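*** Settings ***

Documentation    VMI certificate exchange tests.

Library          ../../lib/jobs_processing.py
Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/bmc_redfish_utils.robot
Resource         ../../lib/utils.robot

Suite Setup       Suite Setup Execution
Test Teardown     FFDC On Test Case Fail
Suite Teardown    Suite Teardown Execution


*** Variables ***

# Test-only accounts: created by "Suite Setup Execution" and deleted again by
# "Suite Teardown Execution". The password below is a fixture value for these
# throwaway accounts only.
# users            User Name         password
@{ADMIN}           admin_user        TestPwd123
@{OPERATOR}        operator_user     TestPwd123
@{ReadOnly}        readonly_user     TestPwd123
@{NoAccess}        noaccess_user     TestPwd123
&{USERS}           Administrator=${ADMIN}    Operator=${OPERATOR}    ReadOnly=${ReadOnly}
...                NoAccess=${NoAccess}
${VMI_BASE_URI}    /ibm/v1/


*** Test Cases ***

Get CSR Request Signed By VMI And Verify
    [Documentation]    Get CSR request signed by VMI using different user roles and verify.
    [Tags]    Get_CSR_Request_Signed_By_VMI_And_Verify
    [Setup]    Redfish Power On
    [Template]    Get Certificate Signed By VMI

    # username             password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_OK}

    # Send CSR request from operator user.
    operator_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Get Root Certificate Using Different Privilege Users Roles
    [Documentation]    Get root certificate using different users.
    [Tags]    Get_Root_Certificate_Using_Different_Users
    [Setup]    Redfish Power On
    [Template]    Get Root Certificate

    # username       password      force_create    valid_csr    valid_status_code
    # Request root certificate from admin user.
    admin_user       TestPwd123    ${True}         ${True}      ${HTTP_OK}

    # Request root certificate from operator user.
    operator_user    TestPwd123    ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from ReadOnly user.
    readonly_user    TestPwd123    ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from NoAccess user.
    noaccess_user    TestPwd123    ${False}        ${True}      ${HTTP_FORBIDDEN}


Send CSR Request When VMI Is Off And Verify
    [Documentation]    Send CSR signing request to VMI when it is off and expect an error.
    [Tags]    Get_CSR_Request_When_VMI_Is_Off_And_verify
    [Setup]    Redfish Power Off
    [Template]    Get Certificate Signed By VMI

    # username             password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_INTERNAL_SERVER_ERROR}

    # Send CSR request from operator user.
    operator_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Get Corrupted CSR Request Signed By VMI And Verify
    [Documentation]    Send corrupted CSR for signing and expect an error.
    [Tags]    Get_Corrupted_CSR_Request_Signed_By_VMI_And_Verify
    [Setup]    Redfish Power On
    [Template]    Get Certificate Signed By VMI

    # username             password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}    ${True}         ${False}     ${HTTP_INTERNAL_SERVER_ERROR}

    # Send CSR request from operator user.
    operator_user          TestPwd123             ${False}        ${False}     ${HTTP_FORBIDDEN}

    # Send CSR request from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${False}     ${HTTP_FORBIDDEN}

    # Send CSR request from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${False}     ${HTTP_FORBIDDEN}


Get Root Certificate When VMI Is Off And Verify
    [Documentation]    Get root certificate when vmi is off and verify.
    [Tags]    Get_Root_Certificate_When_VMI_Is_Off_And_Verify
    [Setup]    Redfish Power Off
    [Template]    Get Root Certificate

    # username             password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_OK}

    # Request root certificate from operator user.
    operator_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Get Root Certificate After BMC Reboot And Verify
    [Documentation]    Get root certificate after bmc reboot and verify.
    [Tags]    Get_Root_Certificate_After_BMC_Reboot_And_Verify
    [Setup]    Run Keywords    OBMC Reboot (off)    AND    Redfish Power On
    [Template]    Get Root Certificate

    # username             password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_OK}

    # Request root certificate from operator user.
    operator_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Get Concurrent Root Certificate Requests From Multiple Admin Users
    [Documentation]    Get multiple concurrent root certificate requests from multiple admins
    ...    and verify no errors.
    [Tags]    Get_Concurrent_Root_Certificate_Requests_From_Multiple_Admin_Users

    # Each continuation line below is handed to Execute Process Multi Keyword as
    # ONE string (keyword name and its arguments separated by single spaces).
    # NOTE(review): ${5} presumably is the number of trailing arguments per
    # keyword string - confirm against lib/jobs_processing.py.
    FOR    ${i}    IN RANGE    ${5}
        ${dict}=    Execute Process Multi Keyword    ${5}
        ...    Get Root Certificate ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...    Get Root Certificate ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...    Get Root Certificate ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        Dictionary Should Not Contain Value    ${dict}    False
        ...    msg=One or more operations has failed.
    END


Get Concurrent CSR Requests From Multiple Admin Users
    [Documentation]    Get multiple concurrent csr requests from multiple admins and verify no errors.
    [Tags]    Get_Concurrent_CSR_Requests_From_Multiple_Admin_Users

    FOR    ${i}    IN RANGE    ${5}
        ${dict}=    Execute Process Multi Keyword    ${5}
        ...    Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...    Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...    Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...    Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        Dictionary Should Not Contain Value    ${dict}    False
        ...    msg=One or more operations has failed.
    END


Get Concurrent Corrupted CSR Requests From Multiple Admin Users
    [Documentation]    Get multiple concurrent corrupted csr requests from multiple admins and verify no errors.
    [Tags]    Get_Concurrent_Corrupted_CSR_Requests_From_Multiple_Admin_Users

    FOR    ${i}    IN RANGE    ${5}
        ${dict}=    Execute Process Multi Keyword    ${5}
        ...    Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${False} ${HTTP_INTERNAL_SERVER_ERROR}
        ...    Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${False} ${HTTP_INTERNAL_SERVER_ERROR}
        ...    Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${False} ${HTTP_INTERNAL_SERVER_ERROR}
        Dictionary Should Not Contain Value    ${dict}    False
        ...    msg=One or more operations has failed.
    END


Get Concurrent Root Certificate Request From Operator Users
    [Documentation]    Get multiple concurrent root certificate from non admin users and verify no errors.
    [Tags]    Get_Concurrent_Root_Certificate_Request_From_Operator_Users

    FOR    ${i}    IN RANGE    ${5}
        ${dict}=    Execute Process Multi Keyword    ${5}
        ...    Get Root Certificate operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        ...    Get Root Certificate operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        ...    Get Root Certificate operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        Dictionary Should Not Contain Value    ${dict}    False
        ...    msg=One or more operations has failed.
    END


Get Concurrent Root Certificate Request From Admin And Non Admin Users
    [Documentation]    Get multiple concurrent root certificate from admin and non admin users
    ...    and verify no errors.
    [Tags]    Get_Concurrent_Root_Certificate_Request_From_Admin_And_Non_Admin_Users

    FOR    ${i}    IN RANGE    ${5}
        ${dict}=    Execute Process Multi Keyword    ${5}
        ...    Get Root Certificate ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...    Get Root Certificate operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        ...    Get Root Certificate readonly_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        Dictionary Should Not Contain Value    ${dict}    False
        ...    msg=One or more operations has failed.
    END


Get Concurrent Root Certificate Request From Different Non Admin Users
    [Documentation]    Get multiple concurrent root certificate from different non admin users
    ...    and verify no errors.
    [Tags]    Get_Concurrent_Root_Certificate_Request_From_Different_Non_Admin_Users

    FOR    ${i}    IN RANGE    ${5}
        ${dict}=    Execute Process Multi Keyword    ${5}
        ...    Get Root Certificate operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        ...    Get Root Certificate readonly_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        ...    Get Root Certificate noaccess_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        Dictionary Should Not Contain Value    ${dict}    False
        ...    msg=One or more operations has failed.
    END


Get Concurrent CSR Request From Operator Users
    [Documentation]    Get multiple concurrent csr request from non admin users and verify no errors.
    [Tags]    Get_Concurrent_CSR_Request_From_Operator_Users

    FOR    ${i}    IN RANGE    ${5}
        ${dict}=    Execute Process Multi Keyword    ${5}
        ...    Get Certificate Signed By VMI operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        ...    Get Certificate Signed By VMI operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        ...    Get Certificate Signed By VMI operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        Dictionary Should Not Contain Value    ${dict}    False
        ...    msg=One or more operations has failed.
    END


*** Keywords ***

Generate CSR String
    [Documentation]    Generate a csr string.

    # Note: Generates and returns csr string.
    # The CSR and key file names are prefixed with the current date/time and are
    # published as test variables so later keywords can read the same files.
    ${csr_gen_time} =    Get Current Date Time
    ${CSR_FILE}=    Catenate    SEPARATOR=_    ${csr_gen_time}    csr_server.csr
    ${CSR_KEY}=    Catenate    SEPARATOR=_    ${csr_gen_time}    csr_server.key
    Set Test Variable    ${CSR_FILE}
    Set Test Variable    ${CSR_KEY}

    # "-nodes" writes the new RSA private key unencrypted into the working
    # directory. It is a throwaway test key; the suite setup and teardown
    # remove *.key files, and the key must not be reused outside this suite.
    ${ssl_cmd}=    Set Variable    openssl req -new -newkey rsa:2048 -nodes -keyout ${CSR_KEY} -out ${CSR_FILE}
    ${ssl_sub}=    Set Variable
    ...    -subj "/C=XY/ST=Abcd/L=Efgh/O=ABC/OU=Systems/CN=abc.com/emailAddress=xyz@xx.ABC.com"

    # Run openssl command to create a new private key and use that to generate a CSR string
    # in server.csr file.
    ${output}=    Run    ${ssl_cmd} ${ssl_sub}
    ${csr}=    OperatingSystem.Get File    ${CSR_FILE}

    [Return]    ${csr}


Send CSR To VMI And Get Signed
    [Documentation]    Upload CSR to VMI and get signed.
    [Arguments]    ${csr}    ${force_create}    ${username}    ${password}

    # Description of argument(s):
    # csr                    Certificate request from client to VMI.
    # force_create           Create a new REST session if True.
    # username               Username to create a REST session.
    # password               Password to create a REST session.

    # NOTE(review): a session is (re)created when a token already exists or when
    # force_create is True. If ${XAUTH_TOKEN} is empty and force_create is False
    # the request below is sent with an empty X-Auth-Token. The HTTP_FORBIDDEN
    # rows in the test cases only prove role enforcement when the request is
    # really authenticated as the listed user - confirm this condition is the
    # intended one.
    Run Keyword If    "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
    ...    Initialize OpenBMC    rest_username=${username}    rest_password=${password}

    ${data}=    Create Dictionary
    ${headers}=    Create Dictionary    X-Auth-Token=${XAUTH_TOKEN}
    ...    Content-Type=application/json

    ${cert_uri}=    Set Variable    ${VMI_BASE_URI}Host/Actions/SignCSR

    # For SignCSR request, we need to pass CSR string generated by openssl command.
    ${csr_data}=    Create Dictionary    CsrString    ${csr}
    Set To Dictionary    ${data}    data    ${csr_data}

    ${resp}=    Post Request    openbmc    ${cert_uri}    &{data}    headers=${headers}
    Log to console    ${resp.content}

    [Return]    ${resp}


Get Root Certificate
    [Documentation]    Get root certificate from VMI.
    [Arguments]    ${username}=${OPENBMC_USERNAME}    ${password}=${OPENBMC_PASSWORD}
    ...    ${force_create}=${False}    ${valid_csr}=${True}    ${valid_status_code}=${HTTP_OK}

    # Description of argument(s):
    # username               Username to create a REST session.
    # password               Password to create a REST session.
    # force_create           Create a new REST session if True.
    # valid_csr              Not used by this keyword; kept so the argument list
    #                        matches "Get Certificate Signed By VMI".
    # valid_status_code      Expected status code from REST request.

    # NOTE(review): same session condition as in "Send CSR To VMI And Get Signed";
    # with an empty ${XAUTH_TOKEN} and force_create False no session is created.
    Run Keyword If    "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
    ...    Initialize OpenBMC    rest_username=${username}    rest_password=${password}

    ${data}=    Create Dictionary
    ${headers}=    Create Dictionary    X-Auth-Token=${XAUTH_TOKEN}
    ...    Content-Type=application/json

    ${cert_uri}=    Set Variable    ${VMI_BASE_URI}Host/Certificate/root

    ${resp}=    Get Request    openbmc    ${cert_uri}    &{data}    headers=${headers}

    Should Be Equal As Strings    ${resp.status_code}    ${valid_status_code}
    Return From Keyword If    ${resp.status_code} != ${HTTP_OK}

    # The response body is passed to json.loads as a variable ($resp.text) and is
    # not pasted into the Python expression text: the body comes from the BMC and
    # must not be able to change the expression that Evaluate runs (quotes or
    # backslashes in the body would otherwise be interpreted as Python source).
    ${cert}=    Evaluate    json.loads($resp.text, strict=False)    json
    Should Contain    ${cert["Certificate"]}    BEGIN CERTIFICATE
    Should Contain    ${cert["Certificate"]}    END CERTIFICATE


Get Subject
    [Documentation]    Get the subject line of a CSR or signed certificate file.
    [Arguments]    ${file_name}    ${is_csr_file}

    # Description of argument(s):
    # file_name          Name of CSR or signed CERT file.
    # is_csr_file        A True value means a CSR while a False is for signed CERT file.

    # ${file_name} is interpolated into a shell command line; callers in this
    # file only pass file names generated by the suite itself.
    ${subject}=    Run Keyword If    ${is_csr_file}    Run    openssl req -in ${file_name} -text -noout | grep Subject:
    ...    ELSE    Run    openssl x509 -in ${file_name} -text -noout | grep Subject:

    [Return]    ${subject}


Get Public Key
    [Documentation]    Get the public key of a CSR or signed certificate file.
    [Arguments]    ${file_name}    ${is_csr_file}

    # Description of argument(s):
    # file_name          Name of CSR or CERT file.
    # is_csr_file        A True value means a CSR while a False is for signed CERT file.

    # ${file_name} is interpolated into a shell command line; callers in this
    # file only pass file names generated by the suite itself.
    ${PublicKey}=    Run Keyword If    ${is_csr_file}    Run    openssl req -in ${file_name} -noout -pubkey
    ...    ELSE    Run    openssl x509 -in ${file_name} -noout -pubkey

    [Return]    ${PublicKey}


Get Certificate Signed By VMI
    [Documentation]    Get signed certificate from VMI.
    [Arguments]    ${username}=${OPENBMC_USERNAME}    ${password}=${OPENBMC_PASSWORD}
    ...    ${force_create}=${False}    ${valid_csr}=${True}    ${valid_status_code}=${HTTP_OK}

    # Description of argument(s):
    # username               Username to create a REST session.
    # password               Password to create a REST session.
    # force_create           Create a new REST session if True.
    # valid_csr              Uses valid CSR string in the REST request if True,
    #                        otherwise a deliberately corrupted one.
    # valid_status_code      Expected status code from REST request.

    Set Test Variable    ${CSR}    CSR
    Set Test Variable    ${CORRUPTED_CSR}    CORRUPTED_CSR

    ${CSR}=    Generate CSR String

    # Build the corrupted variant by replacing the last "==" in the CSR text.
    # NOTE(review): this assumes the CSR text contains "=="; if it does not, the
    # split yields one item and the two-variable assignment fails - confirm.
    ${csr_left}    ${csr_right}=    Split String From Right    ${CSR}    ==    1
    ${CORRUPTED_CSR}=    Catenate    SEPARATOR=    ${csr_left}    \N    ${csr_right}

    # For SignCSR request, we need to pass CSR string generated by openssl command
    ${csr_str}=    Set Variable If    ${valid_csr} == ${True}    ${CSR}    ${CORRUPTED_CSR}

    ${resp}=    Send CSR To VMI And Get Signed    ${csr_str}    ${force_create}    ${username}    ${password}

    Should Be Equal As Strings    ${resp.status_code}    ${valid_status_code}
    Return From Keyword If    ${resp.status_code} != ${HTTP_OK}

    # The response body is passed to json.loads as a variable ($resp.text) and is
    # not pasted into the Python expression text: the body comes from the BMC and
    # must not be able to change the expression that Evaluate runs.
    ${cert}=    Evaluate    json.loads($resp.text, strict=False)    json
    Should Contain    ${cert["Certificate"]}    BEGIN CERTIFICATE
    Should Contain    ${cert["Certificate"]}    END CERTIFICATE

    # Now do subject and public key verification
    ${subject_csr}=    Get Subject    ${CSR_FILE}    True
    ${pubKey_csr}=    Get Public Key    ${CSR_FILE}    True

    # create a crt file with certificate string
    ${signed_cert}=    Set Variable    ${cert["Certificate"]}
    ${testcert_gen_time} =    Get Current Date Time
    ${test_cert_file}=    Catenate    SEPARATOR=_    ${testcert_gen_time}    test_certificate.cert

    Create File    ${test_cert_file}    ${signed_cert}
    ${subject_signed_csr}=    Get Subject    ${test_cert_file}    False
    ${pubKey_signed_csr}=    Get Public Key    ${test_cert_file}    False

    # The signed certificate must carry the subject and public key of the CSR
    # that was submitted.
    Should be equal as strings    ${subject_signed_csr}    ${subject_csr}
    Should be equal as strings    ${pubKey_signed_csr}    ${pubKey_csr}


Suite Setup Execution
    [Documentation]    Suite setup execution.

    # Remove CSR, private key and certificate files left over from earlier runs.
    Remove Files    *.csr    *.key    *.cert
    # Create different user accounts.
    Redfish.Login
    Redfish Power On
    Create Users With Different Roles    users=${USERS}    force=${True}


Suite Teardown Execution
    [Documentation]    Suite teardown execution.

    # Remove the generated private keys, CSRs and certificates, then delete the
    # test accounts and sessions created for this suite.
    Remove Files    *.csr    *.key    *.cert
    Delete BMC Users Via Redfish    users=${USERS}
    Delete All Sessions
    Redfish.Logout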