1*** Settings ***
2Documentation    Test Redfish LDAP user configuration.
3
4Library          ../../lib/gen_robot_valid.py
5Resource         ../../lib/resource.robot
6Resource         ../../lib/bmc_redfish_resource.robot
7Resource         ../../lib/openbmc_ffdc.robot
8Library          ../../lib/gen_robot_valid.py
9Resource         ../../lib/bmc_network_utils.robot
10Resource         ../../lib/bmc_ldap_utils.robot
11
12Suite Setup      Suite Setup Execution
13Suite Teardown   Run Keywords  Restore LDAP Privilege  AND  Redfish.Logout
14Test Teardown    FFDC On Test Case Fail
15
16Force Tags       LDAP_Test
17
18*** Variables ***
19${old_ldap_privilege}   ${EMPTY}
20&{old_account_service}  &{EMPTY}
21&{old_ldap_config}      &{EMPTY}
22${hostname}             ${EMPTY}
23${test_ip}              10.6.6.6
24${test_mask}            255.255.255.0
25
26** Test Cases **
27
28Verify LDAP Configuration Created
29    [Documentation]  Verify that LDAP configuration created.
30    [Tags]  Verify_LDAP_Configuration_Created
31
32    Create LDAP Configuration
33    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
34    Get LDAP Configuration  ${LDAP_TYPE}
35    Sleep  10s
36    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
37    Redfish.Logout
38    Redfish.Login
39
40
41Verify LDAP Service Disable
42    [Documentation]  Verify that LDAP is disabled and that LDAP user cannot
43    ...  login.
44    [Tags]  Verify_LDAP_Service_Disable
45
46    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
47    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
48    Sleep  15s
49    ${resp}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
50    ...  ${LDAP_USER_PASSWORD}
51    Should Be Equal  ${resp}  ${False}
52    ...  msg=LDAP user was able to login even though the LDAP service was disabled.
53    Redfish.Logout
54    Redfish.Login
55    # Enabling LDAP so that LDAP user works.
56    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
57    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
58    Redfish.Logout
59    Redfish.Login
60
61
62Verify LDAP Login With ServiceEnabled
63    [Documentation]  Verify that LDAP Login with ServiceEnabled.
64    [Tags]  Verify_LDAP_Login_With_ServiceEnabled
65
66    Disable Other LDAP
67    # Actual service enablement.
68    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
69    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
70    Sleep  15s
71    # After update, LDAP login.
72    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
73    Redfish.Logout
74    Redfish.Login
75
76
77Verify LDAP Login With Correct AuthenticationType
78    [Documentation]  Verify that LDAP Login with right AuthenticationType.
79    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType
80
81    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
82    ...  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
83    Sleep  15s
84    # After update, LDAP login.
85    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
86    Redfish.Logout
87    Redfish.Login
88
89
90Verify LDAP Config Update With Incorrect AuthenticationType
91    [Documentation]  Verify that invalid AuthenticationType is not updated.
92    [Tags]  Verify_LDAP_Update_With_Incorrect_AuthenticationType
93
94    ${body}=  Catenate  {'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}
95
96    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
97    ...  body=${body}  valid_status_codes=[400]
98
99
100Verify LDAP Login With Correct LDAP URL
101    [Documentation]  Verify LDAP Login with right LDAP URL.
102    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL
103
104    Config LDAP URL  ${LDAP_SERVER_URI}
105
106
107Verify LDAP Config Update With Incorrect LDAP URL
108    [Documentation]  Verify that LDAP Login fails with invalid LDAP URL.
109    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
110    [Teardown]  Run Keywords  Restore LDAP URL  AND
111    ...  FFDC On Test Case Fail
112
113    Config LDAP URL  ldap://1.2.3.4/  ${FALSE}
114
115Verify LDAP Configuration Exist
116    [Documentation]  Verify that LDAP configuration is available.
117    [Tags]  Verify_LDAP_Configuration_Exist
118
119    ${resp}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
120    ...  ${LDAP_TYPE}  default=${EMPTY}
121    Should Not Be Empty  ${resp}  msg=LDAP configuration is not defined.
122
123
124Verify LDAP User Login
125    [Documentation]  Verify that LDAP user able to login into BMC.
126    [Tags]  Verify_LDAP_User_Login
127
128    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
129    Redfish.Logout
130    Redfish.Login
131
132
133Verify LDAP Service Available
134    [Documentation]  Verify that LDAP service is available.
135    [Tags]  Verify_LDAP_Service_Available
136
137    @{ldap_configuration}=  Get LDAP Configuration  ${LDAP_TYPE}
138    Should Contain  ${ldap_configuration}  LDAPService
139    ...  msg=LDAPService is not available.
140
141
142Verify LDAP Login Works After BMC Reboot
143    [Documentation]  Verify that LDAP login works after BMC reboot.
144    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot
145
146    Redfish OBMC Reboot (off)
147    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
148    Redfish.Logout
149    Redfish.Login
150
151
152Verify LDAP User With Admin Privilege Able To Do BMC Reboot
153    [Documentation]  Verify that LDAP user with administrator privilege able to do BMC reboot.
154    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot
155
156
157    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
158    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
159    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
160    # With LDAP user and with right privilege trying to do BMC reboot.
161    Redfish OBMC Reboot (off)
162    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
163    Redfish.Logout
164    Redfish.Login
165
166
167Verify LDAP User With Operator Privilege Able To Do Host Poweroff
168    [Documentation]  Verify that LDAP user with operator privilege can do host
169    ...  power off.
170    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
171    [Teardown]  Restore LDAP Privilege
172
173    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
174    ...  Operator  ${GROUP_NAME}
175
176    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
177    # Verify that the LDAP user with operator privilege is able to power the system off.
178    Redfish.Post  ${REDFISH_POWER_URI}
179    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[200]
180    Redfish.Logout
181    Redfish.Login
182
183
184Verify AccountLockout Attributes Set To Zero
185    [Documentation]  Verify that attribute AccountLockoutDuration and
186    ...  AccountLockoutThreshold are set to 0.
187    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
188    ...  FFDC On Test Case Fail
189    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero
190
191    ${old_account_service}=  Redfish.Get Properties
192    ...  ${REDFISH_BASE_URI}AccountService
193    Rprint Vars  old_account_service
194    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
195    ...  body=[('AccountLockoutDuration', 0)]
196    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
197    ...  body=[('AccountLockoutThreshold', 0)]
198
199
200Verify LDAP User With Read Privilege Able To Check Inventory
201    [Documentation]  Verify that LDAP user with read privilege able to
202    ...  read firmware inventory.
203    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
204    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
205    [Template]  Set Read Privilege And Check Firmware Inventory
206
207    ReadOnly
208
209
210Verify LDAP User With Read Privilege Should Not Do Host Poweron
211    [Documentation]  Verify that LDAP user with read privilege should not be
212    ...  allowed to power on the host.
213    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
214    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
215    [Template]  Set Read Privilege And Check Poweron
216
217    ReadOnly
218
219
220Update LDAP Group Name And Verify Operations
221    [Documentation]  Verify that LDAP group name update and able to do right
222    ...  operations.
223    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
224    [Template]  Update LDAP Config And Verify Set Host Name
225    [Teardown]  Restore LDAP Privilege
226
227    # group_name             group_privilege  valid_status_codes
228    ${GROUP_NAME}            Administrator    [${HTTP_OK}, ${HTTP_NO_CONTENT}]
229    ${GROUP_NAME}            Operator         [${HTTP_OK}, ${HTTP_NO_CONTENT}]
230    ${GROUP_NAME}            ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
231    ${GROUP_NAME}            NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
232    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
233    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
234    Invalid_LDAP_Group_Name  ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
235    Invalid_LDAP_Group_Name  NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
236
237
238Verify LDAP BaseDN Update And LDAP Login
239    [Documentation]  Update LDAP BaseDN of LDAP configuration and verify
240    ...  that LDAP login works.
241    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login
242
243
244    ${body}=  Catenate  {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings':
245    ...   {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}}
246    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
247    Sleep  15s
248    Redfish Verify LDAP Login
249
250
251Verify LDAP BindDN Update And LDAP Login
252    [Documentation]  Update LDAP BindDN of LDAP configuration and verify
253    ...  that LDAP login works.
254    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login
255
256    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
257    ...   {'AuthenticationType':'UsernameAndPassword', 'Username':
258    ...  '${LDAP_BIND_DN}'}}}
259    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
260    Sleep  15s
261    Redfish Verify LDAP Login
262
263
264Verify LDAP BindDN Password Update And LDAP Login
265    [Documentation]  Update LDAP BindDN password of LDAP configuration and
266    ...  verify that LDAP login works.
267    [Tags]  Verify_LDAP_BindDN_Passsword_Update_And_LDAP_Login
268
269
270    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
271    ...   {'AuthenticationType':'UsernameAndPassword', 'Password':
272    ...  '${LDAP_BIND_DN_PASSWORD}'}}}
273    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
274    Sleep  15s
275    Redfish Verify LDAP Login
276
277
278Verify LDAP Type Update And LDAP Login
279    [Documentation]  Update LDAP type of LDAP configuration and verify
280    ...  that LDAP login works.
281    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login
282
283    Disable Other LDAP
284    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
285    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
286    Sleep  15s
287    Redfish Verify LDAP Login
288
289
290Verify Authorization With Null Privilege
291    [Documentation]  Verify the failure of LDAP authorization with empty
292    ...  privilege.
293    [Tags]  Verify_LDAP_Authorization_With_Null_Privilege
294    [Teardown]  Restore LDAP Privilege
295
296    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}  ${EMPTY}
297    ...  [${HTTP_FORBIDDEN}]
298
299
300Verify Authorization With Invalid Privilege
301    [Documentation]  Verify that LDAP user authorization with wrong privilege
302    ...  fails.
303    [Tags]  Verify_LDAP_Authorization_With_Invalid_Privilege
304    [Teardown]  Restore LDAP Privilege
305
306    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}
307    ...  Invalid_Privilege  [${HTTP_FORBIDDEN}]
308
309
310Verify LDAP Login With Invalid Data
311    [Documentation]  Verify that LDAP login with Invalid LDAP data and
312    ...  right LDAP user fails.
313    [Tags]  Verify_LDAP_Login_With_Invalid_Data
314    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
315    ...  Create LDAP Configuration
316
317    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
318    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD
319    ...  Invalid_LDAP_BASE_DN
320    Sleep  15s
321    Redfish Verify LDAP Login  ${False}
322
323
324Verify LDAP Config Creation Without BASE_DN
325    [Documentation]  Verify that LDAP login with LDAP configuration
326    ...  created without BASE_DN fails.
327    [Tags]  Verify_LDAP_Config_Creation_Without_BASE_DN
328    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
329    ...  Create LDAP Configuration
330
331    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
332    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD  ${EMPTY}
333    Sleep  15s
334    Redfish Verify LDAP Login  ${False}
335
336
337Verify LDAP Authentication Without Password
338    [Documentation]  Verify that LDAP user authentication without LDAP
339    ...  user password fails.
340    [Tags]  Verify_LDAP_Authentication_Without_Password
341    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
342
343    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
344    Valid Value  status  [${False}]
345
346
347Verify LDAP Login With Invalid BASE_DN
348    [Documentation]  Verify that LDAP login with invalid BASE_DN and
349    ...  valid LDAP user fails.
350    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN
351    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
352    ...  Create LDAP Configuration
353
354    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
355    ...  ${LDAP_BIND_DN}  ${LDAP_BIND_DN_PASSWORD}  Invalid_LDAP_BASE_DN
356    Sleep  15s
357    Redfish Verify LDAP Login  ${False}
358
359
360Verify LDAP Login With Invalid BIND_DN_PASSWORD
361    [Documentation]  Verify that LDAP login with invalid BIND_DN_PASSWORD and
362    ...  valid LDAP user fails.
363    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD
364    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
365    ...  Create LDAP Configuration
366
367    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
368    ...  ${LDAP_BIND_DN}  INVALID_LDAP_BIND_DN_PASSWORD  ${LDAP_BASE_DN}
369    Sleep  15s
370    Redfish Verify LDAP Login  ${False}
371
372
373Verify LDAP Login With Invalid BASE_DN And Invalid BIND_DN
374    [Documentation]  Verify that LDAP login with invalid BASE_DN and invalid
375    ...  BIND_DN and valid LDAP user fails.
376    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN
377    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
378    ...  Create LDAP Configuration
379
380    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
381    ...  INVALID_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  INVALID_LDAP_BASE_DN
382    Sleep  15s
383    Redfish Verify LDAP Login  ${False}
384
385
386Verify Group Name And Group Privilege Able To Modify
387    [Documentation]  Verify that LDAP group name and group privilege able to
388    ...  modify.
389    [Tags]  Verify_Group_Name_And_Group_Privilege_Able_To_Modify
390    [Setup]  Update LDAP Configuration with LDAP User Role And Group
391    ...  ${LDAP_TYPE}  Operator  ${GROUP_NAME}
392
393    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
394    ...  Administrator  ${GROUP_NAME}
395
396
397Verify LDAP Login With Invalid BIND_DN
398    [Documentation]  Verify that LDAP login with invalid BIND_DN and
399    ...  valid LDAP user fails.
400    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN
401    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
402    ...  Create LDAP Configuration
403
404    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
405    ...  Invalid_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  ${LDAP_BASE_DN}
406    Sleep  15s
407    Redfish Verify LDAP Login  ${False}
408
409
410Verify LDAP Authentication With Invalid LDAP User
411    [Documentation]  Verify that LDAP user authentication for user not exist
412    ...  in LDAP server and fails.
413    [Tags]  Verify_LDAP_Authentication_With_Invalid_LDAP_User
414    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
415
416    ${status}=  Run Keyword And Return Status  Redfish.Login  INVALID_LDAP_USER
417    ...  ${LDAP_USER_PASSWORD}
418    Valid Value  status  [${False}]
419
420
421Update LDAP User Roles And Verify Host Poweroff Operation
422    [Documentation]  Update LDAP user roles and verify host poweroff operation.
423    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation
424    [Teardown]  Restore LDAP Privilege
425
426    [Template]  Update LDAP User Role And Host Poweroff
427    # ldap_type   group_privilege  group_name     valid_status_codes
428
429    # Verify LDAP user with NoAccess privilege not able to do host poweroff.
430    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
431
432    # Verify LDAP user with ReadOnly privilege not able to do host poweroff.
433    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
434
435    # Verify LDAP user with Operator privilege able to do host poweroff.
436    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
437
438    # Verify LDAP user with Administrator privilege able to do host poweroff.
439    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
440
441
442Update LDAP User Roles And Verify Host Poweron Operation
443    [Documentation]  Update LDAP user roles and verify host poweron operation.
444    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation
445    [Teardown]  Restore LDAP Privilege
446
447    [Template]  Update LDAP User Role And Host Poweron
448    # ldap_type   group_privilege  group_name     valid_status_codes
449
450    # Verify LDAP user with NoAccess privilege not able to do host poweron.
451    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
452
453    # Verify LDAP user with ReadOnly privilege not able to do host poweron.
454    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
455
456    # Verify LDAP user with Operator privilege able to do host poweron.
457    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
458
459    # Verify LDAP user with Administrator privilege able to do host poweron.
460    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
461
462
463Configure IP Address Via Different User Roles And Verify
464    [Documentation]  Configure IP address via different user roles and verify.
465    [Tags]  Configure_IP_Address_Via_Different_User_Roles_And_Verify
466    [Teardown]  Restore LDAP Privilege
467
468    [Template]  Update LDAP User Role And Configure IP Address
469    # Verify LDAP user with Administrator privilege is able to configure IP address.
470    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
471
472    # Verify LDAP user with ReadOnly privilege is forbidden to configure IP address.
473    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
474
475    # Verify LDAP user with NoAccess privilege is forbidden to configure IP address.
476    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
477
478    # Verify LDAP user with Operator privilege is able to configure IP address.
479    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
480
481
482Delete IP Address Via Different User Roles And Verify
483    [Documentation]  Delete IP address via different user roles and verify.
484    [Tags]  Delete_IP_Address_Via_Different_User_Roles_And_Verify
485    [Teardown]  Run Keywords  Restore LDAP Privilege  AND  FFDC On Test Case Fail
486
487    [Template]  Update LDAP User Role And Delete IP Address
488    # Verify LDAP user with Administrator privilege is able to delete IP address.
489    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
490
491    # Verify LDAP user with ReadOnly privilege is forbidden to delete IP address.
492    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
493
494    # Verify LDAP user with NoAccess privilege is forbidden to delete IP address.
495    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
496
497    # Verify LDAP user with Operator privilege is able to delete IP address.
498    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
499
500
501Read Network Configuration Via Different User Roles And Verify
502    [Documentation]  Read network configuration via different user roles and verify.
503    [Tags]  Read_Network_configuration_Via_Different_User_Roles_And_Verify
504    [Teardown]  Restore LDAP Privilege
505
506    [Template]  Update LDAP User Role And Read Network Configuration
507    ${LDAP_TYPE}  Administrator  ${GROUP_NAME}  ${HTTP_OK}
508
509    ${LDAP_TYPE}  ReadOnly       ${GROUP_NAME}  ${HTTP_OK}
510
511    ${LDAP_TYPE}  NoAccess       ${GROUP_NAME}  ${HTTP_FORBIDDEN}
512
513    ${LDAP_TYPE}  Operator       ${GROUP_NAME}  ${HTTP_OK}
514
515
516*** Keywords ***
517
518Redfish Verify LDAP Login
519    [Documentation]  LDAP user log into BMC.
520    [Arguments]  ${valid_status}=${True}
521
522    # Description of argument(s):
523    # valid_status  Expected status of LDAP login ("True" or "False").
524
525    # According to our repo coding rules, Redfish.Login is to be done in Suite
526    # Setup and Redfish.Logout is to be done in Suite Teardown.  For any
527    # deviation from this rule (such as in this keyword), the deviant code
528    # must take steps to restore us to our original logged-in state.
529
530    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
531    ...  ${LDAP_USER_PASSWORD}
532    Valid Value  status  [${valid_status}]
533    Redfish.Logout
534    Redfish.Login
535
536
537Update LDAP Config And Verify Set Host Name
538    [Documentation]  Update LDAP config and verify by attempting to set host name.
539    [Arguments]  ${group_name}  ${group_privilege}=Administrator
540    ...  ${valid_status_codes}=[${HTTP_OK}]
541    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
542
543    # Description of argument(s):
544    # group_name                    The group name of user.
545    # group_privilege               The group privilege ("Administrator",
546    #                               "Operator", "User" or "Callback").
547    # valid_status_codes            Expected return code(s) from patch
548    #                               operation (e.g. "200") used to update
549    #                               HostName.  See prolog of rest_request
550    #                               method in redfish_plut.py for details.
551    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
552    ...  ${group_privilege}  ${group_name}
553    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
554    # Verify that the LDAP user in ${group_name} with the given privilege is
555    # allowed to change the hostname.
556    Redfish.Patch  ${REDFISH_NW_ETH0_URI}  body={'HostName': '${hostname}'}
557    ...  valid_status_codes=${valid_status_codes}
558
559
560Disable Other LDAP
561    [Documentation]  Disable other LDAP configuration.
562
563    # First disable other LDAP.
564    ${inverse_ldap_type}=  Set Variable If  '${LDAP_TYPE}' == 'LDAP'  ActiveDirectory  LDAP
565    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
566    ...  body={'${inverse_ldap_type}': {'ServiceEnabled': ${False}}}
567    Sleep  15s
568
569
570Config LDAP URL
571    [Documentation]  Config LDAP URL.
572    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}  ${expected_status}=${TRUE}
573
574    # Description of argument(s):
575    # ldap_server_uri LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").
576
577    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
578    ...  body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}}
579    Sleep  15s
580    # After update, LDAP login.
581    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
582    Valid Value  status  [${expected_status}]
583
584    Redfish.Logout
585    Redfish.Login
586
587
588Restore LDAP URL
589    [Documentation]  Restore LDAP URL.
590
591    # Restoring the working LDAP server uri.
592    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
593    ...  body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
594    Sleep  15s
595
596
597Restore AccountLockout Attributes
598    [Documentation]  Restore AccountLockout Attributes.
599
600    Return From Keyword If  &{old_account_service} == &{EMPTY}
601    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
602    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
603    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
604    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutThreshold']})]
605
606
607Suite Setup Execution
608    [Documentation]  Do suite setup tasks.
609
610    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
611    Valid Value  LDAP_USER
612    Valid Value  LDAP_USER_PASSWORD
613    Valid Value  GROUP_PRIVILEGE
614    Valid Value  GROUP_NAME
615    Valid Value  LDAP_SERVER_URI
616    Valid Value  LDAP_BIND_DN_PASSWORD
617    Valid Value  LDAP_BIND_DN
618    Valid Value  LDAP_BASE_DN
619
620    Redfish.Login
621    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
622    Get LDAP Configuration  ${LDAP_TYPE}
623    ${old_ldap_privilege}=  Get LDAP Privilege
624    Set Suite Variable  ${old_ldap_privilege}
625    Disable Other LDAP
626    Create LDAP Configuration
627    ${hostname}=  Redfish.Get Attribute  ${REDFISH_NW_PROTOCOL_URI}  HostName
628
629
630Set Read Privilege And Check Firmware Inventory
631    [Documentation]  Set read privilege and check firmware inventory.
632    [Arguments]  ${read_privilege}
633
634    # Description of argument(s):
635    # read_privilege  The read privilege role (e.g. "User" / "Callback").
636
637    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
638    ...  ${read_privilege}  ${GROUP_NAME}
639
640    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
641    # Verify that the LDAP user with read privilege is able to read inventory.
642    ${resp}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
643    Should Be True  ${resp.dict["Members@odata.count"]} >= ${1}
644    Length Should Be  ${resp.dict["Members"]}  ${resp.dict["Members@odata.count"]}
645    Redfish.Logout
646    Redfish.Login
647
648
649Set Read Privilege And Check Poweron
650    [Documentation]  Set read privilege and power on should not be possible.
651    [Arguments]  ${read_privilege}
652
653    # Description of argument(s):
654    # read_privilege  The read privilege role (e.g. "User" / "Callback").
655
656    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
657    ...  ${read_privilege}  ${GROUP_NAME}
658    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
659    Redfish.Post  ${REDFISH_POWER_URI}
660    ...  body={'ResetType': 'On'}   valid_status_codes=[401, 403]
661    Redfish.Logout
662    Redfish.Login
663
664
665Get LDAP Configuration
666    [Documentation]  Retrieve LDAP Configuration.
667    [Arguments]   ${ldap_type}
668
669    # Description of argument(s):
670    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").
671
672    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
673    [Return]  ${ldap_config["${ldap_type}"]}
674
675
676Update LDAP Configuration with LDAP User Role And Group
677    [Documentation]  Update LDAP configuration update with LDAP user Role and group.
678    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}
679
680    # Description of argument(s):
681    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
682    # group_privilege  The group privilege ("Administrator", "Operator", "User" or "Callback").
683    # group_name       The group name of user.
684
685    ${local_role_remote_group}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
686    ${remote_role_mapping}=  Create List  ${local_role_remote_group}
687    ${ldap_data}=  Create Dictionary  RemoteRoleMapping=${remote_role_mapping}
688    ${payload}=  Create Dictionary  ${ldap_type}=${ldap_data}
689    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
690    # Provide adequate time for LDAP daemon to restart after the update.
691    Sleep  15s
692
693
694Get LDAP Privilege
695    [Documentation]  Get LDAP privilege and return it.
696
697    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
698    ${num_list_entries}=  Get Length  ${ldap_config["RemoteRoleMapping"]}
699    Return From Keyword If  ${num_list_entries} == ${0}  @{EMPTY}
700
701    [Return]  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}
702
703
704Restore LDAP Privilege
705    [Documentation]  Restore the LDAP privilege to its original value.
706
707    Return From Keyword If  '${old_ldap_privilege}' == '${EMPTY}' or '${old_ldap_privilege}' == '[]'
708    # Log back in to restore the original privilege.
709    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
710    ...  ${old_ldap_privilege}  ${GROUP_NAME}
711
712    Sleep  18s
713
714
715Update LDAP User Role And Host Poweroff
716    [Documentation]  Update LDAP user role and do host poweroff.
717    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
718    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
719
720    # Description of argument(s):
721    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
722    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
723    # group_name         The group name of user.
724    # valid_status_code  The expected valid status code.
725
726    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
727    ...  ${group_privilege}  ${group_name}
728
729    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
730
731    Redfish.Post  ${REDFISH_POWER_URI}
732    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[${valid_status_code}]
733
734
735Update LDAP User Role And Host Poweron
736    [Documentation]  Update LDAP user role and do host poweron.
737    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
738    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
739
740    # Description of argument(s):
741    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
742    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
743    # group_name         The group name of user.
744    # valid_status_code  The expected valid status code.
745
746    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
747    ...  ${group_privilege}  ${group_name}
748
749    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
750
751    Redfish.Post  ${REDFISH_POWER_URI}
752    ...  body={'ResetType': 'On'}   valid_status_codes=[${valid_status_code}]
753
754
755Update LDAP User Role And Configure IP Address
756    [Documentation]  Update LDAP user role and configure IP address.
757    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
758    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}
759
760    # Description of argument(s):
761    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
762    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
763    # group_name         The group name of user.
764    # valid_status_code  The expected valid status code.
765
766    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
767    ...  ${group_privilege}  ${group_name}
768
769    Redfish.Logout
770
771    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
772
773    ${test_gateway}=  Get BMC Default Gateway
774
775    Run Keyword If  '${group_privilege}' == 'NoAccess'
776    ...  Add IP Address With NoAccess User  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}
777    ...  ELSE
778    ...  Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}
779
780
781Update LDAP User Role And Delete IP Address
782    [Documentation]  Update LDAP user role and delete IP address.
783    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
784    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}
785
786    # Description of argument(s):
787    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
788    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
789    # group_name         The group name of user.
790    # valid_status_code  The expected valid status code.
791
792    ${test_gateway}=  Get BMC Default Gateway
793
794    # Configure IP address before deleting via LDAP user roles.
795    Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}
796
797    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
798    ...  ${group_privilege}  ${group_name}
799
800    Redfish.Logout
801
802    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
803
804    Run Keyword If  '${group_privilege}' == 'NoAccess'
805    ...  Delete IP Address With NoAccess User  ${test_ip}  ${valid_status_code}
806    ...  ELSE
807    ...  Delete IP Address  ${test_ip}  ${valid_status_code}
808
809
810Update LDAP User Role And Read Network Configuration
811    [Documentation]  Update LDAP user role and read network configuration.
812    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
813    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
814
815    # Description of argument(s):
816    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
817    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
818    # group_name         The group name of user.
819    # valid_status_code  The expected valid status code.
820
821    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
822    ...  ${group_privilege}  ${group_name}
823
824    Redfish.Logout
825
826    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
827    Redfish.Get  ${REDFISH_NW_ETH0_URI}  valid_status_codes=[${valid_status_code}]
828
829
830Add IP Address With NoAccess User
831    [Documentation]  Add IP Address To BMC.
832    [Arguments]  ${ip}  ${subnet_mask}  ${gateway}
833    ...  ${valid_status_codes}=${HTTP_OK}
834
835    # Description of argument(s):
836    # ip                  IP address to be added (e.g. "10.7.7.7").
837    # subnet_mask         Subnet mask for the IP to be added
838    #                     (e.g. "255.255.0.0").
839    # gateway             Gateway for the IP to be added (e.g. "10.7.7.1").
840    # valid_status_codes  Expected return code from patch operation
841    #                     (e.g. "200").  See prolog of rest_request
842    #                     method in redfish_plus.py for details.
843
844    # Logout from LDAP user.
845    Redfish.Logout
846
847    # Login with local user.
848    Redfish.Login
849
850    ${empty_dict}=  Create Dictionary
851    ${ip_data}=  Create Dictionary  Address=${ip}
852    ...  SubnetMask=${subnet_mask}  Gateway=${gateway}
853
854    ${patch_list}=  Create List
855    ${network_configurations}=  Get Network Configuration
856    ${num_entries}=  Get Length  ${network_configurations}
857
858    FOR  ${INDEX}  IN RANGE  0  ${num_entries}
859      Append To List  ${patch_list}  ${empty_dict}
860    END
861
862    ${valid_status_codes}=  Run Keyword If  '${valid_status_codes}' == '${HTTP_OK}'
863    ...  Set Variable   ${HTTP_OK},${HTTP_NO_CONTENT}
864    ...  ELSE  Set Variable  ${valid_status_codes}
865
866    # We need not check for existence of IP on BMC while adding.
867    Append To List  ${patch_list}  ${ip_data}
868    ${data}=  Create Dictionary  IPv4StaticAddresses=${patch_list}
869
870    ${active_channel_config}=  Get Active Channel Config
871    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}
872
873    # Logout from local user.
874    Redfish.Logout
875
876    # Login from LDAP user and check if we can configure IP address.
877    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
878
879    Redfish.patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
880    ...  valid_status_codes=[${valid_status_codes}]
881
882
883Delete IP Address With NoAccess User
884    [Documentation]  Delete IP Address Of BMC.
885    [Arguments]  ${ip}  ${valid_status_codes}=${HTTP_OK}
886
887    # Description of argument(s):
888    # ip                  IP address to be deleted (e.g. "10.7.7.7").
889    # valid_status_codes  Expected return code from patch operation
890    #                     (e.g. "200").  See prolog of rest_request
891    #                     method in redfish_plus.py for details.
892
893    # Logout from LDAP user.
894    Redfish.Logout
895
896    # Login with local user.
897    Redfish.Login
898
899    ${empty_dict}=  Create Dictionary
900    ${patch_list}=  Create List
901
902    @{network_configurations}=  Get Network Configuration
903    FOR  ${network_configuration}  IN  @{network_configurations}
904      Run Keyword If  '${network_configuration['Address']}' == '${ip}'
905      ...  Append To List  ${patch_list}  ${null}
906      ...  ELSE  Append To List  ${patch_list}  ${empty_dict}
907    END
908
909    ${ip_found}=  Run Keyword And Return Status  List Should Contain Value
910    ...  ${patch_list}  ${null}  msg=${ip} does not exist on BMC
911    Pass Execution If  ${ip_found} == ${False}  ${ip} does not exist on BMC
912
913    # Run patch command only if given IP is found on BMC
914    ${data}=  Create Dictionary  IPv4StaticAddresses=${patch_list}
915
916    ${active_channel_config}=  Get Active Channel Config
917    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}
918
919    # Logout from local user.
920    Redfish.Logout
921
922    # Login from LDAP user and check if we can delete IP address.
923    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
924
925    Redfish.patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
926    ...  valid_status_codes=[${valid_status_codes}]
927
928    # Note: Network restart takes around 15-18s after patch request processing
929    Sleep  ${NETWORK_TIMEOUT}s
930    Wait For Host To Ping  ${OPENBMC_HOST}  ${NETWORK_TIMEOUT}
931