def test_update_managed_account(pas_setup, core_session, pas_config):
"""
:param pas_config:
:param pas_setup: Fixture for adding a system and an account associated with it.
:param core_admin_ui: Authenticated Centrify Session.
:param core_session: Authenticated Centrify Session.
TC: C2547 - Update managed account
trying to Update managed account password
Steps:
Pre: Create system with 1 manage account hand
1. Try to update invalid password
-Assert Failure
2. Try to update valid password
-Assert Failure
3. Try to check password history
"""
user_name = core_session.get_user().get_login_name()
System_configurations_from_yaml = pas_config
system_data = System_configurations_from_yaml[
'Windows_infrastructure_data']
added_system_id, account_id, sys_info = pas_setup
Result, success = ResourceManager.update_password(core_session, account_id,
guid())
assert success, "Did not update password"
Result, success = ResourceManager.update_password(core_session, account_id,
system_data['password'])
assert success, "Did not update password"
result, success = ResourceManager.check_out_password(
core_session, 1, account_id)
assert success, "Did not retrieve password"
query = f"select EntityId, State, StateUpdatedBy, StateUpdatedTime from PasswordHistory where EntityId=" \
f"'{account_id}' and StateUpdatedBy='{user_name}' and State='Retired'"
password_history = RedrockController.get_result_rows(
RedrockController.redrock_query(core_session, query))[0]
assert len(password_history) > 0, "Password history table did not update"
def test_system_default_management_port(core_session, network_device_setup,
core_admin_ui):
"""
TC: C2607 - System default management port
:param core_session: Authenticated Centrify session.
:param network_device_setup: Adds a network with account and returns UUID of both.
:param core_admin_ui: Authenticated Centrify browser session.
"""
system_id, account_id, device_data, system_list, account_list = network_device_setup(
'paloalto')
system_info = RedrockController.get_computer_with_ID(
core_session, system_id)
ui = core_admin_ui
ui.navigate('Resources', 'Systems')
ui.search(system_info['Name'])
ui.click_row(GridRowByGuid(system_id))
ui.tab('Settings')
ui.input("ManagementPort", "1")
ui.save()
ui.expect(TextField('ManagementPort'),
"Unable to locate management port input").clear()
ui.save()
management_port = RedrockController.get_computer_with_ID(
core_session, system_id)['ManagementPort']
assert management_port is None, "Management port value isn't 443 i.e. default."
logger.info(
f'Management port value retrieved via API is {management_port} i.e. placeholder 443 in UI.'
)
def test_bulk_account_delete_by_sql_query_only_deletes_correct_accounts_fast_track(
clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems):
batch = ResourceManager.add_multiple_systems_with_accounts(
core_session, 2, 12, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch])
delete_ids, keep_ids = DataManipulation.shuffle_and_split_into_two_lists(
all_accounts)
sql_query = 'SELECT * FROM VaultAccount WHERE ' + ' OR '.join(
('VaultAccount.ID = "' + str(n) + '"' for n in list(delete_ids)))
result, success = ResourceManager.del_multiple_accounts_by_query(
core_session, sql_query, run_sync=True)
assert success, "del_multiple_accounts_by_query failed " + result
assert set(ResourceManager.get_multi_added_system_ids(core_session, all_systems).values()) == set(all_systems), \
"Wrong set of added systems found"
assert set(ResourceManager.get_multi_added_account_ids(core_session, all_systems)) == set(keep_ids), \
"Wrong set of added accounts found"
user_info = core_session.get_current_session_user_info().json()['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.BulkAccountDelete.StartQuery.Multi'
end_type = 'Cloud.Core.AsyncOperation.BulkAccountDelete.Success.Multi'
start_message = f'{username} initiated delete of multiple accounts'
end_message = f'{username} successfully deleted {len(delete_ids)} accounts'
RedrockController.expect_event_message_by_type(core_session, start_type,
start_message)
RedrockController.expect_event_message_by_type(core_session, end_type,
end_message)
def test_bulk_system_delete_by_ids_only_deletes_correct_systems_and_accounts_fast_track(
clean_bulk_delete_systems_and_accounts, core_session, list_of_created_systems):
user_info = core_session.get_current_session_user_info().json()['Result']
batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 3, 4, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 1, 2, list_of_created_systems)
batch3 = ResourceManager.add_multiple_systems_with_accounts(core_session, 4, 6, list_of_created_systems)
batch4 = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 8, list_of_created_systems)
batch5 = ResourceManager.add_multiple_systems_with_accounts(core_session, 5, 1, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch1, batch2, batch3, batch4, batch5])
delete_system_ids, delete_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch2, batch4])
keep_system_ids, keep_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch1, batch3, batch5])
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch1, batch2, batch3, batch4, batch5])
ResourceManager.del_multiple_systems(core_session, delete_system_ids, savepasswords=True, wait_time=0,
skip_if_has_apps_or_services=True, run_sync=True)
assert set(ResourceManager.get_multi_added_system_ids(core_session,
all_systems).values()) == keep_system_ids, "Set of expected remaining systems did not match search"
assert set(ResourceManager.get_multi_added_account_ids(core_session,
all_systems)) == keep_account_ids, "Set of expected remaining accounts did not match search"
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.BulkSystemDelete.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.BulkSystemDelete.Success.Multi'
start_message = f'{username} initiated delete of {len(delete_system_ids)} systems'
end_message = f'{username} successfully deleted {len(delete_system_ids)} systems'
RedrockController.expect_event_message_by_type(core_session, start_type, start_message)
RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_import_all_nix_system(core_session, cleanup_accounts, cleanup_resources):
"""
Test case: C279397
:param core_session: Centrify session
"""
# datframe to store systems with unique name in csv import template
# dataframe to store systems in csv import template
# datframe to store systems with unique name in csv import template
system_list = cleanup_resources[0]
accounts_list = cleanup_accounts[0]
dataframe = pd.read_csv('Assets\\serverimport.csv')
server_list = dataframe['Name']
for server in server_list:
dataframe = dataframe.replace(server, f'{server}{guid()}')
temp_server_csv = f"Assets\\serverimport{guid()}.csv"
dataframe.to_csv(temp_server_csv, encoding='utf-8', index=False)
# API call with server import template
result, success = ResourceManager.bulk_import_system(core_session, temp_server_csv)
assert success, f"failed to add systems, return result is: {result}"
logger.info('bulk import successful')
server = RedrockController.get_accounts(core_session)
for row in server:
if row['User'].__contains__("Administrator"):
accounts_list.append(row["ID"])
server = RedrockController.get_computers(core_session)
for row in server:
if row['Name'].__contains__("host"):
system_list.append(row["ID"])
if os.path.exists(temp_server_csv):
os.remove(temp_server_csv)
else:
pass
def test_check_ui_on_subnet_mapping_page(core_session, cleanup_system_subnet_mapping):
"""
TC:C2197 Check UI on Subnet Mappings page.
1) Login Admin Portal as cloud admin
2) Add System subnet mapping by calling API add_system_subnet_mapping
3) Checking through UI for assertion
:param core_session: Authenticated Centrify session.
:param core_admin_ui: Authenticated Centrify browser session.
:param: cleanup_system_subnet_mapping: cleanup for created system subnet.
"""
subnet = Configs.get_environment_node('update_discovery_profile',
'automation_main')['port_scan_scope']['subnet_mask']
subnet_list = cleanup_system_subnet_mapping
# Adding System Subnet Mapping.
result, success, message = ResourceManager.add_system_subnet_mapping(core_session, subnet, chooseConnector="on")
system_subnet_id = result['ID']
assert success, f'Failed to add System subnet mapping with API response: {message}'
subnet_list.append(system_subnet_id)
logger.info(f"System subnet mapping added successfully, {system_subnet_id}")
# Checking on ui for assertion
query = "select * from ProxyGroup"
results = RedrockController.get_result_rows(RedrockController.redrock_query(core_session, query))
assert results[0]['Subnet'] == subnet, \
f'Failed to see the detail of System Subnet Mapping with API response: {message}'
def test_app_management_user_can_create_job_but_not_delete_servers(clean_bulk_delete_systems_and_accounts, core_session,
core_tenant, clean_users, users_and_roles,
list_of_created_systems):
batch = ResourceManager.add_multiple_systems_with_accounts(core_session, 3, 2, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch])
requestor_session = users_and_roles.get_session_for_user('Application Management')
user_info = requestor_session.get_current_session_user_info().json()['Result']
all_systems = batch.keys()
job_id, result = ResourceManager.del_multiple_systems(requestor_session, all_systems)
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
assert len(
ResourceManager.get_multi_added_system_ids(core_session, all_systems)) == 3, "Wrong number of remaining systems"
assert len(ResourceManager.get_multi_added_account_ids(core_session,
all_systems)) == 6, "Wrong number of remaining accounts"
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.BulkSystemDelete.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.BulkSystemDelete.Failure.Multi'
start_message = f'{username} initiated delete of {len(all_systems)} systems'
end_message = f'{username} failed to delete {len(all_systems)} of {len(all_systems)} systems'
RedrockController.expect_event_message_by_type(core_session, start_type, start_message)
RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_bulk_system_unenroll_by_ids_only_unenrolls_correct_systems_fast_track(core_session,
test_four_virtual_aapm_agents):
user_info = core_session.get_current_session_user_info().json()['Result']
agents, _ = test_four_virtual_aapm_agents
all_agent_ids, all_server_ids = _setup_agents(core_session, agents)
unenroll_agent_ids = all_agent_ids[:2]
unenroll_server_ids = all_server_ids[:2]
keep_agent_ids = all_agent_ids[2:]
_validate_aapm_agent_details(core_session, all_agent_ids, True)
_, success = ResourceManager.unenroll_multiple_systems(core_session, unenroll_server_ids, wait_time=0,
SkipIfAgentReconciliationEnabled=True, run_sync=True)
assert success, f"Unenroll multiple systems failed: {unenroll_server_ids}"
_validate_aapm_agent_details(core_session, unenroll_agent_ids, False)
_validate_aapm_agent_details(core_session, keep_agent_ids, True)
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.BulkSystemUnenrollClient.StartQuery.Multi'
end_type = 'Cloud.Core.AsyncOperation.BulkSystemUnenrollClient.Success.Multi'
start_message = f'{username} initiated unenroll of multiple systems'
end_message = f'{username} successfully unenrolled {len(unenroll_server_ids)} systems'
RedrockController.expect_event_message_by_type(core_session, start_type, start_message)
RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_delete_ssh_keys_and_account(core_session, add_system_with_ssh_account, get_ssh_key_function, remove_related):
system_id, account_id, ssh_id, system_list, account_list, ssh_list = add_system_with_ssh_account
# Deleting SSH Account
all_key_ids = [ssh_id, get_ssh_key_function]
delete_result, delete_success = ResourceManager.del_multiple_ssh_keys(core_session, all_key_ids,
run_sync=True, remove_related_account=remove_related)
if remove_related:
assert delete_success, f"SSH key {ssh_id} deletion failed with API response result: {delete_result}"
logger.info(f"Account{account_id} associated with system {system_id} and SSH key {ssh_id} was deleted successfully")
else:
assert not delete_success, "Delete should have failed with attached account {delete_result}"
account_list.remove(account_id)
activity = RedrockController.get_ssh_activity(core_session, ssh_id)
sql_query = RedrockController.get_query_for_ids('VaultAccount', [account_id])
result = RedrockController.redrock_query(core_session, sql_query)
if remove_related:
assert len(result) == 0, f"Account not deleted as expected {result}"
else:
assert len(result) == 1, f"Account was delete and should not have been {result} when removed_related_account == False"
sql_query = RedrockController.get_query_for_ids('SshKeys', all_key_ids)
result = RedrockController.redrock_query(core_session, sql_query)
if remove_related:
assert len(result) == 0, f"SSH keys not deleted as expected {result}"
else:
assert len(result) == 1 and ssh_id in str(result), f"Should remain exactly 1 SSH key associated with account {result}"
def test_bulk_system_unenroll_by_sql_query_only_unenrolls_correct_systems(core_session, test_four_virtual_aapm_agents):
user_info = core_session.get_current_session_user_info().json()['Result']
agents, _ = test_four_virtual_aapm_agents
all_agent_ids, all_server_ids = _setup_agents(core_session, agents)
unenroll_agent_ids = all_agent_ids[:2]
unenroll_server_ids = all_server_ids[:2]
keep_agent_ids = all_agent_ids[2:]
_validate_aapm_agent_details(core_session, all_agent_ids, True)
sql_query = RedrockController.get_query_for_ids('Server', unenroll_server_ids)
_, success = ResourceManager.unenroll_multiple_systems_by_query(core_session, sql_query)
assert success, f"Unenroll Multiple systems by query failed: {sql_query}"
_validate_aapm_agent_details(core_session, unenroll_agent_ids, False)
_validate_aapm_agent_details(core_session, keep_agent_ids, True)
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.BulkSystemUnenrollClient.StartQuery.Multi'
end_type = 'Cloud.Core.AsyncOperation.BulkSystemUnenrollClient.Success.Multi'
start_message = f'{username} initiated unenroll of multiple systems'
end_message = f'{username} successfully unenrolled {len(unenroll_server_ids)} systems'
RedrockController.expect_event_message_by_type(core_session, start_type, start_message)
RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def _validate_aapm_agent_details(session, agent_ids, expected):
query = RedrockController.get_query_for_ids('centrifyclients', agent_ids, columns='ResourceID, FeatureAAPM')
results = RedrockController.get_result_rows(
RedrockController.redrock_query(session, query))
# make sure num of systems match
assert len(results) == len(agent_ids)
for row in results:
assert row["FeatureAAPM"] is expected
def test_cannot_manage_accounts_without_permission(
core_session,
remote_unmanaged_users_with_mirrored_managed_local_users_qty3,
windows_test_machine_config, users_and_roles):
right_data = [
"Privileged Access Service Power User",
"role_Privileged Access Service Power User"
]
requestor_session = users_and_roles.get_session_for_user(right_data[0])
results_role = users_and_roles.get_role(right_data[0])
account_ids = remote_unmanaged_users_with_mirrored_managed_local_users_qty3
job_id, success = ResourceManager.manage_multiple_accounts(
requestor_session, account_ids)
assert success, "Did not kick off bulk manage accounts job"
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
# Validates accounts are still not managed.
_validate_accounts_are_not_managed(requestor_session, account_ids, job_id)
permission_string = "Owner,View,Manage,Delete,Login,Naked,UpdatePassword,RotatePassword,FileTransfer,UserPortalLogin"
account_id = account_ids[
2] # Grant permission to only one of the accounts, the middle one
result, success = ResourceManager.assign_account_permissions(
core_session, permission_string, results_role['Name'],
results_role['ID'], "Role", account_id)
assert success, "Did not set account permissions " + str(result)
job_id, success = ResourceManager.manage_multiple_accounts(
requestor_session, account_ids)
assert success, "Did not kick off bulk rotate passwords job"
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
# Validate the one account is managed.
_validate_accounts_are_not_managed(requestor_session,
[account_ids[0], account_ids[1]],
job_id)
_validate_accounts_are_managed(requestor_session, [account_ids[2]], job_id)
user_info = requestor_session.get_current_session_user_info().json(
)['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Failure.Multi'
start_message = f'{username} initiated management of {len(account_ids)} accounts'
end_message = f'{username} failed to manage 2 of 3 accounts'
RedrockController.expect_event_message_by_type(core_session, start_type,
start_message)
RedrockController.expect_event_message_by_type(core_session, end_type,
end_message)
def test_delete_administrative_account(core_session, network_device_setup):
"""
TC: C2623 - Delete administrative account
:param core_session: Authenticated Centrify session.
:param network_device_setup: Adds a network with account and returns UUID of both.
"""
system_id, account_id, device_data, system_list, account_list = network_device_setup(
'checkpoint')
system_info = RedrockController.get_computer_with_ID(
core_session, system_id)
# setting up Admin account for system
result, success, message = ResourceManager.set_system_administrative_account(
core_session, system_id, account_id)
assert success, f"Failed to update Administrative account for system {system_info['Name']}"
logger.info(
f"Successfully added an administrative account for system {system_info['Name']}"
)
# deleting administrative account
del_result, del_success = ResourceManager.del_account(
core_session, account_id)
assert del_success is False, f"Admin account deleted successfully, unexpected behaviour as Admin account " \
f"should not be deleted. API response result: {del_success}"
logger.info(
f'Admin account could not be deleted as expected, API response result: {del_success}'
)
# finding all systems for cleanup:
acc_script = "@/lib/server/get_accounts.js(mode:'AllAccounts', newcode:true, localOnly:true, colmemberfilter:" \
"'Select ID from VaultAccount WHERE Host IS NOT NULL')"
acc = RedrockController.redrock_query(core_session, acc_script)
for account in acc:
if account['Row']['FQDN'] == "Check.Point":
# Removing Admin Account for successful cleanup of system and account
result, success, message = ResourceManager.set_administrative_account(
core_session, systems=[account['Row']['Host']])
assert success, f"Failed to update Administrative account for system {account['Row']['Name']}"
# Removing Admin Account for successful cleanup of system and account
ResourceManager.update_system(
core_session,
account['Row']['Host'],
account['Row']['Name'],
account['Row']['FQDN'],
'CheckPointGaia',
sessiontype=account['Row']['SessionType'])
# deleting administrative account from this system
ResourceManager.del_account(core_session, account['Row']['ID'])
# Removing Admin Account for successful cleanup of system and account
result, success, message = ResourceManager.set_administrative_account(
core_session, systems=[account['Row']['Host']])
assert success, f"Failed to update Administrative account for system {account['Row']['Name']}"
def test_other_user_cant_see_secret_created_by_first_user(core_session, users_and_roles, created_system_id_list,
swap_roles):
roles = ["Privileged Access Service Administrator", "Privileged Access Service Power User"]
if swap_roles:
roles_new = [roles[1], roles[0]]
roles = roles_new
batch = ResourceManager.add_multiple_systems_with_accounts(core_session, 2, 2, created_system_id_list)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch])
deleter_user_0_session = users_and_roles.get_session_for_user(roles[0])
deleter_user_0_role = users_and_roles.get_role(roles[0])
deleter_user_0_role_name = deleter_user_0_role['Name']
deleter_user_0_role_id = deleter_user_0_role['ID']
other_user_1_session = users_and_roles.get_session_for_user(roles[1])
for account_id in all_accounts:
permission_string = 'Owner,View,Manage,Delete,Login,Naked,UpdatePassword,FileTransfer,UserPortalLogin'
result, success = ResourceManager.assign_account_permissions(core_session, permission_string,
deleter_user_0_role_name, deleter_user_0_role_id,
"Role", account_id)
assert success, "Did not set account permissions " + str(result)
for system_id in all_systems:
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(core_session, permission_string,
deleter_user_0_role_name, deleter_user_0_role_id,
"Role", system_id)
assert success, "Did not set system permissions " + result
secret_name = f"secret{guid()}"
job_id, result = ResourceManager.del_multiple_systems(deleter_user_0_session, batch.keys(), secretname=secret_name)
result = ResourceManager.get_job_state(core_session, job_id)
assert result == "Succeeded", "Job did not execute"
remaining_accounts = set(ResourceManager.get_multi_added_account_ids(core_session, created_system_id_list))
remaining_systems = set(ResourceManager.get_multi_added_system_ids(core_session, created_system_id_list).values())
assert remaining_accounts == set(), "Remaining accounts did not match expectation"
assert remaining_systems == set(), "Remaining systems did not match expectation"
secret_id = RedrockController.get_secret_id_by_name(deleter_user_0_session, secret_name)
assert secret_id is not None, f"Secret was not visible to creator '{roles[0]}' user, either because it wasn't created or because of a permissions issue"
secret_id = RedrockController.get_secret_id_by_name(other_user_1_session, secret_name)
assert secret_id is None, f"Secret should not be '{roles[1]}' user when created by '{roles[0]}' user"
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, f"Sys admin should be able to see secret created by {roles[0]}"
def test_bulk_manage_works_with_different_methods_of_specifying_systems(
core_session,
remote_unmanaged_users_with_mirrored_managed_local_users_qty3,
windows_test_machine_config, change_method):
account_ids = remote_unmanaged_users_with_mirrored_managed_local_users_qty3
job_result = None
if change_method == "ids":
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, account_ids)
assert success, "Did not bulk manage account"
elif change_method == "ids_with_invalid":
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, ["foo"] + list(account_ids))
assert success, "Did not bulk manage account"
elif change_method == "sql":
sql_query = 'SELECT * FROM VaultAccount WHERE ' + ' OR '.join(
('VaultAccount.ID = "' + str(n) + '"' for n in account_ids))
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, [], set_query=sql_query)
assert success, "Did not bulk manage accounts"
elif change_method == "group":
some_set_name = "ApiSet" + guid()
SetsManager.create_manual_collection(core_session, some_set_name,
"VaultAccount", None)
set_id = SetsManager.get_collection_id(core_session, some_set_name,
"VaultAccount")
SetsManager.update_members_collection(core_session, 'add', account_ids,
'VaultAccount', set_id)
filters = SetsManager.get_object_collection_and_filter_by_name(
core_session, some_set_name, "VaultAccount")['Filters']
job_result, success = ResourceManager.manage_multiple_accounts(
core_session, [], set_query=filters)
assert success, "Did not bulk manage accounts"
else:
raise Exception(f"Bad input variable change_method {change_method}")
_validate_accounts_are_managed(core_session, account_ids, job_result)
user_info = core_session.get_current_session_user_info().json()['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Success.Multi'
start_message = f'{username} initiated management of {len(account_ids)} accounts'
end_message = f'{username} successfully managed {len(account_ids)} accounts'
RedrockController.expect_event_message_by_type(core_session, start_type,
start_message)
RedrockController.expect_event_message_by_type(core_session, end_type,
end_message)
def test_checkout_password_for_sql_unmanaged_account(
core_session, add_database_with_account):
"""
Test case: C1101 - Checkout password for a SQL unmanaged account
:param core_session: Authenticated centrify session
:param add_database_with_account: fixture to create database with account as optional.
"""
db_name, db_id, db_account_id, db_data, database_cleaner_list, sql_account_cleaner_list = \
add_database_with_account(db_class='sql', add_account=True)
result, status = ResourceManager.check_out_password(
core_session, lifetime=15, accountid=db_account_id)
assert status, f'failed to checkout account {db_data["db_account"]} password.'
assert result['Password'] == db_data[
'password'], "Checked out password dose'nt match the actual password"
logger.info(f'{db_data["db_account"]} password check out successfully.')
acc_activity = RedrockController.get_account_activity(
core_session, db_account_id)
assert f'{core_session.auth_details["User"]} checked out database account "{db_data["db_account"]}" password for ' \
f'database "{db_name}"' in \
acc_activity[0]['Detail'], f"no activity of checkout found for account {db_data['db_account']}"
logger.info(
f"There is a checkout record for the account {db_data['db_account']} in activity"
)
def test_import_system_and_health_check(core_session, pas_windows_setup):
"""
C1554 : Import system and check health
:param core_session: Authenticated Centrify Session.
:param pas_windows_setup:
"""
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup()
system_details = RedrockController.get_computer_with_ID(core_session, system_id)
system_counter = 1
while system_counter < 60:
if system_details['HealthStatus'] == 'OK' and system_details['LastHealthCheck']:
break
system_counter += 1
ResourceManager.get_date(system_details['LastHealthCheck'])
assert system_details['HealthStatus'] == 'OK', "System not reachable because connector is not up."
logger.info(f"System is reachable successfully: {system_details}")
account_counter = 1
account_details = None
while account_counter < 60:
account_details = ResourceManager.get_account_information(core_session, account_id)
if account_details[0]['VaultAccount']['Row']['Healthy'] == 'OK' and \
account_details[0]['VaultAccount']['Row']['LastHealthCheck']:
break
account_counter += 1
ResourceManager.get_date(account_details[0]['VaultAccount']['Row']['LastHealthCheck'])
assert account_details[0]['VaultAccount']['Row']['Healthy'] == 'OK', \
"System not reachable because connector is not up."
logger.info(f"Account is reachable successfully: {account_details}")
def test_system_password_rotation_switch_page(core_session, pas_setup, core_admin_ui):
"""
Test Case ID: C1672
:param core_session: Returns API session
:param pas_setup: Creates System and Account
:param core_admin_ui: Authenticates Centrify UI session
"""
# Creating windows system.
system_id, account_id, sys_info = pas_setup
system_name = sys_info[0]
# Navigating to System and enabling the "password rotation duration" option with valid values.
ui = core_admin_ui
ui.navigate('Resources', 'Systems')
ui.search(system_name)
ui.click_row(GridRowByGuid(system_id))
ui.tab('Advanced')
ui.switch_context(RenderedTab("Advanced"))
ui.select_option("AllowPasswordRotation", "Yes")
expected_password_rotation_duration = 5
ui.input("PasswordRotateDuration", expected_password_rotation_duration)
ui.save()
ui.navigate('Resources', 'Domains')
# Leaving the page and coming back to the System's page as per the test case.
ui.navigate('Resources', 'Systems')
system_list = RedrockController.get_computers(core_session)
discovered_system = []
for system in system_list:
if system['Name'] == sys_info[0]:
discovered_system.append(system['ID'])
discovered_system.append(system['PasswordRotateDuration'])
assert expected_password_rotation_duration == discovered_system[1], f"password rotation duration count {expected_password_rotation_duration} not matched with actual count {discovered_system[1]}"
logger.info(
f"Password rotation duration of the system {system_name} with id {system_id} saved with count {discovered_system[1]}")
def test_add_system_account_with_win_rm(core_session, pas_windows_setup):
"""C2536 Add system with managed account with WinRM http setting
validate the added Account with win rm and check out password after 5 minutes"""
# Getting system details.
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(
True)
# Verifying Default management mode should be 'RpcOverTcp'
system_rows = RedrockController.get_computer_with_ID(
core_session, system_id)
assert system_rows[
'ManagementMode'] == 'RpcOverTcp', "Default Management mode is not RpcOverTcp"
logger.info("Default Management mode is RPC Over TCP")
# Checkout Password
checkout_password_result, checkout_password_success = ResourceManager. \
check_out_password(core_session,
lifetime=1,
accountid=account_id)
assert checkout_password_success, f"Failed to checkout password due to {checkout_password_result}"
logger.info("Password checkout successfully")
assert checkout_password_result[
'Password'] != user_password, "Password is same after adding managed account"
logger.info("Password updated after adding managed account")
success, response = ResourceManager.update_system(
core_session,
system_id,
sys_info[0],
sys_info[1],
'Windows',
proxycollectionlist=connector_id,
chooseConnector="on",
managementmode="WinRMOverHttp")
assert success, "Failed to update system"
logger.info(f"Successfully updated system '{sys_info[0]}'")
# Adding account in portal.
acc_result, acc_success = ResourceManager.add_account(
core_session,
sys_info[6],
password=user_password,
host=system_id,
ismanaged=True)
assert acc_success, f"Failed to add account in the portal: {acc_result}"
logger.info(f"Successfully added account {sys_info[6]} in the portal")
# Checkout Password after changing management mode to WinRMOverHttp
checkout_password_winrm, checkout_password_success = ResourceManager. \
check_out_password(core_session,
lifetime=1,
accountid=acc_result)
assert checkout_password_success, f"Failed to checkout password due to {checkout_password_winrm}"
logger.info("Password checkout successfully")
assert checkout_password_winrm[
'Password'] != user_password, "Password is same after adding managed account"
logger.info("Password updated after adding managed account")
def test_bulk_rotate_works(core_session,
remote_users_with_mirrored_managed_local_users_qty3,
windows_test_machine_config, users_and_roles):
remote_ip = windows_test_machine_config['ip_address']
account_ids, accounts = BulkOperations.grab_relevant_users(
core_session, remote_users_with_mirrored_managed_local_users_qty3)
account_names = []
for i in range(len(accounts)):
account_names.append(accounts[i][1])
passwords_fetched = BulkOperations.checkout_users(core_session, accounts)
result, success = ResourceManager.rotate_multiple_passwords(
core_session, account_ids)
assert success, "Did not bulk rotate passwords"
job_ids = RedrockController.get_all_running_bulk_rotate_password_jobs(
core_session)
for id in job_ids:
ResourceManager.wait_for_job_state_succeeded(core_session, id)
# Verify passwords are no longer right
BulkOperations.validate_users_with_login(remote_ip, passwords_fetched,
[False] * len(passwords_fetched),
"E2E")
def test_bulk_account_delete_generates_secret(
clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems, secret_cleaner):
batch1 = ResourceManager.add_multiple_systems_with_accounts(
core_session, 1, 4, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(
core_session, 2, 3, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch1, batch2])
secret_name = "TestSecret-" + str(
ResourceManager.time_mark_in_hours()) + "-" + guid()
sql_query = 'SELECT * FROM VaultAccount WHERE ' + ' OR '.join(
('VaultAccount.ID = "' + str(n) + '"' for n in list(all_accounts)))
ResourceManager.del_multiple_accounts_by_query(core_session, sql_query,
True, secret_name)
ResourceManager.wait_for_secret_to_exist_or_timeout(
core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(
core_session, secret_name)
assert secret_id is not None, "Secret not found"
secret_cleaner.append(secret_id)
assert len(
ResourceManager.get_multi_added_account_ids(
core_session,
all_systems)) == 0, "Expected zero added accounts remain"
def test_bulk_account_delete_does_not_generate_secret_when_told_not_to(
clean_bulk_delete_systems_and_accounts, core_session,
list_of_created_systems):
batch1 = ResourceManager.add_multiple_systems_with_accounts(
core_session, 1, 4, list_of_created_systems)
batch2 = ResourceManager.add_multiple_systems_with_accounts(
core_session, 2, 3, list_of_created_systems)
all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values(
[batch1, batch2])
secret_name = "TestSecret-" + str(
ResourceManager.time_mark_in_hours()) + "-" + guid()
sql_query = 'SELECT * FROM VaultAccount WHERE ' + ' OR '.join(
('VaultAccount.ID = "' + str(n) + '"' for n in list(all_accounts)))
ResourceManager.del_multiple_accounts_by_query(core_session, sql_query,
False, secret_name)
ResourceManager.wait_for_secret_to_exist_or_timeout(core_session,
secret_name,
intervals_to_wait=60)
# set low intervals to wait, since secret should not be generated
secret_id = RedrockController.get_secret_id_by_name(
core_session, secret_name)
assert secret_id is None, "Secret not found!"
assert len(ResourceManager.get_multi_added_account_ids(core_session, all_systems)) == 0, \
"Expected zero remaining added accounts remain"
def test_system_with_managed_account(core_session, setup_pas_system_for_unix):
"""
Test case : C279339
:param core_session: Centrify session manager
:param setup_pas_system_for_unix: fixture that provide created unix system data
"""
system_id, account_id, system_info = setup_pas_system_for_unix
system_rows = RedrockController.get_computer_with_ID(
core_session, system_id)
assert system_rows['Name'] == system_info[
0], f"failed to find system {system_info[0]} in portal as returned system result is {system_rows}"
logger.info(f"system found {system_rows}")
account, status = ResourceManager.get_accounts_from_resource(
core_session, system_id)
assert status, f"failed to find accounts in system {system_info[0]} as returned account result is {account}"
logger.info(f"Account found {account}")
# Fetching account information to validate desired account is unmanaged
result, status = ResourceManager.get_account_information(
core_session, account_id)
assert status, f"failed to retrieve account information, returned result is {result}"
is_managed = result['VaultAccount']['Row']['IsManaged']
assert is_managed is False, f"Added account is not managed account"
def test_bulk_system_deletes_manually_single_system_and_secret(clean_bulk_delete_systems_and_accounts, core_session, core_ui, list_of_created_systems, secret_cleaner):
server_prefix, names_of_servers, server_ids = _make_one_server_get_name(core_session, list_of_created_systems)
ui = core_ui
ui.navigate('Resources', 'Systems')
ui.search(server_prefix)
for name in names_of_servers:
assert ui.check_exists(GridCell(name)), "Missing server from view " + name
ui.action('Delete', names_of_servers)
core_ui.switch_context(Modal('System Delete'))
secret_name = "secret_e2e_name_" + guid()
core_ui.input("SecretName", secret_name)
core_ui.button('Delete')
ResourceManager.wait_for_systems_to_delete_or_timeout(core_session, server_ids)
assert len(ResourceManager.get_multi_added_account_ids(core_session, server_ids)) == 0, "All added accounts not removed"
assert len(ResourceManager.get_multi_added_system_ids(core_session, server_ids)) == 0, "All added systems not removed"
ResourceManager.wait_for_secret_to_exist_or_timeout(core_session, secret_name)
secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
assert secret_id is not None, "Secret not found"
secret_cleaner.append(secret_id)
def test_bulk_account_delete_job_fails_with_request_query_returning_zero_rows_fast_track(
clean_bulk_delete_systems_and_accounts, core_session, simulate_failure,
list_of_created_systems):
batch = ResourceManager.add_multiple_systems_with_accounts(
core_session, 1, 1, list_of_created_systems)
_, delete_account_ids = DataManipulation.aggregate_lists_in_dict_values(
[batch])
# Invalid query for the failure case.
if simulate_failure:
sql_query = f"select * from VaultAccount where ID = '{guid()}'"
else:
sql_query = RedrockController.get_query_for_ids(
'VaultAccount', delete_account_ids)
params = Util.scrub_dict({
'Ids': [],
'SaveToSecrets': False,
'SecretName': "",
'SetQuery': sql_query,
'RunSync': True
})
request = core_session.apirequest(EndPoints.ACCOUNT_MULTI_DELETE, params)
request_json = request.json()
result, success = request_json['Result'], request_json['success']
assert not simulate_failure == success, \
f'Invalid query bulk account delete request succeeded even though it should fail {result}'
def test_add_account_unlock_account_permission(core_session,
domain_config_data,
get_admin_user_function):
"""
Steps for this scenario using API:
1)Get the domain that needs to be added managed account with add account permission
2)Set add account and unlock permission in the domain
"""
conf = domain_config_data
limited_sesh, limited_user = get_admin_user_function
name = conf['pas_bat_scenario1_infrastructure_data'][0]
script = "Select * FROM VaultDomain"
request = RedrockController.redrock_query(core_session, script)
for directory_service in request:
if directory_service['Row']['Name'] == name["Domain_name2"]:
directory_service = directory_service['Row']['ID']
break
permissions = "Grant,View,Edit,Delete,AddAccount,UnlockAccount"
result, add_domain_account_success = ResourceManager.set_domain_account_permissions(
core_session,
permissions,
limited_user.get_login_name(),
limited_user.get_id(),
id=directory_service,
pvid=directory_service,
rowkey=directory_service)
assert add_domain_account_success, f'Failed to set add account permission in the domain {result}'
logger.info(f"add account permission set successfully in the Domain.")
def test_add_managed_proxy_account(core_session, pas_windows_setup):
"""
:param core_session: Authenticated Centrify Session.
:param pas_windows_setup: Fixture for adding a system and an account associated with it.
TC: C2537 - Add system with managed account and Proxy account with WinRM https settings
trying to Add system with managed account and Proxy account with WinRM https settings
Steps:
Pre: Create system with 1 manage and proxy account
1. Try to fetch the management mode in setting page
-Assert Failure
2. Try to check out password from account
-Assert Failure
"""
system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup(True, True)
logger.info(f"System: {sys_info[0]} successfully added with UUID: {system_id} and account: {sys_info[4]} "
f"with UUID: {account_id} associated with it.")
managementmode = RedrockController.get_computer_with_ID(core_session, system_id)
assert managementmode['ManagementMode'] == "WinRMOverHttps", \
f"management mode is failed because of system doesnt have proxy account. API response result: {managementmode}"
logger.info(f"Fetch management mode successfully: {managementmode['ManagementMode']}")
password_checkout_result, password_checkout_success = ResourceManager.check_out_password(core_session, 1,
accountid=account_id)
assert password_checkout_result['Password'] is not user_password, \
f"password checkout Failed. API response result: {password_checkout_result}"
logger.info(f"password successfully checkout Account password: {password_checkout_result['COID']}")
def test_bulk_rotate_works_with_different_methods_of_specifying_systems(
core_session,
remote_users_with_mirrored_managed_local_users_qty3, windows_test_machine_config, change_method):
remote_ip = windows_test_machine_config['ip_address']
account_ids, accounts = BulkOperations.grab_relevant_users(core_session, remote_users_with_mirrored_managed_local_users_qty3)
passwords_fetched = BulkOperations.checkout_users(core_session, accounts)
BulkOperations.validate_users_with_login(remote_ip, passwords_fetched)
if change_method == "checkin": # disabled, out of scope
BulkOperations.check_in_users(core_session, passwords_fetched)
elif change_method == "ids":
result, success = ResourceManager.rotate_multiple_passwords(core_session, account_ids)
assert success, "Did not bulk rotate passwords"
elif change_method == "ids_with_invalid":
result, success = ResourceManager.rotate_multiple_passwords(core_session, account_ids)
assert success, "Did not bulk rotate passwords"
elif change_method == "sql":
sql_query = 'SELECT * FROM VaultAccount ' \
'WHERE ' + ' OR '.join(('VaultAccount.ID = "' + str(n) + '"' for n in account_ids))
result, success = ResourceManager.rotate_multiple_passwords(core_session, [], set_query=sql_query)
assert success, "Did not bulk rotate passwords"
elif change_method == "group":
some_set_name = "ApiSet" + guid()
SetsManager.create_manual_collection(core_session, some_set_name, "VaultAccount", None)
set_id = SetsManager.get_collection_id(core_session, some_set_name, "VaultAccount")
SetsManager.update_members_collection(core_session, 'add', account_ids, 'VaultAccount', set_id)
filters = SetsManager.get_object_collection_and_filter_by_name(core_session,
some_set_name, "VaultAccount")['Filters']
result, success = ResourceManager.rotate_multiple_passwords(core_session, [], set_query=filters)
assert success, "Did not bulk rotate passwords"
else:
raise Exception(f"Bad input variable change_method {change_method}")
BulkOperations.validate_users_with_login(remote_ip, passwords_fetched, [False] * len(passwords_fetched), change_method)
# Verify passwords are no longer right
user_info = core_session.get_current_session_user_info().json()['Result']
username = user_info['Name']
start_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Start.Multi'
end_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Success.Multi'
start_message = f'{username} initiated password rotation of {len(account_ids)} accounts'
end_message = f'{username} successfully rotated {len(account_ids)} account passwords'
RedrockController.expect_event_message_by_type(core_session, start_type, start_message)
RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_a_secret_can_belong_to_multiple_sets(core_session, create_set_manual,
added_secrets,
pas_general_secrets,
cleanup_secrets_and_folders,
set_cleaner):
"""test method to check that a secret belongs to multiple set"""
added_secret_id, added_secret_name = added_secrets
set_params = pas_general_secrets
prefix = guid()
set_success, set_id = create_set_manual
"""Api to create another set manually"""
success, setid = SetsManager.create_manual_collection(
core_session, prefix + set_params['set_name'], 'DataVault')
logger.info(f'creating manual set:{success} with setid as: {setid}')
assert success is True, f'Failed to create manual set with one initial member {setid}'
text_secret_id = added_secret_id[0]
"""Api to add set to existing secret"""
added_to_set_success, added_to_set_result = SetsManager.update_members_collection(
core_session, 'add', [text_secret_id], "DataVault", set_id)
assert added_to_set_success, f'Failed to add secret to set{added_to_set_result}'
logger.info(f'Adding secret to one set: {added_to_set_success}')
"""Api to add another set to same secret"""
added_to_set_success, added_to_set_result = SetsManager.update_members_collection(
core_session, 'add', [text_secret_id], "DataVault", setid)
assert added_to_set_success, f'Failed to add secret to set{added_to_set_result}'
logger.info(f'Adding secret to another set: {added_to_set_success}')
"""Redrock query to fetch set related details"""
get_set_1 = RedrockController.verify_set_secret(core_session, set_id,
text_secret_id)
logger.info(f'{get_set_1}')
logger.info(
f'Verifiying secret name {get_set_1[0]["Row"]["SecretName"]} in '
f'set 1 with ID {get_set_1[0]["Row"]["CollectionID"]} ')
get_set_2 = RedrockController.verify_set_secret(core_session, setid,
text_secret_id)
logger.info(
f'Verifiying secret name {get_set_2[0]["Row"]["SecretName"]} in another '
f'set with ID {get_set_2[0]["Row"]["CollectionID"]}')
"""to verify that same secret is added to multiple sets"""
text_to_verify = 'secret1'
assert (text_to_verify in get_set_1[0]["Row"]["SecretName"]) and (
text_to_verify in get_set_2[0]["Row"]["SecretName"]
), f'secret doesnt belong to multiple set'
set_cleaner.append(setid)
def _validate_accounts_are_not_managed(session, account_ids, job_id):
rows = RedrockController.get_rows_matching_ids(session, 'VaultAccount',
account_ids)
job_report = JobManager.get_job_report(session, job_id)
for row in rows:
assert row[
'IsManaged'] is False, f'Expected account to not be managed after bulk manage account but it was {row} {job_report}'
