def test_secret_added_to_set(core_session, text_secret, set_cleaner): set_1_name = guid() + ' Secret Set' set_2_name = guid() + ' Secret Set' success, set_1_id = SetsManager.create_manual_collection( core_session, set_1_name, 'DataVault', object_ids=[text_secret['ID']]) assert success is True, f'Failed to create manual set with one initial member {set_1_id}' set_cleaner.append(set_1_id) success, set_2_id = SetsManager.create_manual_collection( core_session, set_2_name, 'DataVault', object_ids=[text_secret['ID']]) assert success is True, f'Failed to create manual set with one initial member {set_2_id}' set_cleaner.append(set_2_id) results = SetsManager.search_object_in_set(core_session, set_1_name, text_secret['SecretName'], 'DataVault', search_columns=['SecretName']) assert results[0]['Row']['ID'] == text_secret[ 'ID'], 'Searching for new secret in set 1 and could not find it. {json.dumps(results)}' results = SetsManager.search_object_in_set(core_session, set_2_name, text_secret['SecretName'], 'DataVault', search_columns=['SecretName']) assert results[0]['Row']['ID'] == text_secret['ID'], \ f'Searching for new secret in set 2 and could not find it. {json.dumps(results)}'
def test_bulk_system_by_api_set_correct_systems_and_accounts_fast_track(clean_bulk_delete_systems_and_accounts, core_session, list_of_created_systems): batch1 = ResourceManager.add_multiple_systems_with_accounts(core_session, 3, 4, list_of_created_systems) batch2 = ResourceManager.add_multiple_systems_with_accounts(core_session, 1, 2, list_of_created_systems, sys_type="Unix") batch3 = ResourceManager.add_multiple_systems_with_accounts(core_session, 5, 1, list_of_created_systems, sys_type="Unix") delete_system_ids, delete_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch2]) keep_system_ids, keep_account_ids = DataManipulation.aggregate_lists_in_dict_values([batch1, batch3]) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values([batch1, batch2, batch3]) some_set_name = "ApiSet" + guid() SetsManager.create_manual_collection(core_session, some_set_name, "Server", None) set_id = SetsManager.get_collection_id(core_session, some_set_name, "Server") SetsManager.update_members_collection(core_session, 'add', list(delete_system_ids), 'Server', set_id) collection_and_filters = SetsManager.get_object_collection_and_filter_by_name(core_session, some_set_name, "Server") filters = collection_and_filters['Filters'] logger.info(f'Manual set {collection_and_filters} - members - {delete_system_ids}') result, success = ResourceManager.del_multiple_systems_by_query(core_session, filters, savepasswords=False, secretname="", run_sync=True) assert success is True, f'Delete systems job failed when expected success' SetsManager.delete_collection(core_session, set_id) assert set(ResourceManager.get_multi_added_system_ids(core_session, all_systems).values()) == keep_system_ids, "Set of expected remaining systems did not match search" assert set(ResourceManager.get_multi_added_account_ids(core_session, all_systems)) == keep_account_ids, "Set of expected remaining accounts did not match search"
def test_option_all_system_admins_option_has_no_effect_on_non_admins(core_session, cds_session, set_cleaner, global_option, _modifying_setting_mutex): update_result, update_success = ServerManager.update_server_security_settings(core_session, all_system_admin_see_all_sets_created_by_sys_admin=global_option) assert update_success, f"Failed to update security Settings {update_result}" results, success = ServerManager.get_server_settings(core_session, key='policy') assert success, f"Failed to retrieve policy settings {results}" assert results["AllSystemAdminSeeAllSetsCreatedBySysAdmin"] is global_option, f"Policy key AllSystemAdminSeeAllSetsCreatedBySysAdmin should be {global_option} {results}" non_admin_session, api_user = cds_session admin1_session = core_session set_name1 = f"test_visibility_{guid()}" set_name2 = f"test_visibility_{guid()}" success, set_id1 = SetsManager.create_manual_collection(admin1_session, set_name1, 'DataVault', object_ids=None) assert success is True, f'Failed to create manual set {set_id1}' set_cleaner.append(set_id1) success, set_id2 = SetsManager.create_manual_collection(non_admin_session, set_name2, 'DataVault', object_ids=None) assert success is True, f'Failed to create manual set {set_id2}' set_cleaner.append(set_id2) assert SetsManager.get_collection_id(admin1_session, set_name1, "DataVault", reduce_sys_admin=True) is not None, "Admin 1 should be able to see own set" assert SetsManager.get_collection_id(non_admin_session, set_name2, "DataVault", reduce_sys_admin=True) is not None, "Non admin should be able to see own set" assert SetsManager.get_collection_id(non_admin_session, set_name1, "DataVault", reduce_sys_admin=True) is None, "Non admin should NOT be able to see Admin 1 set" assert SetsManager.get_collection_id(admin1_session, set_name2, "DataVault", reduce_sys_admin=True) is None, "Admin 1 should NOT be able to see non admin set" assert SetsManager.get_collection_id(non_admin_session, set_name1, "DataVault", reduce_sys_admin=False) is None, "Non admin should not be able to see Admin 1 set when reduce_sys_admin is False (because lacking permission)" assert SetsManager.get_collection_id(admin1_session, set_name2, "DataVault", reduce_sys_admin=False) is not None, "Admin 1 should be able to see Admin 2 set when reduce_sys_admin is False"
def test_bulk_system_unenroll_by_api_set_correct_systems_fast_track(core_session, test_four_virtual_aapm_agents): agents, _ = test_four_virtual_aapm_agents all_agent_ids, all_server_ids = _setup_agents(core_session, agents) unenroll_agent_ids = all_agent_ids[:2] unenroll_server_ids = all_server_ids[:2] keep_agent_ids = all_agent_ids[2:] _validate_aapm_agent_details(core_session, all_agent_ids, True) some_set_name = "ApiSet" + guid() SetsManager.create_manual_collection(core_session, some_set_name, "Server", None) set_id = SetsManager.get_collection_id(core_session, some_set_name, "Server") SetsManager.update_members_collection(core_session, 'add', list(unenroll_server_ids), 'Server', set_id) collection_and_filters = SetsManager.get_object_collection_and_filter_by_name(core_session, some_set_name, "Server") filters = collection_and_filters['Filters'] logger.info(f'Manual set {collection_and_filters} - members - {unenroll_server_ids}') _, success = ResourceManager.unenroll_multiple_systems_by_query(core_session, filters, wait_time=0, SkipIfAgentReconciliationEnabled=True, run_sync=True) assert success, f'Unenroll systems job failed when expected success: {unenroll_server_ids}' SetsManager.delete_collection(core_session, set_id) _validate_aapm_agent_details(core_session, unenroll_agent_ids, False) _validate_aapm_agent_details(core_session, keep_agent_ids, True)
def test_bulk_manage_works_with_different_methods_of_specifying_systems( core_session, remote_unmanaged_users_with_mirrored_managed_local_users_qty3, windows_test_machine_config, change_method): account_ids = remote_unmanaged_users_with_mirrored_managed_local_users_qty3 job_result = None if change_method == "ids": job_result, success = ResourceManager.manage_multiple_accounts( core_session, account_ids) assert success, "Did not bulk manage account" elif change_method == "ids_with_invalid": job_result, success = ResourceManager.manage_multiple_accounts( core_session, ["foo"] + list(account_ids)) assert success, "Did not bulk manage account" elif change_method == "sql": sql_query = 'SELECT * FROM VaultAccount WHERE ' + ' OR '.join( ('VaultAccount.ID = "' + str(n) + '"' for n in account_ids)) job_result, success = ResourceManager.manage_multiple_accounts( core_session, [], set_query=sql_query) assert success, "Did not bulk manage accounts" elif change_method == "group": some_set_name = "ApiSet" + guid() SetsManager.create_manual_collection(core_session, some_set_name, "VaultAccount", None) set_id = SetsManager.get_collection_id(core_session, some_set_name, "VaultAccount") SetsManager.update_members_collection(core_session, 'add', account_ids, 'VaultAccount', set_id) filters = SetsManager.get_object_collection_and_filter_by_name( core_session, some_set_name, "VaultAccount")['Filters'] job_result, success = ResourceManager.manage_multiple_accounts( core_session, [], set_query=filters) assert success, "Did not bulk manage accounts" else: raise Exception(f"Bad input variable change_method {change_method}") _validate_accounts_are_managed(core_session, account_ids, job_result) user_info = core_session.get_current_session_user_info().json()['Result'] username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Start.Multi' end_type = 'Cloud.Core.AsyncOperation.AccountBulkManagement.Success.Multi' start_message = f'{username} initiated management of {len(account_ids)} accounts' end_message = f'{username} successfully managed {len(account_ids)} accounts' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_select_more_than_one_domain(core_session, domain_setup, cleanup_resources, clean_up_collections): """ TC:C2215 Select more than one domains. :param core_session: Returns API session. :param domain_setup: Fixture for domain creation. :param cleanup_resources: cleaner for domain. """ # Creating a parent domain. parent_domain_id, domain_info = domain_setup set_list = clean_up_collections # Create a child domain. child_domain_name = f"{'child'}{guid()}" domain_cleanup_list = cleanup_resources[1] new_child_domain_id, add_child_domain_success = ResourceManager.add_child_domain(core_session, child_domain_name, description='test_child_domain', parent_id=parent_domain_id) assert add_child_domain_success, f'Failed to create child domain:API response result:{new_child_domain_id}' logger.info(f"Successfully created child domain:API response result: {new_child_domain_id}") domain_cleanup_list.append(new_child_domain_id) Result, success = ResourceManager.get_administrative_account(core_session, "administrator") logger.info(f" Successfully get Domain for adding Administrative account.") assert success, f'Failed to get Domain account {Result}' # set name created with guid and add it in the domain set set_name = f'set_name{guid()}' add_success, add_result = SetsManager.create_manual_collection(core_session, set_name, "VaultDomain", object_ids=[parent_domain_id]) assert add_success, f'Failed to create set and addition of member to set as: {add_result}' logger.info(f'Successfully created set with member:{add_result}') # cleanup the set and account set_list.append(add_result)
def test_bulk_rotate_works_with_different_methods_of_specifying_systems( core_session, remote_users_with_mirrored_managed_local_users_qty3, windows_test_machine_config, change_method): remote_ip = windows_test_machine_config['ip_address'] account_ids, accounts = BulkOperations.grab_relevant_users(core_session, remote_users_with_mirrored_managed_local_users_qty3) passwords_fetched = BulkOperations.checkout_users(core_session, accounts) BulkOperations.validate_users_with_login(remote_ip, passwords_fetched) if change_method == "checkin": # disabled, out of scope BulkOperations.check_in_users(core_session, passwords_fetched) elif change_method == "ids": result, success = ResourceManager.rotate_multiple_passwords(core_session, account_ids) assert success, "Did not bulk rotate passwords" elif change_method == "ids_with_invalid": result, success = ResourceManager.rotate_multiple_passwords(core_session, account_ids) assert success, "Did not bulk rotate passwords" elif change_method == "sql": sql_query = 'SELECT * FROM VaultAccount ' \ 'WHERE ' + ' OR '.join(('VaultAccount.ID = "' + str(n) + '"' for n in account_ids)) result, success = ResourceManager.rotate_multiple_passwords(core_session, [], set_query=sql_query) assert success, "Did not bulk rotate passwords" elif change_method == "group": some_set_name = "ApiSet" + guid() SetsManager.create_manual_collection(core_session, some_set_name, "VaultAccount", None) set_id = SetsManager.get_collection_id(core_session, some_set_name, "VaultAccount") SetsManager.update_members_collection(core_session, 'add', account_ids, 'VaultAccount', set_id) filters = SetsManager.get_object_collection_and_filter_by_name(core_session, some_set_name, "VaultAccount")['Filters'] result, success = ResourceManager.rotate_multiple_passwords(core_session, [], set_query=filters) assert success, "Did not bulk rotate passwords" else: raise Exception(f"Bad input variable change_method {change_method}") BulkOperations.validate_users_with_login(remote_ip, passwords_fetched, [False] * len(passwords_fetched), change_method) # Verify passwords are no longer right user_info = core_session.get_current_session_user_info().json()['Result'] username = user_info['Name'] start_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Start.Multi' end_type = 'Cloud.Core.AsyncOperation.BulkPasswordRotationJob.Success.Multi' start_message = f'{username} initiated password rotation of {len(account_ids)} accounts' end_message = f'{username} successfully rotated {len(account_ids)} account passwords' RedrockController.expect_event_message_by_type(core_session, start_type, start_message) RedrockController.expect_event_message_by_type(core_session, end_type, end_message)
def test_check_ui_after_changing_setting(core_session, pas_setup, clean_up_collections): """ Test case: C2206 Check permission for set :param core_session: Authenticated centrify session :param pas_setup: Creating a new system with accounts """ # Adding Systems for test execution created_system_id, created_account_id, system_details = pas_setup user_details = core_session.__dict__ collection_name = "testManualCollection" + guid() # Get list of permission get_sys_result, get_sys_success = ResourceManager.get_system_permissions( core_session, created_system_id) assert get_sys_success, f"Failed to get system permissions for resource, API result:{get_sys_result}" permission = get_sys_result[0]['Rights'] permission_list = list(chain(*zip(permission.split())))[:-1] permission_index_value = [ list((i, permission_list[i])) for i in range(len(permission_list)) ] assert (permission_index_value[3][0] < permission_index_value[4][0] ), f"Failed to get permission 'Grant' is in front of 'View'" logger.info( f'Grant is successfully shows in front of View. as Grant index is {permission_index_value[3][0]} and View index is {permission_index_value[4][0]}' ) # Create set add_set_success, new_set_id = SetsManager.create_manual_collection( core_session, collection_name, "Server") assert add_set_success, "Collection " + new_set_id + " Failed to Create" # Set cleanup list clean_up_collections.append(new_set_id) # Assign permission to the set set_permissions_result = SetsManager.set_collection_permissions( core_session, "Grant,View,Edit,Delete", user_details["auth_details"]["User"], user_details['auth_details']['UserId'], new_set_id) logger.info( f'Successfully set collection Permissions for the set page :{set_permissions_result}' ) # Get collection permission rights get_permissions_result = SetsManager.get_collection_rights( core_session, new_set_id) set_permission = get_permissions_result['Result'] # Actual set permission rights list actual_set_permission_list = 'View, Edit, Delete, Grant' assert set_permission == actual_set_permission_list, f'Failed to verify permissions:{actual_set_permission_list}' logger.info( f'Successfully verify Permissions for the set page created:{actual_set_permission_list}' )
def test_pe_del_assignment_on_set_delete(core_session, setup_generic_pe_command_with_no_rules, create_resources): commandName, commandID = setup_generic_pe_command_with_no_rules admin_user = core_session.get_user() admin_user_name = admin_user.get_login_name() admin_user_id = admin_user.get_id() # Add System added_system_id = create_resources(core_session, 1, "Unix")[0]['ID'] logger.debug(f"Successfully added a System: {added_system_id}") # Create Set and the system to this set set_name = "set_" + Util.random_string() is_create, set_id = SetsManager.create_manual_collection( core_session, set_name, "Server", object_ids=[added_system_id]) assert is_create, f"Successfully created a set and added system to that set: {set_id}" # Give all permissions to admin user on this set permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \ 'ManagePrivilegeElevationAssignment' result = SetsManager.set_collection_resource_permissions(core_session, permission_string, admin_user_name, admin_user_id, set_id, "User") logger.info(result) assert result['success'], "setting collection permissions failed: " + result # Add assignment principalType = "User" principal = admin_user_name scopeType = "Collection" scope = set_id ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID, scopeType=scopeType, scope=scope, principalType=principalType, principal=principal) assert isSuccess, f" Adding rule assignment failed" # Make sure rule assignment is available results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName) assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}" logger.info(results) # Delete Set isSuccess, results = SetsManager.delete_collection(core_session, set_id) assert isSuccess, f"Deleting set failed: {results}" # Make sure rule assignment is not available results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName) assert isSuccess and len(results['Result']) == 0, f"List assignments API call failed: {results}" logger.info(results)
def test_set_visibility_of_non_admin_set_from_ui(cds_session, set_cleaner, core_ui): non_admin_session, api_user = cds_session ui = core_ui set_name = f"test_visibility_{guid()}" success, set_id = SetsManager.create_manual_collection(non_admin_session, set_name, 'Server', object_ids=None) assert success is True, f'Failed to create manual set {set_id}' set_cleaner.append(set_id) ui.navigate('Resources', 'Systems') # this will ensure that the set container is visible and updated ui.expect(SetRow("All Systems"), "All systems set should be visible") ui.missing(SetRow(set_name), f"{set_name} should not be visible") assert ui.check_exists( Button("Show All Sets")), "Show All Sets link should be visible" assert not ui.check_exists( Button("Show My Sets"), time_to_wait=0), "Show My Sets button should be hidden" ui.button("Show All Sets") ui.expect_disappear(SetRow(set_name), f'{set_name} did not disappear when it should have') assert ui.check_exists(Button("Show My Sets"), 10), "Show My Sets button should be visible" ui.button("Show My Sets") assert ui.check_exists(Button("Show All Sets"), 10), "Show All Sets button should be visible" ui.missing(SetRow(set_name), f"{set_name} should not be visible") # ensure button does not erroneously appear ui.navigate('Access', 'Users') show_all_button = Button("Show All Sets").inside(ActiveMainContentArea()) show_my_button = Button("Show My Sets").inside(ActiveMainContentArea()) ui.missing(show_all_button, f'Show All Sets Button should not be present on users tab') ui.missing(show_my_button, f'Show My Sets Button should not be present on users tab')
def test_bulk_account_delete_job_fails_due_to_invalid_request_missing_secret( clean_bulk_delete_systems_and_accounts, core_session, simulate_failure, list_of_created_systems): batch = ResourceManager.add_multiple_systems_with_accounts( core_session, 1, 1, list_of_created_systems) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values( [batch]) some_set_name = "ApiSet" + guid() success, set_id = SetsManager.create_manual_collection( core_session, some_set_name, "VaultAccount", None) assert success, "Did not create collection" SetsManager.update_members_collection(core_session, 'add', list(all_accounts), 'VaultAccount', set_id) params = Util.scrub_dict({ 'Ids': list(all_accounts), 'SaveToSecrets': simulate_failure, 'SecretName': "Bulk Account Delete", 'SetQuery': "", 'SkipIfHasAppsOrServices': simulate_failure }) if simulate_failure: request = core_session.apirequest(EndPoints.ACCOUNT_MULTI_DELETE, params) request_json = request.json() result, success = request_json['Result'], request_json['success'] ResourceManager.wait_for_job_state_succeeded(core_session, result) assert simulate_failure == success, f"Query success was unexpected value, with message {result}" else: request = core_session.apirequest(EndPoints.ACCOUNT_MULTI_DELETE, params) request_json = request.json() result, success = request_json['Result'], request_json['success'] ResourceManager.wait_for_job_state_succeeded(core_session, result) assert not simulate_failure == success, f"Query success was unexpected value, with message {result}" total_account = RedrockController.get_accounts(core_session) SetsManager.delete_collection(core_session, set_id) list_account = [] for get_account in total_account: if get_account['ID'] == all_accounts: list_account.append(get_account['ID']) assert 0 == len( list_account ), "Number of remaining added accounts was unexpected number"
def agent_get_set(core_session_global): """Creates a resource set to be used for agent enrollment :return: set name """ session = core_session_global set_name = "set_" + Util.random_string() is_create, set_id = SetsManager.create_manual_collection( session, set_name, "Server", None) if is_create: logger.debug("Resource set created: " + set_name) yield set_name else: logger.error("Error in creating resource set: " + set_name) is_create, response = SetsManager.delete_collection(session, set_id) if is_create: logger.debug("Resource set deleted: " + set_name)
def test_a_secret_can_belong_to_multiple_sets(core_session, create_set_manual, added_secrets, pas_general_secrets, cleanup_secrets_and_folders, set_cleaner): """test method to check that a secret belongs to multiple set""" added_secret_id, added_secret_name = added_secrets set_params = pas_general_secrets prefix = guid() set_success, set_id = create_set_manual """Api to create another set manually""" success, setid = SetsManager.create_manual_collection( core_session, prefix + set_params['set_name'], 'DataVault') logger.info(f'creating manual set:{success} with setid as: {setid}') assert success is True, f'Failed to create manual set with one initial member {setid}' text_secret_id = added_secret_id[0] """Api to add set to existing secret""" added_to_set_success, added_to_set_result = SetsManager.update_members_collection( core_session, 'add', [text_secret_id], "DataVault", set_id) assert added_to_set_success, f'Failed to add secret to set{added_to_set_result}' logger.info(f'Adding secret to one set: {added_to_set_success}') """Api to add another set to same secret""" added_to_set_success, added_to_set_result = SetsManager.update_members_collection( core_session, 'add', [text_secret_id], "DataVault", setid) assert added_to_set_success, f'Failed to add secret to set{added_to_set_result}' logger.info(f'Adding secret to another set: {added_to_set_success}') """Redrock query to fetch set related details""" get_set_1 = RedrockController.verify_set_secret(core_session, set_id, text_secret_id) logger.info(f'{get_set_1}') logger.info( f'Verifiying secret name {get_set_1[0]["Row"]["SecretName"]} in ' f'set 1 with ID {get_set_1[0]["Row"]["CollectionID"]} ') get_set_2 = RedrockController.verify_set_secret(core_session, setid, text_secret_id) logger.info( f'Verifiying secret name {get_set_2[0]["Row"]["SecretName"]} in another ' f'set with ID {get_set_2[0]["Row"]["CollectionID"]}') """to verify that same secret is added to multiple sets""" text_to_verify = 'secret1' assert (text_to_verify in get_set_1[0]["Row"]["SecretName"]) and ( text_to_verify in get_set_2[0]["Row"]["SecretName"] ), f'secret doesnt belong to multiple set' set_cleaner.append(setid)
def test_add_new_sub_folder_and_set_with_same_name(core_session, set_cleaner, create_secret_folder, pas_general_secrets, cleanup_secrets_and_folders): """ test method to add a set with same name as Sub Folder :param core_session: Authenticated Centrify Session :param set_cleaner: Fixture to cleanup the sets created :param create_secret_folder: Fixture to create a folder & yields folder related details :param pas_general_secrets: Fixture to read secret data from yaml file :param cleanup_secrets_and_folders: Fixture to cleanup the secrets & folder created """ secret_folder_details = create_secret_folder folder_id = secret_folder_details['ID'] folder_params = pas_general_secrets folders_list = cleanup_secrets_and_folders[1] folder_prefix = guid() folder_success, folder_parameters, sub_folder_id = create_folder(core_session, folder_prefix + folder_params['name'], folder_params['description'], parent=folder_id) assert folder_success, f'Failed to add sub folder:{folder_parameters["Result"]}' logger.info(f'Folder added successfully: {folder_success}') folders_list.insert(0, sub_folder_id) success, set_id = SetsManager.create_manual_collection(core_session, folder_prefix + folder_params['name'], 'DataVault') assert success is True, f'Failed to create manual set with same name as Sub Folder {set_id}' logger.info(f'creating manual set:{success} with setid as: {set_id}') set_cleaner.append(set_id) logger.info(f'Added set deleted successfully:{set_cleaner}') # Getting permissions of the set created permissions = SetsManager.get_collection_rights(core_session, set_id) verify_permissions = 'View, Edit, Delete, Grant' assert verify_permissions == permissions["Result"], \ f'Failed to verify permissions for the set:{permissions["Result"]}' logger.info(f'Permissions of the set created: {permissions}')
def test_bulk_account_by_api_set_correct_accounts( clean_bulk_delete_systems_and_accounts, core_session, list_of_created_systems, core_admin_ui): batch = ResourceManager.add_multiple_systems_with_accounts( core_session, 2, 2, list_of_created_systems) all_systems, all_accounts = DataManipulation.aggregate_lists_in_dict_values( [batch]) delete_ids, keep_ids = DataManipulation.shuffle_and_split_into_two_lists( all_accounts) some_set_name = "ApiSet" + guid() success, set_id = SetsManager.create_manual_collection( core_session, some_set_name, "VaultAccount", None) assert success, "Did not create collection" SetsManager.update_members_collection(core_session, 'add', list(delete_ids), 'VaultAccount', set_id) filters = SetsManager.get_object_collection_and_filter_by_name( core_session, some_set_name, "VaultAccount")['Filters'] result, success = ResourceManager.del_multiple_accounts_by_query( core_session, filters) assert success, "del_multiple_accounts_by_query failed " + result SetsManager.delete_collection(core_session, set_id) assert set( ResourceManager.get_multi_added_system_ids( core_session, all_systems).values()) == set( all_systems), "Wrong set of added systems found" assert set( ResourceManager.get_multi_added_account_ids( core_session, all_systems)) == set(keep_ids), "Wrong set of added accounts found"
def test_accounts_set_my_system_accounts(core_session, pas_windows_setup, users_and_roles, clean_up_collections): """ TC:C2067 Add account to set on "My System Accounts". :param:core_session: Returns a API session. :param:users_and_roles:Fixture to manage roles and user. :param pas_windows_setup:Returns a fixture. :param:clean_up_collections: Cleans up Set. """ # Creating a system and account. system_id, account_id, sys_info, connector_id, user_password = pas_windows_setup() # Cloud user session with "Privileged Access Service Administrator". cloud_user_session = users_and_roles.get_session_for_user('Privileged Access Service Administrator') user_name = cloud_user_session.auth_details['User'] user_id = cloud_user_session.auth_details['UserId'] # Assigning "Workspace Login" permission for account to limited user. rights = "View,Login,UserPortalLogin" assign_account_perm_res, assign_account_perm_success = \ ResourceManager.assign_account_permissions(core_session, rights, user_name, user_id, 'User', account_id) assert assign_account_perm_success, f'Failed to assign "Workspace Login" permission:' \ f'API response result:{assign_account_perm_res}' logger.info(f'Successfully "Workspace Login" of account permission to user"{assign_account_perm_res}"') # Assigning "View" permission for system to limited user. assign_system_perm_res, assign_system_perm_success = ResourceManager.assign_system_permissions(core_session, "View", user_name, user_id, 'User', system_id) assert assign_system_perm_success, f'Failed to assign "View" permissions: ' \ f'API response result {assign_system_perm_res}.' logger.info(f"Successfully assign system permission to user'{assign_system_perm_res}'") # Getting the details from "My System Accounts" in workspace and validating account not in "My System Accounts" # list. workspace_result, workspace_success = ResourceManager.get_my_system_accounts_from_workspace(cloud_user_session) assert sys_info[4] not in workspace_result, f'Could find the account:API response result:{workspace_result}' logger.info("Failed to display on Account on workspace") # Creating a set and adding a account to set. account_set_name = f'Set_test{guid()}' success, account_set_result = SetsManager.create_manual_collection(core_session, account_set_name, 'VaultAccount', object_ids=[account_id]) assert success, f"Failed to create system set {account_set_result}" logger.info(f'Successfully created set:{account_set_result}') # Getting the details of created_account_set in Accounts page and validating account is in created set. account_set_details = RedrockController.get_set_account_details(core_session, account_id=account_id, set_id=account_set_result) assert account_set_details[0]['User'] == sys_info[4], f'Fail to find the account{sys_info[4]}' logger.info(f'Successfully find "{account_set_details[0]["User"]}" in created set" {account_set_name}".') # Cleanup the created set. clean_up_collections.append(RedrockController.get_id_from_name(core_session, account_set_name, "Sets")) logger.info(f'Successfully deleted created set" {account_set_name}".')
def test_needs_edit_permission_to_replace_contents(core_session, users_and_roles, added_secrets_file, added_secrets, pas_general_secrets): """ C283887: User needs edit permission on the secret to replace the contents. :param core_session: Authenticated Centrify Session :param users_and_roles: Fixture to create New user with PAS Power User & PAS User Rights :param added_secrets_file: Fixture to create file type secret :param added_secrets: Fixture to create text type secret :param pas_general_secrets: Fixture to read secret data from yaml file """ secrets_params = pas_general_secrets added_file_secret_id = added_secrets_file added_text_secret_id, added_text_secret_name = added_secrets suffix = guid() # API to get new session for User A pas_power_user_session = users_and_roles.get_session_for_user('Privileged Access Service Power User') assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User' user_name = pas_power_user_session.auth_details['User'] user_id = pas_power_user_session.auth_details['UserId'] logger.info(f'User with PAS Power User Rights login successfully: user_Name:{user_name}') # setting user permissions for file_type_secret""" file_type_secret_result, file_type_secret_success = set_users_effective_permissions(core_session, user_name, 'View,Grant', user_id, added_file_secret_id) assert file_type_secret_success, f'setting permissions for file type secret failed: {file_type_secret_result}' logger.info(f'setting permissions for file type secret: {file_type_secret_success}') # setting user permissions for file_type_secret""" text_type_secret_result, text_type_secret_success = set_users_effective_permissions(core_session, user_name, 'View,Grant,Edit', user_id, added_text_secret_id[0]) assert text_type_secret_success, f'setting permissions for text type secret:{text_type_secret_result}' logger.info(f'setting permissions for text type secret: : {text_type_secret_success}') # Replacing the content of the secret secret_updated = update_secret(pas_power_user_session, added_text_secret_id[0], secrets_params['mfa_secret_name_update'] + suffix, description=secrets_params['mfa_secret_description'], secret_text=secrets_params['secret_text_updated'] + suffix) assert secret_updated['success'], f'Failed to update secret: {secret_updated["Result"]["ID"]}' logger.info(f' Successfully updated text type secret: {secret_updated}') # Verifying replaced secret get_secret_details, get_secret_success, get_secret_created_date, get_secret_text = get_secret_contents( core_session, added_text_secret_id[0]) logger.info(f'Secret Updated details: {get_secret_details}') replaced_content = get_secret_details['SecretText'] assert secrets_params['secret_text_updated'] in replaced_content, \ f'Failed to replace the secrets:{replaced_content}' secret_name = get_secret_details['SecretName'] # creating set manually success, set_id = SetsManager.create_manual_collection(pas_power_user_session, secrets_params['set_name'] + suffix, 'DataVault') assert success, f'Failed to create manual set: {set_id}' logger.info(f'creating manual set:{success} with setid as: {set_id}') # Adding set to secret added_to_set_success, added_to_set_result = SetsManager.update_members_collection(pas_power_user_session, 'add', [added_text_secret_id[0]], "DataVault", set_id) assert added_to_set_success, f'Failed to add secret to set: {added_to_set_result}' logger.info(f'Adding secret to set: {added_to_set_success}') # Redrock query to fetch "Add to set" related details get_set_info = RedrockController.verify_set_secret(pas_power_user_session, set_id, added_text_secret_id[0]) logger.info(f'{get_set_info}') assert get_set_info[0]["Row"]["SecretName"] == secret_name, f' Failed to get "ADD to Set" inside "Actions"' logger.info(f'Verifiying secret name {get_set_info[0]["Row"]["SecretName"]} in ' f'set with ID {get_set_info[0]["Row"]["CollectionID"]} ')
def test_inherited_member_permissions(core_session, create_secret_folder, pas_general_secrets, users_and_roles, cleanup_secrets_and_folders): """ C284058: Inherited member permissions :param core_session: Authenticated Centrify session :param create_secret_folder: Fixture to create secret folder & yields folder details :param pas_general_secrets: Fixture to read secret data from yaml file :param users_and_roles: Fixture to create New user with PAS Power User & PAS User Rights :param cleanup_secrets_and_folders: Fixture to clean-up the secrets & folders created. """ secrets_list = cleanup_secrets_and_folders[0] secret_folder_details = create_secret_folder folder_id = secret_folder_details['ID'] secret_params = pas_general_secrets suffix = guid() # Getting new session for User A pas_power_user_session = users_and_roles.get_session_for_user( 'Privileged Access Service Power User') assert pas_power_user_session.auth_details, 'Failed to Login with PAS Power User' user_name = pas_power_user_session.auth_details['User'] user_id = pas_power_user_session.auth_details['UserId'] logger.info( f'User with PAS Power User Rights login successfully: user_Name:{user_name}' ) # Setting user A permissions to folder user_permissions_result = give_user_permissions_to_folder( core_session, user_name, user_id, folder_id, 'View, Add') assert user_permissions_result, f'Failed to set user permissions to folder:{user_permissions_result}' logger.info(f'User Permissions to folder: {user_permissions_result}') # Setting member permissions to folder member_perm_result, member_perm_success = set_member_permissions_to_folder( core_session, user_name, 'View,Grant,Edit', user_id, folder_id) assert member_perm_success, f'Failed to set member permissions to Folder:{member_perm_result["Result"]}' logger.info(f'Member permissions to folder:{member_perm_result}') # Getting new session for User B pas_user_session = users_and_roles.get_session_for_user( 'Privileged Access Service User') assert pas_user_session.auth_details, 'Failed to Login with PAS Power User' user_name_pas = pas_user_session.auth_details['User'] user_id_pas = pas_user_session.auth_details['UserId'] logger.info( f'User with PAS User Rights login successfully: user_Name:{user_name}') # Setting user B permissions to folder user_permissions_result = give_user_permissions_to_folder( core_session, user_name_pas, user_id_pas, folder_id, 'View, Add') assert user_permissions_result, f'Failed to set user permissions to folder:{user_permissions_result}' logger.info(f'User Permissions to folder: {user_permissions_result}') # Setting member permissions to folder member_perm_result, member_perm_success = set_member_permissions_to_folder( core_session, user_name_pas, 'View,Grant,Edit', user_id_pas, folder_id) assert member_perm_success, f'Failed to set member permissions to Folder:{member_perm_result["Result"]}' logger.info(f'Member permissions to folder:{member_perm_result}') # Creating set for UserA success, set_id = SetsManager.create_manual_collection( pas_power_user_session, secret_params['set_name'] + suffix, 'DataVault') logger.info(f'creating manual set:{success} with set id as: {set_id}') assert success, f'Failed to create manual set for User A: {set_id}' # Create text type secret within folder for User A added_text_secret_success, added_text_secret_result = create_text_secret_within_folder( pas_power_user_session, secret_params['secret_name'] + suffix, secret_params['secret_text'], secret_params['secret_description'], folder_id, set_id) assert added_text_secret_success, f'Failed to create secret for User A:{added_text_secret_result}' logger.info(f'Secret Created successfully: {added_text_secret_success}') # Verifying inherited permissions for User B get_permission_result = get_rows_acl(pas_power_user_session, added_text_secret_result) assert get_permission_result, f'Failed to inherit permissions for User B:{get_permission_result}' logger.info( f' Successfully inherited permissions for User B: {get_permission_result}' ) secrets_list.append(added_text_secret_result) rows_returned = get_permission_result['Result'] for rows in rows_returned: if rows['PrincipalName'] == user_name_pas: assert rows[ 'Inherited'], "Failed to verify the inherited permissions"
def test_check_permission_name_on_portal(core_session, pas_setup, clean_up_collections): """ Test case: C2059 :param core_session: Authenticated Centrify Session :param pas_setup: fixture to create system with accounts in portal :param core_admin_ui: Authenticated Centrify ui session """ system_id, account_id, sys_info = pas_setup # Getting the Id of the user. user_details = core_session.__dict__ user_id = user_details['auth_details']['UserId'] User_name = user_details['auth_details']['User'] # Assigning 'UserPortalLogin' permission to user for account. account_result, account_success = ResourceManager.assign_account_permissions(core_session, 'UserPortalLogin', User_name, user_id, 'User', account_id) assert account_success, f"Failed to give 'UserPortalLogin' permission to user: {User_name} for " \ f"Account: {account_id}. API response 'Result': {account_result}" logger.info(f"'UserPortalLogin' permission given to user: {User_name} for Account:{account_id}.") # Fetching account information to validate desired account is un managed result, status = ResourceManager.get_account_information(core_session, account_id) assert status, f"failed to retrieve account information, returned result is {result}" set_name = f"test_setname{guid()}" status, set_result = SetsManager.create_manual_collection(core_session, set_name, "VaultAccount", object_ids=[account_id]) assert status, f"failed to create set {set_name}, returned result is {set_result}" logger.info(f"set {set_name} created for account {sys_info[4]} of system {sys_info[0]}") clean_up_collections.append(set_result) # Set cleanup list # "Workspace Login" rather than "Portal Login" in granted permission activity result, success = ResourceManager.assign_account_permissions(core_session, "UserPortalLogin", User_name, user_id, pvid=account_id) assert success, f'failed to assign permissions "UserPortalLogin" to ' \ f'{User_name} for account {sys_info[4]} ' \ f'for system {sys_info[0]}' activity = RedrockController.get_account_activity(core_session, account_id) assert activity[0]['Detail'] == f'{User_name} granted User "{User_name}" to have "Workspace Login" permissions ' \ f'on local account "{sys_info[4]}" for "{sys_info[0]}"({sys_info[1]})' \ f' with credential type Password ', 'No Workspace Login keyword found in ' \ 'retrieved permission activity ' logger.info(f'Displayed "Workspace Login" rather than "Portal Login" in granted permission activity for ' f'account {sys_info[4]}') status, result, SetsManager.set_collection_member_permission(core_session, User_name, user_id, "UserPortalLogin", set_result) assert status, f'failed to assign workspace login permission to ' \ f'user {User_name} for set {set_name}' logger.info(f'successfully assigned work space login permission to user {User_name}.') # "Workspace Login" in set activity set_activity_rows = ResourceManager.get_activity_for_collection(core_session, set_result) assert set_activity_rows[0]['Detail'] == f'{User_name} granted User ' \ f'"{User_name}" to have ' \ f'"Workspace Login" permissions on the account set "{set_name}"', \ f'failed to get {set_name} activity for permissions' logger.info(f'displayed "Workspace Login" in activity in set {set_name} activity') # displayed "Workspace Login" in user profile activity user_profile_activity = RedrockController.get_user_activity_profile(core_session, user_id) counter = 0 while counter < 10: user_profile_activity = RedrockController.get_user_activity_profile(core_session, user_id) if user_profile_activity[0]['EventMessage'].__contains__(sys_info[0]): break counter += 1 assert user_profile_activity[0]['EventMessage'] == f'{User_name} ' \ f'granted User "{User_name}" to have "Workspace Login" ' \ f'permissions on local account "{sys_info[4]}" ' \ f'for "{sys_info[0]}"({sys_info[1]}) with credential type ' \ f'Password ', \ f'No Workspace Login keyword found in retrieved permission activity ' logger.info('displayed "Workspace Login" in user profile activity')