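*** Settings ***

Documentation     VMI certificate exchange tests.
...               Covers the role-based access matrix for the SignCSR action and the root
...               certificate endpoint, their behaviour with the host off and after a BMC
...               reboot, malformed CSR handling, and concurrent requests.

Library           ../../lib/jobs_processing.py
Resource          ../../lib/resource.robot
Resource          ../../lib/bmc_redfish_resource.robot
Resource          ../../lib/openbmc_ffdc.robot
Resource          ../../lib/bmc_redfish_utils.robot
Resource          ../../lib/utils.robot

Suite Setup       Suite Setup Execution
Test Teardown     FFDC On Test Case Fail
Suite Teardown    Suite Teardown Execution


*** Variables ***

# Throwaway accounts: created in "Suite Setup Execution" and deleted again in
# "Suite Teardown Execution". The literal user names and password used in the test
# tables below must stay in sync with these entries.
# users            User Name                 password
@{ADMIN}           admin_user                TestPwd123
@{OPERATOR}        operator_user             TestPwd123
@{ReadOnly}        readonly_user             TestPwd123
@{NoAccess}        noaccess_user             TestPwd123
&{USERS}           Administrator=${ADMIN}    Operator=${OPERATOR}    ReadOnly=${ReadOnly}
...                NoAccess=${NoAccess}
${VMI_BASE_URI}    /ibm/v1/


*** Test Cases ***

Get CSR Request Signed By VMI And Verify
    [Documentation]  Get CSR request signed by VMI using different user roles and verify.
    [Tags]  Get_CSR_Request_Signed_By_VMI_And_Verify
    [Setup]  Redfish Power On
    [Template]  Get Certificate Signed By VMI

    # Only the admin row expects a signed certificate; every other role must be refused.
    # username           password             force_create  valid_csr  valid_status_code
    ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}  ${True}       ${True}    ${HTTP_OK}

    # Send CSR request from operator user.
    operator_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}

    # Send CSR request from ReadOnly user.
    readonly_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}

    # Send CSR request from NoAccess user.
    noaccess_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}


Get Root Certificate Using Different Privilege Users Roles
    [Documentation]  Get root certificate using different users.
    [Tags]  Get_Root_Certificate_Using_Different_Users
    [Setup]  Redfish Power On
    [Template]  Get Root Certificate

    # username           password             force_create  valid_csr  valid_status_code
    # Request root certificate from admin user.
    admin_user           TestPwd123           ${True}       ${True}    ${HTTP_OK}

    # Request root certificate from operator user.
    operator_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}

    # Request root certificate from ReadOnly user.
    readonly_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}

    # Request root certificate from NoAccess user.
    noaccess_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}


Send CSR Request When VMI Is Off And Verify
    [Documentation]  Send CSR signing request to VMI when it is off and expect an error.
    [Tags]  Get_CSR_Request_When_VMI_Is_Off_And_verify
    [Setup]  Redfish Power Off
    [Template]  Get Certificate Signed By VMI

    # With the host off the admin request is expected to fail with a server error, while
    # the non-admin rows still expect 403 rather than 500.
    # username           password             force_create  valid_csr  valid_status_code
    ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}  ${True}       ${True}    ${HTTP_INTERNAL_SERVER_ERROR}

    # Send CSR request from operator user.
    operator_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}

    # Send CSR request from ReadOnly user.
    readonly_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}

    # Send CSR request from NoAccess user.
    noaccess_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}


Get Corrupted CSR Request Signed By VMI And Verify
    [Documentation]  Send corrupted CSR for signing and expect an error.
    [Tags]  Get_Corrupted_CSR_Request_Signed_By_VMI_And_Verify
    [Setup]  Redfish Power On
    [Template]  Get Certificate Signed By VMI

    # A malformed CSR from the admin must be rejected; non-admin roles are refused with 403.
    # username           password             force_create  valid_csr  valid_status_code
    ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}  ${True}       ${False}   ${HTTP_INTERNAL_SERVER_ERROR}

    # Send CSR request from operator user.
    operator_user        TestPwd123           ${False}      ${False}   ${HTTP_FORBIDDEN}

    # Send CSR request from ReadOnly user.
    readonly_user        TestPwd123           ${False}      ${False}   ${HTTP_FORBIDDEN}

    # Send CSR request from NoAccess user.
    noaccess_user        TestPwd123           ${False}      ${False}   ${HTTP_FORBIDDEN}


Get Root Certificate When VMI Is Off And Verify
    [Documentation]  Get root certificate when vmi is off and verify.
    [Tags]  Get_Root_Certificate_When_VMI_Is_Off_And_Verify
    [Setup]  Redfish Power Off
    [Template]  Get Root Certificate

    # username           password             force_create  valid_csr  valid_status_code
    ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}  ${True}       ${True}    ${HTTP_OK}

    # Request root certificate from operator user.
    operator_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}

    # Request root certificate from ReadOnly user.
    readonly_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}

    # Request root certificate from NoAccess user.
    noaccess_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}


Get Root Certificate After BMC Reboot And Verify
    [Documentation]  Get root certificate after bmc reboot and verify.
    [Tags]  Get_Root_Certificate_After_BMC_Reboot_And_Verify
    [Setup]  Run Keywords  OBMC Reboot (off)  AND  Redfish Power On
    [Template]  Get Root Certificate

    # username           password             force_create  valid_csr  valid_status_code
    ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}  ${True}       ${True}    ${HTTP_OK}

    # Request root certificate from operator user.
    operator_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}

    # Request root certificate from ReadOnly user.
    readonly_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}

    # Request root certificate from NoAccess user.
    noaccess_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}


Get Concurrent Root Certificate Requests From Multiple Admin Users
    [Documentation]  Get multiple concurrent root certificate requests from multiple admins
    ...  and verify no errors.
    [Tags]  Get_Concurrent_Root_Certificate_Requests_From_Multiple_Admin_Users

    # NOTE(review): in this and the following concurrent tests each continuation row is
    # written as ONE cell (keyword name plus its ${5} arguments joined by single spaces),
    # so ${True} and ${HTTP_OK} would reach the keyword as strings. Confirm this matches
    # how Execute Process Multi Keyword in lib/jobs_processing.py parses its arguments.
    FOR  ${i}  IN RANGE  ${5}
        ${dict}=  Execute Process Multi Keyword  ${5}
        ...  Get Root Certificate ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...  Get Root Certificate ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...  Get Root Certificate ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        Dictionary Should Not Contain Value  ${dict}  False
        ...  msg=One or more operations has failed.
    END


Get Concurrent CSR Requests From Multiple Admin Users
    [Documentation]  Get multiple concurrent csr requests from multiple admins and verify no errors.
    [Tags]  Get_Concurrent_CSR_Requests_From_Multiple_Admin_Users

    FOR  ${i}  IN RANGE  ${5}
        ${dict}=  Execute Process Multi Keyword  ${5}
        ...  Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...  Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...  Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...  Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        Dictionary Should Not Contain Value  ${dict}  False
        ...  msg=One or more operations has failed.
    END


Get Concurrent Corrupted CSR Requests From Multiple Admin Users
    [Documentation]  Get multiple concurrent corrupted csr requests from multiple admins and verify no errors.
    [Tags]  Get_Concurrent_Corrupted_CSR_Requests_From_Multiple_Admin_Users

    FOR  ${i}  IN RANGE  ${5}
        ${dict}=  Execute Process Multi Keyword  ${5}
        ...  Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${False} ${HTTP_INTERNAL_SERVER_ERROR}
        ...  Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${False} ${HTTP_INTERNAL_SERVER_ERROR}
        ...  Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${False} ${HTTP_INTERNAL_SERVER_ERROR}
        Dictionary Should Not Contain Value  ${dict}  False
        ...  msg=One or more operations has failed.
    END


Get Concurrent Root Certificate Request From Operator Users
    [Documentation]  Get multiple concurrent root certificate from non admin users and verify no errors.
    [Tags]  Get_Concurrent_Root_Certificate_Request_From_Operator_Users

    FOR  ${i}  IN RANGE  ${5}
        ${dict}=  Execute Process Multi Keyword  ${5}
        ...  Get Root Certificate operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        ...  Get Root Certificate operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        ...  Get Root Certificate operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        Dictionary Should Not Contain Value  ${dict}  False
        ...  msg=One or more operations has failed.
    END


Get Concurrent Root Certificate Request From Admin And Non Admin Users
    [Documentation]  Get multiple concurrent root certificate from admin and non admin users
    ...  and verify no errors.
    [Tags]  Get_Concurrent_Root_Certificate_Request_From_Admin_And_Non_Admin_Users

    # Mixed roles in flight together: the admin request must succeed while the parallel
    # non-admin requests are still refused.
    FOR  ${i}  IN RANGE  ${5}
        ${dict}=  Execute Process Multi Keyword  ${5}
        ...  Get Root Certificate ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
        ...  Get Root Certificate operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        ...  Get Root Certificate readonly_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        Dictionary Should Not Contain Value  ${dict}  False
        ...  msg=One or more operations has failed.
    END


Get Concurrent Root Certificate Request From Different Non Admin Users
    [Documentation]  Get multiple concurrent root certificate from different non admin users
    ...  and verify no errors.
    [Tags]  Get_Concurrent_Root_Certificate_Request_From_Different_Non_Admin_Users

    FOR  ${i}  IN RANGE  ${5}
        ${dict}=  Execute Process Multi Keyword  ${5}
        ...  Get Root Certificate operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        ...  Get Root Certificate readonly_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        ...  Get Root Certificate noaccess_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        Dictionary Should Not Contain Value  ${dict}  False
        ...  msg=One or more operations has failed.
    END


Get Concurrent CSR Request From Operator Users
    [Documentation]  Get multiple concurrent csr request from non admin users and verify no errors.
    [Tags]  Get_Concurrent_CSR_Request_From_Operator_Users

    FOR  ${i}  IN RANGE  ${5}
        ${dict}=  Execute Process Multi Keyword  ${5}
        ...  Get Certificate Signed By VMI operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        ...  Get Certificate Signed By VMI operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        ...  Get Certificate Signed By VMI operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN}
        Dictionary Should Not Contain Value  ${dict}  False
        ...  msg=One or more operations has failed.
    END


*** Keywords ***

Generate CSR String
    [Documentation]  Create a new RSA key pair and a CSR with openssl and return the CSR text.
    ...  Sets the test variables CSR_FILE and CSR_KEY to the generated file names.

    # File names are prefixed with the generation time; both files land in the current
    # working directory.
    ${csr_gen_time} =  Get Current Date Time
    ${CSR_FILE}=  Catenate  SEPARATOR=_  ${csr_gen_time}  csr_server.csr
    ${CSR_KEY}=  Catenate  SEPARATOR=_  ${csr_gen_time}  csr_server.key
    Set Test Variable  ${CSR_FILE}
    Set Test Variable  ${CSR_KEY}

    # -nodes leaves the private key unencrypted on disk. It is a throwaway test key and
    # is removed by the "Remove Files  *.key" step in suite setup and teardown.
    ${ssl_cmd}=  Set Variable  openssl req -new -newkey rsa:2048 -nodes -keyout ${CSR_KEY} -out ${CSR_FILE}
    ${ssl_sub}=  Set Variable
    ...  -subj "/C=XY/ST=Abcd/L=Efgh/O=ABC/OU=Systems/CN=abc.com/emailAddress=xyz@xx.ABC.com"

    # Run openssl command to create a new private key and use that to generate a CSR string
    # in the CSR file. The command output is not checked; a failed run surfaces when the
    # CSR file cannot be read below.
    ${output}=  Run  ${ssl_cmd} ${ssl_sub}
    ${csr}=  OperatingSystem.Get File  ${CSR_FILE}

    [Return]  ${csr}


Send CSR To VMI And Get Signed
    [Documentation]  Post a CSR to the VMI SignCSR action and return the raw response.
    [Arguments]  ${csr}  ${force_create}  ${username}  ${password}

    # Description of argument(s):
    # csr                    Certificate request from client to VMI.
    # force_create           Create a new REST session if True.
    # username               Username to create a REST session.
    # password               Password to create a REST session.

    # NOTE(review): a session is (re)created when a token already exists OR force_create
    # is True. The 403 expectations in the role tables only prove anything if the request
    # below carries a token that belongs to ${username}; confirm that Initialize OpenBMC
    # replaces ${XAUTH_TOKEN} and that the token is never empty when this is skipped.
    Run Keyword If  "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
    ...  Initialize OpenBMC  rest_username=${username}  rest_password=${password}

    ${data}=  Create Dictionary
    ${headers}=  Create Dictionary  X-Auth-Token=${XAUTH_TOKEN}
    ...  Content-Type=application/json

    ${cert_uri}=  Set Variable  ${VMI_BASE_URI}Host/Actions/SignCSR

    # For SignCSR request, we need to pass CSR string generated by openssl command.
    ${csr_data}=  Create Dictionary  CsrString  ${csr}
    Set To Dictionary  ${data}  data  ${csr_data}

    ${resp}=  Post Request  openbmc  ${cert_uri}  &{data}  headers=${headers}
    Log to console  ${resp.content}

    [Return]  ${resp}


Get Root Certificate
    [Documentation]  Get root certificate from VMI.
    [Arguments]  ${username}=${OPENBMC_USERNAME}  ${password}=${OPENBMC_PASSWORD}
    ...  ${force_create}=${False}  ${valid_csr}=${True}  ${valid_status_code}=${HTTP_OK}

    # Description of argument(s):
    # username               Username to create a REST session.
    # password               Password to create a REST session.
    # force_create           Create a new REST session if True.
    # valid_csr              Not used for the root certificate; accepted so that this
    #                        keyword takes the same table columns as
    #                        "Get Certificate Signed By VMI".
    # valid_status_code      Expected status code from REST request.

    # NOTE(review): same session condition as in "Send CSR To VMI And Get Signed"; the
    # negative role checks rely on the token below belonging to ${username}.
    Run Keyword If  "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
    ...  Initialize OpenBMC  rest_username=${username}  rest_password=${password}

    ${data}=  Create Dictionary
    ${headers}=  Create Dictionary  X-Auth-Token=${XAUTH_TOKEN}
    ...  Content-Type=application/json

    ${cert_uri}=  Set Variable  ${VMI_BASE_URI}Host/Certificate/root

    ${resp}=  Get Request  openbmc  ${cert_uri}  &{data}  headers=${headers}

    Should Be Equal As Strings  ${resp.status_code}  ${valid_status_code}
    # Nothing more to verify for an expected refusal or error.
    Return From Keyword If  ${resp.status_code} != ${HTTP_OK}

    # Parse the body through the $resp object rather than pasting ${resp.text} into the
    # expression: Evaluate runs its argument as Python, so text received from the BMC
    # must not become part of the source that is evaluated.
    ${cert}=  Evaluate  json.loads($resp.text, strict=False)  json
    Should Contain  ${cert["Certificate"]}  BEGIN CERTIFICATE
    Should Contain  ${cert["Certificate"]}  END CERTIFICATE


Get Subject
    [Documentation]  Return the "Subject:" line of a CSR or certificate file as printed by openssl.
    [Arguments]  ${file_name}  ${is_csr_file}

    # Description of argument(s):
    # file_name          Name of CSR or signed CERT file.
    # is_csr_file        A True value means a CSR while a False is for signed CERT file.

    # file_name is placed into a shell command line unquoted; callers in this suite only
    # pass file names generated by the suite itself.
    ${subject}=  Run Keyword If  ${is_csr_file}  Run  openssl req -in ${file_name} -text -noout | grep Subject:
    ...  ELSE  Run  openssl x509 -in ${file_name} -text -noout | grep Subject:

    [Return]  ${subject}


Get Public Key
    [Documentation]  Return the PEM public key of a CSR or certificate file as printed by openssl.
    [Arguments]  ${file_name}  ${is_csr_file}

    # Description of argument(s):
    # file_name          Name of CSR or CERT file.
    # is_csr_file        A True value means a CSR while a False is for signed CERT file.

    ${PublicKey}=  Run Keyword If  ${is_csr_file}  Run  openssl req -in ${file_name} -noout -pubkey
    ...  ELSE  Run  openssl x509 -in ${file_name} -noout -pubkey

    [Return]  ${PublicKey}


Get Certificate Signed By VMI
    [Documentation]  Get signed certificate from VMI and check that it matches the CSR that was sent.
    [Arguments]  ${username}=${OPENBMC_USERNAME}  ${password}=${OPENBMC_PASSWORD}
    ...  ${force_create}=${False}  ${valid_csr}=${True}  ${valid_status_code}=${HTTP_OK}

    # Description of argument(s):
    # username               Username to create a REST session.
    # password               Password to create a REST session.
    # force_create           Create a new REST session if True.
    # valid_csr              Uses valid CSR string in the REST request if True,
    #                        otherwise a deliberately corrupted copy of it.
    # valid_status_code      Expected status code from REST request.

    Set Test Variable  ${CSR}  CSR
    Set Test Variable  ${CORRUPTED_CSR}  CORRUPTED_CSR

    ${CSR}=  Generate CSR String
    # Build the corrupted variant by splitting at the last "==" and joining the two
    # parts with \N in place of the removed "==".
    # NOTE(review): the two-variable assignment assumes the CSR text contains "==";
    # confirm that holds for every generated request.
    ${csr_left}  ${csr_right}=  Split String From Right  ${CSR}  ==  1
    ${CORRUPTED_CSR}=  Catenate  SEPARATOR=  ${csr_left}  \N  ${csr_right}

    # For SignCSR request, we need to pass CSR string generated by openssl command
    ${csr_str}=  Set Variable If  ${valid_csr} == ${True}  ${CSR}  ${CORRUPTED_CSR}

    ${resp}=  Send CSR To VMI And Get Signed  ${csr_str}  ${force_create}  ${username}  ${password}

    Should Be Equal As Strings  ${resp.status_code}  ${valid_status_code}
    # Nothing more to verify for an expected refusal or error.
    Return From Keyword If  ${resp.status_code} != ${HTTP_OK}

    # Parse the body through the $resp object rather than pasting ${resp.text} into the
    # expression: Evaluate runs its argument as Python, so text received from the BMC
    # must not become part of the source that is evaluated.
    ${cert}=  Evaluate  json.loads($resp.text, strict=False)  json
    Should Contain  ${cert["Certificate"]}  BEGIN CERTIFICATE
    Should Contain  ${cert["Certificate"]}  END CERTIFICATE

    # Now do subject and public key verification
    ${subject_csr}=  Get Subject  ${CSR_FILE}  True
    ${pubKey_csr}=  Get Public Key  ${CSR_FILE}  True

    # create a crt file with certificate string
    ${signed_cert}=  Set Variable  ${cert["Certificate"]}
    ${testcert_gen_time} =  Get Current Date Time
    ${test_cert_file}=  Catenate  SEPARATOR=_  ${testcert_gen_time}  test_certificate.cert

    Create File  ${test_cert_file}  ${signed_cert}
    ${subject_signed_csr}=  Get Subject  ${test_cert_file}  False
    ${pubKey_signed_csr}=  Get Public Key  ${test_cert_file}  False

    # The returned certificate must carry the subject and public key that were requested.
    # NOTE(review): this does not check who signed the certificate; verifying it against
    # the certificate returned by "Get Root Certificate" would close that gap.
    Should be equal as strings  ${subject_signed_csr}  ${subject_csr}
    Should be equal as strings  ${pubKey_signed_csr}  ${pubKey_csr}


Suite Setup Execution
    [Documentation]  Suite setup execution.

    # Clear CSR, private key and certificate files left behind by an earlier run.
    Remove Files  *.csr  *.key  *.cert
    # Create different user accounts.
    Redfish.Login
    Redfish Power On
    Create Users With Different Roles  users=${USERS}  force=${True}


Suite Teardown Execution
    [Documentation]  Suite teardown execution.

    # Remove the generated key material and the test accounts so that neither outlives
    # the suite.
    Remove Files  *.csr  *.key  *.cert
    Delete BMC Users Via Redfish  users=${USERS}
    Delete All Sessions
    Redfish.Logout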