1*** Settings ***
2Documentation  Certificate utilities keywords.
3
4Library        OperatingSystem
5Resource       rest_client.robot
6Resource       resource.robot
7
8
9*** Keywords ***
10
11Install Certificate File On BMC
12    [Documentation]  Install certificate file in BMC using POST operation.
13    [Arguments]  ${uri}  ${status}=ok  &{kwargs}
14
15    # Description of argument(s):
16    # uri         URI for installing certificate file via Redfish
17    #             e.g. "/redfish/v1/AccountService/LDAP/Certificates".
18    # status      Expected status of certificate installation via Redfish
19    #             e.g. error, ok.
20    # kwargs      A dictionary of keys/values to be passed directly to
21    #             POST Request.
22
23    Initialize OpenBMC
24
25    ${headers}=  Create Dictionary  Content-Type=application/octet-stream
26    ...  X-Auth-Token=${XAUTH_TOKEN}
27    Set To Dictionary  ${kwargs}  headers  ${headers}
28
29    ${ret}=  Post Request  openbmc  ${uri}  &{kwargs}
30    ${content_json}=  To JSON  ${ret.content}
31    ${cert_id}=  Set Variable If  '${ret.status_code}' == '${HTTP_OK}'  ${content_json["Id"]}  -1
32
33    Run Keyword If  '${status}' == 'ok'
34    ...  Should Be Equal As Strings  ${ret.status_code}  ${HTTP_OK}
35    ...  ELSE IF  '${status}' == 'error'
36    ...  Should Be Equal As Strings  ${ret.status_code}  ${HTTP_INTERNAL_SERVER_ERROR}
37
38    Delete All Sessions
39
40    [Return]  ${cert_id}
41
42
43Get Certificate Content From BMC Via Openssl
44    [Documentation]  Get certificate content from BMC via openssl.
45
46    Check If Openssl Tool Exist
47
48    ${openssl_cmd}=  Catenate
49    ...  timeout 10  openssl s_client -connect ${OPENBMC_HOST}:${HTTPS_PORT} -showcerts
50    ${output}=  Run  ${openssl_cmd}
51
52    ${result}=  Fetch From Left
53    ...  ${output}  -----END CERTIFICATE-----
54    ${result}=  Fetch From Right  ${result}  -----BEGIN CERTIFICATE-----
55    [Return]  ${result}
56
57
58Get Certificate File Content From BMC
59    [Documentation]  Get required certificate file content from BMC.
60    [Arguments]  ${cert_type}=Client
61
62    # Description of argument(s):
63    # cert_type      Certificate type (e.g. "Client" or "CA").
64
65    ${certificate}  ${stderr}  ${rc}=  Run Keyword If  '${cert_type}' == 'Client'
66    ...    BMC Execute Command  cat /etc/nslcd/certs/cert.pem
67
68    [Return]  ${certificate}
69
70
71Generate Certificate File Via Openssl
72    [Documentation]  Create certificate file via openssl with required content
73    ...              and returns its path.
74    [Arguments]  ${cert_format}  ${time}=365  ${cert_dir_name}=certificate_dir
75
76    # Description of argument(s):
77    # cert_format          Certificate file format
78    #                      e.g. Valid_Certificate_Empty_Privatekey.
79    # time                 Number of days to certify the certificate for.
80    # cert_dir_name        The name of the sub-directory where the certificate
81    #                      is stored.
82
83    Check If Openssl Tool Exist
84
85    ${openssl_cmd}=  Catenate  openssl req -x509 -sha256 -newkey rsa:2048
86    ...  ${SPACE}-nodes -days ${time}
87    ...  ${SPACE}-keyout ${cert_dir_name}/cert.pem -out ${cert_dir_name}/cert.pem
88    ...  ${SPACE}-subj "/O=XYZ Corporation /CN=www.xyz.com"
89
90    ${rc}  ${output}=  Run And Return RC and Output  ${openssl_cmd}
91    Should Be Equal  ${rc}  ${0}  msg=${output}
92    OperatingSystem.File Should Exist
93    ...  ${EXECDIR}${/}${cert_dir_name}${/}cert.pem
94
95    ${file_content}=  OperatingSystem.Get File
96    ...  ${EXECDIR}${/}${cert_dir_name}${/}cert.pem
97    ${result}=  Fetch From Left  ${file_content}  -----END CERTIFICATE-----
98    ${cert_content}=  Fetch From Right  ${result}  -----BEGIN CERTIFICATE-----
99
100    ${result}=  Fetch From Left  ${file_content}  -----END PRIVATE KEY-----
101    ${private_key_content}=  Fetch From Right  ${result}  -----BEGIN PRIVATE KEY-----
102
103    ${cert_data}=
104    ...  Run Keyword if  '${cert_format}' == 'Valid Certificate Valid Privatekey'
105    ...  OperatingSystem.Get File  ${EXECDIR}${/}${cert_dir_name}${/}cert.pem
106    ...  ELSE IF  '${cert_format}' == 'Empty Certificate Valid Privatekey'
107    ...  Remove String  ${file_content}  ${cert_content}
108    ...  ELSE IF  '${cert_format}' == 'Valid Certificate Empty Privatekey'
109    ...  Remove String  ${file_content}  ${private_key_content}
110    ...  ELSE IF  '${cert_format}' == 'Empty Certificate Empty Privatekey'
111    ...  Remove String  ${file_content}  ${cert_content}  ${private_key_content}
112    ...  ELSE IF  '${cert_format}' == 'Expired Certificate' or '${cert_format}' == 'Not Yet Valid Certificate'
113    ...  OperatingSystem.Get File  ${EXECDIR}${/}${cert_dir_name}${/}cert.pem
114    ...  ELSE IF  '${cert_format}' == 'Valid Certificate'
115    ...  Remove String  ${file_content}  ${private_key_content}
116    ...  -----BEGIN PRIVATE KEY-----  -----END PRIVATE KEY-----
117    ...  ELSE IF  '${cert_format}' == 'Empty Certificate'
118    ...  Remove String  ${file_content}  ${cert_content}
119    ...  ${private_key_content}  -----BEGIN PRIVATE KEY-----
120    ...  -----END PRIVATE KEY-----
121
122    ${random_name}=  Generate Random String  8
123    ${cert_name}=  Catenate  SEPARATOR=  ${random_name}  .pem
124    Create File  ${cert_dir_name}/${cert_name}  ${cert_data}
125
126    [Return]  ${EXECDIR}${/}${cert_dir_name}${/}${cert_name}
127
128
129Get Certificate Content From File
130    [Documentation]  Get certificate content from certificate file.
131    [Arguments]  ${cert_file_path}
132
133    # Description of argument(s):
134    # cert_file_path  Downloaded certificate file path.
135
136    ${file_content}=  OperatingSystem.Get File  ${cert_file_path}
137    ${result}=  Fetch From Left  ${file_content}  -----END CERTIFICATE-----
138    ${result}=  Fetch From Right  ${result}  -----BEGIN CERTIFICATE-----
139    [Return]  ${result}
140
141
142Check If Openssl Tool Exist
143    [Documentation]  Check if openssl tool installed or not.
144
145    ${rc}  ${output}=  Run And Return RC and Output  which openssl
146    Should Not Be Empty  ${output}  msg=Openssl tool not installed.
147
148
149Verify Certificate Visible Via OpenSSL
150    [Documentation]  Checks if given certificate is visible via openssl's showcert command.
151    [Arguments]  ${cert_file_path}
152
153    # Description of argument(s):
154    # cert_file_path           Certificate file path.
155
156    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
157    ${openssl_cert_content}=  Get Certificate Content From BMC Via Openssl
158    Should Contain  ${cert_file_content}  ${openssl_cert_content}
159
160
161Delete All CA Certificate Via Redfish
162    [Documentation]  Delete all CA certificate via Redfish.
163    ${cert_list}=  Redfish_Utils.Get Member List  /redfish/v1/Managers/bmc/Truststore/Certificates
164    FOR  ${cert}  IN  @{cert_list}
165      Redfish.Delete  ${cert}  valid_status_codes=[${HTTP_NO_CONTENT}]
166    END
167
168
169Delete Certificate Via BMC CLI
170    [Documentation]  Delete certificate via BMC CLI.
171    [Arguments]  ${cert_type}
172
173    # Description of argument(s):
174    # cert_type           Certificate type (e.g. "Client" or "CA").
175
176    ${certificate_file_path}  ${certificate_service}  ${certificate_uri}=
177    ...  Run Keyword If  '${cert_type}' == 'Client'
178    ...    Set Variable  /etc/nslcd/certs/cert.pem  phosphor-certificate-manager@nslcd.service
179    ...    ${REDFISH_LDAP_CERTIFICATE_URI}
180    ...  ELSE IF  '${cert_type}' == 'CA'
181    ...    Set Variable  ${ROOT_CA_FILE_PATH}  phosphor-certificate-manager@authority.service
182    ...    ${REDFISH_CA_CERTIFICATE_URI}
183
184    ${file_status}  ${stderr}  ${rc}=  BMC Execute Command
185    ...  [ -f ${certificate_file_path} ] && echo "Found" || echo "Not Found"
186
187    Return From Keyword If  "${file_status}" != "Found"
188    BMC Execute Command  rm ${certificate_file_path}
189    BMC Execute Command  systemctl restart ${certificate_service}
190    BMC Execute Command  systemctl daemon-reload
191    Wait Until Keyword Succeeds  1 min  10 sec  Redfish.Get  ${certificate_uri}/1
192    ...  valid_status_codes=[${HTTP_NOT_FOUND}, ${HTTP_INTERNAL_SERVER_ERROR}]
193
194
195Replace Certificate Via Redfish
196    [Documentation]  Test 'replace certificate' operation in the BMC via Redfish.
197    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}
198
199    # Description of argument(s):
200    # cert_type           Certificate type (e.g. "Server" or "Client").
201    # cert_format         Certificate file format
202    #                     (e.g. Valid_Certificate_Valid_Privatekey).
203    # expected_status     Expected status of certificate replace Redfish
204    #                     request (i.e. "ok" or "error").
205
206    # Install certificate before replacing client or CA certificate.
207    ${cert_id}=  Run Keyword If  '${cert_type}' == 'Client'
208    ...    Install And Verify Certificate Via Redfish  ${cert_type}  Valid Certificate Valid Privatekey  ok
209    ...  ELSE IF  '${cert_type}' == 'CA'
210    ...    Install And Verify Certificate Via Redfish  ${cert_type}  Valid Certificate  ok
211
212    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}
213
214    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
215    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8
216
217    Run Keyword If  '${cert_format}' == 'Expired Certificate'
218    ...    Modify BMC Date  future
219    ...  ELSE IF  '${cert_format}' == 'Not Yet Valid Certificate'
220    ...    Modify BMC Date  old
221
222
223    ${certificate_uri}=  Set Variable If
224    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/1
225    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/1
226    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}/${cert_id}
227
228    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
229    ${payload}=  Create Dictionary  CertificateString=${file_data}
230    ...  CertificateType=PEM  CertificateUri=${certificate_dict}
231
232    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
233    ...  '${expected_status}' == 'error'  ${HTTP_NOT_FOUND}, ${HTTP_INTERNAL_SERVER_ERROR}
234    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
235    ...  body=${payload}  valid_status_codes=[${expected_resp}]
236
237    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
238    ${bmc_cert_content}=  redfish_utils.Get Attribute  ${certificate_uri}  CertificateString
239
240    Run Keyword If  '${expected_status}' == 'ok'
241    ...    Should Contain  ${cert_file_content}  ${bmc_cert_content}
242    ...  ELSE
243    ...    Should Not Contain  ${cert_file_content}  ${bmc_cert_content}
244
245
246Install And Verify Certificate Via Redfish
247    [Documentation]  Install and verify certificate using Redfish.
248    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}  ${delete_cert}=${True}
249
250    # Description of argument(s):
251    # cert_type           Certificate type (e.g. "Client" or "CA").
252    # cert_format         Certificate file format
253    #                     (e.g. "Valid_Certificate_Valid_Privatekey").
254    # expected_status     Expected status of certificate replace Redfish
255    #                     request (i.e. "ok" or "error").
256    # delete_cert         Certificate will be deleted before installing if this True.
257
258    Run Keyword If  '${cert_type}' == 'CA' and '${delete_cert}' == '${True}'
259    ...  Delete All CA Certificate Via Redfish
260    ...  ELSE IF  '${cert_type}' == 'Client' and '${delete_cert}' == '${True}'
261    ...  Delete Certificate Via BMC CLI  ${cert_type}
262
263    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}
264    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
265    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8
266
267    ${certificate_uri}=  Set Variable If
268    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}
269    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}
270
271    Run Keyword If  '${cert_format}' == 'Expired Certificate'  Modify BMC Date  future
272    ...  ELSE IF  '${cert_format}' == 'Not Yet Valid Certificate'  Modify BMC Date  old
273
274    ${cert_id}=  Install Certificate File On BMC  ${certificate_uri}  ${expected_status}  data=${file_data}
275    Logging  Installed certificate id: ${cert_id}
276
277    # Adding delay after certificate installation.
278    Sleep  30s
279
280    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
281    ${bmc_cert_content}=  Run Keyword If  '${expected_status}' == 'ok'  redfish_utils.Get Attribute
282    ...  ${certificate_uri}/${cert_id}  CertificateString
283
284    Run Keyword If  '${expected_status}' == 'ok'  Should Contain  ${cert_file_content}  ${bmc_cert_content}
285    [Return]  ${cert_id}
286
287
288Modify BMC Date
289    [Documentation]  Modify date in BMC.
290    [Arguments]  ${date_set_type}=current
291
292    # Description of argument(s):
293    # date_set_type    Set BMC date to a current, future, old date by 375 days.
294    #                  current - Sets date to local system date.
295    #                  future - Sets to a future date from current date.
296    #                  old - Sets to a old date from current date.
297
298    Redfish Power Off  stack_mode=skip
299    ${current_date_time}=  Get Current Date
300    ${new_time}=  Run Keyword If  '${date_set_type}' == 'current'  Set Variable  ${current_date_time}
301    ...  ELSE IF  '${date_set_type}' == 'future'
302    ...  Add Time To Date  ${current_date_time}  375 days
303    ...  ELSE IF  '${date_set_type}' == 'old'
304    ...  Subtract Time From Date  ${current_date_time}  375 days
305
306    # Enable manual mode.
307    Redfish.Patch  ${REDFISH_NW_PROTOCOL_URI}
308    ...  body={'NTP':{'ProtocolEnabled': ${False}}}
309    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]
310    Sleep  2s
311    Redfish.Patch  ${REDFISH_BASE_URI}Managers/bmc  body={'DateTime': '${new_time}'}
312    ...  valid_status_codes=[${HTTP_OK}]
313