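*** Settings ***

Documentation       VMI certificate exchange tests.

Library             ../../lib/jobs_processing.py
Resource            ../../lib/resource.robot
Resource            ../../lib/bmc_redfish_resource.robot
Resource            ../../lib/openbmc_ffdc.robot
Resource            ../../lib/bmc_redfish_utils.robot
Resource            ../../lib/utils.robot

Suite Setup         Suite Setup Execution
Test Teardown       FFDC On Test Case Fail
Suite Teardown      Suite Teardown Execution


*** Variables ***

# Test-only accounts: Suite Setup Execution creates every entry of &{USERS} on the BMC and
# Suite Teardown Execution deletes them again.
# users             User Name        password
@{ADMIN}            admin_user       TestPwd123
@{OPERATOR}         operator_user    TestPwd123
@{ReadOnly}         readonly_user    TestPwd123
@{NoAccess}         noaccess_user    TestPwd123
&{USERS}            Administrator=${ADMIN}    Operator=${OPERATOR}    ReadOnly=${ReadOnly}
...                 NoAccess=${NoAccess}
${VMI_BASE_URI}     /ibm/v1/


*** Test Cases ***

Get CSR Request Signed By VMI And Verify
    [Documentation]    Get CSR request signed by VMI using different user roles and verify.
    [Tags]    Get_CSR_Request_Signed_By_VMI_And_Verify
    [Setup]    Redfish Power On
    [Template]    Get Certificate Signed By VMI

    # username             password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_OK}

    # Send CSR request from operator user.
    operator_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Get Root Certificate Using Different Privilege Users Roles
    [Documentation]    Get root certificate using different users.
    [Tags]    Get_Root_Certificate_Using_Different_Users
    [Setup]    Redfish Power On
    [Template]    Get Root Certificate

    # username             password               force_create    valid_csr    valid_status_code
    # Request root certificate from admin user.
    admin_user             TestPwd123             ${True}         ${True}      ${HTTP_OK}

    # Request root certificate from operator user.
    operator_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Send CSR Request When VMI Is Off And Verify
    [Documentation]    Send CSR signing request to VMI when it is off and expect an error.
    [Tags]    Get_CSR_Request_When_VMI_Is_Off_And_verify
    [Setup]    Redfish Power Off
    [Template]    Get Certificate Signed By VMI

    # username             password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_INTERNAL_SERVER_ERROR}

    # Send CSR request from operator user.
    operator_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Get Corrupted CSR Request Signed By VMI And Verify
    [Documentation]    Send corrupted CSR for signing and expect an error.
    [Tags]    Get_Corrupted_CSR_Request_Signed_By_VMI_And_Verify
    [Setup]    Redfish Power On
    [Template]    Get Certificate Signed By VMI

    # username             password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}    ${True}         ${False}     ${HTTP_INTERNAL_SERVER_ERROR}

    # Send CSR request from operator user.
    operator_user          TestPwd123             ${False}        ${False}     ${HTTP_FORBIDDEN}

    # Send CSR request from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${False}     ${HTTP_FORBIDDEN}

    # Send CSR request from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${False}     ${HTTP_FORBIDDEN}


Get Root Certificate When VMI Is Off And Verify
    [Documentation]    Get root certificate when vmi is off and verify.
    [Tags]    Get_Root_Certificate_When_VMI_Is_Off_And_Verify
    [Setup]    Redfish Power Off
    [Template]    Get Root Certificate

    # username             password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_OK}

    # Request root certificate from operator user.
    operator_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Get Root Certificate After BMC Reboot And Verify
    [Documentation]    Get root certificate after bmc reboot and verify.
    [Tags]    Get_Root_Certificate_After_BMC_Reboot_And_Verify
    [Setup]    Run Keywords    OBMC Reboot (off)    AND    Redfish Power On
    [Template]    Get Root Certificate

    # username             password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_OK}

    # Request root certificate from operator user.
    operator_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Get Concurrent Root Certificate Requests From Multiple Admin Users
    [Documentation]    Get multiple concurrent root certificate requests from multiple admins
    ...    and verify no errors.
    [Tags]    Get_Concurrent_Root_Certificate_Requests_From_Multiple_Admin_Users

    # NOTE(review): each continuation row below is written as ONE cell (keyword name and its
    # arguments separated by single spaces), on the assumption that the helper in
    # lib/jobs_processing.py splits the string itself - confirm against that library.
    FOR    ${i}    IN RANGE    ${5}
        ${dict}=    Execute Process Multi Keyword    ${5}
        ...    Get Root Certificate ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...    Get Root Certificate ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...    Get Root Certificate ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        Dictionary Should Not Contain Value    ${dict}    False
        ...    msg=One or more operations has failed.
    END


Get Concurrent CSR Requests From Multiple Admin Users
    [Documentation]    Get multiple concurrent csr requests from multiple admins and verify no errors.
    [Tags]    Get_Concurrent_CSR_Requests_From_Multiple_Admin_Users

    # NOTE(review): one cell per continuation row, see the assumption stated in
    # "Get Concurrent Root Certificate Requests From Multiple Admin Users" - confirm.
    FOR    ${i}    IN RANGE    ${5}
        ${dict}=    Execute Process Multi Keyword    ${5}
        ...    Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...    Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...    Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...    Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        Dictionary Should Not Contain Value    ${dict}    False
        ...    msg=One or more operations has failed.
    END


Get Concurrent Corrupted CSR Requests From Multiple Admin Users
    [Documentation]    Get multiple concurrent corrupted csr requests from multiple admins and verify no errors.
    [Tags]    Get_Concurrent_Corrupted_CSR_Requests_From_Multiple_Admin_Users

    # NOTE(review): one cell per continuation row, see the assumption stated in
    # "Get Concurrent Root Certificate Requests From Multiple Admin Users" - confirm.
    FOR    ${i}    IN RANGE    ${5}
        ${dict}=    Execute Process Multi Keyword    ${5}
        ...    Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${False} ${HTTP_INTERNAL_SERVER_ERROR}
        ...    Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${False} ${HTTP_INTERNAL_SERVER_ERROR}
        ...    Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${False} ${HTTP_INTERNAL_SERVER_ERROR}
        Dictionary Should Not Contain Value    ${dict}    False
        ...    msg=One or more operations has failed.
    END


*** Keywords ***

Generate CSR String
    [Documentation]    Generate a new RSA key pair and CSR with openssl and return the CSR text.

    # The file names are built from the current date/time and published as test variables
    # (${CSR_FILE}, ${CSR_KEY}) so that later verification steps can read the CSR back.
    ${csr_gen_time}=    Get Current Date Time
    ${CSR_FILE}=    Catenate    SEPARATOR=_    ${csr_gen_time}    csr_server.csr
    ${CSR_KEY}=    Catenate    SEPARATOR=_    ${csr_gen_time}    csr_server.key
    Set Test Variable    ${CSR_FILE}
    Set Test Variable    ${CSR_KEY}

    # -nodes writes the throw-away private key to ${CSR_KEY} unencrypted, as a relative path.
    # The only cleanup visible in this suite is the "Remove Files  *.key" in suite setup/teardown.
    ${ssl_cmd}=    Set Variable    openssl req -new -newkey rsa:2048 -nodes -keyout ${CSR_KEY} -out ${CSR_FILE}
    ${ssl_sub}=    Set Variable
    ...    -subj "/C=XY/ST=Abcd/L=Efgh/O=ABC/OU=Systems/CN=abc.com/emailAddress=xyz@xx.ABC.com"

    # Run openssl command to create a new private key and use that to generate a CSR string
    # in the ${CSR_FILE} file.
    ${output}=    Run    ${ssl_cmd} ${ssl_sub}
    ${csr}=    OperatingSystem.Get File    ${CSR_FILE}

    [Return]    ${csr}


Send CSR To VMI And Get Signed
    [Documentation]    Post a CSR to the VMI SignCSR action and return the response object.
    [Arguments]    ${csr}    ${force_create}    ${username}    ${password}

    # Description of argument(s):
    # csr                    Certificate request from client to VMI.
    # force_create           Create a new REST session if True.
    # username               Username to create a REST session.
    # password               Password to create a REST session.

    # As written, the session is (re)initialised with the given credentials when a token
    # already exists OR force_create is True.
    Run Keyword If    "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
    ...    Initialize OpenBMC    rest_username=${username}    rest_password=${password}

    ${data}=    Create Dictionary
    ${headers}=    Create Dictionary    X-Auth-Token=${XAUTH_TOKEN}
    ...    Content-Type=application/json

    ${cert_uri}=    Set Variable    ${VMI_BASE_URI}Host/Actions/SignCSR

    # For SignCSR request, we need to pass CSR string generated by openssl command.
    ${csr_data}=    Create Dictionary    CsrString    ${csr}
    Set To Dictionary    ${data}    data    ${csr_data}

    ${resp}=    Post Request    openbmc    ${cert_uri}    &{data}    headers=${headers}
    Log to console    ${resp.content}

    [Return]    ${resp}


Get Root Certificate
    [Documentation]    Get root certificate from VMI.
    [Arguments]    ${username}=${OPENBMC_USERNAME}    ${password}=${OPENBMC_PASSWORD}
    ...    ${force_create}=${False}    ${valid_csr}=${True}    ${valid_status_code}=${HTTP_OK}

    # Description of argument(s):
    # username               Username to create a REST session.
    # password               Password to create a REST session.
    # force_create           Create a new REST session if True.
    # valid_csr              Not used by this keyword (not applicable for root certificate);
    #                        kept so the template rows match "Get Certificate Signed By VMI".
    # valid_status_code      Expected status code from REST request.

    # As written, the session is (re)initialised with the given credentials when a token
    # already exists OR force_create is True.
    Run Keyword If    "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
    ...    Initialize OpenBMC    rest_username=${username}    rest_password=${password}

    ${data}=    Create Dictionary
    ${headers}=    Create Dictionary    X-Auth-Token=${XAUTH_TOKEN}
    ...    Content-Type=application/json

    ${cert_uri}=    Set Variable    ${VMI_BASE_URI}Host/Certificate/root

    ${resp}=    Get Request    openbmc    ${cert_uri}    &{data}    headers=${headers}

    Should Be Equal As Strings    ${resp.status_code}    ${valid_status_code}
    Return From Keyword If    ${resp.status_code} != ${HTTP_OK}

    # The body comes from the BMC under test. Hand it to json.loads as a variable ($resp.text)
    # instead of splicing it into the expression text, so Evaluate never parses response
    # content as Python source on the test host.
    ${cert}=    Evaluate    json.loads($resp.text, strict=False)    json
    Should Contain    ${cert["Certificate"]}    BEGIN CERTIFICATE
    Should Contain    ${cert["Certificate"]}    END CERTIFICATE


Get Subject
    [Documentation]    Return the "Subject:" line openssl prints for a CSR or a signed certificate file.
    [Arguments]    ${file_name}    ${is_csr_file}

    # Description of argument(s):
    # file_name              Name of CSR or signed CERT file.
    # is_csr_file            A True value means a CSR while a False is for signed CERT file.

    # file_name is placed unquoted into a shell command line; callers in this file pass
    # names that this suite generated itself.
    ${subject}=    Run Keyword If    ${is_csr_file}
    ...    Run    openssl req -in ${file_name} -text -noout | grep Subject:
    ...    ELSE
    ...    Run    openssl x509 -in ${file_name} -text -noout | grep Subject:

    [Return]    ${subject}


Get Public Key
    [Documentation]    Return the public key openssl extracts from a CSR or a signed certificate file.
    [Arguments]    ${file_name}    ${is_csr_file}

    # Description of argument(s):
    # file_name              Name of CSR or CERT file.
    # is_csr_file            A True value means a CSR while a False is for signed CERT file.

    # file_name is placed unquoted into a shell command line; callers in this file pass
    # names that this suite generated itself.
    ${PublicKey}=    Run Keyword If    ${is_csr_file}
    ...    Run    openssl req -in ${file_name} -noout -pubkey
    ...    ELSE
    ...    Run    openssl x509 -in ${file_name} -noout -pubkey

    [Return]    ${PublicKey}


Get Certificate Signed By VMI
    [Documentation]    Get signed certificate from VMI and check it against the CSR that was sent.
    [Arguments]    ${username}=${OPENBMC_USERNAME}    ${password}=${OPENBMC_PASSWORD}
    ...    ${force_create}=${False}    ${valid_csr}=${True}    ${valid_status_code}=${HTTP_OK}

    # Description of argument(s):
    # username               Username to create a REST session.
    # password               Password to create a REST session.
    # force_create           Create a new REST session if True.
    # valid_csr              Uses valid CSR string in the REST request if True,
    #                        otherwise the corrupted copy built below.
    # valid_status_code      Expected status code from REST request.

    Set Test Variable    ${CSR}    CSR
    Set Test Variable    ${CORRUPTED_CSR}    CORRUPTED_CSR

    ${CSR}=    Generate CSR String
    # Build the corrupted variant: split the CSR at its last "==" and rejoin the two halves
    # around the \N cell. The two-variable assignment needs the CSR text to contain "==".
    ${csr_left}    ${csr_right}=    Split String From Right    ${CSR}    ==    1
    ${CORRUPTED_CSR}=    Catenate    SEPARATOR=    ${csr_left}    \N    ${csr_right}

    # For SignCSR request, we need to pass CSR string generated by openssl command
    ${csr_str}=    Set Variable If    ${valid_csr} == ${True}    ${CSR}    ${CORRUPTED_CSR}

    ${resp}=    Send CSR To VMI And Get Signed    ${csr_str}    ${force_create}    ${username}    ${password}

    Should Be Equal As Strings    ${resp.status_code}    ${valid_status_code}
    Return From Keyword If    ${resp.status_code} != ${HTTP_OK}

    # The body comes from the BMC under test. Hand it to json.loads as a variable ($resp.text)
    # instead of splicing it into the expression text, so Evaluate never parses response
    # content as Python source on the test host.
    ${cert}=    Evaluate    json.loads($resp.text, strict=False)    json
    Should Contain    ${cert["Certificate"]}    BEGIN CERTIFICATE
    Should Contain    ${cert["Certificate"]}    END CERTIFICATE

    # Now do subject and public key verification
    ${subject_csr}=    Get Subject    ${CSR_FILE}    True
    ${pubKey_csr}=    Get Public Key    ${CSR_FILE}    True

    # create a crt file with certificate string
    ${signed_cert}=    Set Variable    ${cert["Certificate"]}
    ${testcert_gen_time}=    Get Current Date Time
    ${test_cert_file}=    Catenate    SEPARATOR=_    ${testcert_gen_time}    test_certificate.cert

    Create File    ${test_cert_file}    ${signed_cert}
    ${subject_signed_csr}=    Get Subject    ${test_cert_file}    False
    ${pubKey_signed_csr}=    Get Public Key    ${test_cert_file}    False

    # The signed certificate must carry the same subject and the same public key as the CSR.
    Should be equal as strings    ${subject_signed_csr}    ${subject_csr}
    Should be equal as strings    ${pubKey_signed_csr}    ${pubKey_csr}


Suite Setup Execution
    [Documentation]    Suite setup execution.

    # Clear CSR, key and certificate files left by an earlier run. The patterns are relative,
    # so any other *.csr / *.key / *.cert file in the working directory is removed as well.
    Remove Files    *.csr    *.key    *.cert
    # Create different user accounts.
    Redfish.Login
    Redfish Power On
    Create Users With Different Roles    users=${USERS}    force=${True}


Suite Teardown Execution
    [Documentation]    Suite teardown execution.

    # Remove the generated CSR, private key and certificate files. The patterns are relative,
    # so any other *.csr / *.key / *.cert file in the working directory is removed as well.
    Remove Files    *.csr    *.key    *.cert
    Delete BMC Users Via Redfish    users=${USERS}
    Delete All Sessions
    Redfish.Logout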