Redfish Request Via mTLS
=========================

When the BMC enables only mTLS for authentication, Redfish requests in Robot
tests should still be tested normally.

## Required environment variables in Robot

  -  **MTLS_ENABLED** indicates whether mTLS is enabled in the BMC.
       False by default:

        ```
            ${MTLS_ENABLED}        False
        ```

  -  **VALID_CERT** names the valid mTLS certificate used for authentication.
       It is the certificate used when a Redfish request doesn't specify one.
       Empty (no certificate) by default:

        ```
            ${VALID_CERT}        ${EMPTY}
        ```

  -  **CERT_DIR_PATH** is the path of the directory that holds the mTLS
       certificates. Empty by default:

        ```
            ${CERT_DIR_PATH}        ${EMPTY}
        ```

## How to send a redfish request with certificate

- When a Redfish request is executed, it is sent through the Python
   library **requests** with a certificate. This is supported for all Redfish
   REST requests (get, head, post, put, patch, delete):

   ```
        import requests

        # host, args and kwargs come from the enclosing request function.
        # A per-request 'certificate' argument overrides the default VALID_CERT.
        cert_dict = kwargs.pop('certificate', {"certificate_name": VALID_CERT})
        response = requests.get(
            url='https://' + host + args[0],
            # Client certificate presented to the BMC for mTLS.
            cert=CERT_DIR_PATH + '/' + cert_dict['certificate_name'],
            # verify=False skips validation of the BMC's server certificate.
            verify=False,
            headers={"Cache-Control": "no-cache"})
   ```

- Existing Robot code that issues Redfish requests doesn't need to be
   modified. It will send the request with the default certificate
   ${VALID_CERT}.

- To send a Redfish request with a different certificate, pass it in the Robot
  code as in the example below:

    ```
    ${certificate_dict}=  Create Dictionary  certificate_name=${CERT}
    Redfish.Get  ${VALID_URL}  certificate=&{certificate_dict}
    ...  valid_status_codes=[${HTTP_OK}]
    ```
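
The certificate selection described above, as an added example that is not part of the OpenBMC test library: a stand-alone function that applies the default and per-request certificate and rejects names resolving outside `CERT_DIR_PATH`. The names `build_mtls_kwargs` and `demo`, the `ca_bundle` parameter and the placeholder file names are assumptions.

```python
import os
import tempfile

def build_mtls_kwargs(cert_dir, default_cert, request_kwargs, ca_bundle=None):
    """Build keyword arguments for requests.<verb>() for one mTLS request.

    A per-request 'certificate' dict overrides default_cert, as on this page.
    ca_bundle is an assumed extra: when given, the BMC's server certificate is
    verified against it; otherwise verify=False is kept, as in the page's code.
    """
    kwargs = dict(request_kwargs)
    cert_dict = kwargs.pop("certificate", {"certificate_name": default_cert})
    name = cert_dict.get("certificate_name")
    if not cert_dir or not name:
        raise ValueError("no client certificate configured for mTLS")
    base = os.path.realpath(cert_dir)
    path = os.path.realpath(os.path.join(base, name))
    # Reject names such as '../other.pem' that resolve outside cert_dir.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("certificate name escapes the certificate directory")
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    headers = {"Cache-Control": "no-cache", **kwargs.pop("headers", {})}
    return dict(kwargs, cert=path, verify=ca_bundle or False, headers=headers)


def demo():
    """Exercise the selection logic on a constructed certificate directory."""
    with tempfile.TemporaryDirectory() as cert_dir:
        for name in ("valid.pem", "readonly_user.pem"):  # constructed files
            with open(os.path.join(cert_dir, name), "w") as handle:
                handle.write("placeholder, not a real certificate\n")
        default = build_mtls_kwargs(cert_dir, "valid.pem", {})
        override = build_mtls_kwargs(
            cert_dir, "valid.pem",
            {"certificate": {"certificate_name": "readonly_user.pem"}})
        try:
            build_mtls_kwargs(
                cert_dir, "valid.pem",
                {"certificate": {"certificate_name": "../outside.pem"}})
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
        return (os.path.basename(default["cert"]),
                os.path.basename(override["cert"]), traversal_rejected)


if __name__ == "__main__":
    print(demo())
```

The returned dictionary can be passed directly, for example `requests.get(url, **build_mtls_kwargs(...))`.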

## Test Cases for mTLS authentication

mTLS authentication is only a means of connecting to the BMC, not for testing
purposes. Therefore, some test cases need a new version written to match mTLS
authentication (this requires test certificates with different privileges or
usernames). Other cases don't need to be tested because their purpose is
inapplicable to mTLS. Case studies are as follows:

- **Create_IPMI_User_And_Verify_Login_Via_Redfish**

    In this case, IPMI is used to create a random user with a password and
    privilege, and the login is then verified via Redfish. To do so, the test
    logs out the default user and then logs in with the user just created by
    IPMI, so it does not need to use mTLS to authenticate login and logout.
    It can be replaced as follows: prepare a certificate with the user name
    "admin_user" in advance. Use IPMI to create a user named admin_user. Then
    use a Redfish request with the admin_user certificate to present to the
    server for verification.

- **Attempt_Login_With_Expired_Session**

    Most cases related to sessions don't require mTLS because Redfish requests
    don't need to create a session first. Therefore, there is no need to test
    these cases when mTLS is enabled.