Redfish Request Via mTLS
=========================

When the BMC enables only mTLS for authentication, Redfish requests in Robot
tests should still work normally.

## Required environment variables in Robot

- **MTLS_ENABLED** indicates whether mTLS is enabled in the BMC.
  False by default:

  ```
  ${MTLS_ENABLED}    False
  ```

- **VALID_CERT** indicates the valid mTLS certificate for authentication.
  It is used when a Redfish request doesn't specify a certificate.
  No certificate by default:

  ```
  ${VALID_CERT}    ${EMPTY}
  ```

- **CERT_DIR_PATH** indicates the path of the mTLS certificates directory:

  ```
  ${CERT_DIR_PATH}    ${EMPTY}
  ```

## How to send a redfish request with certificate

- When a Redfish request is executed, it is sent through the Python
  library **requests** with a certificate. This is supported for all Redfish
  REST requests (get, head, post, put, patch, delete):

  ```
  import requests

  # Excerpt: host, args and kwargs come from the enclosing request method;
  # VALID_CERT and CERT_DIR_PATH are the Robot variables described above.
  # Use the certificate passed by the caller, or fall back to VALID_CERT.
  cert_dict = kwargs.pop('certificate', {"certificate_name": VALID_CERT})
  response = requests.get(
      url='https://' + host + args[0],
      cert=CERT_DIR_PATH + '/' + cert_dict['certificate_name'],
      # verify=False skips validation of the BMC's server certificate.
      verify=False,
      headers={"Cache-Control": "no-cache"})
  ```

- Existing Robot code that issues Redfish requests does not need to be
  modified. It will send the request with the default certificate
  ${VALID_CERT}.

- To use a different certificate for a Redfish request, pass it as in the
  Robot code below:

  ```
  ${certificate_dict}=  Create Dictionary  certificate_name=${CERT}
  Redfish.Get  ${VALID_URL}  certificate=&{certificate_dict}
  ...  valid_status_codes=[${HTTP_OK}]
  ```

## Test Cases for mTLS authentication

mTLS authentication is only a means of connecting to the BMC; it is not itself
the thing under test. Therefore, some test cases need a new version written to
work with mTLS authentication (this requires test certificates with different
privileges or user names). Some cases don't need to be tested because their
purpose is inapplicable to mTLS. Case studies are as follows:

- **Create_IPMI_User_And_Verify_Login_Via_Redfish**

  This case uses IPMI to create a random user with a password and
  privilege, and then verifies the login via Redfish. To do so, it logs out
  the default user and then logs in with the user just created by IPMI.
  So it does not need to use mTLS to authenticate the login and logout.
  It can be replaced as follows: prepare a certificate with the user name
  "admin_user" in advance. Use IPMI to create a user named admin_user. Then
  send a Redfish request with the admin_user certificate for the server to
  verify.

- **Attempt_Login_With_Expired_Session**

  Most cases related to sessions don't require mTLS because Redfish requests
  don't need to create a session first. Therefore, there is no need to test
  these cases when mTLS is enabled.
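
The certificate selection described under "How to send a redfish request with certificate" can be checked before the request is sent. The following is an added example, not the project's own code: the helper names `resolve_client_cert`, `request_kwargs` and `demo`, the `ca_bundle` parameter and the `.pem` file names are hypothetical. It catches an empty `${VALID_CERT}`, a certificate name that resolves outside `${CERT_DIR_PATH}`, and a missing file.

```python
# Added example: helper names and sample file names are hypothetical.
import os
import tempfile


def resolve_client_cert(cert_dir, default_cert, certificate=None):
    """Return the absolute path of the client certificate for one request.

    cert_dir stands in for ${CERT_DIR_PATH}, default_cert for ${VALID_CERT},
    and certificate for the per-request dict, e.g. {"certificate_name": "a.pem"}.
    """
    name = (certificate or {}).get("certificate_name") or default_cert
    if not cert_dir or not name:
        raise ValueError("mTLS is enabled but no certificate is configured")
    base = os.path.realpath(cert_dir)
    path = os.path.realpath(os.path.join(base, name))
    # Refuse names that resolve outside the certificate directory ("../x.pem").
    if os.path.commonpath([base, path]) != base:
        raise ValueError("certificate name escapes CERT_DIR_PATH: %r" % name)
    if not os.path.isfile(path):
        raise FileNotFoundError("client certificate not found: " + path)
    return path


def request_kwargs(cert_dir, default_cert, ca_bundle=None, **kwargs):
    """Build the cert/verify/headers arguments passed to requests.get() etc."""
    cert = resolve_client_cert(cert_dir, default_cert, kwargs.pop("certificate", None))
    # verify=False (as in the page's snippet) skips validation of the BMC's
    # server certificate; passing a CA bundle path authenticates the server too.
    return {"cert": cert, "verify": ca_bundle or False,
            "headers": {"Cache-Control": "no-cache"}}


def demo():
    """Run the helpers on a constructed, throwaway certificate directory."""
    with tempfile.TemporaryDirectory() as d:
        for n in ("default.pem", "admin_user.pem"):  # constructed empty files
            open(os.path.join(d, n), "w").close()
        other = {"certificate_name": "admin_user.pem"}
        used = [os.path.basename(request_kwargs(d, "default.pem")["cert"]),
                os.path.basename(request_kwargs(d, "default.pem", certificate=other)["cert"])]
        try:
            request_kwargs(d, "default.pem", certificate={"certificate_name": "../x.pem"})
        except ValueError:
            used.append("rejected")
        return used
```

The returned dictionary can be expanded into a `requests` call, for example `requests.get(url, **request_kwargs(...))`.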