def test_add_delete_database_permission_port_specified(core_session,
database_config,
users_and_roles,
cleanup_resources):
"""
C281976 Add/delete database permissions if database port has been specified.
:param core_session: Authenticated Centrify session.
:param database_config:fixture to create database with accounts.
:param users_and_roles: Fixture to manage roles and user.
:param cleanup_resources:cleans up resources
"""
# Creating a database without defined port.
database_list = cleanup_resources[2]
db_data = database_config['sql_db_config']
db_name = f"{db_data['db_name']}{guid()}"
db_result, db_success = ResourceManager.add_database(
core_session,
name=db_name,
port=None,
fqdn=db_data['hostname'],
databaseclass=db_data['databaseclass'],
description=db_data['description'],
instancename=db_data['instancename'],
servicename=db_data['servicename'])
assert db_success, f'Failed to create database without defined port:API response result:{db_result}'
logger.info(
f'Successfully created database without defined port :{db_result}')
database_list.append(db_result)
# Updating the database setting.
update_db_res, update_db_success = ResourceManager.update_database(
core_session, db_result, db_name, db_data['hostname'], db_data['port'],
db_data['description'], db_data['instancename'])
assert update_db_success, f"Fail to update database: API response result:{update_db_res}"
logger.info(f"Successfully updated database with port:{update_db_res}")
# Cloud user session with "Privileged Access Service Administrator"rights.
cloud_user_session = users_and_roles.get_session_for_user(
'Privileged Access Service Administrator')
assert cloud_user_session.auth_details, f'Failed to create with PAS administrator:{cloud_user_session}'
cloud_user = cloud_user_session.auth_details['User']
cloud_user_id = cloud_user_session.auth_details['UserId']
logger.info(
f'User with Privileged Access Service Administrator Rights login successfully: user_Name:{cloud_user}'
)
# Assigning "Delete" permission to Cloud user.
db_perm_result, db_perm_success = ResourceManager.assign_database_permissions(
core_session, "Delete", cloud_user, cloud_user_id, pvid=db_result)
assert db_perm_success, f'Failed to "Delete rights:API response result:{db_perm_result}'
logger.info(
f'successfully assigned "Delete" rights to user: {db_perm_result}')
def test_check_account_view_permission_under_system_domain_database(core_session, pas_setup,
create_databases_with_accounts,
create_domains_with_accounts,
get_limited_no_view_user_function,
users_and_roles):
"""
Test case: C2127
:param core_session: Authenticated centrify session
:param pas_setup: fixture to create system with account
:param create_databases_with_accounts: fixture to create database with account
:param create_domains_with_accounts: fixture to create domain with account
"""
system_id, account_id, sys_info = pas_setup
database = create_databases_with_accounts(core_session, databasecount=1, accountcount=1)
domain = create_domains_with_accounts(core_session, domaincount=1, accountcount=1)
db_name, db_id, db_account, db_account_id = database[0]['Name'], database[0]['ID'], \
database[0]['Accounts'][0]['User'], database[0]['Accounts'][0]['ID']
domain_name, domain_id, domain_account, domain_account_id = domain[0]['Name'], domain[0]['ID'], \
domain[0]['Accounts'][0]['User'], \
domain[0]['Accounts'][0]['ID']
# Step3 : Get user has "Privilege Service Administrator" right
cloud_user_session, cloud_user = get_limited_no_view_user_function
cloud_user, user_id, user_password = \
cloud_user.get_login_name(), cloud_user.get_id(), cloud_user.get_password()
user = {"Username": cloud_user, "Password": user_password}
# Assigning permissions to system excluding "View" Permission
result, status = ResourceManager.assign_system_permissions(core_session, "Grant", cloud_user, user_id,
pvid=system_id)
assert status, f'failed to assign rights of system to user {cloud_user}'
logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission')
# Assigning permissions to system account including "View" Permission
result, status = ResourceManager.assign_account_permissions(core_session, "View", cloud_user, user_id,
pvid=account_id)
assert status, f'failed to assign rights of accounts to user {cloud_user}'
logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission')
# Assigning permissions to domain excluding "View" Permission
result, status = ResourceManager.set_domain_account_permissions(core_session, "Grant", cloud_user, user_id,
pvid=domain_id)
assert status, f'failed to assign rights of domain to user {cloud_user}'
logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission')
# Assigning permissions to domain account including "View" Permission
result, status = ResourceManager.assign_account_permissions(core_session, "View", cloud_user, user_id,
pvid=domain_account_id)
assert status, f'failed to assign rights of domain account to user {cloud_user}'
logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission')
# Assigning permissions to database excluding "View" Permission
result, status = ResourceManager.assign_database_permissions(core_session, "Grant", cloud_user, user_id, pvid=db_id)
assert status, f'failed to assign rights of database to user {cloud_user}'
logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission')
# Assigning permissions to database account including "View" Permission
result, status = ResourceManager.assign_account_permissions(core_session, "View", cloud_user, user_id,
pvid=db_account_id)
assert status, f'failed to assign rights of database account to user {cloud_user}'
logger.info(f'successfully assigned rights to user {cloud_user} excluding "View" permission')
query = "@/lib/server/get_accounts.js(mode:'AllAccounts', newcode:true, localOnly:true, " \
"colmemberfilter:'Select ID from VaultAccount WHERE Host IS NOT NULL')"
result = RedrockController.redrock_query(cloud_user_session, query,
args={"PageNumber": 1, "PageSize": 100, "Limit": 100000, "SortBy": "Name",
"Ascending": True, "FilterBy": ["Name", "User"],
"FilterValue": f'{sys_info[0]}',
"FilterQuery": None, "Caching": 0})
assert len(result) == 0, f'User able to see the account details under account records user ' \
f'have different rights: {get_limited_no_view_user_function}'
logger.info(f'Local account {sys_info[4]} of system {sys_info[0]} is not visible to user {cloud_user}')
query = "SELECT * FROM (SELECT VaultAccount.ID, VaultAccount.User, VaultAccount.OwnerName, " \
"VaultAccount.Description, VaultAccount.LastChange, VaultAccount.Status, " \
"VaultAccount.DefaultCheckoutTime, VaultAccount.MissingPassword, VaultAccount.ActiveCheckouts, " \
"VaultAccount.NeedsPasswordReset, VaultAccount.PasswordResetRetryCount, " \
"VaultAccount.PasswordResetLastError, VaultAccount.IsManaged, VaultAccount.Host, VaultAccount.DomainID, " \
"VaultAccount.DatabaseID, VaultAccount.IsFavorite, VaultAccount.UseWheel, VaultAccount.CredentialType, " \
"SshKeys.Name as CredentialName, VaultAccount.WorkflowEnabled, COALESCE(NULLIF(" \
"VaultAccount.WorkflowApprovers, ''),NULLIF(VaultAccount.WorkflowApprover, '')) as WorkflowApprovers, " \
"VaultAccount.DiscoveredTime as AccountDiscoveredTime, VaultAccount.Name, VaultAccount.FQDN, " \
"VaultAccount.SessionType, VaultAccount.ComputerClass, VaultDatabase.DatabaseClass, " \
"VaultAccount.ProxyUser, VaultAccount.LastHealthCheck FROM VaultAccount LEFT OUTER JOIN VaultDatabase ON " \
"DatabaseID = VaultDatabase.ID LEFT OUTER JOIN SshKeys ON CredentialId = SshKeys.ID WHERE IFNULL(" \
"VaultAccount.Name, '') <> '') WHERE DomainID is not null AND IFNULL(Name, \"\") <> \"\" "
result = RedrockController.redrock_query(cloud_user_session, query,
args={"PageNumber": 1, "PageSize": 100, "Limit": 100000, "SortBy": "Name",
"Ascending": True, "FilterBy": ["Name", "User"],
"FilterValue": f"{domain_account}", "FilterQuery": None,
"Caching": 0})
assert len(result) == 1, f'User able to see the account details under account records user ' \
f'have different rights: {get_limited_no_view_user_function}'
logger.info(f'user {cloud_user} can see domain account {domain_account}')
query = "SELECT * FROM (SELECT VaultAccount.ID, VaultAccount.User, VaultAccount.OwnerName, " \
"VaultAccount.Description, VaultAccount.LastChange, VaultAccount.Status, " \
"VaultAccount.DefaultCheckoutTime, VaultAccount.MissingPassword, VaultAccount.ActiveCheckouts, " \
"VaultAccount.NeedsPasswordReset, VaultAccount.PasswordResetRetryCount, " \
"VaultAccount.PasswordResetLastError, VaultAccount.IsManaged, VaultAccount.Host, VaultAccount.DomainID, " \
"VaultAccount.DatabaseID, VaultAccount.IsFavorite, VaultAccount.UseWheel, VaultAccount.CredentialType, " \
"SshKeys.Name as CredentialName, VaultAccount.WorkflowEnabled, COALESCE(NULLIF(" \
"VaultAccount.WorkflowApprovers, ''),NULLIF(VaultAccount.WorkflowApprover, '')) as WorkflowApprovers, " \
"VaultAccount.DiscoveredTime as AccountDiscoveredTime, VaultAccount.Name, VaultAccount.FQDN, " \
"VaultAccount.SessionType, VaultAccount.ComputerClass, VaultDatabase.DatabaseClass, " \
"VaultAccount.ProxyUser, VaultAccount.LastHealthCheck FROM VaultAccount LEFT OUTER JOIN VaultDatabase ON " \
"DatabaseID = VaultDatabase.ID LEFT OUTER JOIN SshKeys ON CredentialId = SshKeys.ID WHERE IFNULL(" \
"VaultAccount.Name, '') <> '') WHERE DatabaseID IS NOT NULL AND IFNULL(Name, \"\") <> \"\" "
result = RedrockController.redrock_query(cloud_user_session, query,
args={"PageNumber": 1, "PageSize": 100, "Limit": 100000, "SortBy": "Name",
"Ascending": True, "FilterBy": ["Name", "User"],
"FilterValue": f"{db_account}", "FilterQuery": None, "Caching": 0})
assert len(result) == 0, f'User able to see the account details under account records user ' \
f'have different rights: {get_limited_no_view_user_function}'
logger.info(f'database account {db_account} is not visible to user {cloud_user}.')
