile_name_cps}"
logger.info(f"Successfully deleted password profile {profile_name_cps}")
def test_select_more_than_one_domain(core_session, domain_setup, cleanup_resources, clean_up_collections):
"""
TC:C2215 Select more than one domains.
:param core_session: Returns API session.
:param domain_setup: Fixture for domain creation.
:param cleanup_resources: cleaner for domain.
"""
# Creating a parent domain.
parent_domain_id, domain_info = domain_setup
set_list = clean_up_collections
# Create a child domain.
child_domain_name = f"{'child'}{guid()}"
domain_cleanup_list = cleanup_resources[1]
new_child_domain_id, add_child_domain_success = ResourceManager.add_child_domain(core_session, child_domain_name,
description='test_child_domain',
parent_id=parent_domain_id)
assert add_child_domain_success, f'Failed to create child domain:API response result:{new_child_domain_id}'
logger.info(f"Successfully created child domain:API response result: {new_child_domain_id}")
domain_cleanup_list.append(new_child_domain_id)
Result, success = ResourceManager.get_administrative_account(core_session, "administrator")
logger.info(f" Successfully get Domain for adding Administrative account.")
assert success, f'Failed to get Domain account {Result}'
# set name created with guid and add it in the domain set
set_name = f'set_name{guid()}'
add_success, add_result = SetsManager.create_manual_collection(core_session, set_name, "VaultDomain",
object_ids=[parent_domain_id])
assert add_success, f'Failed to create set and addition of member to set as: {add_result}'
logger.info(f'Successfully created set with member:{add_result}')
# cleanup the set and account
set_list.append(add_result)
def test_delete_live_aws_access_keys_stores_secret_when_deleting_account(core_session, cloud_provider_ec2_account_config, live_aws_cloud_provider, secret_cleaner, user):
cloud_provider_id, test_deleted_provider, _populate_iam_user_with_access_keys = live_aws_cloud_provider
account_id = _populate_iam_user_with_access_keys(user)
secret_name = f"aws_cloud_provider_api_{guid()}"
result, success = ResourceManager.del_multiple_accounts(core_session, [account_id], save_passwords=True, secret_name=secret_name, run_sync=True)
assert success, "Api did not complete successfully for bulk account delete MSG: " + result
secret_file_contents = ResourceManager.fetch_and_delete_secret(core_session, secret_name, secret_cleaner)
iam_user = cloud_provider_ec2_account_config[user]
access_key_1 = iam_user['access_key_1']
access_key_2 = iam_user['access_key_2']
cloud_account_id = cloud_provider_ec2_account_config['id']
assert cloud_account_id in secret_file_contents, f"Cloud Account ID absent from secret file {secret_file_contents}"
assert account_id in secret_file_contents, f"Account ID absent from secret file {secret_file_contents}"
assert access_key_1['id'] in secret_file_contents, f"Access key absent from secret file {secret_file_contents}"
assert access_key_1['secret'] in secret_file_contents, f"Access key secret absent from secret file {secret_file_contents}"
assert access_key_2['id'] in secret_file_contents, f"Access key 2 absent from secret file {secret_file_contents}"
assert access_key_1['secret'] in secret_file_contents, f"Access key 2 secret absent from secret file {secret_file_contents}"
def test_add_un_manage_account_activity(core_session, pas_setup):
"""
:param core_session: Authenticated Centrify Session.
:param pas_setup: Fixture for adding a system and an account associated with it.
TC: C2534 - Add Windows system with un managed account
trying to validate the add un manage Account Activity log's
Steps:
1. Try to add a system with un managed account
-Assert Failure
2. Try to check in the activity of system
-Assert Failure
"""
user_name = core_session.get_user().get_login_name()
sys_id, acc_id, sys_info = pas_setup
logger.info(f"System: {sys_info[0]} successfully added with UUID: {sys_id} and account: {sys_info[4]} "
f"with UUID: {acc_id} associated with it.")
checkflag = True
counter = 0
row = None
while checkflag is True:
if counter != 5:
row = ResourceManager.get_system_activity(core_session, sys_id)
if row is not None:
break
checkflag = False
counter += 1
reports = []
for system_activity in row:
if system_activity['Detail'].__contains__("added local"):
reports.append(system_activity["Detail"])
created_date_json = str(row[0]['When'])
ResourceManager.get_date(created_date_json)
assert f'{user_name} added local account "{sys_info[4]}" for "{sys_info[0]}"({sys_info[1]}) ' \
f'with credential type Password ' in reports[0], "Account Not Added"
logger.info(f"account activity list:{row}")
def test_system_with_managed_account(core_session, setup_pas_system_for_unix):
"""
Test case : C279339
:param core_session: Centrify session manager
:param setup_pas_system_for_unix: fixture that provide created unix system data
"""
system_id, account_id, system_info = setup_pas_system_for_unix
system_rows = RedrockController.get_computer_with_ID(
core_session, system_id)
assert system_rows['Name'] == system_info[
0], f"failed to find system {system_info[0]} in portal as returned system result is {system_rows}"
logger.info(f"system found {system_rows}")
account, status = ResourceManager.get_accounts_from_resource(
core_session, system_id)
assert status, f"failed to find accounts in system {system_info[0]} as returned account result is {account}"
logger.info(f"Account found {account}")
# Fetching account information to validate desired account is unmanaged
result, status = ResourceManager.get_account_information(
core_session, account_id)
assert status, f"failed to retrieve account information, returned result is {result}"
is_managed = result['VaultAccount']['Row']['IsManaged']
assert is_managed is False, f"Added account is not managed account"
def test_need_naked_permission_to_retrieve_aws_access_key_secret(core_session, cloud_provider_ec2_account_config, live_aws_cloud_provider, user, cds_session):
cloud_provider_id, test_deleted_provider, _populate_iam_user_with_access_keys = live_aws_cloud_provider
requester_session, limited_user = cds_session
iam_user = cloud_provider_ec2_account_config[user]
access_key_1 = iam_user['access_key_1']
account_id, success = ResourceManager.add_account_cloud_provider(core_session, iam_user['username'], "", cloud_provider_id)
assert success, f"Account addition failed with API response result {account_id}"
result, success = CloudProviderManager.import_aws_access_key(requester_session, access_key_1['id'], access_key_1['secret'])
assert not success, f"Succeeded to add access key1 when failure was expected {result}"
result, success = ResourceManager.assign_account_permissions(core_session, "Manage", limited_user.get_login_name(), limited_user.get_id(), "User", account_id)
assert success, f"Failed to execute API call to set permissions {result}"
result, success = CloudProviderManager.import_aws_access_key(requester_session, access_key_1['id'], access_key_1['secret'])
assert success, f"Succeeded to add access key1 when failure was expected {result}"
rows = CloudProviderManager.get_aws_access_keys(core_session, account_id)[0]
retrieve_single, success = CloudProviderManager.retrieve_aws_access_key(requester_session, account_id, rows[0]['ID'])
assert not success, f"Success while expecting failure to retrieve AWS access keys {retrieve_single}"
result, success = ResourceManager.assign_account_permissions(core_session, "Naked", limited_user.get_login_name(), limited_user.get_id(), "User", account_id)
assert success, f"Failed to execute API call to set permissions {result}"
retrieve_single, success = CloudProviderManager.retrieve_aws_access_key(requester_session, account_id, rows[0]['ID'])
assert success, f"Failed to retrieve AWS access keys {retrieve_single}"
assert retrieve_single['SecretAccessKey'] == access_key_1['secret'], f"Did not return correct AWS access key secret {retrieve_single}"
assert retrieve_single['AccessKeyId'] == access_key_1['id'], f"Did not return correct AWS access key id {retrieve_single}"
def test_import_system_and_health_check(core_session, pas_windows_setup):
"""
C1554 : Import system and check health
:param core_session: Authenticated Centrify Session.
:param pas_windows_setup:
"""
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup()
system_details = RedrockController.get_computer_with_ID(core_session, system_id)
system_counter = 1
while system_counter < 60:
if system_details['HealthStatus'] == 'OK' and system_details['LastHealthCheck']:
break
system_counter += 1
ResourceManager.get_date(system_details['LastHealthCheck'])
assert system_details['HealthStatus'] == 'OK', "System not reachable because connector is not up."
logger.info(f"System is reachable successfully: {system_details}")
account_counter = 1
account_details = None
while account_counter < 60:
account_details = ResourceManager.get_account_information(core_session, account_id)
if account_details[0]['VaultAccount']['Row']['Healthy'] == 'OK' and \
account_details[0]['VaultAccount']['Row']['LastHealthCheck']:
break
account_counter += 1
ResourceManager.get_date(account_details[0]['VaultAccount']['Row']['LastHealthCheck'])
assert account_details[0]['VaultAccount']['Row']['Healthy'] == 'OK', \
"System not reachable because connector is not up."
logger.info(f"Account is reachable successfully: {account_details}")
def test_delete_profile_global_profile_mapping(core_session,
create_basic_pass_profile):
"""
Test case: C1658
:param core_session: Returns API session
:param create_basic_pass_profile: Created a basic password complexity profile.
"""
# Creating one password complexity profile
profile = create_basic_pass_profile(core_session, 1)[0]
cps_prof_id = profile[0]['_RowKey']
profile_name_cps = profile[0]['Name']
# Updating the 'Unix' Type with new Password Complexity profile
result, success = ResourceManager.update_global_pass_profile_mapping(
core_session, "Unix", cps_prof_id)
assert success, f"failed to update global password profile mapping {result}"
logger.info(f"Password complexity profile {profile_name_cps} not deleted")
# Fetching the global password profile mapping.
result, success = ResourceManager.get_global_pass_profile_mapping(
core_session)
profile_name = []
for row in result:
if row['_RowKey'] == cps_prof_id:
profile_name.append(row['Name'])
assert profile_name_cps == profile_name[
0], f"profile name is not updated with the Type of global profile mapping {result}"
resp = ResourceManager.delete_password_profile(core_session, cps_prof_id)
assert resp is False, f"Password complexity profile {profile_name_cps} deleted"
logger.info(f"Password complexity profile {profile_name_cps} not deleted")
def _verify_get_mfa_token(self, account_id, expect_challenge_on_checkout):
pas_user = self.session.get_user()
result, success = ResourceManager.assign_account_permissions(self.session,
"Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword",
pas_user.get_login_name(), pas_user.get_id(),
pvid=account_id)
assert success, f"Failed to set account permissions {result}"
result, success = ResourceManager.check_out_password(self.session, 6, account_id)
if not expect_challenge_on_checkout:
assert success and result['Password'] == self.root_password, f"Unexpected value for password {result}"
new_coid = result['COID']
result, success = ResourceManager.check_in_password(self.session, coid=new_coid)
assert success, "Did not check in password"
else:
assert 'ChallengeId' in result and len(
result) == 1, f"Did not receive expected challenge {result} {success}"
result, success = CloudProviderManager.get_mfa_token(self.session, account_id)
if self.mfa_code:
assert success, f"Failed to get_mfa_token {result}"
assert len(result['code']) == 6, f"Token returned was wrong length {result}"
else:
assert not success, f"Should fail with MFA not set {result}"
def test_update_unmanaged_account(core_session,
set_domain_administrative_account,
cleanup_accounts):
"""
TC ID: C1333, Update an unmanaged account without password to managed when automatic maintenance policy is set as
:param set_domain_administrative_account: To open a browser and login with the admin account
:param core_session: To create a session
"""
directory_service_Name, directory_service_Admin_ID, directory_service_ID = set_domain_administrative_account
accounts_list = cleanup_accounts[0]
unmanaged_account = f'user{guid()}'
account_id, success_status = ResourceManager.add_account(
core_session,
unmanaged_account,
password='',
domainid=directory_service_ID)
assert success_status, f'failed to add account{account_id}'
logger.info(f'Successfully add the account{account_id}')
result, success = ResourceManager.update_account(
core_session,
account_id,
unmanaged_account,
domainid=directory_service_ID,
ismanaged=True)
assert success is False, f'Successfully update the account:{result}'
logger.info(
f'Cannot add managed account or update account from unmanaged to managed '
f'without password as automatic account maintenance is not enabled:{result}'
)
accounts_list.append(account_id)
def test_bulk_account_delete_performs_quickly(
clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems):
# test constants
large_number_for_stress_testing = 50 # tested once with higher numbers but reduced for quick execution
reasonable_amount_of_time_to_execute = 90
batch1 = ResourceManager.add_multiple_systems_with_accounts(
core_session, 1, large_number_for_stress_testing // 2,
list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(
core_session, 1, large_number_for_stress_testing // 2,
list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch1, batch2])
start_time = time.time()
result, success = ResourceManager.del_multiple_accounts(
core_session, all_accounts)
assert success, "Api did not complete successfully for bulk account delete " + result
end_time = time.time()
elapsed_time = end_time - start_time
assert elapsed_time <= reasonable_amount_of_time_to_execute, \
"Did not complete operation in a reasonable amount of time"
assert len(
ResourceManager.get_multi_added_account_ids(
core_session, all_systems)) == 0, "Expected 0 added accounts found"
assert len(
ResourceManager.get_multi_added_system_ids(
core_session, all_systems)) == 2, "Expected 2 added systems found"
def test_bulk_account_delete_by_sql_query_only_deletes_correct_accounts_fast_track(
clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems):
batch = ResourceManager.add_multiple_systems_with_accounts(
core_session, 2, 12, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch])
delete_ids, keep_ids = DataManipulation.shuffle_and_split_into_two_lists(
all_accounts)
sql_query = 'SELECT * FROM VaultAccount WHERE ' + ' OR '.join(
('VaultAccount.ID = "' + str(n) + '"' for n in list(delete_ids)))
result, success = ResourceManager.del_multiple_accounts_by_query(
core_session, sql_query, run_sync=True)
assert success, "del_multiple_accounts_by_query failed " + result
assert set(ResourceManager.get_multi_added_system_ids(core_session, all_systems).values()) == set(all_systems), \
"Wrong set of added systems found"
assert set(ResourceManager.get_multi_added_account_ids(core_session, all_systems)) == set(keep_ids), \
"Wrong set of added accounts found"
user_info = core_session.get_current_session_user_info().json()['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.BulkAccountDelete.StartQuery.Multi'
end_type = 'Cloud.Core.AsyncOperation.BulkAccountDelete.Success.Multi'
start_message = f'{username} initiated delete of multiple accounts'
end_message = f'{username} successfully deleted {len(delete_ids)} accounts'
RedrockController.expect_event_message_by_type(core_session, start_type,
start_message)
RedrockController.expect_event_message_by_type(core_session, end_type,
end_message)
def test_add_account_without_add_account_permission(core_session,
domain_config_data,
create_domain,
cleanup_accounts):
"""
TC:- C1325 Add account without Add Account permission
Steps for this scenario using API:
1) Add Domain Accounts without Add Account Permission
System configuration received through test_pas_bat_domain.yaml stored in config/tests/PAS/PAS_BAT
"""
user_details = core_session.__dict__
domain_id = create_domain
account_list = cleanup_accounts[0]
assert domain_id, f'failed to create domain with response {domain_id}'
conf = domain_config_data
data = conf['pas_scenario1_new_accounts'][0]
permissions = "Grant,View,Edit,Delete"
result, add_domain_account_success = ResourceManager.set_domain_account_permissions(
core_session,
permissions,
user_details["auth_details"]["User"],
user_details["auth_details"]["UserId"],
pvid=domain_id)
assert add_domain_account_success, f'Failed to set add account permission in the domain {result}'
logger.info(f"add account permission set successfully in the Domain.")
new_account_id, add_account_success = ResourceManager.add_account(
core_session, data['User_name'], data['Password'], domainid=domain_id)
assert add_account_success is False, (
f"Successfully added domain account: {data['User_name']}")
account_list.append(new_account_id)
logger.info(
f"Failed to add Account in the Domain, Add Account permission for this domain is required: {new_account_id}"
)
def test_add_system_account_with_win_rm(core_session, pas_windows_setup):
"""C2536 Add system with managed account with WinRM http setting
validate the added Account with win rm and check out password after 5 minutes"""
# Getting system details.
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(
True)
# Verifying Default management mode should be 'RpcOverTcp'
system_rows = RedrockController.get_computer_with_ID(
core_session, system_id)
assert system_rows[
'ManagementMode'] == 'RpcOverTcp', "Default Management mode is not RpcOverTcp"
logger.info("Default Management mode is RPC Over TCP")
# Checkout Password
checkout_password_result, checkout_password_success = ResourceManager. \
check_out_password(core_session,
lifetime=1,
accountid=account_id)
assert checkout_password_success, f"Failed to checkout password due to {checkout_password_result}"
logger.info("Password checkout successfully")
assert checkout_password_result[
'Password'] != user_password, "Password is same after adding managed account"
logger.info("Password updated after adding managed account")
success, response = ResourceManager.update_system(
core_session,
system_id,
sys_info[0],
sys_info[1],
'Windows',
proxycollectionlist=connector_id,
chooseConnector="on",
managementmode="WinRMOverHttp")
assert success, "Failed to update system"
logger.info(f"Successfully updated system '{sys_info[0]}'")
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
sys_info[6],
password=user_password,
host=system_id,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(f"Successfully added account {sys_info[6]} in the portal")
# Checkout Password after changing management mode to WinRMOverHttp
checkout_password_winrm, checkout_password_success = ResourceManager. \
check_out_password(core_session,
lifetime=1,
accountid=acc_result)
assert checkout_password_success, f"Failed to checkout password due to {checkout_password_winrm}"
logger.info("Password checkout successfully")
assert checkout_password_winrm[
'Password'] != user_password, "Password is same after adding managed account"
logger.info("Password updated after adding managed account")
def test_check_result_after_removing_related_permission(
core_session, get_admin_user_function, pas_setup):
"""
:param core_session: Authenticated Centrify session.
:param get_admin_user_function: core_session, Authenticated Centrify Session.
:param pas_setup: Returning a fixture.
Steps for this scenario using API:
1) Create a normal cloud user by using get_admin_user_function fixture
2) Assign grant permission to the normal cloud user under system
3) Assign grant and edit permission to the normal cloud user under system account
4) Remove grant permission of the account under system by calling assign_system_permissions API
5) Remove grant permission of the system by calling assign_system_permissions API
"""
# Creating a normal user
limited_sesh, limited_user = get_admin_user_function
created_system_id, created_account_id, sys_info = pas_setup
result, success = ResourceManager.assign_system_permissions(
core_session,
"Grant",
limited_user.get_login_name(),
limited_user.get_id(),
pvid=created_system_id)
assert success, f"Failed to assign the system permission:{success}"
logger.info(
f"Successfully set the Grant permission for the system:{result}")
# Assign grant and edit permission to the normal cloud user under system account
result, success = ResourceManager.assign_account_permissions(
core_session,
"Owner,Manage",
limited_user.get_login_name(),
limited_user.get_id(),
pvid=created_account_id)
assert success, f"Failed to set the system account permission:{success}"
logger.info(f"Successfully set the system account permission:{result}")
# Remove grant permission of the account
result, success = ResourceManager.assign_account_permissions(
limited_sesh,
"Manage",
limited_user.get_login_name(),
limited_user.get_id(),
pvid=created_account_id)
assert success, f"Failed to set the account permission: {result}"
logger.info(
f"Successfully remove the grant member aacont Permission: {success}")
# Remove grant permission of the system
result, success = ResourceManager.assign_system_permissions(
limited_sesh,
"View",
limited_user.get_login_name(),
limited_user.get_id(),
pvid=created_system_id)
assert success, f"Failed to remove the Grant member permission of the system: {result}"
logger.info(f"Successfully remove the grant member Permission: {success}")
