def test_accounts_removed_my_sys_account_view_permission(core_session, users_and_roles, pas_windows_setup):
"""
TC:C2061 Account will removed from "My System Account" after delete "View" permission for user.
:param:core_session: Returns a API session.
:param:users_and_roles:Fixture to manage roles and user.
:param pas_windows_setup:Returns a fixture.
"""
# Creating a system and account.
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup()
# Cloud user session with "Privileged Access Service User".
cloud_user_session = users_and_roles.get_session_for_user('Privileged Access Service User')
user_name = cloud_user_session.auth_details['User']
user_id = cloud_user_session.auth_details['UserId']
# Assigning "View" permission for system to limited user.
assign_system_perm_res, assign_system_perm_success = ResourceManager.assign_system_permissions(core_session,
"View",
user_name,
user_id,
'User',
system_id)
assert assign_system_perm_success, f'Failed to assign "View" permissions: ' \
f'API response result {assign_system_perm_res}.'
logger.info(f"Successfully assign system permission to user'{assign_system_perm_res}'")
# Assigning "Workspace Login" permission for account to limited user.
rights = "View,Login,UserPortalLogin"
assign_account_perm_res, assign_account_perm_success = \
ResourceManager.assign_account_permissions(core_session, rights, user_name, user_id, 'User', account_id)
assert assign_account_perm_success, f'Failed to assign "Workspace Login" permission:' \
f'API response result:{assign_account_perm_res}'
logger.info(f'Successfully "Workspace Login" of account permission to user"{assign_account_perm_res}"')
# Getting the details from "My System Accounts" in workspace and validating account in "My System Accounts" list.
workspace_account_list = []
workspace_result_detail, workspace_success = ResourceManager.\
get_my_system_accounts_from_workspace(cloud_user_session)
for workspace_result in workspace_result_detail:
if workspace_result['Name'] == sys_info[0]:
workspace_account_list.append(workspace_result['User'])
assert sys_info[4] in workspace_account_list, f'Failed to get the account {sys_info[4]} on workspace.'
logger.info(f"Could display on Account {sys_info[4]} on workspace")
# Deleting the "Workspace Login permission for account to limited user.
assign_account_perm_res, assign_account_perm_success = \
ResourceManager.assign_account_permissions(core_session, "View", user_name, user_id, 'User', account_id)
assert assign_account_perm_success, f"Failed to delete the workspace account permission:" \
f" API response result: {assign_account_perm_res}"
logger.info(f"Successfully assign account new permission to user'{assign_account_perm_res}'")
# Getting the details from "My System Accounts" in workspace and validating account not in "My System Accounts"
# list.
workspace_result, workspace_success = ResourceManager.get_my_system_accounts_from_workspace(cloud_user_session)
assert sys_info[4] not in workspace_result, f'Could find the account {sys_info[4]} on workspace.'
logger.info(f"Could not display on Account {sys_info[4]} on workspace")
def test_need_naked_permission_to_retrieve_aws_access_key_secret(core_session, cloud_provider_ec2_account_config, live_aws_cloud_provider, user, cds_session):
cloud_provider_id, test_deleted_provider, _populate_iam_user_with_access_keys = live_aws_cloud_provider
requester_session, limited_user = cds_session
iam_user = cloud_provider_ec2_account_config[user]
access_key_1 = iam_user['access_key_1']
account_id, success = ResourceManager.add_account_cloud_provider(core_session, iam_user['username'], "", cloud_provider_id)
assert success, f"Account addition failed with API response result {account_id}"
result, success = CloudProviderManager.import_aws_access_key(requester_session, access_key_1['id'], access_key_1['secret'])
assert not success, f"Succeeded to add access key1 when failure was expected {result}"
result, success = ResourceManager.assign_account_permissions(core_session, "Manage", limited_user.get_login_name(), limited_user.get_id(), "User", account_id)
assert success, f"Failed to execute API call to set permissions {result}"
result, success = CloudProviderManager.import_aws_access_key(requester_session, access_key_1['id'], access_key_1['secret'])
assert success, f"Succeeded to add access key1 when failure was expected {result}"
rows = CloudProviderManager.get_aws_access_keys(core_session, account_id)[0]
retrieve_single, success = CloudProviderManager.retrieve_aws_access_key(requester_session, account_id, rows[0]['ID'])
assert not success, f"Success while expecting failure to retrieve AWS access keys {retrieve_single}"
result, success = ResourceManager.assign_account_permissions(core_session, "Naked", limited_user.get_login_name(), limited_user.get_id(), "User", account_id)
assert success, f"Failed to execute API call to set permissions {result}"
retrieve_single, success = CloudProviderManager.retrieve_aws_access_key(requester_session, account_id, rows[0]['ID'])
assert success, f"Failed to retrieve AWS access keys {retrieve_single}"
assert retrieve_single['SecretAccessKey'] == access_key_1['secret'], f"Did not return correct AWS access key secret {retrieve_single}"
assert retrieve_single['AccessKeyId'] == access_key_1['id'], f"Did not return correct AWS access key id {retrieve_single}"
def test_check_result_after_removing_related_permission(
core_session, get_admin_user_function, pas_setup):
"""
:param core_session: Authenticated Centrify session.
:param get_admin_user_function: core_session, Authenticated Centrify Session.
:param pas_setup: Returning a fixture.
Steps for this scenario using API:
1) Create a normal cloud user by using get_admin_user_function fixture
2) Assign grant permission to the normal cloud user under system
3) Assign grant and edit permission to the normal cloud user under system account
4) Remove grant permission of the account under system by calling assign_system_permissions API
5) Remove grant permission of the system by calling assign_system_permissions API
"""
# Creating a normal user
limited_sesh, limited_user = get_admin_user_function
created_system_id, created_account_id, sys_info = pas_setup
result, success = ResourceManager.assign_system_permissions(
core_session,
"Grant",
limited_user.get_login_name(),
limited_user.get_id(),
pvid=created_system_id)
assert success, f"Failed to assign the system permission:{success}"
logger.info(
f"Successfully set the Grant permission for the system:{result}")
# Assign grant and edit permission to the normal cloud user under system account
result, success = ResourceManager.assign_account_permissions(
core_session,
"Owner,Manage",
limited_user.get_login_name(),
limited_user.get_id(),
pvid=created_account_id)
assert success, f"Failed to set the system account permission:{success}"
logger.info(f"Successfully set the system account permission:{result}")
# Remove grant permission of the account
result, success = ResourceManager.assign_account_permissions(
limited_sesh,
"Manage",
limited_user.get_login_name(),
limited_user.get_id(),
pvid=created_account_id)
assert success, f"Failed to set the account permission: {result}"
logger.info(
f"Successfully remove the grant member aacont Permission: {success}")
# Remove grant permission of the system
result, success = ResourceManager.assign_system_permissions(
limited_sesh,
"View",
limited_user.get_login_name(),
limited_user.get_id(),
pvid=created_system_id)
assert success, f"Failed to remove the Grant member permission of the system: {result}"
logger.info(f"Successfully remove the grant member Permission: {success}")
def _verify_get_mfa_token(self, account_id, expect_challenge_on_checkout):
pas_user = self.session.get_user()
result, success = ResourceManager.assign_account_permissions(self.session,
"Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword",
pas_user.get_login_name(), pas_user.get_id(),
pvid=account_id)
assert success, f"Failed to set account permissions {result}"
result, success = ResourceManager.check_out_password(self.session, 6, account_id)
if not expect_challenge_on_checkout:
assert success and result['Password'] == self.root_password, f"Unexpected value for password {result}"
new_coid = result['COID']
result, success = ResourceManager.check_in_password(self.session, coid=new_coid)
assert success, "Did not check in password"
else:
assert 'ChallengeId' in result and len(
result) == 1, f"Did not receive expected challenge {result} {success}"
result, success = CloudProviderManager.get_mfa_token(self.session, account_id)
if self.mfa_code:
assert success, f"Failed to get_mfa_token {result}"
assert len(result['code']) == 6, f"Token returned was wrong length {result}"
else:
assert not success, f"Should fail with MFA not set {result}"
def test_set_and_retrieve_mfa(core_session, fake_cloud_provider_root_account,
cds_session):
account_id, username, password, cloud_provider_id, test_did_cleaning = fake_cloud_provider_root_account
requester_session, limited_user = cds_session
result, success = CloudProviderManager.set_mfa_token(
requester_session, account_id,
"kjshakjsakjasgfkjasgkjagfkjsakjgfakjsf")
assert not success, f"Success when expecting fail to set mfa token {result}"
result, success = ResourceManager.assign_account_permissions(
core_session, "View,Manage", limited_user.get_login_name(),
limited_user.get_id(), "User", account_id)
assert success, f"Failed to execute API call to set permissions {result}"
result, success = CloudProviderManager.set_mfa_token(
requester_session, account_id,
"kjshakjsakjasgfkjasgkjagfkjsakjgfakjsf")
assert success, f"Failed to set mfa token {result}"
result, success = CloudProviderManager.get_mfa_token(
requester_session, account_id)
assert not success, f"Success while expecting failure get_mfa_token {result}"
result, success = ResourceManager.assign_account_permissions(
core_session, 'View', limited_user.get_login_name(),
limited_user.get_id(), "User", account_id)
assert success, f"Failed to execute API call to set permissions {result}"
result, success = CloudProviderManager.get_mfa_token_settings(
requester_session, account_id)
assert success, f"failure get_mfa_token_settings {result}"
result, success = CloudProviderManager.get_mfa_token(
requester_session, account_id)
assert not success, f"success expecting failure get_mfa_token {result}"
result, success = ResourceManager.assign_account_permissions(
core_session, 'View,Naked', limited_user.get_login_name(),
limited_user.get_id(), "User", account_id)
assert success, f"Failed to execute API call to set permissions {result}"
result, success = CloudProviderManager.get_mfa_token(
requester_session, account_id)
assert success, f"success expecting failure get_mfa_token {result}"
def test_check_action_menu(core_session, pas_windows_setup, users_and_roles):
"""
TC:C2172 Check Actions menu.
:param core_session: Returns a API session.
:param pas_windows_setup: Returns a fixture.
:param users_and_roles: Returns Authenticated Centrify UI session with limited rights.
"""
# Creating a system and account.
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(
)
# Getting the limited user session with limited rights " Privilege Service Power User right."
ui = users_and_roles.get_ui_as_user("Privileged Access Service Power User")
limited_user = ui.get_user()
# Assigning "Login" permission for system to limited user.
assign_system_perm_res, assign_system_perm_success = \
ResourceManager.assign_account_permissions(core_session, "Login",
limited_user.get_login_name(),
limited_user.get_id(),
'User',
account_id)
assert assign_system_perm_success, f"Failed to assign 'Edit' permissions to " \
f"user for the system: API response result: {assign_system_perm_res}."
logger.info(
f"Successfully assign 'Edit' permissions to user for the system:{assign_system_perm_res}."
)
# UI Launch.
ui.navigate('Resources', 'Systems')
ui.search(sys_info[0])
ui.click_row(GridRowByGuid(system_id))
ui.check_row_by_guid(account_id)
ui.switch_context(RenderedTab("Accounts"))
expected_actions = ['Login', 'Add To Set', 'Verify Credential']
ui.check_actions(expected_actions, sys_info[4])
logger.info('Successfully found "Actions" menu in Accounts page.')
ui.expect(GridRowCheckbox(sys_info[4], True),
"Not checking the row").try_click()
logger.info('Successfully uncheck the account row.')
ui.right_click(GridRowByGuid(account_id))
Flag = False
counter = 0
while Flag:
list_action_elements = ui.get_list_of_right_click_element_values(
'Login')
if 'Verify Credential' in list_action_elements:
Flag = True
break
counter += 1
if counter == 10:
break
assert expected_actions == list_action_elements, f"Expected actions elements are not found in the list"
logger.info(
'Successfully found the elements same as in "Actions" menu in Accounts page.'
)
def test_system_level_password_checkout_yes(core_session, pas_windows_setup,
users_and_roles,
update_tenant_multiple_checkouts):
"""
C1547 : System level password checkout set to 'yes'
:param core_session: Authenticated Centrify Session
:param pas_windows_setup: Added and return Windows system and Account associated to it.
:param users_and_roles: Gets user and role on demand.
"""
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(
)
user_session = users_and_roles.get_session_for_user(
"Privileged Access Service Administrator")
pas_admin = user_session.__dict__['auth_details']
# Setting 'Allow multiple password checkouts for this system' policy to Yes on Advanced tab
result, success = ResourceManager.update_system(
core_session,
system_id,
sys_info[0],
sys_info[1],
sys_info[2],
allowmultiplecheckouts=True)
assert success, f"'Allow multiple password checkouts' policy not set to 'yes' for System : {system_id}. " \
f"API response result: {result}. "
logger.info(
f"'Allow multiple password checkouts' policy set to 'yes' for system : {system_id}"
)
# Setting 'Allow multiple password checkouts' policy to Uncheck on Global Security Setting page
result, success = update_tenant_multiple_checkouts(core_session, False)
assert success, f"Not able to disable 'Allow multiple password checkouts' policy on " \
f"Global Security Setting page. API response result: {result}. "
logger.info(
f"'Allow multiple password checkouts' policy Unchecked on Global Security Setting page"
)
# Assigning 'Checkout' permission to user for account.
account_result, account_success = ResourceManager.assign_account_permissions(
core_session, 'Naked', pas_admin['User'], pas_admin['UserId'], 'User',
account_id)
assert account_success, f"Assign Checkout permission to account : {account_id} failed. " \
f"API response result: {account_result}. "
logger.info(
f"'Checkout' permission given to user: {pas_admin['User']} for Account:{account_id}."
)
# Checkout account while logged in as Cloud Admin
admin_checkout_result, admin_checkout_success = ResourceManager.check_out_password(
core_session, 1, account_id)
assert admin_checkout_result['Password'] == user_password, f"Not able to checkout Account : {account_id}. API " \
f"response result: {admin_checkout_result}. "
logger.info(f"Account Checkout successful for Account :{account_id}.")
# Checkout account while logged in as Privileged Access Service Administrator
user_checkout_result, user_checkout_success = ResourceManager.check_out_password(
user_session, 1, account_id)
assert user_checkout_result['Password'] == user_password, f"Not able to checkout Account : {account_id}. API " \
f"response result: {user_checkout_result}. "
logger.info(f"Account CheckIn successful for Account :{account_id}.")
def test_verify_accounts_credential_my_system_accounts(core_session,
pas_windows_setup,
users_and_roles):
"""
TC:C2068 Verify account's credential on "My System Accounts".
:param:core_session: Returns a API session.
:param:users_and_roles:Fixture to manage roles and user.
:param pas_windows_setup:Returns a fixture.
"""
# Creating a system and account.
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(
)
# Cloud user session with "Privileged Access Service Administrator".
cloud_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Administrator')
user_name = cloud_user_session.auth_details['User']
user_id = cloud_user_session.auth_details['UserId']
# Assigning "Workspace Login" permission for account to limited user.
rights = "View,Login,UserPortalLogin"
assign_account_perm_res, assign_account_perm_success = \
ResourceManager.assign_account_permissions(core_session, rights, user_name, user_id, 'User', account_id)
assert assign_account_perm_success, f'Failed to assign "Workspace Login" permission:' \
f'API response result:{assign_account_perm_res}'
logger.info(
f'Successfully "Workspace Login" of account permission to user"{assign_account_perm_res}"'
)
# Assigning "View" permission for system to limited user.
assign_system_perm_res, assign_system_perm_success = ResourceManager.assign_system_permissions(
core_session, "View", user_name, user_id, 'User', system_id)
assert assign_system_perm_success, f'Failed to assign "View" permissions: ' \
f'API response result {assign_system_perm_res}.'
logger.info(
f"Successfully assign system permission to user'{assign_system_perm_res}'"
)
# Getting the details from "My System Accounts" in workspace and validating account in "My System Accounts" list.
workspace_account_list = []
workspace_result_detail, workspace_success = ResourceManager.\
get_my_system_accounts_from_workspace(cloud_user_session)
for workspace_result in workspace_result_detail:
if workspace_result['Name'] == sys_info[0]:
workspace_account_list.append(workspace_result['User'])
assert sys_info[
4] in workspace_account_list, f'failed to get the account {sys_info[4]} on workspace.'
logger.info(f"Could display on Account{sys_info[4]} on workspace")
# validating Account health.
verify_pass_result, verify_pass_success = ResourceManager.check_account_health(
core_session, account_id)
assert verify_pass_success, f"Failed to verify account health:API response result:{verify_pass_result}. "
logger.info(f"Successfully account verified:{verify_pass_result}")
def test_cannot_manage_accounts_without_permission(
core_session,
remote_unmanaged_users_with_mirrored_managed_local_users_qty3,
windows_test_machine_config, users_and_roles):
right_data = [
"Privileged Access Service Power User",
"role_Privileged Access Service Power User"
]
requestor_session = users_and_roles.get_session_for_user(right_data[0])
results_role = users_and_roles.get_role(right_data[0])
account_ids = remote_unmanaged_users_with_mirrored_managed_local_users_qty3
job_id, success = ResourceManager.manage_multiple_accounts(
requestor_session, account_ids)
assert success, "Did not kick off bulk manage accounts job"
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
# Validates accounts are still not managed.
_validate_accounts_are_not_managed(requestor_session, account_ids, job_id)
permission_string = "Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword,FileTransfer,UserPortalLogin"
account_id = account_ids[
2] # Grant permission to only one of the accounts, the middle one
result, success = ResourceManager.assign_account_permissions(
core_session, permission_string, results_role['Name'],
results_role['ID'], "Role", account_id)
assert success, "Did not set account permissions " + str(result)
job_id, success = ResourceManager.manage_multiple_accounts(
requestor_session, account_ids)
assert success, "Did not kick off bulk rotate passwords job"
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
# Validate the one account is managed.
_validate_accounts_are_not_managed(requestor_session,
[account_ids[0], account_ids[1]],
job_id)
_validate_accounts_are_managed(requestor_session, [account_ids[2]], job_id)
user_info = requestor_session.get_current_session_user_info().json(
)['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Failure.Multi'
start_message = f'{username} initiated management of {len(account_ids)} accounts'
end_message = f'{username} failed to manage 2 of 3 accounts'
RedrockController.expect_event_message_by_type(core_session, start_type,
start_message)
RedrockController.expect_event_message_by_type(core_session, end_type,
end_message)
def test_system_level_password_checkout_blank(
core_session, pas_windows_setup, users_and_roles,
update_tenant_multiple_checkouts):
"""
C1548 : System level password checkout set to '--'
:param core_session: Authenticated Centrify Session
:param pas_windows_setup: Added and return Windows system and Account associated to it.
:param users_and_roles: Gets user and role on demand.
"""
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(
)
user_session = users_and_roles.get_session_for_user(
"Privileged Access Service Administrator")
pas_admin = user_session.__dict__['auth_details']
# Setting 'Allow multiple password checkouts' policy to Uncheck on Global Security Setting page
result, success = update_tenant_multiple_checkouts(core_session, False)
assert success, f"Not able to disable 'Allow multiple password checkouts' policy on Global " \
f"Security Setting page. API response result: {result}."
logger.info(
f"'Allow multiple password checkouts' policy Unchecked on Global Security Setting page"
)
# Assigning 'Checkout' permission to user for Account.
account_result, account_success = ResourceManager.assign_account_permissions(
core_session, 'Naked', pas_admin['User'], pas_admin['UserId'], 'User',
account_id)
assert account_success, f"Assign Checkout permission to account : {account_id} failed. " \
f"API response result: {account_result}"
logger.info(
f"'Checkout' permission given to user: {pas_admin['User']} for Account:{account_id}."
)
# Checkout account while logged in as Cloud Admin
admin_checkout_result, admin_checkout_success = ResourceManager.check_out_password(
core_session, 1, account_id)
assert admin_checkout_result['Password'] == user_password, f"Not able to checkout Account : {account_id}. API " \
f"response result: {admin_checkout_result} "
logger.info(f"Account Checkout successful for Account :{account_id}.")
# Checkout account while logged in as Privileged Access Service Administrator
user_checkout_result, user_checkout_success = ResourceManager.check_out_password(
user_session, 1, account_id)
assert not user_checkout_success, f"Checkout Account successful : {account_id} : API response " \
f"result: {user_checkout_result}"
logger.info(f"Not able to checkout Account : {account_id}")
activity = RedrockController.get_account_activity(user_session,
account_id)[0]['Detail']
assert 'Multiple checkouts not allowed' in activity, f"Checkout Failed activity not found " \
f"for account : {account_id}. API response result: {activity} "
logger.info(
f"Checkout Failed activity found in Activity for account : {account_id}"
)
def test_other_user_cant_see_secret_created_by_first_user(core_session, users_and_roles, created_system_id_list,
swap_roles):
roles = ["Privileged Access Service Administrator", "Privileged Access Service Power User"]
if swap_roles:
roles_new = [roles[1], roles[0]]
roles = roles_new
batch = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 2, created_system_id_list)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch])
deleter_user_0_session = users_and_roles.get_session_for_user(roles[0])
deleter_user_0_role = users_and_roles.get_role(roles[0])
deleter_user_0_role_name = deleter_user_0_role['Name']
deleter_user_0_role_id = deleter_user_0_role['ID']
other_user_1_session = users_and_roles.get_session_for_user(roles[1])
for account_id in all_accounts:
permission_string = 'Owner,View,Manage,Delete,Login,Naked,UpdatePassword,FileTransfer,UserPortalLogin'
result, success = ResourceManager.assign_account_permissions(core_session, permission_string,
deleter_user_0_role_name, deleter_user_0_role_id,
"Role", account_id)
assert success, "Did not set account permissions " + str(result)
for system_id in all_systems:
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(core_session, permission_string,
deleter_user_0_role_name, deleter_user_0_role_id,
"Role", system_id)
assert success, "Did not set system permissions " + result
secret_name = f"secret{guid()}"
job_id, result = ResourceManager.del_multiple_systems(deleter_user_0_session, batch.keys(), secretname=secret_name)
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
remaining_accounts = set(ResourceManager.get_multi_added_account_ids(core_session, created_system_id_list))
remaining_systems = set(ResourceManager.get_multi_added_system_ids(core_session, created_system_id_list).values())
assert remaining_accounts == set(), "Remaining accounts did not match expectation"
assert remaining_systems == set(), "Remaining systems did not match expectation"
secret_id = RedrockController.get_secret_id_by_name(deleter_user_0_session, secret_name)
assert secret_id is not None, f"Secret was not visible to creator '{roles[0]}' user, either because it wasn't created or because of a permissions issue"
secret_id = RedrockController.get_secret_id_by_name(other_user_1_session, secret_name)
assert secret_id is None, f"Secret should not be '{roles[1]}' user when created by '{roles[0]}' user"
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, f"Sys admin should be able to see secret created by {roles[0]}"
def test_add_permission_for_account(core_session, pas_setup):
"""
TCID: C2204 Add permission for account
:param core_session: To create the session
:param pas_setup: Add system and its account
"""
system_id, account_id, sys_info = pas_setup
user_detail = core_session.__dict__
rights = "View"
user_name = user_detail['auth_details']['User']
principalid = user_detail['auth_details']['UserId']
result_permission, success_permission = ResourceManager.assign_account_permissions(
core_session, rights, user_name, principalid, pvid=account_id)
assert success_permission, f'Failed to add the user permission:{result_permission}'
logger.info(f'Add user permission successfully:{result_permission}')
def test_bulk_system_delete_works_with_built_in_set(clean_bulk_delete_systems_and_accounts, core_session, core_tenant,
clean_users, users_and_roles, list_of_created_systems,
get_environment):
Engines = get_environment
if Engines == "AWS - PLV8":
batch = ResourceManager.add_multiple_systems_with_accounts(core_session, 3, 3, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch])
right_data = ("Privileged Access Service Power User", "role_Privileged Access Service Power User")
requester_session = users_and_roles.get_session_for_user(right_data[0])
role_info = users_and_roles.get_role(right_data[0])
account_ids = ResourceManager.get_multi_added_account_ids(core_session, all_systems)
for account_id in account_ids:
permission_string = 'Owner,View,Manage,Delete,Login,Naked,UpdatePassword,FileTransfer,UserPortalLogin'
result, success = ResourceManager.assign_account_permissions(
core_session,
permission_string,
role_info['Name'], role_info['ID'], "Role",
account_id)
assert success, "Did not set account permissions " + str(result)
system_ids = list(ResourceManager.get_multi_added_system_ids(core_session, all_systems).values())
for system_id in system_ids:
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,' \
'UnlockAccount '
result, success = ResourceManager.assign_system_permissions(core_session,
permission_string,
role_info['Name'], role_info['ID'], "Role",
system_id)
assert success, "Did not set system permissions " + result
job_id, result = ResourceManager.del_multiple_systems_by_query(requester_session, '@@Windows Servers')
report = JobManager.get_job_report(core_session, job_id)
# not asserting success or failure, the admin may have access to windows systems created by other tests which
# would not succeed such as windows systems with uncertain accounts
assert len(ResourceManager.get_multi_added_account_ids(core_session,
all_systems)) == 0, f"Expected no remaining added accounts {report}"
assert len(ResourceManager.get_multi_added_system_ids(core_session,
all_systems)) == 0, f"Expected no remaining added systems {report}"
else:
skip('todo: Fix this test to work on azure')
def test_database_level_password_checkout_blank(
core_session, create_databases_with_accounts, users_and_roles,
update_tenant_multiple_checkouts):
"""
C1552 : Database Level password checkout set to 'default'.
:param core_session: Authenticated Centrify Session.
:param create_databases_with_accounts: Added and return Database and Account associated to it.
:param users_and_roles: Gets user and role on demand.
"""
database = create_databases_with_accounts(core_session, 1, 1)[0]
user_session = users_and_roles.get_session_for_user(
"Privileged Access Service Administrator")
pas_admin = user_session.__dict__['auth_details']
# Setting 'Allow multiple password checkouts' policy to enable on Global Security Setting page
result, success = update_tenant_multiple_checkouts(core_session, True)
assert success, f"Not able to enable 'Allow multiple password checkouts' policy on Global Security Setting page. " \
f"API response result: {result}."
logger.info(
f"'Allow multiple password checkouts' policy Enabled on Global Security Setting page"
)
# Assigning 'Checkout' permission to user for account.
account_result, account_success = ResourceManager.assign_account_permissions(
core_session, 'Naked', pas_admin['User'], pas_admin['UserId'], 'User',
database['Accounts'][0]['ID'])
assert account_success, f"Assign Checkout permission to account : {database['Accounts'][0]['ID']} " \
f"failed. API response result: {account_result}. "
logger.info(
f"'Checkout' permission given to user: {pas_admin['User']} for "
f"Account:{database['Accounts'][0]['ID']}.")
# Checkout account while logged in as Cloud Admin
admin_checkout_result, admin_checkout_success = ResourceManager.check_out_password(
core_session, 1, database['Accounts'][0]['ID'])
assert admin_checkout_success, f"Not able to checkout Account : {database['Accounts'][0]['ID']}. API response " \
f"result: {admin_checkout_result}. "
logger.info(
f"Account Checkout successful for Account :{database['Accounts'][0]['ID']}."
)
# Checkout account while logged in as Privileged Access Service Administrator
user_checkout_result, user_checkout_success = ResourceManager.check_out_password(
user_session, 1, database['Accounts'][0]['ID'])
assert user_checkout_success, f"Not able to checkout Account : {database['Accounts'][0]['ID']}. API response " \
f"result: {user_checkout_result}. "
logger.info(
f"Account Checkout successful for Account :{database['Accounts'][0]['ID']}."
)
def test_check_number_of_total_checkout(core_session, pas_setup,
users_and_roles):
"""
Test case: C286364
:param core_session: Authenticated Centrify session
:param users_and_roles: Fixture to manage roles and user
"""
system_id, account_id, sys_info = pas_setup
# Cloud user session with "Privileged Access Service Administrator"
cloud_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Administrator')
user_name = cloud_user_session.auth_details['User']
user_id = cloud_user_session.auth_details['UserId']
# Assigning system view permission
result, status = ResourceManager.assign_system_permissions(core_session,
"View",
user_name,
user_id,
pvid=system_id)
assert status, f"Failed to assign system permissions return result is {result}"
logger.info(
f'View rights assigned to user {user_name} for system {sys_info[0]}')
# Assigning cloud user view and checkout permission for account
account_rights = "View,Naked"
acc_result, acc_status = ResourceManager.assign_account_permissions(
core_session, account_rights, user_name, user_id, pvid=account_id)
assert acc_status, f"failed to assign account permission, returned result is {acc_result}"
logger.info(
f'successfully assigned {account_rights} permission for account {sys_info[4]} of '
f'{sys_info[0]} to user {user_name}')
# Checkout password using cloud user
result, success = ResourceManager.check_out_password(
cloud_user_session, 1, account_id)
assert success, f"cloud user: {user_name} failed to checkout account {sys_info[4]}."
logger.info(
f"Cloud user: {user_name} successfully checked out account {sys_info[4]} of system {sys_info[0]}."
)
# retrieving my total checkout value from workspace
checkout_count = ResourceManager.get_my_total_checkout(
cloud_user_session, user_id)
assert checkout_count > 0, f'failed to retrieve total checkout value as it never updated. returned count is ' \
f'{checkout_count}'
logger.info(f'My total Checkout field is updated by {checkout_count}')
def test_check_ui(core_session, pas_setup, users_and_roles):
"""
Test case: C2120
:param core_session: Authenticated centrify session
:param pas_setup: fixture to create system with accounts
:param users_and_roles: fixture to create cloud user ui session
"""
system_id, account_id, sys_info = pas_setup
# Getting user with PAS Power User rights
pas_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
assert pas_user_session.auth_details, 'Failed to Login with PAS Power User'
username = pas_user_session.auth_details['User']
user_id = pas_user_session.auth_details['UserId']
logger.info(
f'User with PAS Power User Rights login successfully: user_Name:{username}'
)
result, status = ResourceManager.assign_account_permissions(
core_session, "View,Manage", username, user_id, pvid=account_id)
assert status, f'failed to assign Edit permission to user: {username} for account {sys_info[4]}'
logger.info(
f'Edit permission provided for account {sys_info[4]} to user {username}'
)
# enabling account workflow
result, status = ResourceManager.update_account_with_approver(
core_session, account_id, sys_info[4], system_id,
core_session.get_user().get_id(),
core_session.get_user().get_login_name())
assert status, f'failed to enable account workflow for account {sys_info[4]} of system {sys_info[0]}'
logger.info(
f'workflow enabled for account {sys_info[4]} of system {sys_info[0]}.')
# Request login for an Account
start_time = str(datetime.datetime.utcnow())
end_time = str(datetime.datetime.utcnow() + datetime.timedelta(hours=1))
request_reason = 'I want to Login'
login_request, login_success = WorkflowManager.request_checkout(
pas_user_session,
account_id,
start_time,
end_time,
reason=request_reason,
accesstype='Login')
assert login_success, f"Login Request Failed:{login_request}"
logger.info(f'Login Request success: {login_request}')
def test_check_local_account_by_normal_user_with_no_view_permission(
core_session, users_and_roles, pas_setup):
"""
Test case ID: C2205 Check local account in User Portal using a normal user with Privilege Service User right
:param users_and_roles: Returns Authenticated Centrify UI session with limited rights.
:param core_session: Authenticated Centrify Session.
:param pas_setup: Returning a fixture.
"""
created_system_id, created_account_id, sys_info = pas_setup
# Getting the limited user session with limited rights " Privilege Service User right."
ui = users_and_roles.get_ui_as_user("Privileged Access Service User")
limited_user = ui.get_user()
# Assigning permission to the system account
account_set_result, account_set_success = ResourceManager.assign_account_permissions(
core_session,
"View,Login",
limited_user.get_login_name(),
limited_user.get_id(),
pvid=created_account_id)
assert account_set_success, f"Failed to assign 'view' and 'login' permissions to user for system's account: {account_set_success}"
logger.info(
f"Successfully granted permission to the system account:{account_set_result}"
)
# Assigning permission to the system
system_set_success, system_set_result = ResourceManager.assign_system_permissions(
core_session,
"Edit",
limited_user.get_login_name(),
limited_user.get_id(),
pvid=created_system_id)
assert system_set_result, f"Failed to assign permission to user for system: {system_set_success}"
logger.info(
f"Successfully set the permission to other system: {system_set_result}"
)
# UI Launch.
ui.navigate('Resources', 'Systems')
empty_grid = ui.check_exists(EmptyGrid("No Systems listed "))
assert empty_grid, f"System found in the list"
ui.navigate('Resources', 'Accounts')
empty_grid = ui.check_exists(EmptyGrid("No Accounts listed "))
assert empty_grid, "Account found in the list"
def test_select_two_records_in_my_system_account_field(
core_session, create_resources_with_accounts, core_admin_ui,
cleanup_accounts):
"""
Test case id : C14833
:param core_session: Centrify session
:param create_resources_with_accounts: fixture to create system with accounts
:param core_admin_ui: Ui session
:param cleanup_accounts: cleanup fixture for accounts after test completion
"""
sys = create_resources_with_accounts(core_session, 1, 'Windows', 2)[0]
acc = sys['Accounts']
sys1 = acc[0]["User"]
sys2 = acc[1]["User"]
ui = core_admin_ui
admin_user_uuid = UserManager.get_user_id(
core_session, ui.user.centrify_user["Username"])
rights = "View,Login,UserPortalLogin"
for account in range(len(acc)):
result, status = ResourceManager.assign_account_permissions(
core_session,
rights,
ui.user.centrify_user["Username"],
admin_user_uuid,
pvid=acc[account]['ID'])
assert status, f'failed to assign {rights} permission to cloud admin {ui.user.centrify_user["Username"]}. returned result is: {result}'
logger.info(
f'rights {rights} are provided to {ui.user.centrify_user["Username"]} for account {acc[account]["Name"]}'
)
ui.user_menu('Reload Rights')
ui.navigate(('Workspace', 'My System Accounts'))
# Expecting to find both added systems in My System Account List in workspace
ui.expect(
GridRowByGuid(acc[0]["ID"]),
f'Expected to find system {sys1} in My System Account but did not')
ui.expect(
GridRowByGuid(acc[1]["ID"]),
f'Expected to find system {sys2} in My System Account but did not')
ui.check_actions(['Rotate credentials', 'Manage Accounts', 'Add To Set'],
[sys1, sys2])
logger.info('Add To set option is available')
def test_check_account_settings_page(core_session, pas_setup, get_limited_user_function):
"""
Test case: C2119
:param core_session: Authenticated centrify session
:param pas_setup: fixture to create system with account
:param get_limited_user_function: Centrify ui session for user with right "Privileged Access Service Administrator"
"""
system_id, account_id, sys_info = pas_setup
limited_sesh, limited_user = get_limited_user_function
user_details = core_session.__dict__['auth_details']
username = user_details['User']
user_id = user_details['UserId']
# Assigning rights to cloud user, excluding checkout and Login right.
rights = "Owner,View,Manage,Delete,UpdatePassword,RotatePassword,FileTransfer"
result, success = ResourceManager.assign_account_permissions(core_session, rights, username, user_id,
pvid=account_id)
assert success, f'failed to assign rights: {rights} to cloud user {username} for account {sys_info[4]} ' \
f'of {sys_info[0]}.'
logger.info(f'rights {rights} successfully assigned to to cloud user {username} for account {sys_info[4]} '
f'of {sys_info[0]}.')
# enabling account workflow
result, status = ResourceManager.update_account_with_approver(core_session, account_id, sys_info[4], system_id,
core_session.get_user().get_id(),
core_session.get_user().get_login_name())
assert status, f'failed to enable account workflow for account {sys_info[4]} of system {sys_info[0]}'
logger.info(f'workflow enabled for account {sys_info[4]} of system {sys_info[0]}.')
# Step: Request login for an Account
timenow = datetime.datetime.utcnow()
start_time = str(timenow)
end_time = str(timenow + datetime.timedelta(hours=1))
req_request, req_success = WorkflowManager.request_checkout(limited_sesh, account_id, start_time, end_time,
reason=None, accesstype="Login")
assert req_success, "Workflow Request Failed"
logger.info(f'Workflow Request is success: {req_request}')
# # Step: Request Checkout for an Account
req_request, req_success = WorkflowManager.request_checkout(limited_sesh, account_id, start_time, end_time)
assert req_success, "Workflow Request Failed"
logger.info(f'Workflow Request is success: {req_request}')
def test_cant_add_access_key_without_manage_permission(core_session, cloud_provider_ec2_account_config, live_aws_cloud_provider, user, cds_session):
cloud_provider_id, test_deleted_provider, _populate_iam_user_with_access_keys = live_aws_cloud_provider
requester_session, limited_user = cds_session
iam_user = cloud_provider_ec2_account_config[user]
access_key_1 = iam_user['access_key_1']
account_id, success = ResourceManager.add_account_cloud_provider(core_session, iam_user['username'], "", cloud_provider_id)
assert success, f"Account addition failed with API response result {account_id}"
result, success = CloudProviderManager.import_aws_access_key(requester_session, access_key_1['id'], access_key_1['secret'])
assert not success, f"Succeeded to add access key1 when failure was expected {result}"
result, success = ResourceManager.assign_account_permissions(core_session, "View,Manage", limited_user.get_login_name(), limited_user.get_id(), "User", account_id)
assert success, f"Failed to execute API call to set permissions {result}"
result, success = CloudProviderManager.import_aws_access_key(requester_session, access_key_1['id'], access_key_1['secret'])
assert success, f"Succeeded to add access key1 when failure was expected {result}"
def test_cannot_rotate_passwords_without_permission(core_session, remote_users_with_mirrored_managed_local_users_qty3,
windows_test_machine_config, users_and_roles):
right_data = ["Privileged Access Service Power User", "role_Privileged Access Service Power User"]
requestor_session = users_and_roles.get_session_for_user(right_data[0])
results_role = users_and_roles.get_role(right_data[0])
remote_ip = windows_test_machine_config['ip_address']
account_ids, accounts = BulkOperations.grab_relevant_users(core_session, remote_users_with_mirrored_managed_local_users_qty3)
passwords_fetched = BulkOperations.checkout_users(core_session, accounts)
job_id, success = ResourceManager.rotate_multiple_passwords(requestor_session, account_ids)
assert success, "Did not kick off bulk rotate passwords job"
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
BulkOperations.validate_users_with_login(remote_ip, passwords_fetched) # Verify passwords are still right
permission_string = "Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword,FileTransfer," \
"UserPortalLogin "
account_id = passwords_fetched[1][3] # Grant permission to only one of the accounts, the middle one
result, success = ResourceManager.assign_account_permissions(core_session, permission_string,
results_role['Name'], results_role['ID'],
"Role", account_id)
assert success, "Did not set account permissions " + str(result)
job_id, success = ResourceManager.rotate_multiple_passwords(requestor_session, account_ids)
assert success, "Did not kick off bulk rotate passwords job"
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
BulkOperations.validate_users_with_login(remote_ip, passwords_fetched, [True, False, True])
user_info = requestor_session.get_current_session_user_info().json()['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Failure.Multi'
start_message = f'{username} initiated password rotation of {len(account_ids)} accounts'
end_message = f'{username} failed to rotate 2 of 3 account passwords'
RedrockController.expect_event_message_by_type(core_session, start_type, start_message)
RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_missing_permissions_on_bulk_account_delete(
clean_bulk_delete_systems_and_accounts, core_session, core_tenant,
clean_users, users_and_roles, list_of_created_systems):
right_data = [
"Privileged Access Service Power User",
"role_Privileged Access Service Power User"
]
batch = ResourceManager.add_multiple_systems_with_accounts(
core_session, 3, 3, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch])
has_permission_ids, missing_permission_ids = DataManipulation.shuffle_and_split_into_two_lists(
all_accounts)
requester_session = users_and_roles.get_session_for_user(right_data[0])
results_role = users_and_roles.get_role(right_data[0])
permissions_dict = dict.fromkeys(
has_permission_ids,
'Owner,View,Manage,Delete,Login,Naked,UpdatePassword,FileTransfer,UserPortalLogin'
)
permissions_dict.update(
dict.fromkeys(
missing_permission_ids,
'Owner,View,Manage,Login,Naked,UpdatePassword,FileTransfer,'
'UserPortalLogin'))
for account_id, permission_string in permissions_dict.items():
result, success = ResourceManager.assign_account_permissions(
core_session, permission_string, results_role['Name'],
results_role['ID'], "Role", account_id)
assert success, "Did not set account permissions " + str(result)
api_results, success = ResourceManager.del_multiple_accounts(
requester_session, all_accounts, run_sync=True)
assert not success, f"Expected fail result from missing permissions during test_missing_permissions_on_bulk_account_delete {api_results}"
assert set(
ResourceManager.get_multi_added_account_ids(
core_session, all_systems)) == set(missing_permission_ids)
def test_delete_fails_without_permission(core_session, live_aws_cloud_provider, user, cds_session):
cloud_provider_id, test_deleted_provider, _populate_iam_user_with_access_keys = live_aws_cloud_provider
requester_session, limited_user = cds_session
account_id = _populate_iam_user_with_access_keys(user)
rows = CloudProviderManager.get_aws_access_keys(core_session, account_id)
result, success = CloudProviderManager.delete_aws_access_key(requester_session, rows[0][0]['ID'])
assert not success, f"deleted access key1 when failure was expected {result}"
rows = CloudProviderManager.get_aws_access_keys(core_session, account_id)
assert len(rows[0]) == 2, f"Should retrieve 2 key"
result, success = ResourceManager.assign_account_permissions(core_session, "Manage", limited_user.get_login_name(), limited_user.get_id(), "User", account_id)
assert success, f"Failed to execute API call to set permissions {result}"
result, success = CloudProviderManager.delete_aws_access_key(requester_session, rows[0][0]['ID'])
assert success, f"failed to delete access key {result}"
rows = CloudProviderManager.get_aws_access_keys(core_session, account_id)
assert len(rows[0]) == 1, f"Should retrieve 1 key"
def test_check_button_status_after_canceling_account_deleted(
core_session, add_single_system, pas_config, users_and_roles):
"""
TC:C2217 Check button status after canceling account deleted with user who just has Delete permission.
:param core_session: Returns a API session.
:param add_single_system: Returns a fixture.
:param users_and_roles: Fixture to manage roles and user.
:param pas_config: Read yaml data.
"""
# Creating a system.
created_system_id, system_details = add_single_system
# Creating a account.
payload_data = pas_config['Windows_infrastructure_data']
account_id, account_success = ResourceManager.add_account(
core_session, payload_data['account_name'], payload_data['password'],
created_system_id, payload_data['account_type'])
assert account_success, f'Failed to create account: API response result:{account_id}'
logger.info(f'Successfully created account:{account_id}')
# Cloud user session with "Privileged Access Service Power User".
cloud_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Power User')
user_name = cloud_user_session.auth_details['User']
user_id = cloud_user_session.auth_details['UserId']
# Assigning account "Delete" permission.
assign_account_result, assign_account_success = ResourceManager.assign_account_permissions(
core_session, "Delete", user_name, user_id, 'User')
assert assign_account_success, f"Failed to assign account permissions: API response result: {assign_account_result}"
logger.info(
f'Successfully assigned "Delete" permission to user:{assign_account_result}.'
)
# Deleting a account by cloud user.
del_account_result, del_account_success = ResourceManager.del_account(
cloud_user_session, account_id)
assert del_account_success, f"Could not delete account:API response result:{del_account_result}"
logger.info(f"Successfully deleted account: {del_account_result}")
def test_grant_view_portal_login_permission_to_privileged_access_service_user(core_session, system_with_ssh_account,
core_admin_ui):
"""
TC: C2069
:param core_session: Authenticated Centrify session.
:param system_with_ssh_account: Valid unix system with ssh account
:param core_admin_ui: Authenticated browser session.
"""
system_id, account_id, ssh_id, system_list, account_list, ssh_list = system_with_ssh_account
ui = core_admin_ui
user_id = UserManager.get_user_id(core_session, ui.user.centrify_user['Username'])
result, status = ResourceManager.assign_account_permissions(core_session, rights="View,Login,UserPortalLogin",
principal=ui.user.centrify_user['Username'],
principalid=user_id, pvid=account_id)
assert status, f'failed to assign UserPortalLogin permission of account to user {ui.user.centrify_user["Username"]}'
logger.info(f'UserPortalLogin permission of account assigned successfully to user '
f'{ui.user.centrify_user["Username"]}')
ui = core_admin_ui
# "SSH Key" on column "Credential Type"
result, status = ResourceManager.get_workspace_my_system_account(core_session)
for account in result:
if account['Host'] == system_id:
assert account['CredentialType'] == 'SshKey', f'SSH Key not displayed in CredentialType column in ' \
f'My System Account'
logger.info('SSH key displayed in Credential type column.')
# Login to the ssh account
ui.navigate(('Workspace', 'My System Accounts'))
ui.right_click_action(GridRowByGuid(account_id), 'Login')
ui.switch_to_pop_up_window()
ui.expect_disappear(LoadingMask(), 'RDP session never exited loading state for system', time_to_wait=60)
ui.switch_to_main_window()
status, result = ResourceManager.get_my_active_sessions(core_session, account_id)
assert status, f'failed to retrieve details for active account session data, return result is {result}'
logger.info(f'details for active account found in My Active sessions, returned row is {result}.')
def _set_permissions(session, limited_user, cloud_provider_id, account_id,
provider_permissions, root_acct_permissions):
if isinstance(provider_permissions, list):
provider_permissions = ",".join(provider_permissions)
if isinstance(root_acct_permissions, list):
root_acct_permissions = ",".join(root_acct_permissions)
assert isinstance(
provider_permissions, str
), f"Invalid arguments passed to _set_permissions provider_permissions {provider_permissions}"
assert isinstance(
root_acct_permissions, str
), f"Invalid arguments passed to _set_permissions root_acct_permissions {root_acct_permissions}"
result, success = ResourceManager.assign_account_permissions(
session, root_acct_permissions, limited_user.get_login_name(),
limited_user.get_id(), "User", account_id)
assert success, f"Failed to execute API call to set permissions {result}"
result, success = CloudProviderManager.set_cloud_provider_permissions(
session, provider_permissions, limited_user.get_login_name(),
limited_user.get_id(), "User", cloud_provider_id)
assert success, f"Failed to execute API call to set permissions {result}"
def test_check_permission_name_on_portal(core_session, pas_setup, users_and_roles):
"""
Test case: C2118
:param core_session: Authenticated Centrify session
:param pas_setup: Fixture to create system with account in portal
:param users_and_roles: fixture to create user with role in portal
"""
system_id, account_id, sys_info = pas_setup
# API session for cloud user
cloud_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User')
cloud_user_data = cloud_user_session.get_user()
username = cloud_user_data.get_login_name()
user_id = cloud_user_data.get_id()
# Assigning cloud user "Grant" permission for system
result, status = ResourceManager.assign_system_permissions(core_session, "Grant,View", username, user_id,
pvid=system_id)
assert status, f'failed to assign Grant permission to user {username} for system {sys_info[0]} returned result is ' \
f'{result}'
logger.info(f'successfully assigned Grant permission to user {username} for system {sys_info[0]}')
# Assigning "Grant", "Edit" permission to user for account
result, status = ResourceManager.assign_account_permissions(core_session, "Owner,View,Manage", username,
user_id, pvid=account_id)
assert status, f'failed to assign "Grant", "Edit" permission to user {username} for account {sys_info[4]} ' \
f'of system {sys_info[0]}'
logger.info(f'successfully assigned "Grant", "Edit" permission to user {username} for account {sys_info[4]}')
# cloud user remove its own "Grant" permission for account
result, status = ResourceManager.assign_account_permissions(cloud_user_session, "View,Manage", username, user_id,
pvid=account_id)
assert status, f'user {username} failed to remove Grant permission'
logger.info('grant permission removed successfully')
# cloud remove its own "Grant" permission for system
result, status = ResourceManager.assign_system_permissions(core_session, "View", username, user_id,
pvid=system_id)
assert status, f'user {username} failed to remove Grant permission'
logger.info(f'grant permission removed successfully')
args = {"Args": {"Caching": -1}, "RowKey": system_id, "Table": "Server"}
aces_result = cloud_user_session.post(EndPoints.GET_ROW_ACES, args).json()
user_permission = []
for i in aces_result['Result']:
if i['PrincipalName'] == username:
user_permission.append(i['PrincipalName'])
assert user_permission[0] == username, 'expected to find user {username} row in permissions table but did not'
logger.info(f'UI for system permission for cloud user {username} '
f'shown normally after removing "Grant" permission of system.')
args = {"Args": {"Caching": -1}, "RowKey": account_id, "Table": "VaultAccount"}
aces_result = cloud_user_session.post(EndPoints.GET_ROW_ACES, args).json()
user_permission = []
for i in aces_result['Result']:
if i['PrincipalName'] == username:
user_permission.append(i['PrincipalName'])
assert user_permission[0] == username, 'expected to find user {username} row in permissions table but did not'
logger.info(f'UI for Account permission for cloud user {username} shown normally after removing "Grant" permission '
f'of system.')
def test_check_account_view_permission_under_system_domain_database(core_session, pas_setup,
create_databases_with_accounts,
create_domains_with_accounts,
get_limited_no_view_user_function,
users_and_roles):
"""
Test case: C2127
:param core_session: Authenticated centrify session
:param pas_setup: fixture to create system with account
:param create_databases_with_accounts: fixture to create database with account
:param create_domains_with_accounts: fixture to create domain with account
"""
system_id, account_id, sys_info = pas_setup
database = create_databases_with_accounts(core_session, databasecount=1, accountcount=1)
domain = create_domains_with_accounts(core_session, domaincount=1, accountcount=1)
db_name, db_id, db_account, db_account_id = database[0]['Name'], database[0]['ID'], \
database[0]['Accounts'][0]['User'], database[0]['Accounts'][0]['ID']
domain_name, domain_id, domain_account, domain_account_id = domain[0]['Name'], domain[0]['ID'], \
domain[0]['Accounts'][0]['User'], \
domain[0]['Accounts'][0]['ID']
# Step3 : Get user has "Privilege Service Administrator" right
cloud_user_session, cloud_user = get_limited_no_view_user_function
cloud_user, user_id, user_password = \
cloud_user.get_login_name(), cloud_user.get_id(), cloud_user.get_password()
user = {"Username": cloud_user, "Password": user_password}
# Assigning permissions to system excluding "View" Permission
result, status = ResourceManager.assign_system_permissions(core_session, "Grant", cloud_user, user_id,
pvid=system_id)
assert status, f'failed to assign rights of system to user {cloud_user}'
logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission')
# Assigning permissions to system account including "View" Permission
result, status = ResourceManager.assign_account_permissions(core_session, "View", cloud_user, user_id,
pvid=account_id)
assert status, f'failed to assign rights of accounts to user {cloud_user}'
logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission')
# Assigning permissions to domain excluding "View" Permission
result, status = ResourceManager.set_domain_account_permissions(core_session, "Grant", cloud_user, user_id,
pvid=domain_id)
assert status, f'failed to assign rights of domain to user {cloud_user}'
logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission')
# Assigning permissions to domain account including "View" Permission
result, status = ResourceManager.assign_account_permissions(core_session, "View", cloud_user, user_id,
pvid=domain_account_id)
assert status, f'failed to assign rights of domain account to user {cloud_user}'
logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission')
# Assigning permissions to database excluding "View" Permission
result, status = ResourceManager.assign_database_permissions(core_session, "Grant", cloud_user, user_id, pvid=db_id)
assert status, f'failed to assign rights of database to user {cloud_user}'
logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission')
# Assigning permissions to database account including "View" Permission
result, status = ResourceManager.assign_account_permissions(core_session, "View", cloud_user, user_id,
pvid=db_account_id)
assert status, f'failed to assign rights of database account to user {cloud_user}'
logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission')
query = "@/lib/server/get_accounts.js(mode:'AllAccounts', newcode:true, localOnly:true, " \
"colmemberfilter:'Select ID from VaultAccount WHERE Host IS NOT NULL')"
result = RedrockController.redrock_query(cloud_user_session, query,
args={"PageNumber": 1, "PageSize": 100, "Limit": 100000, "SortBy": "Name",
"Ascending": True, "FilterBy": ["Name", "User"],
"FilterValue": f'{sys_info[0]}',
"FilterQuery": None, "Caching": 0})
assert len(result) == 0, f'User able to see the account details under account records user ' \
f'have different rights: {get_limited_no_view_user_function}'
logger.info(f'Local account {sys_info[4]} of system {sys_info[0]} is not visible to user {cloud_user}')
query = "SELECT * FROM (SELECT VaultAccount.ID, VaultAccount.User, VaultAccount.OwnerName, " \
"VaultAccount.Description, VaultAccount.LastChange, VaultAccount.Status, " \
"VaultAccount.DefaultCheckoutTime, VaultAccount.MissingPassword, VaultAccount.ActiveCheckouts, " \
"VaultAccount.NeedsPasswordReset, VaultAccount.PasswordResetRetryCount, " \
"VaultAccount.PasswordResetLastError, VaultAccount.IsManaged, VaultAccount.Host, VaultAccount.DomainID, " \
"VaultAccount.DatabaseID, VaultAccount.IsFavorite, VaultAccount.UseWheel, VaultAccount.CredentialType, " \
"SshKeys.Name as CredentialName, VaultAccount.WorkflowEnabled, COALESCE(NULLIF(" \
"VaultAccount.WorkflowApprovers, ''),NULLIF(VaultAccount.WorkflowApprover, '')) as WorkflowApprovers, " \
"VaultAccount.DiscoveredTime as AccountDiscoveredTime, VaultAccount.Name, VaultAccount.FQDN, " \
"VaultAccount.SessionType, VaultAccount.ComputerClass, VaultDatabase.DatabaseClass, " \
"VaultAccount.ProxyUser, VaultAccount.LastHealthCheck FROM VaultAccount LEFT OUTER JOIN VaultDatabase ON " \
"DatabaseID = VaultDatabase.ID LEFT OUTER JOIN SshKeys ON CredentialId = SshKeys.ID WHERE IFNULL(" \
"VaultAccount.Name, '') <> '') WHERE DomainID is not null AND IFNULL(Name, \"\") <> \"\" "
result = RedrockController.redrock_query(cloud_user_session, query,
args={"PageNumber": 1, "PageSize": 100, "Limit": 100000, "SortBy": "Name",
"Ascending": True, "FilterBy": ["Name", "User"],
"FilterValue": f"{domain_account}", "FilterQuery": None,
"Caching": 0})
assert len(result) == 1, f'User able to see the account details under account records user ' \
f'have different rights: {get_limited_no_view_user_function}'
logger.info(f'user {cloud_user} can see domain account {domain_account}')
query = "SELECT * FROM (SELECT VaultAccount.ID, VaultAccount.User, VaultAccount.OwnerName, " \
"VaultAccount.Description, VaultAccount.LastChange, VaultAccount.Status, " \
"VaultAccount.DefaultCheckoutTime, VaultAccount.MissingPassword, VaultAccount.ActiveCheckouts, " \
"VaultAccount.NeedsPasswordReset, VaultAccount.PasswordResetRetryCount, " \
"VaultAccount.PasswordResetLastError, VaultAccount.IsManaged, VaultAccount.Host, VaultAccount.DomainID, " \
"VaultAccount.DatabaseID, VaultAccount.IsFavorite, VaultAccount.UseWheel, VaultAccount.CredentialType, " \
"SshKeys.Name as CredentialName, VaultAccount.WorkflowEnabled, COALESCE(NULLIF(" \
"VaultAccount.WorkflowApprovers, ''),NULLIF(VaultAccount.WorkflowApprover, '')) as WorkflowApprovers, " \
"VaultAccount.DiscoveredTime as AccountDiscoveredTime, VaultAccount.Name, VaultAccount.FQDN, " \
"VaultAccount.SessionType, VaultAccount.ComputerClass, VaultDatabase.DatabaseClass, " \
"VaultAccount.ProxyUser, VaultAccount.LastHealthCheck FROM VaultAccount LEFT OUTER JOIN VaultDatabase ON " \
"DatabaseID = VaultDatabase.ID LEFT OUTER JOIN SshKeys ON CredentialId = SshKeys.ID WHERE IFNULL(" \
"VaultAccount.Name, '') <> '') WHERE DatabaseID IS NOT NULL AND IFNULL(Name, \"\") <> \"\" "
result = RedrockController.redrock_query(cloud_user_session, query,
args={"PageNumber": 1, "PageSize": 100, "Limit": 100000, "SortBy": "Name",
"Ascending": True, "FilterBy": ["Name", "User"],
"FilterValue": f"{db_account}", "FilterQuery": None, "Caching": 0})
assert len(result) == 0, f'User able to see the account details under account records user ' \
f'have different rights: {get_limited_no_view_user_function}'
logger.info(f'database account {db_account} is not visible to user {cloud_user}.')
def test_missing_permissions_on_bsd_accounts_and_systems(core_session, users_and_roles, created_system_id_list,
explicit_missing_delete_permission):
"""
Make three systems, with accounts
System 0 - Delete permissions on every account and on system
System 1 - Delete permissions on HALF its accounts and on system
System 2 - Delete permissions on every of its accounts, but not on system
Then Bulk System Delete. All accounts with delete permissions will be gone. Systems 0 and 1 will remain.
:param explicit_missing_delete_permission: If True, the permission string will be set without Delete. If False, the permissions will not be modified (with Delete missing assumed)
:param core_session: Authenticated Centrify Session.
:param users_and_roles: Fixture to create New user with PAS Power Rights
:param created_system_id_list: A list for holding created systems, that will be deleted after the test
:return:
"""
original_systems = 3
original_accounts_per_system = 4
batch = ResourceManager.add_multiple_systems_with_accounts(core_session, original_systems,
original_accounts_per_system, created_system_id_list)
# These two variables will have extra set items added below from System 1
deleted_accounts, expected_preserved_accounts = set(batch[created_system_id_list[0]]).union(
set(batch[created_system_id_list[2]])), set()
split1, split2 = DataManipulation.shuffle_and_split_into_two_lists(batch[created_system_id_list[1]])
deleted_accounts = deleted_accounts.union(set(split1))
expected_preserved_accounts = expected_preserved_accounts.union(set(split2))
# System 1 fails to delete because some of its child accounts are not deleted
# System 2 fails for missing delete permission
expected_preserved_systems = {created_system_id_list[1], created_system_id_list[2]}
delete_system_permissions = {created_system_id_list[0], created_system_id_list[1]}
requester_session = users_and_roles.get_session_for_user("Privileged Access Service Power User")
results_role = users_and_roles.get_role("Privileged Access Service Power User")
for account_id in deleted_accounts:
permission_string = 'Owner,View,Manage,Delete,Login,Naked,UpdatePassword,FileTransfer,UserPortalLogin'
result, success = ResourceManager.assign_account_permissions(core_session, permission_string,
results_role['Name'], results_role['ID'], "Role",
account_id)
assert success, "Did not set account permissions " + str(result)
if explicit_missing_delete_permission:
for account_id in expected_preserved_accounts:
permission_string = 'Owner,View,Manage,Login,Naked,UpdatePassword,FileTransfer,UserPortalLogin'
result, success = ResourceManager.assign_account_permissions(core_session, permission_string,
results_role['Name'], results_role['ID'],
"Role", account_id)
assert success, "Did not set account permissions " + str(result)
for system_id in created_system_id_list:
if system_id in delete_system_permissions:
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
else:
if not explicit_missing_delete_permission:
continue
permission_string = 'Grant,View,Edit,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(core_session, permission_string,
results_role['Name'], results_role['ID'], "Role",
system_id)
assert success, "Did not set system permissions " + result
job_id, result = ResourceManager.del_multiple_systems(requester_session, batch.keys())
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
remaining_accounts = set(ResourceManager.get_multi_added_account_ids(core_session, created_system_id_list))
remaining_systems = set(ResourceManager.get_multi_added_system_ids(core_session, created_system_id_list).values())
assert remaining_accounts == expected_preserved_accounts, "Remaining accounts did not match expectation"
assert remaining_systems == expected_preserved_systems, "Remaining systems did not match expectation"
def test_cloud_admin_login_from_my_system_account(core_session, pas_config,
core_admin_ui,
cleanup_accounts,
cleanup_resources,
remote_users_qty1):
"""
Test case: C14831
:param core_session: centrify session
:param core_admin_ui: Centrify UI session
"""
maximum_event_wait_time = 120
account_list = cleanup_accounts[0]
system_list = cleanup_resources[0]
systems = ServerManager.get_all_resources(core_session)
accounts = ServerManager.get_all_accounts(core_session)
for system in systems:
system_list.append(system['ID'])
for account in accounts:
account_list.append(account['ID'])
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
# Getting system details.
sys_name = f'{"Win-2012"}{guid()}'
user_password = '******'
sys_details = pas_config
add_user_in_target_system = remote_users_qty1
fdqn = sys_details['Windows_infrastructure_data']['FQDN']
# Adding system.
add_sys_result, add_sys_success = ResourceManager.add_system(
core_session, sys_name, fdqn, 'Windows', "Rdp")
assert add_sys_success, f"failed to add system:API response result:{add_sys_result}"
logger.info(f"Successfully added system:{add_sys_result}")
system_list.append(add_sys_result)
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
add_user_in_target_system[0],
password=user_password,
host=add_sys_result)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(
f"Successfully added account {add_user_in_target_system[0]} in the portal"
)
accounts_list.append(acc_result)
ui = core_admin_ui
admin_user_uuid = UserManager.get_user_id(
core_session, ui.user.centrify_user["Username"])
# assigning cloud admin workspace login permission
rights = "View,Login,UserPortalLogin"
result, status = ResourceManager.assign_account_permissions(
core_session,
rights,
ui.user.centrify_user["Username"],
admin_user_uuid,
pvid=acc_result)
assert status, f'failed to assign {rights} permission to cloud admin {ui.user.centrify_user["Username"]}.' \
f'returned result is: {result}'
# Updating allow remote to enable RDP session for targeted system
result, success = ResourceManager.update_system(core_session,
add_sys_result,
sys_name,
fdqn,
"Windows",
allowremote=True)
assert success, f'failed to assign rdp policy to account {add_user_in_target_system[0]} of system {sys_name}'
ui.navigate(('Workspace', 'My System Accounts'))
ui.expect(
GridRow(sys_name),
f'Expected to find system {sys_name} in My System Account but did not')
ui.right_click_action(GridRow(sys_name), 'Login')
ui.switch_to_pop_up_window()
ui.expect_disappear(
LoadingMask(),
'Error occurred while launching workspace login session',
time_to_wait=250)
ui.switch_to_main_window()
# wait for manged password change event
filter = [['AccountName', add_user_in_target_system[0]]]
RedrockController.wait_for_event_by_type_filter(
core_session,
"Cloud.Server.LocalAccount.RDPSession.Start",
filter=filter,
maximum_wait_second=maximum_event_wait_time) # wait for 20 seonds
# Api call to get details of account active session
status, result = ResourceManager.get_my_active_sessions(
core_session, acc_result)
assert status, f'failed to retrieve details for active account session data, return result is {result}'
logger.info(
f'details for active account {add_user_in_target_system[0]} are {result}'
)
ui.navigate('Resources', 'Systems')
ui.search(sys_name)
ui.expect(GridRowByGuid(add_sys_result),
expectation_message=
f'failed to search for the system by id {add_sys_result}')
ui.click_row(GridRowByGuid(add_sys_result))
# fetching Active session value from system view page
ui.inner_text_of_element(ActiveSessionTextCount(),
expectation_message='1',
warning_message="RDP Not taken from user")
logger.info(f'Active session value incremented to 1: Active Sessions:1')
