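*** Settings ***

Documentation    VMI certificate exchange tests.
...              Checks that only the expected roles can have a CSR signed or read the
...              root certificate, and that a signed certificate carries the same
...              subject and public key as the CSR that was submitted.

Resource    ../../lib/resource.robot
Resource    ../../lib/bmc_redfish_resource.robot
Resource    ../../lib/openbmc_ffdc.robot
Resource    ../../lib/bmc_redfish_utils.robot
Resource    ../../lib/utils.robot

Suite Setup       Suite Setup Execution
Test Teardown     FFDC On Test Case Fail
Suite Teardown    Suite Teardown Execution


*** Variables ***

# Test-only accounts: created in suite setup and deleted again in suite teardown.
# users            User Name        password
@{ADMIN}           admin_user       TestPwd123
@{OPERATOR}        operator_user    TestPwd123
@{ReadOnly}        readonly_user    TestPwd123
@{NoAccess}        noaccess_user    TestPwd123
&{USERS}           Administrator=${ADMIN}    Operator=${OPERATOR}    ReadOnly=${ReadOnly}
...                NoAccess=${NoAccess}
${VMI_BASE_URI}    /ibm/v1/
${CSR_FILE}        csr_server.csr
${CSR_KEY}         csr_server.key


*** Test Cases ***

Get CSR Request Signed By VMI And Verify
    [Documentation]    Get CSR request signed by VMI using different user roles and verify.
    [Tags]    Get_CSR_Request_Signed_By_VMI_And_Verify
    [Setup]    Redfish Power On
    [Template]    Get Certificate Signed By VMI

    # username            password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_OK}

    # Send CSR request from operator user.
    operator_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Get Root Certificate Using Different Privilege Users Roles
    [Documentation]    Get root certificate using different users.
    [Tags]    Get_Root_Certificate_Using_Different_Users
    [Setup]    Redfish Power On
    [Template]    Get Root Certificate

    # username       password      force_create    valid_csr    valid_status_code
    # Request root certificate from admin user.
    admin_user        TestPwd123    ${True}         ${True}      ${HTTP_OK}

    # Request root certificate from operator user.
    operator_user     TestPwd123    ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from ReadOnly user.
    readonly_user     TestPwd123    ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from NoAccess user.
    noaccess_user     TestPwd123    ${False}        ${True}      ${HTTP_FORBIDDEN}


Send CSR Request When VMI Is Off And Verify
    [Documentation]    Send CSR signing request to VMI when it is off and expect an error.
    [Tags]    Get_CSR_Request_When_VMI_Is_Off_And_verify
    [Setup]    Redfish Power Off
    [Template]    Get Certificate Signed By VMI

    # NOTE(review): the operator, ReadOnly and NoAccess rows expect 500 here, while the
    # powered-on tests expect 403 for the same roles. That suggests the host-state error is
    # returned before the privilege check - confirm this ordering is intended.

    # username            password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_INTERNAL_SERVER_ERROR}

    # Send CSR request from operator user.
    operator_user          TestPwd123             ${False}        ${True}      ${HTTP_INTERNAL_SERVER_ERROR}

    # Send CSR request from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${True}      ${HTTP_INTERNAL_SERVER_ERROR}

    # Send CSR request from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${True}      ${HTTP_INTERNAL_SERVER_ERROR}


Get Corrupted CSR Request Signed By VMI And Verify
    [Documentation]    Send corrupted CSR for signing and expect an error.
    [Tags]    Get_Corrupted_CSR_Request_Signed_By_VMI_And_Verify
    [Setup]    Redfish Power On
    [Template]    Get Certificate Signed By VMI

    # Only the admin row reaches CSR parsing (500); the other roles are rejected with 403.

    # username            password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}    ${True}         ${False}     ${HTTP_INTERNAL_SERVER_ERROR}

    # Send CSR request from operator user.
    operator_user          TestPwd123             ${False}        ${False}     ${HTTP_FORBIDDEN}

    # Send CSR request from ReadOnly user.
    readonly_user          TestPwd123             ${False}        ${False}     ${HTTP_FORBIDDEN}

    # Send CSR request from NoAccess user.
    noaccess_user          TestPwd123             ${False}        ${False}     ${HTTP_FORBIDDEN}


*** Keywords ***

Generate CSR String
    [Documentation]    Create a new RSA-2048 key pair and CSR with openssl and return the
    ...                CSR text read back from ${CSR_FILE}.

    # -nodes writes the private key unencrypted to ${CSR_KEY} in the working directory.
    # It is a throwaway test key; suite teardown removes it.
    ${ssl_cmd}=    Set Variable    openssl req -new -newkey rsa:2048 -nodes -keyout ${CSR_KEY} -out ${CSR_FILE}
    ${ssl_sub}=    Set Variable
    ...    -subj "/C=XY/ST=Abcd/L=Efgh/O=ABC/OU=Systems/CN=abc.com/emailAddress=xyz@xx.ABC.com"

    # Check the exit status: without it a failed openssl run could go unnoticed and a CSR
    # file left over from an earlier run would be read instead.
    ${rc}    ${output}=    Run And Return Rc And Output    ${ssl_cmd} ${ssl_sub}
    Should Be Equal As Integers    ${rc}    0    msg=openssl CSR generation failed: ${output}
    ${csr}=    OperatingSystem.Get File    ${CSR_FILE}

    [Return]    ${csr}


Send CSR To VMI And Get Signed
    [Documentation]    POST the CSR to the VMI SignCSR action and return the raw response.
    ...                The caller is responsible for checking the status code.
    [Arguments]    ${csr}    ${force_create}    ${username}    ${password}

    # Description of argument(s):
    # csr             Certificate request from client to VMI.
    # force_create    Create a new REST session if True.
    # username        Username to create a REST session.
    # password        Password to create a REST session.

    # The session is (re)initialised with the given credentials when force_create is True
    # or when an X-Auth token is already set, so the request below carries this user's token.
    Run Keyword If    "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
    ...    Initialize OpenBMC    rest_username=${username}    rest_password=${password}

    ${data}=    Create Dictionary
    ${headers}=    Create Dictionary    X-Auth-Token=${XAUTH_TOKEN}
    ...    Content-Type=application/json

    ${cert_uri}=    Set Variable    ${VMI_BASE_URI}Host/Actions/SignCSR

    # For SignCSR request, we need to pass CSR string generated by openssl command.
    ${csr_data}=    Create Dictionary    CsrString    ${csr}
    Set To Dictionary    ${data}    data    ${csr_data}

    ${resp}=    Post Request    openbmc    ${cert_uri}    &{data}    headers=${headers}

    [Return]    ${resp}


Get Root Certificate
    [Documentation]    Get root certificate from VMI and check the status code; on HTTP_OK
    ...                also check that the body contains a PEM certificate.
    [Arguments]    ${username}=${OPENBMC_USERNAME}    ${password}=${OPENBMC_PASSWORD}
    ...    ${force_create}=${False}    ${valid_csr}=${True}    ${valid_status_code}=${HTTP_OK}

    # Description of argument(s):
    # username             Username to create a REST session.
    # password             Password to create a REST session.
    # force_create         Create a new REST session if True.
    # valid_csr            Uses valid CSR string in the REST request if True.
    #                      This is not applicable for root certificate.
    # valid_status_code    Expected status code from REST request.

    # The session is (re)initialised with the given credentials when force_create is True
    # or when an X-Auth token is already set, so the request below carries this user's token.
    Run Keyword If    "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
    ...    Initialize OpenBMC    rest_username=${username}    rest_password=${password}

    ${data}=    Create Dictionary
    ${headers}=    Create Dictionary    X-Auth-Token=${XAUTH_TOKEN}
    ...    Content-Type=application/json

    ${cert_uri}=    Set Variable    ${VMI_BASE_URI}Host/Certificate/root

    ${resp}=    Get Request    openbmc    ${cert_uri}    &{data}    headers=${headers}

    Should Be Equal As Strings    ${resp.status_code}    ${valid_status_code}
    Return From Keyword If    ${resp.status_code} != ${HTTP_OK}

    # $resp.text hands the body to json.loads as a value. Substituting ${resp.text} into the
    # expression would make the response body part of the Python source that Evaluate runs.
    ${cert}=    Evaluate    json.loads($resp.text, strict=False)    json
    Should Contain    ${cert["Certificate"]}    BEGIN CERTIFICATE
    Should Contain    ${cert["Certificate"]}    END CERTIFICATE


Get Subject
    [Documentation]    Return the "Subject:" line(s) openssl prints for a CSR or certificate file.
    [Arguments]    ${file_name}    ${is_csr_file}

    # Description of argument(s):
    # file_name      Name of CSR or signed CERT file.
    # is_csr_file    A True value means a CSR while a False is for signed CERT file.

    # file_name is placed into a shell command line unquoted; callers in this suite pass
    # fixed file names only.
    ${subject}=    Run Keyword If    ${is_csr_file}    Run    openssl req -in ${file_name} -text -noout | grep Subject:
    ...    ELSE    Run    openssl x509 -in ${file_name} -text -noout | grep Subject:

    [Return]    ${subject}


Get Public Key
    [Documentation]    Return the PEM public key openssl extracts from a CSR or certificate file.
    [Arguments]    ${file_name}    ${is_csr_file}

    # Description of argument(s):
    # file_name      Name of CSR or CERT file.
    # is_csr_file    A True value means a CSR while a False is for signed CERT file.

    # file_name is placed into a shell command line unquoted; callers in this suite pass
    # fixed file names only.
    ${PublicKey}=    Run Keyword If    ${is_csr_file}    Run    openssl req -in ${file_name} -noout -pubkey
    ...    ELSE    Run    openssl x509 -in ${file_name} -noout -pubkey

    [Return]    ${PublicKey}


Get Certificate Signed By VMI
    [Documentation]    Submit a valid or deliberately corrupted CSR to VMI, check the status
    ...                code and, on HTTP_OK, verify that the signed certificate has the same
    ...                subject and public key as the CSR.
    [Arguments]    ${username}=${OPENBMC_USERNAME}    ${password}=${OPENBMC_PASSWORD}
    ...    ${force_create}=${False}    ${valid_csr}=${True}    ${valid_status_code}=${HTTP_OK}

    # Description of argument(s):
    # username             Username to create a REST session.
    # password             Password to create a REST session.
    # force_create         Create a new REST session if True.
    # valid_csr            Uses valid CSR string in the REST request if True.
    # valid_status_code    Expected status code from REST request.

    # Test-scope placeholders; the assignments below supply the values actually used.
    Set Test Variable    ${CSR}    CSR
    Set Test Variable    ${CORRUPTED_CSR}    CORRUPTED_CSR

    ${CSR}=    Generate CSR String

    # Build the corrupted variant by cutting the CSR at its last "==" and joining the two
    # parts with \N in place of it. This needs the CSR text to contain "=="; otherwise the
    # two-variable assignment fails.
    ${csr_left}    ${csr_right}=    Split String From Right    ${CSR}    ==    1
    ${CORRUPTED_CSR}=    Catenate    SEPARATOR=    ${csr_left}    \N    ${csr_right}

    # For SignCSR request, we need to pass CSR string generated by openssl command
    ${csr_str}=    Set Variable If    ${valid_csr} == ${True}    ${CSR}    ${CORRUPTED_CSR}

    ${resp}=    Send CSR To VMI And Get Signed    ${csr_str}    ${force_create}    ${username}    ${password}

    Should Be Equal As Strings    ${resp.status_code}    ${valid_status_code}
    Return From Keyword If    ${resp.status_code} != ${HTTP_OK}

    # $resp.text hands the body to json.loads as a value. Substituting ${resp.text} into the
    # expression would make the response body part of the Python source that Evaluate runs.
    ${cert}=    Evaluate    json.loads($resp.text, strict=False)    json
    Should Contain    ${cert["Certificate"]}    BEGIN CERTIFICATE
    Should Contain    ${cert["Certificate"]}    END CERTIFICATE

    # Now do subject and public key verification
    ${subject_csr}=    Get Subject    ${CSR_FILE}    True
    ${pubKey_csr}=    Get Public Key    ${CSR_FILE}    True

    # create a crt file with certificate string
    ${signed_cert}=    Set Variable    ${cert["Certificate"]}

    Create File    test_certificate.crt    ${signed_cert}
    ${subject_signed_csr}=    Get Subject    test_certificate.crt    False
    ${pubKey_signed_csr}=    Get Public Key    test_certificate.crt    False

    # The signer must not alter the identity or the key it was asked to certify.
    Should Be Equal As Strings    ${subject_signed_csr}    ${subject_csr}
    Should Be Equal As Strings    ${pubKey_signed_csr}    ${pubKey_csr}


Suite Setup Execution
    [Documentation]    Suite setup execution: log in and create one account per role.

    # Create different user accounts.
    Redfish.Login
    Create Users With Different Roles    users=${USERS}    force=${True}


Suite Teardown Execution
    [Documentation]    Suite teardown execution: delete the test accounts, close sessions
    ...                and remove the key material the suite wrote to disk.

    Delete BMC Users Via Redfish    users=${USERS}
    Delete All Sessions
    Redfish.Logout

    # Do not leave the unencrypted test private key or the generated files behind.
    Remove Files    ${CSR_FILE}    ${CSR_KEY}    test_certificate.crt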