*** Settings *** Documentation Test Redfish LDAP user configuration. Library ../../lib/gen_robot_valid.py Resource ../../lib/bmc_redfish_resource.robot Resource ../../lib/utils.robot Resource ../../lib/openbmc_ffdc.robot Resource ../../lib/bmc_network_utils.robot Resource ../../lib/bmc_ldap_utils.robot Suite Setup Suite Setup Execution Suite Teardown LDAP Suite Teardown Execution Test Teardown Run Keywords Redfish.Login AND FFDC On Test Case Fail Force Tags LDAP_Test *** Variables *** ${old_ldap_privilege} Administrator &{old_account_service} &{EMPTY} &{old_ldap_config} &{EMPTY} ${hostname} ${EMPTY} ${test_ip} 10.6.6.6 ${test_mask} 255.255.255.0 ** Test Cases ** Verify LDAP Configuration Created [Documentation] Verify that LDAP configuration created. [Tags] Verify_LDAP_Configuration_Created Create LDAP Configuration # Call 'Get LDAP Configuration' to verify that LDAP configuration exists. Get LDAP Configuration ${LDAP_TYPE} Sleep 10s Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} Redfish.Logout Verify Redfish LDAP Service Disable [Documentation] Verify that LDAP is disabled and that LDAP user cannot ... login. [Tags] Verify_Redfish_LDAP_Service_Disable Redfish.Patch ${REDFISH_BASE_URI}AccountService ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}} Sleep 15s ${resp}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} ... ${LDAP_USER_PASSWORD} Should Be Equal ${resp} ${False} ... msg=LDAP user was able to login even though the LDAP service was disabled. Redfish.Logout Redfish.Login # Enabling LDAP so that LDAP user works. Redfish.Patch ${REDFISH_BASE_URI}AccountService ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}} Redfish.Logout Verify LDAP Login With ServiceEnabled [Documentation] Verify that LDAP Login with ServiceEnabled. [Tags] Verify_LDAP_Login_With_ServiceEnabled Disable Other LDAP # Actual service enablement. Redfish.Patch ${REDFISH_BASE_URI}AccountService ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}} Sleep 15s # After update, LDAP login. Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} Redfish.Logout Verify LDAP Login With Correct AuthenticationType [Documentation] Verify that LDAP Login with right AuthenticationType. [Tags] Verify_LDAP_Login_With_Correct_AuthenticationType Redfish.Patch ${REDFISH_BASE_URI}AccountService ... body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}} Sleep 15s # After update, LDAP login. Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} Redfish.Logout Verify LDAP Config Update With Incorrect AuthenticationType [Documentation] Verify that invalid AuthenticationType is not updated. [Tags] Verify_LDAP_Config_Update_With_Incorrect_AuthenticationType ${body}= Catenate {'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}} Redfish.Patch ${REDFISH_BASE_URI}AccountService ... body=${body} valid_status_codes=[400] Verify LDAP Login With Correct LDAP URL [Documentation] Verify LDAP Login with right LDAP URL. [Tags] Verify_LDAP_Login_With_Correct_LDAP_URL Config LDAP URL ${LDAP_SERVER_URI} Verify LDAP Config Update With Incorrect LDAP URL [Documentation] Verify that LDAP Login fails with invalid LDAP URL. [Tags] Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL [Teardown] Run Keywords Restore LDAP URL AND ... FFDC On Test Case Fail Config LDAP URL ldap://1.2.3.4/ ${FALSE} Verify LDAP Configuration Exist [Documentation] Verify that LDAP configuration is available. [Tags] Verify_LDAP_Configuration_Exist ${resp}= Redfish.Get Attribute ${REDFISH_BASE_URI}AccountService ... ${LDAP_TYPE} default=${EMPTY} Should Not Be Empty ${resp} msg=LDAP configuration is not defined. Verify LDAP User Login [Documentation] Verify that LDAP user able to login into BMC. [Tags] Verify_LDAP_User_Login Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} Redfish.Logout Verify LDAP Service Available [Documentation] Verify that LDAP service is available. [Tags] Verify_LDAP_Service_Available @{ldap_configuration}= Get LDAP Configuration ${LDAP_TYPE} Should Contain ${ldap_configuration} LDAPService ... msg=LDAPService is not available. Verify LDAP Login Works After BMC Reboot [Documentation] Verify that LDAP login works after BMC reboot. [Tags] Verify_LDAP_Login_Works_After_BMC_Reboot Redfish OBMC Reboot (off) Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} Redfish.Logout Verify LDAP User With Admin Privilege Able To Do BMC Reboot [Documentation] Verify that LDAP user with administrator privilege able to do BMC reboot. [Tags] Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} ... ${GROUP_PRIVILEGE} ${GROUP_NAME} Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} # With LDAP user and with right privilege trying to do BMC reboot. Redfish OBMC Reboot (off) Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} Redfish.Logout Verify LDAP User With Operator Privilege Able To Do Host Poweroff [Documentation] Verify that LDAP user with operator privilege can do host ... power off. [Tags] Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff [Teardown] Restore LDAP Privilege Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} ... Operator ${GROUP_NAME} Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} # Verify that the LDAP user with operator privilege is able to power the system off. Redfish.Post ${REDFISH_POWER_URI} ... body={'ResetType': 'ForceOff'} valid_status_codes=[200] Redfish.Logout Redfish.Login Verify AccountLockout Attributes Set To Zero By LDAP User [Documentation] Verify that attribute AccountLockoutDuration and ... AccountLockoutThreshold are set to 0 by LDAP user. [Teardown] Run Keywords Restore AccountLockout Attributes AND ... FFDC On Test Case Fail [Tags] Verify_AccountLockout_Attributes_Set_To_Zero_By_LDAP_User ${old_account_service}= Redfish.Get Properties ... ${REDFISH_BASE_URI}AccountService Rprint Vars old_account_service # Create LDAP user and create session using LDAP user. Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} ... Administrator ${GROUP_NAME} # Clear existing Redfish sessions. Redfish.Logout # Login using LDAP user. Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} # Set Account Lockout attributes using LDAP user. Redfish.Patch ${REDFISH_BASE_URI}AccountService ... body=[('AccountLockoutDuration', 0)] Redfish.Patch ${REDFISH_BASE_URI}AccountService ... body=[('AccountLockoutThreshold', 0)] Verify LDAP User With Read Privilege Able To Check Inventory [Documentation] Verify that LDAP user with read privilege able to ... read firmware inventory. [Tags] Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory [Teardown] Run Keywords FFDC On Test Case Fail AND Restore LDAP Privilege [Template] Set Read Privilege And Check Firmware Inventory ReadOnly Verify LDAP User With Read Privilege Should Not Do Host Poweron [Documentation] Verify that LDAP user with read privilege should not be ... allowed to power on the host. [Tags] Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron [Teardown] Run Keywords FFDC On Test Case Fail AND Restore LDAP Privilege [Template] Set Read Privilege And Check Poweron ReadOnly Update LDAP Group Name And Verify Operations [Documentation] Verify that LDAP group name update and able to do right ... operations. [Tags] Update_LDAP_Group_Name_And_Verify_Operations [Template] Update LDAP Config And Verify Set Host Name [Teardown] Restore LDAP Privilege # group_name group_privilege valid_status_codes ${GROUP_NAME} Administrator [${HTTP_OK}, ${HTTP_NO_CONTENT}] ${GROUP_NAME} Operator [${HTTP_OK}, ${HTTP_NO_CONTENT}] ${GROUP_NAME} ReadOnly [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] ${GROUP_NAME} NoAccess [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] Invalid_LDAP_Group_Name Administrator [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] Invalid_LDAP_Group_Name Operator [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] Invalid_LDAP_Group_Name ReadOnly [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] Invalid_LDAP_Group_Name NoAccess [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] Verify LDAP BaseDN Update And LDAP Login [Documentation] Update LDAP BaseDN of LDAP configuration and verify ... that LDAP login works. [Tags] Verify_LDAP_BaseDN_Update_And_LDAP_Login ${body}= Catenate {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings': ... {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}} Redfish.Patch ${REDFISH_BASE_URI}AccountService body=${body} Sleep 15s Redfish Verify LDAP Login Verify LDAP BindDN Update And LDAP Login [Documentation] Update LDAP BindDN of LDAP configuration and verify ... that LDAP login works. [Tags] Verify_LDAP_BindDN_Update_And_LDAP_Login ${body}= Catenate {'${LDAP_TYPE}': { 'Authentication': ... {'AuthenticationType':'UsernameAndPassword', 'Username': ... '${LDAP_BIND_DN}'}}} Redfish.Patch ${REDFISH_BASE_URI}AccountService body=${body} Sleep 15s Redfish Verify LDAP Login Verify LDAP BindDN Password Update And LDAP Login [Documentation] Update LDAP BindDN password of LDAP configuration and ... verify that LDAP login works. [Tags] Verify_LDAP_BindDN_Password_Update_And_LDAP_Login ${body}= Catenate {'${LDAP_TYPE}': { 'Authentication': ... {'AuthenticationType':'UsernameAndPassword', 'Password': ... '${LDAP_BIND_DN_PASSWORD}'}}} Redfish.Patch ${REDFISH_BASE_URI}AccountService body=${body} Sleep 15s Redfish Verify LDAP Login Verify LDAP Type Update And LDAP Login [Documentation] Update LDAP type of LDAP configuration and verify ... that LDAP login works. [Tags] Verify_LDAP_Type_Update_And_LDAP_Login Disable Other LDAP Redfish.Patch ${REDFISH_BASE_URI}AccountService ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}} Sleep 15s Redfish Verify LDAP Login Verify LDAP Authorization With Null Privilege [Documentation] Verify the failure of LDAP authorization with empty ... privilege. [Tags] Verify_LDAP_Authorization_With_Null_Privilege [Teardown] Restore LDAP Privilege Update LDAP Config And Verify Set Host Name ${GROUP_NAME} ${EMPTY} ... [${HTTP_FORBIDDEN}] Verify LDAP Authorization With Invalid Privilege [Documentation] Verify that LDAP user authorization with wrong privilege ... fails. [Tags] Verify_LDAP_Authorization_With_Invalid_Privilege [Teardown] Restore LDAP Privilege Update LDAP Config And Verify Set Host Name ${GROUP_NAME} ... Invalid_Privilege [${HTTP_FORBIDDEN}] Verify LDAP Login With Invalid Data [Documentation] Verify that LDAP login with Invalid LDAP data and ... right LDAP user fails. [Tags] Verify_LDAP_Login_With_Invalid_Data [Teardown] Run Keywords FFDC On Test Case Fail AND ... Redfish.Login AND ... Create LDAP Configuration Create LDAP Configuration ${LDAP_TYPE} Invalid_LDAP_Server_URI ... Invalid_LDAP_BIND_DN LDAP_BIND_DN_PASSWORD ... Invalid_LDAP_BASE_DN Sleep 15s Redfish Verify LDAP Login ${False} Verify LDAP Config Creation Without BASE DN [Documentation] Verify that LDAP login with LDAP configuration ... created without BASE_DN fails. [Tags] Verify_LDAP_Config_Creation_Without_BASE_DN [Teardown] Run Keywords FFDC On Test Case Fail AND ... Redfish.Login AND ... Create LDAP Configuration Create LDAP Configuration ${LDAP_TYPE} Invalid_LDAP_Server_URI ... Invalid_LDAP_BIND_DN LDAP_BIND_DN_PASSWORD ${EMPTY} Sleep 15s Redfish Verify LDAP Login ${False} Verify LDAP Authentication Without Password [Documentation] Verify that LDAP user authentication without LDAP ... user password fails. [Tags] Verify_LDAP_Authentication_Without_Password [Teardown] Run Keywords Redfish.Logout AND Redfish.Login ${status}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} Valid Value status [${False}] Verify LDAP Login With Invalid BASE DN [Documentation] Verify that LDAP login with invalid BASE_DN and ... valid LDAP user fails. [Tags] Verify_LDAP_Login_With_Invalid_BASE_DN [Teardown] Run Keywords FFDC On Test Case Fail AND ... Redfish.Login AND ... Create LDAP Configuration Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} ... ${LDAP_BIND_DN} ${LDAP_BIND_DN_PASSWORD} Invalid_LDAP_BASE_DN Sleep 15s Redfish Verify LDAP Login ${False} Verify LDAP Login With Invalid BIND_DN_PASSWORD [Documentation] Verify that LDAP login with invalid BIND_DN_PASSWORD and ... valid LDAP user fails. [Tags] Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD [Teardown] Run Keywords FFDC On Test Case Fail AND ... Redfish.Login AND ... Create LDAP Configuration Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} ... ${LDAP_BIND_DN} INVALID_LDAP_BIND_DN_PASSWORD ${LDAP_BASE_DN} Sleep 15s Redfish Verify LDAP Login ${False} Verify LDAP Login With Invalid BASE DN And Invalid BIND DN [Documentation] Verify that LDAP login with invalid BASE_DN and invalid ... BIND_DN and valid LDAP user fails. [Tags] Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN [Teardown] Run Keywords FFDC On Test Case Fail AND ... Redfish.Login AND ... Create LDAP Configuration Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} ... INVALID_LDAP_BIND_DN ${LDAP_BIND_DN_PASSWORD} INVALID_LDAP_BASE_DN Sleep 15s Redfish Verify LDAP Login ${False} Verify Group Name And Group Privilege Able To Modify [Documentation] Verify that LDAP group name and group privilege able to ... modify. [Tags] Verify_Group_Name_And_Group_Privilege_Able_To_Modify [Setup] Update LDAP Configuration with LDAP User Role And Group ... ${LDAP_TYPE} Operator ${GROUP_NAME} Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} ... Administrator ${GROUP_NAME} Verify LDAP Login With Invalid BIND DN [Documentation] Verify that LDAP login with invalid BIND_DN and ... valid LDAP user fails. [Tags] Verify_LDAP_Login_With_Invalid_BIND_DN [Teardown] Run Keywords FFDC On Test Case Fail AND ... Redfish.Login AND ... Create LDAP Configuration Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} ... Invalid_LDAP_BIND_DN ${LDAP_BIND_DN_PASSWORD} ${LDAP_BASE_DN} Sleep 15s Redfish Verify LDAP Login ${False} Verify LDAP Authentication With Invalid LDAP User [Documentation] Verify that LDAP user authentication for user not exist ... in LDAP server and fails. [Tags] Verify_LDAP_Authentication_With_Invalid_LDAP_User [Teardown] Run Keywords Redfish.Logout AND Redfish.Login ${status}= Run Keyword And Return Status Redfish.Login INVALID_LDAP_USER ... ${LDAP_USER_PASSWORD} Valid Value status [${False}] Update LDAP User Roles And Verify Host Poweroff Operation [Documentation] Update LDAP user roles and verify host poweroff operation. [Tags] Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation [Teardown] Restore LDAP Privilege [Template] Update LDAP User Role And Host Poweroff # ldap_type group_privilege group_name valid_status_codes # Verify LDAP user with NoAccess privilege not able to do host poweroff. ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} # Verify LDAP user with ReadOnly privilege not able to do host poweroff. ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} # Verify LDAP user with Operator privilege able to do host poweroff. ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_OK} # Verify LDAP user with Administrator privilege able to do host poweroff. ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} Update LDAP User Roles And Verify Host Poweron Operation [Documentation] Update LDAP user roles and verify host poweron operation. [Tags] Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation [Teardown] Restore LDAP Privilege [Template] Update LDAP User Role And Host Poweron # ldap_type group_privilege group_name valid_status_codes # Verify LDAP user with NoAccess privilege not able to do host poweron. ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} # Verify LDAP user with ReadOnly privilege not able to do host poweron. ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} # Verify LDAP user with Operator privilege able to do host poweron. ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_OK} # Verify LDAP user with Administrator privilege able to do host poweron. ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} Configure IP Address Via Different User Roles And Verify [Documentation] Configure IP address via different user roles and verify. [Tags] Configure_IP_Address_Via_Different_User_Roles_And_Verify [Teardown] Restore LDAP Privilege [Template] Update LDAP User Role And Configure IP Address # Verify LDAP user with Administrator privilege is able to configure IP address. ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} # Verify LDAP user with ReadOnly privilege is forbidden to configure IP address. ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} # Verify LDAP user with NoAccess privilege is forbidden to configure IP address. ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} # Verify LDAP user with Operator privilege is able to configure IP address. ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_FORBIDDEN} Delete IP Address Via Different User Roles And Verify [Documentation] Delete IP address via different user roles and verify. [Tags] Delete_IP_Address_Via_Different_User_Roles_And_Verify [Teardown] Run Keywords Restore LDAP Privilege AND FFDC On Test Case Fail [Template] Update LDAP User Role And Delete IP Address # Verify LDAP user with Administrator privilege is able to delete IP address. ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} # Verify LDAP user with ReadOnly privilege is forbidden to delete IP address. ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} # Verify LDAP user with NoAccess privilege is forbidden to delete IP address. ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} # Verify LDAP user with Operator privilege is able to delete IP address. ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_FORBIDDEN} Read Network Configuration Via Different User Roles And Verify [Documentation] Read network configuration via different user roles and verify. [Tags] Read_Network_Configuration_Via_Different_User_Roles_And_Verify [Teardown] Restore LDAP Privilege [Template] Update LDAP User Role And Read Network Configuration ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_OK} ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_OK} Switch LDAP Type And Verify Login Fails [Documentation] Switch LDAP type and verify login fails. [Tags] Switch_LDAP_Type_And_Verify_Login_Fails # Check Login with LDAP Type is working Create LDAP Configuration Redfish Verify LDAP Login # Disable the LDAP Type from OpenLDAP to ActiveDirectory or vice-versa Redfish.Patch ${REDFISH_BASE_URI}AccountService ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}} # Enable the inverse LDAP type Disable Other LDAP ${True} Create LDAP Configuration ${LDAP_TYPE_1} ${LDAP_SERVER_URI_1} ${LDAP_BIND_DN_1} ${LDAP_BIND_DN_PASSWORD_1} ${LDAP_BASE_DN_1} Redfish.Logout Sleep 10s # Check if Login works via Inverse LDAP Redfish.Login ${LDAP_USER_1} ${LDAP_USER_PASSWORD_1} Redfish.Logout Sleep 10s # Login using LDAP type must fail Redfish Verify LDAP Login ${False} Redfish.Logout *** Keywords *** Redfish Verify LDAP Login [Documentation] LDAP user log into BMC. [Arguments] ${valid_status}=${True} # Description of argument(s): # valid_status Expected status of LDAP login ("True" or "False"). # According to our repo coding rules, Redfish.Login is to be done in Suite # Setup and Redfish.Logout is to be done in Suite Teardown. For any # deviation from this rule (such as in this keyword), the deviant code # must take steps to restore us to our original logged-in state. ${status}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} ... ${LDAP_USER_PASSWORD} Valid Value status [${valid_status}] Redfish.Logout Redfish.Login Update LDAP Config And Verify Set Host Name [Documentation] Update LDAP config and verify by attempting to set host name. [Arguments] ${group_name} ${group_privilege}=Administrator ... ${valid_status_codes}=[${HTTP_OK}] [Teardown] Run Keyword If '${group_privilege}'=='NoAccess' Redfish.Login ... ELSE Run Keywords Redfish.Logout AND Redfish.Login # Description of argument(s): # group_name The group name of user. # group_privilege The group privilege ("Administrator", # "Operator", "User" or "Callback"). # valid_status_codes Expected return code(s) from patch # operation (e.g. "200") used to update # HostName. See prolog of rest_request # method in redfish_plus.py for details. Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} ... ${group_privilege} ${group_name} Run Keyword If '${group_privilege}'=='NoAccess' ... Run Keyword And Return Verify Redfish Login for LDAP Userrole NoAccess Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} # Verify that the LDAP user in ${group_name} with the given privilege is # allowed to change the hostname. Redfish.Patch ${REDFISH_NW_ETH0_URI} body={'HostName': '${hostname}'} ... valid_status_codes=${valid_status_codes} Verify Redfish Login for LDAP Userrole NoAccess [Documentation] Verify Redfish login should not be able to login for LDAP Userrole NoAccess. ${status}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} Valid Value status [${False}] Disable Other LDAP [Documentation] Disable other LDAP configuration. [Arguments] ${service_state}=${False} # First disable other LDAP. ${inverse_ldap_type}= Set Variable If '${LDAP_TYPE}' == 'LDAP' ActiveDirectory LDAP Redfish.Patch ${REDFISH_BASE_URI}AccountService ... body={'${inverse_ldap_type}': {'ServiceEnabled': ${service_state}}} Sleep 15s Config LDAP URL [Documentation] Config LDAP URL. [Arguments] ${ldap_server_uri}=${LDAP_SERVER_URI} ${expected_status}=${TRUE} # Description of argument(s): # ldap_server_uri LDAP server uri (e.g. "ldap://XX.XX.XX.XX/"). Redfish.Patch ${REDFISH_BASE_URI}AccountService ... body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}} Sleep 15s # After update, LDAP login. ${status}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} Valid Value status [${expected_status}] Redfish.Logout Redfish.Login Restore LDAP URL [Documentation] Restore LDAP URL. # Restoring the working LDAP server uri. Redfish.Patch ${REDFISH_BASE_URI}AccountService ... body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}} Sleep 15s Restore AccountLockout Attributes [Documentation] Restore AccountLockout Attributes. Return From Keyword If &{old_account_service} == &{EMPTY} Redfish.Patch ${REDFISH_BASE_URI}AccountService ... body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})] Redfish.Patch ${REDFISH_BASE_URI}AccountService ... body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutThreshold']})] Suite Setup Execution [Documentation] Do suite setup tasks. Valid Value LDAP_TYPE valid_values=["ActiveDirectory", "LDAP"] Valid Value LDAP_USER Valid Value LDAP_USER_PASSWORD Valid Value GROUP_PRIVILEGE Valid Value GROUP_NAME Valid Value LDAP_SERVER_URI Valid Value LDAP_BIND_DN_PASSWORD Valid Value LDAP_BIND_DN Valid Value LDAP_BASE_DN Redfish.Login # Call 'Get LDAP Configuration' to verify that LDAP configuration exists. Get LDAP Configuration ${LDAP_TYPE} Set Suite Variable ${old_ldap_privilege} Disable Other LDAP Create LDAP Configuration ${hostname}= Redfish.Get Attribute ${REDFISH_NW_PROTOCOL_URI} HostName LDAP Suite Teardown Execution [Documentation] Restore ldap configuration, delete unused redfish session. Restore LDAP Privilege Redfish.Logout Run Keyword And Ignore Error Delete All Redfish Sessions Set Read Privilege And Check Firmware Inventory [Documentation] Set read privilege and check firmware inventory. [Arguments] ${read_privilege} # Description of argument(s): # read_privilege The read privilege role (e.g. "User" / "Callback"). Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} ... ${read_privilege} ${GROUP_NAME} Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} # Verify that the LDAP user with read privilege is able to read inventory. ${resp}= Redfish.Get /redfish/v1/UpdateService/FirmwareInventory Should Be True ${resp.dict["Members@odata.count"]} >= ${1} Length Should Be ${resp.dict["Members"]} ${resp.dict["Members@odata.count"]} Redfish.Logout Redfish.Login Set Read Privilege And Check Poweron [Documentation] Set read privilege and power on should not be possible. [Arguments] ${read_privilege} # Description of argument(s): # read_privilege The read privilege role (e.g. "User" / "Callback"). Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} ... ${read_privilege} ${GROUP_NAME} Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} Redfish.Post ${REDFISH_POWER_URI} ... body={'ResetType': 'On'} valid_status_codes=[401, 403] Redfish.Logout Redfish.Login Get LDAP Configuration [Documentation] Retrieve LDAP Configuration. [Arguments] ${ldap_type} # Description of argument(s): # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). ${ldap_config}= Redfish.Get Properties ${REDFISH_BASE_URI}AccountService [Return] ${ldap_config["${ldap_type}"]} Update LDAP Configuration with LDAP User Role And Group [Documentation] Update LDAP configuration update with LDAP user Role and group. [Arguments] ${ldap_type} ${group_privilege} ${group_name} # Description of argument(s): # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). # group_privilege The group privilege ("Administrator", "Operator", "User" or "Callback"). # group_name The group name of user. ${local_role_remote_group}= Create Dictionary LocalRole=${group_privilege} RemoteGroup=${group_name} ${remote_role_mapping}= Create List ${local_role_remote_group} ${ldap_data}= Create Dictionary RemoteRoleMapping=${remote_role_mapping} ${payload}= Create Dictionary ${ldap_type}=${ldap_data} Redfish.Patch ${REDFISH_BASE_URI}AccountService body=&{payload} # Provide adequate time for LDAP daemon to restart after the update. Sleep 15s Get LDAP Privilege [Documentation] Get LDAP privilege and return it. ${ldap_config}= Get LDAP Configuration ${LDAP_TYPE} ${num_list_entries}= Get Length ${ldap_config["RemoteRoleMapping"]} Return From Keyword If ${num_list_entries} == ${0} @{EMPTY} [Return] ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]} Restore LDAP Privilege [Documentation] Restore the LDAP privilege to its original value. Redfish.Login Return From Keyword If '${old_ldap_privilege}' == '${EMPTY}' or '${old_ldap_privilege}' == '[]' # Log back in to restore the original privilege. Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} ... ${old_ldap_privilege} ${GROUP_NAME} Sleep 18s Verify Host Power Status [Documentation] Verify the Host power status and do host power on/off respectively. [Arguments] ${expected_power_status} # Description of argument(s): # expected_power_status State of Host e.g. Off or On. ${power_status}= Redfish.Get Attribute /redfish/v1/Chassis/${CHASSIS_ID} PowerState Return From Keyword If '${power_status}' == '${expected_power_status}' Run Keyword If '${power_status}' == 'Off' Redfish Power On ... ELSE Redfish Power Off Update LDAP User Role And Host Poweroff [Documentation] Update LDAP user role and do host poweroff. [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code} [Teardown] Run Keywords Redfish.Logout AND Redfish.Login # Description of argument(s): # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). # group_name The group name of user. # valid_status_code The expected valid status code. # check Host state and do the power on/off if needed. Verify Host Power Status On Update LDAP Configuration with LDAP User Role And Group ${ldap_type} ... ${group_privilege} ${group_name} Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} Redfish.Post ${REDFISH_POWER_URI} ... body={'ResetType': 'ForceOff'} valid_status_codes=[${valid_status_code}] Return From Keyword If ${valid_status_code} == ${HTTP_FORBIDDEN} Wait Until Keyword Succeeds 1 min 10 sec Verify Host Power State Off Update LDAP User Role And Host Poweron [Documentation] Update LDAP user role and do host poweron. [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code} [Teardown] Run Keywords Redfish.Logout AND Redfish.Login # Description of argument(s): # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). # group_name The group name of user. # valid_status_code The expected valid status code. # check Host state and do the power on/off if needed. Verify Host Power Status Off Update LDAP Configuration with LDAP User Role And Group ${ldap_type} ... ${group_privilege} ${group_name} Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} Redfish.Post ${REDFISH_POWER_URI} ... body={'ResetType': 'On'} valid_status_codes=[${valid_status_code}] Return From Keyword If ${valid_status_code} == ${HTTP_FORBIDDEN} Verify Host Is Up Update LDAP User Role And Configure IP Address [Documentation] Update LDAP user role and configure IP address. [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code}=${HTTP_OK} [Teardown] Run Keywords Redfish.Logout AND Redfish.Login AND Delete IP Address ${test_ip} # Description of argument(s): # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). # group_name The group name of user. # valid_status_code The expected valid status code. Update LDAP Configuration with LDAP User Role And Group ${ldap_type} ... ${group_privilege} ${group_name} Redfish.Logout Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} ${test_gateway}= Get BMC Default Gateway Run Keyword If '${group_privilege}' == 'NoAccess' ... Add IP Address With NoAccess User ${test_ip} ${test_mask} ${test_gateway} ${valid_status_code} ... ELSE ... Add IP Address ${test_ip} ${test_mask} ${test_gateway} ${valid_status_code} Update LDAP User Role And Delete IP Address [Documentation] Update LDAP user role and delete IP address. [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code}=${HTTP_OK} [Teardown] Run Keywords Redfish.Logout AND Redfish.Login AND Delete IP Address ${test_ip} # Description of argument(s): # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). # group_name The group name of user. # valid_status_code The expected valid status code. ${test_gateway}= Get BMC Default Gateway # Configure IP address before deleting via LDAP user roles. Add IP Address ${test_ip} ${test_mask} ${test_gateway} Update LDAP Configuration with LDAP User Role And Group ${ldap_type} ... ${group_privilege} ${group_name} Redfish.Logout Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} Run Keyword If '${group_privilege}' == 'NoAccess' ... Delete IP Address With NoAccess User ${test_ip} ${valid_status_code} ... ELSE ... Delete IP Address ${test_ip} ${valid_status_code} Update LDAP User Role And Read Network Configuration [Documentation] Update LDAP user role and read network configuration. [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code}=${HTTP_OK} [Teardown] Run Keywords Redfish.Logout AND Redfish.Login # Description of argument(s): # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). # group_name The group name of user. # valid_status_code The expected valid status code. Update LDAP Configuration with LDAP User Role And Group ${ldap_type} ... ${group_privilege} ${group_name} Redfish.Logout Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} Redfish.Get ${REDFISH_NW_ETH0_URI} valid_status_codes=[${valid_status_code}] Add IP Address With NoAccess User [Documentation] Add IP Address To BMC. [Arguments] ${ip} ${subnet_mask} ${gateway} ... ${valid_status_codes}=${HTTP_OK} # Description of argument(s): # ip IP address to be added (e.g. "10.7.7.7"). # subnet_mask Subnet mask for the IP to be added # (e.g. "255.255.0.0"). # gateway Gateway for the IP to be added (e.g. "10.7.7.1"). # valid_status_codes Expected return code from patch operation # (e.g. "200"). See prolog of rest_request # method in redfish_plus.py for details. # Logout from LDAP user. Redfish.Logout # Login with local user. Redfish.Login ${empty_dict}= Create Dictionary ${ip_data}= Create Dictionary Address=${ip} ... SubnetMask=${subnet_mask} Gateway=${gateway} ${patch_list}= Create List ${network_configurations}= Get Network Configuration ${num_entries}= Get Length ${network_configurations} FOR ${INDEX} IN RANGE 0 ${num_entries} Append To List ${patch_list} ${empty_dict} END ${valid_status_codes}= Run Keyword If '${valid_status_codes}' == '${HTTP_OK}' ... Set Variable ${HTTP_OK},${HTTP_NO_CONTENT} ... ELSE Set Variable ${valid_status_codes} # We need not check for existence of IP on BMC while adding. Append To List ${patch_list} ${ip_data} ${data}= Create Dictionary IPv4StaticAddresses=${patch_list} ${active_channel_config}= Get Active Channel Config ${ethernet_interface}= Set Variable ${active_channel_config['${CHANNEL_NUMBER}']['name']} # Logout from local user. Redfish.Logout # Login from LDAP user and check if we can configure IP address. Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} Redfish.patch ${REDFISH_NW_ETH_IFACE}${ethernet_interface} body=&{data} ... valid_status_codes=[${valid_status_codes}] Delete IP Address With NoAccess User [Documentation] Delete IP Address Of BMC. [Arguments] ${ip} ${valid_status_codes}=${HTTP_OK} # Description of argument(s): # ip IP address to be deleted (e.g. "10.7.7.7"). # valid_status_codes Expected return code from patch operation # (e.g. "200"). See prolog of rest_request # method in redfish_plus.py for details. # Logout from LDAP user. Redfish.Logout # Login with local user. Redfish.Login ${empty_dict}= Create Dictionary ${patch_list}= Create List @{network_configurations}= Get Network Configuration FOR ${network_configuration} IN @{network_configurations} Run Keyword If '${network_configuration['Address']}' == '${ip}' ... Append To List ${patch_list} ${null} ... ELSE Append To List ${patch_list} ${empty_dict} END ${ip_found}= Run Keyword And Return Status List Should Contain Value ... ${patch_list} ${null} msg=${ip} does not exist on BMC Pass Execution If ${ip_found} == ${False} ${ip} does not exist on BMC # Run patch command only if given IP is found on BMC ${data}= Create Dictionary IPv4StaticAddresses=${patch_list} ${active_channel_config}= Get Active Channel Config ${ethernet_interface}= Set Variable ${active_channel_config['${CHANNEL_NUMBER}']['name']} # Logout from local user. Redfish.Logout # Login from LDAP user and check if we can delete IP address. Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} Redfish.patch ${REDFISH_NW_ETH_IFACE}${ethernet_interface} body=&{data} ... valid_status_codes=[${valid_status_codes}] # Note: Network restart takes around 15-18s after patch request processing Sleep ${NETWORK_TIMEOUT}s Wait For Host To Ping ${OPENBMC_HOST} ${NETWORK_TIMEOUT}