1*** Settings ***
2
3Documentation    VMI certificate exchange tests.
4
5Resource         ../../lib/resource.robot
6Resource         ../../lib/bmc_redfish_resource.robot
7Resource         ../../lib/openbmc_ffdc.robot
8Resource         ../../lib/bmc_redfish_utils.robot
9Resource         ../../lib/utils.robot
10
11Suite Setup       Suite Setup Execution
12Test Teardown     FFDC On Test Case Fail
13Suite Teardown    Suite Teardown Execution
14
15
16*** Variables ***
17
18# users           User Name               password
19@{ADMIN}          admin_user              TestPwd123
20@{OPERATOR}       operator_user           TestPwd123
21@{ReadOnly}       readonly_user           TestPwd123
22@{NoAccess}       noaccess_user           TestPwd123
23&{USERS}          Administrator=${ADMIN}  Operator=${OPERATOR}  ReadOnly=${ReadOnly}
24...               NoAccess=${NoAccess}
25${VMI_BASE_URI}   /ibm/v1/
26${CSR_FILE}       csr_server.csr
27${CSR_KEY}        csr_server.key
28
29*** Test Cases ***
30
31Get CSR Request Signed By VMI And Verify
32    [Documentation]  Get CSR request signed by VMI using different user roles and verify.
33    [Tags]  Get_CSR_Request_Signed_By_VMI_And_Verify
34    [Setup]  Redfish Power On
35    [Template]  Get Certificate Signed By VMI
36
37    # username           password             force_create  valid_csr  valid_status_code
38    ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}  ${True}       ${True}    ${HTTP_OK}
39
40    # Send CSR request from operator user.
41    operator_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}
42
43    # Send CSR request from ReadOnly user.
44    readonly_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}
45
46    # Send CSR request from NoAccess user.
47    noaccess_user        TestPwd123           ${False}      ${True}    ${HTTP_FORBIDDEN}
48
49
50Get Root Certificate Using Different Privilege Users Roles
51    [Documentation]  Get root certificate using different users.
52    [Tags]  Get_Root_Certificate_Using_Different_Users
53    [Setup]  Redfish Power On
54    [Template]  Get Root Certificate
55
56    # username     password    force_create  valid_csr  valid_status_code
57    # Request root certificate from admin user.
58    admin_user     TestPwd123  ${True}       ${True}    ${HTTP_OK}
59
60    # Request root certificate from operator user.
61    operator_user  TestPwd123  ${False}      ${True}    ${HTTP_FORBIDDEN}
62
63    # Request root certificate from ReadOnly user.
64    readonly_user  TestPwd123  ${False}      ${True}    ${HTTP_FORBIDDEN}
65
66    # Request root certificate from NoAccess user.
67    noaccess_user  TestPwd123  ${False}      ${True}    ${HTTP_FORBIDDEN}
68
69
70Send CSR Request When VMI Is Off And Verify
71    [Documentation]  Send CSR signing request to VMI when it is off and expect an error.
72    [Tags]  Get_CSR_Request_When_VMI_Is_Off_And_verify
73    [Setup]  Redfish Power Off
74    [Template]  Get Certificate Signed By VMI
75
76    # username           password             force_create  valid_csr  valid_status_code
77    ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}  ${True}       ${True}    ${HTTP_INTERNAL_SERVER_ERROR}
78
79    # Send CSR request from operator user.
80    operator_user        TestPwd123           ${False}      ${True}    ${HTTP_INTERNAL_SERVER_ERROR}
81
82    # Send CSR request from ReadOnly user.
83    readonly_user        TestPwd123           ${False}      ${True}    ${HTTP_INTERNAL_SERVER_ERROR}
84
85    # Send CSR request from NoAccess user.
86    noaccess_user        TestPwd123           ${False}      ${True}    ${HTTP_INTERNAL_SERVER_ERROR}
87
88Get Corrupted CSR Request Signed By VMI And Verify
89    [Documentation]  Send corrupted CSR for signing and expect an error.
90    [Tags]  Get_Corrupted_CSR_Request_Signed_By_VMI_And_Verify
91    [Setup]  Redfish Power On
92    [Template]  Get Certificate Signed By VMI
93
94    # username           password             force_create  valid_csr   valid_status_code
95    ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}  ${True}       ${False}    ${HTTP_INTERNAL_SERVER_ERROR}
96
97    # Send CSR request from operator user.
98    operator_user        TestPwd123           ${False}      ${False}    ${HTTP_FORBIDDEN}
99
100    # Send CSR request from ReadOnly user.
101    readonly_user        TestPwd123           ${False}      ${False}    ${HTTP_FORBIDDEN}
102
103    # Send CSR request from NoAccess user.
104    noaccess_user        TestPwd123           ${False}      ${False}    ${HTTP_FORBIDDEN}
105
106
107
108*** Keywords ***
109
110Generate CSR String
111    [Documentation]  Generate a csr string.
112
113    # Note: Generates and returns csr string.
114    ${ssl_cmd}=  Set Variable  openssl req -new -newkey rsa:2048 -nodes -keyout ${CSR_KEY} -out ${CSR_FILE}
115    ${ssl_sub}=  Set Variable
116    ...  -subj "/C=XY/ST=Abcd/L=Efgh/O=ABC/OU=Systems/CN=abc.com/emailAddress=xyz@xx.ABC.com"
117
118    # Run openssl command to create a new private key and use that to generate a CSR string
119    # in server.csr file.
120    ${output}=  Run  ${ssl_cmd} ${ssl_sub}
121    ${csr}=  OperatingSystem.Get File  ${CSR_FILE}
122
123    [Return]  ${csr}
124
125
126Send CSR To VMI And Get Signed
127    [Arguments]  ${csr}  ${force_create}  ${username}  ${password}
128
129    # Description of argument(s):
130    # csr                    Certificate request from client to VMI.
131    # force_create           Create a new REST session if True.
132    # username               Username to create a REST session.
133    # password               Password to create a REST session.
134
135    Run Keyword If  "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
136    ...  Initialize OpenBMC  rest_username=${username}  rest_password=${password}
137
138    ${data}=  Create Dictionary
139    ${headers}=  Create Dictionary  X-Auth-Token=${XAUTH_TOKEN}
140    ...  Content-Type=application/json
141
142    ${cert_uri}=  Set Variable  ${VMI_BASE_URI}Host/Actions/SignCSR
143
144    # For SignCSR request, we need to pass CSR string generated by openssl command.
145    ${csr_data}=  Create Dictionary  CsrString  ${csr}
146    Set To Dictionary  ${data}  data  ${csr_data}
147
148    ${resp}=  Post Request  openbmc  ${cert_uri}  &{data}  headers=${headers}
149
150    [Return]  ${resp}
151
152
153Get Root Certificate
154    [Documentation]  Get root certificate from VMI.
155    [Arguments]  ${username}=${OPENBMC_USERNAME}  ${password}=${OPENBMC_PASSWORD}
156    ...  ${force_create}=${False}  ${valid_csr}=${True}  ${valid_status_code}=${HTTP_OK}
157
158    # Description of argument(s):
159    # cert_type          Type of the certificate requesting. eg. root or SignCSR.
160    # username           Username to create a REST session.
161    # password           Password to create a REST session.
162    # force_create       Create a new REST session if True.
163    # valid_csr          Uses valid CSR string in the REST request if True.
164    #                    This is not applicable for root certificate.
165    # valid_status_code  Expected status code from REST request.
166
167    Run Keyword If  "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
168    ...  Initialize OpenBMC  rest_username=${username}  rest_password=${password}
169
170    ${data}=  Create Dictionary
171    ${headers}=  Create Dictionary  X-Auth-Token=${XAUTH_TOKEN}
172    ...  Content-Type=application/json
173
174    ${cert_uri}=  Set Variable  ${VMI_BASE_URI}Host/Certificate/root
175
176    ${resp}=  Get Request  openbmc  ${cert_uri}  &{data}  headers=${headers}
177
178    Should Be Equal As Strings  ${resp.status_code}  ${valid_status_code}
179    Return From Keyword If  ${resp.status_code} != ${HTTP_OK}
180
181    ${cert}=  Evaluate  json.loads('''${resp.text}''', strict=False)  json
182    Should Contain  ${cert["Certificate"]}  BEGIN CERTIFICATE
183    Should Contain  ${cert["Certificate"]}  END CERTIFICATE
184
185
186Get Subject
187    [Documentation]  Generate a csr string.
188    [Arguments]  ${file_name}  ${is_csr_file}
189
190    # Description of argument(s):
191    # file_name          Name of CSR or signed CERT file.
192    # is_csr_file        A True value means a CSR while a False is for signed CERT file.
193
194    ${subject}=  Run Keyword If  ${is_csr_file}  Run  openssl req -in ${file_name} -text -noout | grep Subject:
195    ...   ELSE  Run  openssl x509 -in ${file_name} -text -noout | grep Subject:
196
197    [Return]  ${subject}
198
199
200Get Public Key
201    [Documentation]  Generate a csr string.
202    [Arguments]  ${file_name}  ${is_csr_file}
203
204    # Description of argument(s):
205    # file_name          Name of CSR or CERT file.
206    # is_csr_file        A True value means a CSR while a False is for signed CERT file.
207
208    ${PublicKey}=  Run Keyword If  ${is_csr_file}  Run  openssl req -in ${file_name} -noout -pubkey
209    ...   ELSE  Run  openssl x509 -in ${file_name} -noout -pubkey
210
211    [Return]  ${PublicKey}
212
213
214Get Certificate Signed By VMI
215    [Documentation]  Get signed certificate from VMI.
216    [Arguments]  ${username}=${OPENBMC_USERNAME}  ${password}=${OPENBMC_PASSWORD}
217    ...  ${force_create}=${False}  ${valid_csr}=${True}  ${valid_status_code}=${HTTP_OK}
218
219    # Description of argument(s):
220    # cert_type          Type of the certificate requesting. eg. root or SignCSR.
221    # username           Username to create a REST session.
222    # password           Password to create a REST session.
223    # force_create       Create a new REST session if True.
224    # valid_csr          Uses valid CSR string in the REST request if True.
225    #                    This is not applicable for root certificate.
226    # valid_status_code  Expected status code from REST request.
227
228    Set Test Variable  ${CSR}  CSR
229    Set Test Variable  ${CORRUPTED_CSR}  CORRUPTED_CSR
230
231    ${CSR}=  Generate CSR String
232    ${csr_left}  ${csr_right}=  Split String From Right  ${CSR}  ==  1
233    ${CORRUPTED_CSR}=  Catenate  SEPARATOR=  ${csr_left}  \N  ${csr_right}
234
235    # For SignCSR request, we need to pass CSR string generated by openssl command
236    ${csr_str}=  Set Variable If  ${valid_csr} == ${True}  ${CSR}  ${CORRUPTED_CSR}
237
238    ${resp}=  Send CSR To VMI And Get Signed  ${csr_str}  ${force_create}  ${username}  ${password}
239
240    Should Be Equal As Strings  ${resp.status_code}  ${valid_status_code}
241    Return From Keyword If  ${resp.status_code} != ${HTTP_OK}
242
243    ${cert}=  Evaluate  json.loads('''${resp.text}''', strict=False)  json
244    Should Contain  ${cert["Certificate"]}  BEGIN CERTIFICATE
245    Should Contain  ${cert["Certificate"]}  END CERTIFICATE
246
247    # Now do subject and public key verification
248    ${subject_csr}=  Get Subject  ${CSR_FILE}  True
249    ${pubKey_csr}=  Get Public Key  ${CSR_FILE}  True
250
251    # create a crt file with certificate string
252    ${signed_cert}=  Set Variable  ${cert["Certificate"]}
253
254    Create File  test_certificate.crt  ${signed_cert}
255    ${subject_signed_csr}=  Get Subject  test_certificate.crt  False
256    ${pubKey_signed_csr}=  Get Public Key  test_certificate.crt  False
257
258    Should be equal as strings    ${subject_signed_csr}    ${subject_csr}
259    Should be equal as strings    ${pubKey_signed_csr}     ${pubKey_csr}
260
261
262Suite Setup Execution
263    [Documentation]  Suite setup execution.
264
265    # Create different user accounts.
266    Redfish.Login
267    Create Users With Different Roles  users=${USERS}  force=${True}
268
269
270Suite Teardown Execution
271    [Documentation]  Suite teardown execution.
272
273    Delete BMC Users Via Redfish  users=${USERS}
274    Delete All Sessions
275    Redfish.Logout
276