xref: /openbmc/openbmc-test-automation/docs/redfish_request_via_mTLS.md (revision 42c84ea5d0dd320e1a1d57bcba34fcb788c7788c)
1# Redfish Request Via mTLS
2
3When the BMC only enables mTLS type for authentication. Redfish request in robot
4test should be tested normally.
5
6## Required environment variables in Robot
7
8- **MTLS_ENABLED** indicates whether mTLS is enabled in BMC. False by default:
9
10  ```
11      ${MTLS_ENABLED}        False
12  ```
13
14- **VALID_CERT** indicates valid mTLS certificate for authentication. When a
15  redfish request doesn't specify a certificate, no certificate by default.
16
17  ```
18      ${VALID_CERT}        ${EMPTY}
19  ```
20
21- **CERT_DIR_PATH** indicates path of mTLS certificates directory:
22
23  ```
24      ${CERT_DIR_PATH}        ${EMPTY}
25  ```
26
27## How to send a redfish request with certificate
28
29- When a redfish request is executed, it will be executed through the python
30  library **requests** with certificate. It supports for all Redfish REST
31  requests (get, head, post, put, patch, delete):
32
33  ```
34       import requests
35
36       cert_dict = kwargs.pop('certificate', {"certificate_name":VALID_CERT})
37       response = requests.get(
38                   url='https://'+ host + args[0],
39                   cert=CERT_DIR_PATH + '/' + cert_dict['certificate_name'],
40                   verify=False,
41                   headers={"Cache-Control": "no-cache"})
42  ```
43
44- Original robot code of redfish request doesn’t need to modify. It will send
45  the request with the default certificate ${VALID_CERT}.
46
47- The example provides Redfish request to use other certificate in the Robot
48  code below:
49
50  ```
51  ${certificate_dict}=  Create Dictionary  certificate_name=${CERT}
52  Redfish.Get  ${VALID_URL}  certificate=&{certificate_dict}
53  ...  valid_status_codes=[${HTTP_OK}]
54  ```
55
56## Test Cases for mTLS authentication
57
58mTLS authentication is only a means to connect to the BMC, not for testing
59purposes. Therefore, some test cases need to write a new one to match it for
60mTLS authentication. (Requires test certificate with different privileges or
61username) Some cases don’t need to be tested because the purpose of them are
62inapplicable to mTLS. Case studies are as follows:
63
64- **Create_IPMI_User_And_Verify_Login_Via_Redfish**
65
66  In this case, it uses IPMI to create a random user with password and
67  privilege, and then verifies the login via Redfish. Therefore, it will logout
68  the default user and then login with the user just created by IPMI. So it does
69  not need to use mTLS to authenticate login and logout. It can be replaced as
70  follows: Prepare a certificate with the user name "admin_user" in advance. Use
71  IPMI to create a user named admin_user. Then you can use the Redfish request
72  with the admin_user certificate to provide the server for verification.
73
74- **Attempt_Login_With_Expired_Session**
75
76  Most cases related to sessions don't require mTLS because Redfish requests
77  don't need to create a session first. Therefore, there is no need to test
78  these cases when mTLS is enabled.
79