xref: /openbmc/openbmc-test-automation/redfish/service_root/test_service_root_security.robot (revision 76adf447fec4f9c42cc8ef6980a1ee00463853d3)

*** Settings ***
Documentation    Test Redfish service root login security.

Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot

Test Teardown    FFDC On Test Case Fail
Test Setup       Printn

*** Variables ***

${LOGIN_SESSION_COUNT}   ${50}

&{header_requirements}  Strict-Transport-Security=max-age=31536000; includeSubdomains
...                     X-Frame-Options=DENY
...                     Pragma=no-cache
...                     Cache-Control=no-store, max-age=0
...                     Referrer-Policy=no-referrer
...                     X-Content-Type-Options=nosniff
...                     X-Permitted-Cross-Domain-Policies=none
...                     Cross-Origin-Embedder-Policy=require-corp
...                     Cross-Origin-Opener-Policy=same-origin
...                     Cross-Origin-Resource-Policy=same-origin
...                     Content-Security-Policy=default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'

${ERROR_RESPONSE_MSG}  *Connection refused*

*** Test Cases ***

Redfish Login With Invalid Credentials
    [Documentation]  Login to BMC web using invalid credentials.
    [Tags]  Redfish_Login_With_Invalid_Credentials
    [Template]  Login And Verify Redfish Response

    # Username                Password               Expected error
    ${OPENBMC_USERNAME}       deadpassword           InvalidCredentialsError
    groot                     ${OPENBMC_PASSWORD}    InvalidCredentialsError
    ${EMPTY}                  ${OPENBMC_PASSWORD}    SessionCreationError
    ${OPENBMC_USERNAME}       ${EMPTY}               SessionCreationError
    ${EMPTY}                  ${EMPTY}               SessionCreationError


Redfish Login Using Unsecured HTTP
    [Documentation]  Login to BMC web through unsecured HTTP; the BMC must refuse the connection.
    [Tags]  Redfish_Login_Using_Unsecured_HTTP

    Create Session  openbmc  http://${OPENBMC_HOST}
    ${data}=  Create Dictionary
    ...  UserName=${OPENBMC_USERNAME}  Password=${OPENBMC_PASSWORD}

    ${headers}=  Create Dictionary  Content-Type=application/json

    Run Keyword And Expect Error  ${ERROR_RESPONSE_MSG}
    ...  POST On Session  openbmc  /redfish/v1/SessionService/Sessions
    ...  data=${data}  headers=${headers}


Redfish Login Using HTTPS Wrong Port 80 Protocol
    [Documentation]  Login to BMC web using HTTPS on the wrong port (80); the BMC must refuse the connection.
    [Tags]  Redfish_Login_Using_HTTPS_Wrong_Port_80_Protocol

    Create Session  openbmc  https://${OPENBMC_HOST}:80
    ${data}=  Create Dictionary
    ...  UserName=${OPENBMC_USERNAME}  Password=${OPENBMC_PASSWORD}

    ${headers}=  Create Dictionary  Content-Type=application/json

    Run Keyword And Expect Error  ${ERROR_RESPONSE_MSG}
    ...  POST On Session  openbmc  /redfish/v1/SessionService/Sessions
    ...  data=${data}  headers=${headers}


Create Multiple Login Sessions And Verify
    [Documentation]  Create 50 login sessions and verify that the first one still works.
    [Tags]  Create_Multiple_Login_Sessions_And_Verify
    [Teardown]  Run Keyword And Ignore Error  Multiple Session Cleanup

    Redfish.Login
    # Example:
    #    {
    #      'key': 'L0XEsZAXpNdF147jJaOD',
    #      'location': '/redfish/v1/SessionService/Sessions/qWn2JOJSOs'
    #    }
    ${saved_session_info}=  Get Redfish Session Info

    # Session bookkeeping so the teardown can delete them once done.
    ${session_list}=  Create List
    Set Test Variable  ${session_list}

    Repeat Keyword  ${LOGIN_SESSION_COUNT} times  Create New Login Session

    # Restore the first login's key and location into the redfish session
    # object and verify that it is still valid.
    Redfish.Set Session Key  ${saved_session_info["key"]}
    Redfish.Set Session Location  ${saved_session_info["location"]}
    Redfish.Get  ${saved_session_info["location"]}


Attempt Login With Expired Session
    [Documentation]  Authenticate to redfish, then log out and attempt to
    ...   use the session.
    [Tags]  Attempt_Login_With_Expired_Session

    Redfish.Login
    ${saved_session_info}=  Get Redfish Session Info
    Redfish.Logout

    # Attempt to reuse the logged-out session; the BMC must reject it.
    # By default 60 minutes of inactivity also closes a session.
    Redfish.Set Session Key  ${saved_session_info["key"]}
    Redfish.Set Session Location  ${saved_session_info["location"]}

    Redfish.Get  ${saved_session_info["location"]}  valid_status_codes=[${HTTP_UNAUTHORIZED}]


Login And Verify HTTP Response Header
    [Documentation]  Login and verify redfish HTTP response header.
    [Tags]  Login_And_Verify_HTTP_Response_Header

    # Example of HTTP redfish response header.
    # Strict-Transport-Security: max-age=31536000; includeSubdomains
    # X-Frame-Options: DENY
    # Pragma: no-cache
    # Cache-Control: no-store, max-age=0
    # X-Content-Type-Options: nosniff
    # Referrer-Policy: no-referrer
    # X-Permitted-Cross-Domain-Policies: none
    # Cross-Origin-Embedder-Policy: require-corp
    # Cross-Origin-Opener-Policy: same-origin
    # Cross-Origin-Resource-Policy: same-origin
    # Content-Security-Policy: default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'

    Rprint Vars  header_requirements  fmt=1

    Redfish.Login
    ${resp}=  Redfish.Get  /redfish/v1/SessionService/Sessions

    # The getheaders() method returns the headers as a list of tuples:
    # headers:
    # [Strict-Transport-Security]:             max-age=31536000; includeSubdomains
    # [X-Frame-Options]:                       DENY
    # [Pragma]:                                no-cache
    # [Cache-Control]:                         no-store, max-age=0
    # [X-Content-Type-Options]:                nosniff
    # [Referrer-Policy]:                       no-referrer
    # [X-Permitted-Cross-Domain-Policies]:     none
    # [Cross-Origin-Embedder-Policy]:          require-corp
    # [Cross-Origin-Opener-Policy]:            same-origin
    # [Cross-Origin-Resource-Policy]:          same-origin
    # [Content-Security-Policy]:               default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'
    # [Content-Type]:                          application/json
    # [Content-Length]:                        394

    ${headers}=  Key Value List To Dict  ${resp.getheaders()}
    Rprint Vars  headers  fmt=1

    Dictionary Should Contain Sub Dictionary   ${headers}  ${header_requirements}


*** Keywords ***

Login And Verify Redfish Response
    [Documentation]  Login and verify redfish response.
    [Arguments]   ${username}  ${password}  ${expected_response}

    # Description of arguments:
    # username             The username to be used to connect to the server.
    # password             The password to be used to connect to the server.
    # expected_response    Expected error raised by the login attempt.

    # The redfish object may preserve a valid username or password from the
    # last failed login attempt.  If we then try to login with a null username
    # or password value, the redfish object may prefer the preserved value.
    # Since we're testing the bad path, we wish to avoid this scenario, so we
    # clear these values first.

    Redfish.Set Username  ${EMPTY}
    Redfish.Set Password  ${EMPTY}

    ${msg}=  Run Keyword And Expect Error  *  Redfish.Login  ${username}  ${password}

    # With redfish package versions <=3.1.6 the default error is InvalidCredentialsError.
    Should Contain Any   ${msg}  InvalidCredentialsError  ${expected_response}


Create New Login Session
    [Documentation]  Create a new login session and record its location for cleanup.

    Redfish.Login
    ${session_info}=  Get Redfish Session Info

    # Append the session location to the list, e.g.:
    # ['/redfish/v1/SessionService/Sessions/uDzihgDecs',
    #  '/redfish/v1/SessionService/Sessions/PaHF5brPPd']
    Append To List  ${session_list}  ${session_info["location"]}


Multiple Session Cleanup
    [Documentation]  Do the teardown for multiple sessions.

    FFDC On Test Case Fail

    FOR  ${item}  IN  @{session_list}
      Redfish.Delete  ${item}
    END
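The `Login And Verify HTTP Response Header` test above compares the response headers with `&{header_requirements}` as an exact sub-dictionary. The Python below is an added example, not code from openbmc-test-automation: it runs the same check over a constructed `getheaders()`-style list, matches header names case-insensitively, and compares Content-Security-Policy directive by directive, so an equivalent but reordered policy passes while a weakened response (X-Frame-Options missing, `frame-ancestors 'self'`) is reported with what was expected and what was seen.

```python
# Required headers, copied from the suite's &{header_requirements} above.
HEADER_REQUIREMENTS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains",
    "X-Frame-Options": "DENY", "Pragma": "no-cache",
    "Cache-Control": "no-store, max-age=0", "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff", "X-Permitted-Cross-Domain-Policies": "none",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Resource-Policy": "same-origin",
    "Content-Security-Policy": "default-src 'none'; img-src 'self' data:; font-src 'self'; "
    "style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; "
    "frame-ancestors 'none'; object-src 'none'; base-uri 'none'",
}

def parse_csp(value):
    """Parse a CSP header into {directive: frozenset(sources)}: order-insensitive."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = frozenset(parts[1:])
    return policy

def missing_security_headers(header_list, requirements=HEADER_REQUIREMENTS):
    """Check a getheaders()-style list of (name, value) tuples; return
    {required name: (expected, actual)} for every requirement not met."""
    actual = {name.lower(): value.strip() for name, value in header_list}
    failures = {}
    for name, expected in requirements.items():
        got = actual.get(name.lower())
        if got is None:
            failures[name] = (expected, None)  # header absent entirely
        elif name.lower() == "content-security-policy":
            if parse_csp(got) != parse_csp(expected):
                failures[name] = (expected, got)
        elif got != expected:
            failures[name] = (expected, got)
    return failures

# Constructed sample response (not captured from a real BMC): header names in
# lower case, the CSP directives reordered, plus the two non-security headers.
GOOD_RESPONSE = [(n.lower(), v) for n, v in HEADER_REQUIREMENTS.items()
                 if n != "Content-Security-Policy"]
GOOD_RESPONSE += [("Content-Security-Policy", "frame-ancestors 'none'; default-src 'none'; "
    "img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; "
    "connect-src 'self' wss:; form-action 'none'; object-src 'none'; base-uri 'none'"),
    ("Content-Type", "application/json"), ("Content-Length", "394")]
# Weakened copy: X-Frame-Options dropped and the CSP lets same-origin pages frame the UI.
WEAK_RESPONSE = [(n, v.replace("frame-ancestors 'none'", "frame-ancestors 'self'"))
                 for n, v in GOOD_RESPONSE if n != "x-frame-options"]
```

`missing_security_headers(GOOD_RESPONSE)` returns an empty dict, while the weakened response reports both `X-Frame-Options` and `Content-Security-Policy`.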