*** Settings ***
# Redfish session-login security checks against the BMC service root:
# rejected bad credentials, no cleartext/wrong-port login path, a logged-out
# session token being refused, many concurrent sessions, and the set of
# security response headers every Redfish reply must carry.
Documentation    Test Redfish service root login security.
...              Covers invalid credentials, plaintext HTTP and wrong-port
...              login attempts, reuse of a logged-out session token, many
...              concurrent sessions, and the security response headers.

# The Redfish.* keywords and the RequestsLibrary "Create Session" /
# "POST On Session" keywords used below are presumably supplied via these
# resources -- confirm in lib/ when changing them.
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot

# Collect first-failure data (FFDC) whenever a test case fails.  Printn runs
# before every test (presumably just prints a newline to separate console
# output -- confirm in lib/).
Test Teardown    FFDC On Test Case Fail
Test Setup       Printn
9
*** Variables ***

# Number of additional Redfish sessions opened by
# "Create Multiple Login Sessions And Verify" (an int, so that
# "Repeat Keyword  ${LOGIN_SESSION_COUNT} times" works).
${LOGIN_SESSION_COUNT}   ${50}

# Security response headers every Redfish reply is expected to carry.
# "Login And Verify HTTP Response Header" asserts that this dict is a
# sub-dictionary of the actual response headers, so both the header names
# and the complete values must match verbatim -- directive order, spacing
# and spelling included.  A BMC that sends an equivalent but differently
# formatted value (or a different casing of the header name) fails the check;
# that strictness is deliberate, since these values are the hardening
# baseline being pinned.
&{header_requirements}  Strict-Transport-Security=max-age=31536000; includeSubdomains
...                     X-Frame-Options=DENY
...                     Pragma=no-cache
...                     Cache-Control=no-store, max-age=0
...                     Referrer-Policy=no-referrer
...                     X-Content-Type-Options=nosniff
...                     X-Permitted-Cross-Domain-Policies=none
...                     Cross-Origin-Embedder-Policy=require-corp
...                     Cross-Origin-Opener-Policy=same-origin
...                     Cross-Origin-Resource-Policy=same-origin
...                     Content-Security-Policy=default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'

25
26*** Test Cases ***
27
Redfish Login With Invalid Credentials
    [Documentation]  Attempt Redfish session creation with wrong or missing
    ...  credentials and confirm that every attempt is rejected.
    [Tags]  Redfish_Login_With_Invalid_Credentials
    [Template]  Login And Verify Redfish Response

    # Each row is an independent login attempt; the template keyword clears
    # any credentials cached by the Redfish object before each try, so row
    # order does not matter.
    #
    # A blank user name or password is expected to surface as
    # SessionCreationError, a wrong user name or wrong password as
    # InvalidCredentialsError.  Note that the verifying keyword also accepts
    # InvalidCredentialsError for every row (older redfish package versions
    # report only that), so the distinction is advisory.
    #
    # Username                Password               Expected error
    ${EMPTY}                  ${EMPTY}               SessionCreationError
    ${EMPTY}                  ${OPENBMC_PASSWORD}    SessionCreationError
    ${OPENBMC_USERNAME}       ${EMPTY}               SessionCreationError
    groot                     ${OPENBMC_PASSWORD}    InvalidCredentialsError
    ${OPENBMC_USERNAME}       deadpassword           InvalidCredentialsError
39
40
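Redfish Login Using Unsecured HTTP
    [Documentation]  Attempt a Redfish session login over plain HTTP and
    ...  verify the BMC refuses the connection (no cleartext listener).
    [Tags]  Redfish_Login_Using_Unsecured_HTTP

    Create Session  openbmc  http://${OPENBMC_HOST}

    # Deliberately use throw-away credentials rather than the real BMC
    # account: if a cleartext listener were ever present on port 80, this
    # request would put the credentials on the wire unencrypted.  The
    # expected outcome ("Connection refused", i.e. nothing listening on
    # port 80) does not depend on the request body, so the pass path is
    # unchanged.
    ${data}=  Create Dictionary
    ...  UserName=unsecured_http_probe  Password=unsecured_http_probe
    ${headers}=  Create Dictionary  Content-Type=application/json

    # Any other outcome -- a response, a redirect to HTTPS, a different
    # error -- fails the test, since it would mean port 80 is reachable.
    Run Keyword And Expect Error  *Connection refused*
    ...  POST On Session  openbmc  /redfish/v1/SessionService/Sessions
    ...  data=${data}  headers=${headers}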
54
55
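Redfish Login Using HTTPS Wrong Port 80 Protocol
    [Documentation]  Attempt a Redfish session login with HTTPS on port 80
    ...  and verify the connection is refused.
    [Tags]  Redfish_Login_Using_HTTPS_Wrong_Port_80_Protocol

    Create Session  openbmc  https://${OPENBMC_HOST}:80

    # Throw-away credentials: the assertion is that nothing accepts a TCP
    # connection on port 80 at all, which does not depend on the request
    # body, and a probe of a port that must be closed has no reason to
    # carry the real BMC account.  (Had something been listening there, a
    # TLS handshake failure or a response -- not "Connection refused" --
    # would surface and the test would fail either way.)
    ${data}=  Create Dictionary
    ...  UserName=wrong_port_probe  Password=wrong_port_probe
    ${headers}=  Create Dictionary  Content-Type=application/json

    Run Keyword And Expect Error  *Connection refused*
    ...  POST On Session  openbmc  /redfish/v1/SessionService/Sessions
    ...  data=${data}  headers=${headers}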
69
70
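Create Multiple Login Sessions And Verify
    [Documentation]  Open ${LOGIN_SESSION_COUNT} additional Redfish sessions
    ...  and verify the first session is still usable afterwards.  Every
    ...  session created here, including the first, is deleted in teardown.
    [Tags]  Create_Multiple_Login_Sessions_And_Verify
    [Teardown]  Run Keyword And Ignore Error  Multiple Session Cleanup

    Redfish.Login
    # Example:
    #    {
    #      'key': 'L0XEsZAXpNdF147jJaOD',
    #      'location': '/redfish/v1/SessionService/Sessions/qWn2JOJSOs'
    #    }
    ${saved_session_info}=  Get Redfish Session Info

    # Session bookkeeping for the teardown.  A test-scoped variable so the
    # helper keyword can append to it.
    ${session_list}=  Create List
    Set Test Variable  ${session_list}

    Repeat Keyword  ${LOGIN_SESSION_COUNT} times  Create New Login Session

    # Switch the Redfish object back to the first session's key and location
    # and verify that session still works after the others were created.
    Redfish.Set Session Key  ${saved_session_info["key"]}
    Redfish.Set Session Location  ${saved_session_info["location"]}
    Redfish.Get  ${saved_session_info["location"]}

    # Schedule the initial session for deletion too, so the test does not
    # leave an authenticated session open on the BMC.  Appended last so the
    # teardown removes it after the others, while its key is still the
    # current one used for the DELETE requests.
    Append To List  ${session_list}  ${saved_session_info["location"]}

    # NOTE(review): this shows the BMC tolerates ${LOGIN_SESSION_COUNT}
    # concurrent sessions; it does not check that any upper bound on open
    # sessions exists, so session-table exhaustion is not covered here.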
95
96
Attempt Login With Expired Session
    [Documentation]  Log in, log out, then try to reuse the old session key
    ...  and location; the BMC must answer 401 Unauthorized.
    [Tags]  Attempt_Login_With_Expired_Session

    Redfish.Login
    ${old_session}=  Get Redfish Session Info
    ${old_key}=  Set Variable  ${old_session["key"]}
    ${old_location}=  Set Variable  ${old_session["location"]}

    # Logout is what invalidates the session here.  Despite the test name,
    # the idle-timeout expiry path is not exercised: nothing waits for it.
    Redfish.Logout

    # Re-arm the Redfish object with the stale key/location and confirm the
    # token is rejected rather than silently honoured.
    Redfish.Set Session Key  ${old_key}
    Redfish.Set Session Location  ${old_location}
    Redfish.Get  ${old_location}  valid_status_codes=[${HTTP_UNAUTHORIZED}]
112
113
Login And Verify HTTP Response Header
    [Documentation]  Log in and verify that an authenticated Redfish response
    ...  carries every security header listed in header_requirements.
    [Tags]  Login_And_Verify_HTTP_Response_Header

    Rprint Vars  header_requirements  fmt=1

    Redfish.Login
    ${sessions_uri}=  Set Variable  /redfish/v1/SessionService/Sessions
    ${resp}=  Redfish.Get  ${sessions_uri}

    # resp.getheaders() yields (name, value) tuples, e.g.
    #   ('Strict-Transport-Security', 'max-age=31536000; includeSubdomains')
    #   ('X-Frame-Options', 'DENY')
    #   ('Content-Type', 'application/json')
    # Fold them into a dict for the sub-dictionary comparison below.
    ${headers}=  Key Value List To Dict  ${resp.getheaders()}
    Rprint Vars  headers  fmt=1

    # Exact match on both names and values: a header that is present but
    # spelled, cased or ordered differently from the requirement fails.
    # Only this one authenticated GET is inspected; headers on
    # unauthenticated or error responses (e.g. the 401 for a bad login) are
    # not covered by this test.
    Dictionary Should Contain Sub Dictionary   ${headers}  ${header_requirements}
158
159
160*** Keywords ***
161
Login And Verify Redfish Response
    [Documentation]  Try a Redfish login with the given credentials and check
    ...  that it fails with the expected error type.
    [Arguments]   ${username}  ${password}  ${expected_response}

    # Description of arguments:
    # username             User name to log in with (may be empty).
    # password             Password to log in with (may be empty).
    # expected_response    Name of the error expected in the login failure
    #                      message, e.g. InvalidCredentialsError.

    # Clear any user name/password the Redfish object may have retained from
    # an earlier attempt, so that an empty argument really is sent as empty
    # instead of being replaced by a cached good value.
    Redfish.Set Username  ${EMPTY}
    Redfish.Set Password  ${EMPTY}

    # The login must fail; capture whatever error message it produced.
    ${error_msg}=  Run Keyword And Expect Error  *  Redfish.Login  ${username}  ${password}

    # redfish package versions <= 3.1.6 report InvalidCredentialsError by
    # default, so that name is accepted alongside the expected one.  Any
    # other failure (e.g. a connection error) still fails here, because
    # neither string appears in its message.
    Should Contain Any   ${error_msg}  InvalidCredentialsError  ${expected_response}
184
185
Create New Login Session
    [Documentation]  Open one more Redfish session and record its location in
    ...  the test-scoped session_list for later cleanup.

    # Each Login presumably makes the new session the Redfish object's
    # current one; the caller restores the first session afterwards.
    Redfish.Login
    ${new_session}=  Get Redfish Session Info
    ${location}=  Set Variable  ${new_session["location"]}

    # e.g. /redfish/v1/SessionService/Sessions/uDzihgDecs
    Append To List  ${session_list}  ${location}
196
197
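Multiple Session Cleanup
    [Documentation]  Teardown for the multiple-session test: collect FFDC on
    ...  failure, then delete every session recorded in session_list.

    FFDC On Test Case Fail

    # Delete each recorded session.  A single failed DELETE (e.g. a session
    # that is already gone) must not abort the loop and leave the remaining
    # sessions open on the BMC, so each failure is recorded and the loop
    # continues; the keyword still fails at the end if any delete failed.
    FOR  ${item}  IN  @{session_list}
      Run Keyword And Continue On Failure  Redfish.Delete  ${item}
    END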
205    END
206