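*** Settings ***

Documentation       VMI certificate exchange tests.
...                 Checks that only an administrator session can have a CSR signed or
...                 read the root certificate, and that a signed certificate carries the
...                 same subject and public key as the CSR that was submitted.

Resource            ../../lib/resource.robot
Resource            ../../lib/bmc_redfish_resource.robot
Resource            ../../lib/openbmc_ffdc.robot
Resource            ../../lib/bmc_redfish_utils.robot
Resource            ../../lib/utils.robot

Suite Setup         Suite Setup Execution
Test Teardown       FFDC On Test Case Fail
Suite Teardown      Suite Teardown Execution


*** Variables ***

# Test-only accounts: passed to "Create Users With Different Roles" in suite setup
# and to "Delete BMC Users Via Redfish" in suite teardown.
# users             User Name               password
@{ADMIN}            admin_user              TestPwd123
@{OPERATOR}         operator_user           TestPwd123
@{ReadOnly}         readonly_user           TestPwd123
@{NoAccess}         noaccess_user           TestPwd123
&{USERS}            Administrator=${ADMIN}    Operator=${OPERATOR}    ReadOnly=${ReadOnly}
...                 NoAccess=${NoAccess}
${VMI_BASE_URI}     /ibm/v1/
# Files written to the current working directory by "Generate CSR String".
# ${CSR_KEY} holds an unencrypted private key (openssl -nodes).
${CSR_FILE}         csr_server.csr
${CSR_KEY}          csr_server.key


*** Test Cases ***

Get CSR Request Signed By VMI And Verify
    [Documentation]    Get CSR request signed by VMI using different user roles and verify.
    [Tags]    Get_CSR_Request_Signed_By_VMI_And_Verify
    [Setup]    Redfish Power On
    [Template]    Get Certificate Signed By VMI

    # username             password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_OK}

    # Send CSR request from operator user.
    operator_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Get Root Certificate Using Different Privilege Users Roles
    [Documentation]    Get root certificate using different users.
    [Tags]    Get_Root_Certificate_Using_Different_Users
    [Setup]    Redfish Power On
    [Template]    Get Root Certificate

    # username             password               force_create    valid_csr    valid_status_code
    # Request root certificate from admin user.
    admin_user             TestPwd123             ${True}         ${True}      ${HTTP_OK}

    # Request root certificate from operator user.
    operator_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Send CSR Request When VMI Is Off And Verify
    [Documentation]    Send CSR signing request to VMI when it is off and expect an error.
    [Tags]    Get_CSR_Request_When_VMI_Is_Off_And_verify
    [Setup]    Redfish Power Off
    [Template]    Get Certificate Signed By VMI

    # username             password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_INTERNAL_SERVER_ERROR}

    # Send CSR request from operator user.
    operator_user          TestPwd123             ${False}        ${True}      ${HTTP_INTERNAL_SERVER_ERROR}

    # Send CSR request from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${True}      ${HTTP_INTERNAL_SERVER_ERROR}

    # Send CSR request from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${True}      ${HTTP_INTERNAL_SERVER_ERROR}


*** Keywords ***

Generate CSR String
    [Documentation]    Create a new RSA-2048 key pair with openssl, write a CSR for it
    ...    and return the CSR text read back from ${CSR_FILE}.

    # -nodes leaves the private key in ${CSR_KEY} unencrypted; the key is only
    # meant for this test run and is removed in the suite teardown.
    ${ssl_cmd}=    Set Variable    openssl req -new -newkey rsa:2048 -nodes -keyout ${CSR_KEY} -out ${CSR_FILE}
    ${ssl_sub}=    Set Variable
    ...    -subj "/C=XY/ST=Abcd/L=Efgh/O=ABC/OU=Systems/CN=abc.com/emailAddress=xyz@xx.ABC.com"

    # Run openssl command to create a new private key and use that to generate a CSR string
    # in the ${CSR_FILE} file.  Fail here if openssl fails, so a stale CSR file left by
    # an earlier run is never submitted in place of a freshly generated one.
    ${rc}    ${output}=    Run And Return Rc And Output    ${ssl_cmd} ${ssl_sub}
    Should Be Equal As Integers    ${rc}    0    msg=openssl could not generate the CSR: ${output}
    ${csr}=    OperatingSystem.Get File    ${CSR_FILE}

    [Return]    ${csr}


Send CSR To VMI And Get Signed
    [Documentation]    Post a CSR to the VMI SignCSR action and return the response.
    [Arguments]    ${csr}    ${force_create}    ${username}    ${password}

    # Description of argument(s):
    # csr             Certificate request from client to VMI.
    # force_create    Create a new REST session if True.
    # username        Username to create a REST session.
    # password        Password to create a REST session.

    # A session is (re)created as ${username} whenever a token already exists or
    # force_create is True, so each template row runs with its own user's token.
    # NOTE(review): with an empty ${XAUTH_TOKEN} and force_create False no session is
    # created and the request carries an empty X-Auth-Token - confirm this is intended.
    Run Keyword If    "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
    ...    Initialize OpenBMC    rest_username=${username}    rest_password=${password}

    ${data}=    Create Dictionary
    ${headers}=    Create Dictionary    X-Auth-Token=${XAUTH_TOKEN}
    ...    Content-Type=application/json

    ${cert_uri}=    Set Variable    ${VMI_BASE_URI}Host/Actions/SignCSR

    # For SignCSR request, we need to pass CSR string generated by openssl command.
    ${csr_data}=    Create Dictionary    CsrString    ${csr}
    Set To Dictionary    ${data}    data    ${csr_data}

    ${resp}=    Post Request    openbmc    ${cert_uri}    &{data}    headers=${headers}

    [Return]    ${resp}


Get Root Certificate
    [Documentation]    Get root certificate from VMI and check the status code; on
    ...    HTTP_OK also check that the body holds a PEM certificate.
    [Arguments]    ${username}=${OPENBMC_USERNAME}    ${password}=${OPENBMC_PASSWORD}
    ...    ${force_create}=${False}    ${valid_csr}=${True}    ${valid_status_code}=${HTTP_OK}

    # Description of argument(s):
    # username             Username to create a REST session.
    # password             Password to create a REST session.
    # force_create         Create a new REST session if True.
    # valid_csr            Uses valid CSR string in the REST request if True.
    #                      This is not applicable for root certificate.
    # valid_status_code    Expected status code from REST request.

    # Same session rule as in "Send CSR To VMI And Get Signed".
    Run Keyword If    "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
    ...    Initialize OpenBMC    rest_username=${username}    rest_password=${password}

    ${data}=    Create Dictionary
    ${headers}=    Create Dictionary    X-Auth-Token=${XAUTH_TOKEN}
    ...    Content-Type=application/json

    ${cert_uri}=    Set Variable    ${VMI_BASE_URI}Host/Certificate/root

    ${resp}=    Get Request    openbmc    ${cert_uri}    &{data}    headers=${headers}

    Should Be Equal As Strings    ${resp.status_code}    ${valid_status_code}
    Return From Keyword If    ${resp.status_code} != ${HTTP_OK}

    # Hand the response body to json.loads as a variable ($resp.text) rather than
    # pasting it into the expression source, so the body is only ever parsed as
    # JSON data and quotes or backslashes in it cannot alter the evaluated code.
    ${cert}=    Evaluate    json.loads($resp.text, strict=False)    json
    Should Contain    ${cert["Certificate"]}    BEGIN CERTIFICATE
    Should Contain    ${cert["Certificate"]}    END CERTIFICATE


Get Subject
    [Documentation]    Return the "Subject:" line(s) openssl prints for a CSR or a
    ...    signed certificate file.
    [Arguments]    ${file_name}    ${is_csr_file}

    # Description of argument(s):
    # file_name      Name of CSR or signed CERT file.
    # is_csr_file    A True value means a CSR while a False is for signed CERT file.

    ${subject}=    Run Keyword If    ${is_csr_file}    Run    openssl req -in ${file_name} -text -noout | grep Subject:
    ...    ELSE    Run    openssl x509 -in ${file_name} -text -noout | grep Subject:

    [Return]    ${subject}


Get Public Key
    [Documentation]    Return the public key openssl extracts from a CSR or a signed
    ...    certificate file.
    [Arguments]    ${file_name}    ${is_csr_file}

    # Description of argument(s):
    # file_name      Name of CSR or CERT file.
    # is_csr_file    A True value means a CSR while a False is for signed CERT file.

    ${PublicKey}=    Run Keyword If    ${is_csr_file}    Run    openssl req -in ${file_name} -noout -pubkey
    ...    ELSE    Run    openssl x509 -in ${file_name} -noout -pubkey

    [Return]    ${PublicKey}


Get Certificate Signed By VMI
    [Documentation]    Get signed certificate from VMI and check the status code; on
    ...    HTTP_OK also check that subject and public key match the CSR.
    [Arguments]    ${username}=${OPENBMC_USERNAME}    ${password}=${OPENBMC_PASSWORD}
    ...    ${force_create}=${False}    ${valid_csr}=${True}    ${valid_status_code}=${HTTP_OK}

    # Description of argument(s):
    # username             Username to create a REST session.
    # password             Password to create a REST session.
    # force_create         Create a new REST session if True.
    # valid_csr            Uses valid CSR string in the REST request if True,
    #                      otherwise the literal string CORRUPTED_CSR is sent.
    # valid_status_code    Expected status code from REST request.

    Set Test Variable    ${CSR}    CSR
    Set Test Variable    ${CORRUPTED_CSR}    CORRUPTED_CSR

    ${CSR}=    Generate CSR String

    # For SignCSR request, we need to pass CSR string generated by openssl command
    ${csr_str}=    Set Variable If    ${valid_csr} == ${True}    ${CSR}    ${CORRUPTED_CSR}

    ${resp}=    Send CSR To VMI And Get Signed    ${csr_str}    ${force_create}    ${username}    ${password}

    Should Be Equal As Strings    ${resp.status_code}    ${valid_status_code}
    Return From Keyword If    ${resp.status_code} != ${HTTP_OK}

    # Hand the response body to json.loads as a variable ($resp.text) rather than
    # pasting it into the expression source, so the body is only ever parsed as
    # JSON data and quotes or backslashes in it cannot alter the evaluated code.
    ${cert}=    Evaluate    json.loads($resp.text, strict=False)    json
    Should Contain    ${cert["Certificate"]}    BEGIN CERTIFICATE
    Should Contain    ${cert["Certificate"]}    END CERTIFICATE

    # Now do subject and public key verification
    ${subject_csr}=    Get Subject    ${CSR_FILE}    True
    ${pubKey_csr}=    Get Public Key    ${CSR_FILE}    True

    # create a crt file with certificate string
    ${signed_cert}=    Set Variable    ${cert["Certificate"]}

    Create File    test_certificate.crt    ${signed_cert}
    ${subject_signed_csr}=    Get Subject    test_certificate.crt    False
    ${pubKey_signed_csr}=    Get Public Key    test_certificate.crt    False

    # The returned certificate must be for the identity and key that were submitted.
    Should Be Equal As Strings    ${subject_signed_csr}    ${subject_csr}
    Should Be Equal As Strings    ${pubKey_signed_csr}    ${pubKey_csr}


Suite Setup Execution
    [Documentation]    Suite setup execution.

    # Create different user accounts.
    Redfish.Login
    Create Users With Different Roles    users=${USERS}    force=${True}


Suite Teardown Execution
    [Documentation]    Suite teardown execution: remove the generated key material,
    ...    delete the test users and close the sessions.

    # Do not leave the unencrypted private key, the CSR or the signed certificate
    # behind in the working directory after the run.
    Remove Files    ${CSR_FILE}    ${CSR_KEY}    test_certificate.crt

    Delete BMC Users Via Redfish    users=${USERS}
    Delete All Sessions
    Redfish.Logout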