1*** Settings *** 2Documentation Test Redfish LDAP user configuration. 3 4Library ../../lib/gen_robot_valid.py 5Resource ../../lib/resource.robot 6Resource ../../lib/bmc_redfish_resource.robot 7Resource ../../lib/openbmc_ffdc.robot 8Library ../../lib/gen_robot_valid.py 9Resource ../../lib/bmc_network_utils.robot 10Resource ../../lib/bmc_ldap_utils.robot 11 12Suite Setup Suite Setup Execution 13Suite Teardown Run Keywords Restore LDAP Privilege AND Redfish.Logout 14Test Teardown FFDC On Test Case Fail 15 16Force Tags LDAP_Test 17 18*** Variables *** 19${old_ldap_privilege} ${EMPTY} 20&{old_account_service} &{EMPTY} 21&{old_ldap_config} &{EMPTY} 22${hostname} ${EMPTY} 23${test_ip} 10.6.6.6 24${test_mask} 255.255.255.0 25 26** Test Cases ** 27 28Verify LDAP Configuration Created 29 [Documentation] Verify that LDAP configuration created. 30 [Tags] Verify_LDAP_Configuration_Created 31 32 Create LDAP Configuration 33 # Call 'Get LDAP Configuration' to verify that LDAP configuration exists. 34 Get LDAP Configuration ${LDAP_TYPE} 35 Sleep 10s 36 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 37 Redfish.Logout 38 Redfish.Login 39 40 41Verify LDAP Service Disable 42 [Documentation] Verify that LDAP is disabled and that LDAP user cannot 43 ... login. 44 [Tags] Verify_LDAP_Service_Disable 45 46 Redfish.Patch ${REDFISH_BASE_URI}AccountService 47 ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}} 48 Sleep 15s 49 ${resp}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} 50 ... ${LDAP_USER_PASSWORD} 51 Should Be Equal ${resp} ${False} 52 ... msg=LDAP user was able to login even though the LDAP service was disabled. 53 Redfish.Logout 54 Redfish.Login 55 # Enabling LDAP so that LDAP user works. 56 Redfish.Patch ${REDFISH_BASE_URI}AccountService 57 ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}} 58 Redfish.Logout 59 Redfish.Login 60 61 62Verify LDAP Login With ServiceEnabled 63 [Documentation] Verify that LDAP Login with ServiceEnabled. 64 [Tags] Verify_LDAP_Login_With_ServiceEnabled 65 66 Disable Other LDAP 67 # Actual service enablement. 68 Redfish.Patch ${REDFISH_BASE_URI}AccountService 69 ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}} 70 Sleep 15s 71 # After update, LDAP login. 72 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 73 Redfish.Logout 74 Redfish.Login 75 76 77Verify LDAP Login With Correct AuthenticationType 78 [Documentation] Verify that LDAP Login with right AuthenticationType. 79 [Tags] Verify_LDAP_Login_With_Correct_AuthenticationType 80 81 Redfish.Patch ${REDFISH_BASE_URI}AccountService 82 ... body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}} 83 Sleep 15s 84 # After update, LDAP login. 85 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 86 Redfish.Logout 87 Redfish.Login 88 89 90Verify LDAP Config Update With Incorrect AuthenticationType 91 [Documentation] Verify that invalid AuthenticationType is not updated. 92 [Tags] Verify_LDAP_Update_With_Incorrect_AuthenticationType 93 94 ${body}= Catenate {'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}} 95 96 Redfish.Patch ${REDFISH_BASE_URI}AccountService 97 ... body=${body} valid_status_codes=[400] 98 99 100Verify LDAP Login With Correct LDAP URL 101 [Documentation] Verify LDAP Login with right LDAP URL. 102 [Tags] Verify_LDAP_Login_With_Correct_LDAP_URL 103 104 Config LDAP URL ${LDAP_SERVER_URI} 105 106 107Verify LDAP Config Update With Incorrect LDAP URL 108 [Documentation] Verify that LDAP Login fails with invalid LDAP URL. 109 [Tags] Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL 110 [Teardown] Run Keywords Restore LDAP URL AND 111 ... FFDC On Test Case Fail 112 113 Config LDAP URL ldap://1.2.3.4/ ${FALSE} 114 115Verify LDAP Configuration Exist 116 [Documentation] Verify that LDAP configuration is available. 117 [Tags] Verify_LDAP_Configuration_Exist 118 119 ${resp}= Redfish.Get Attribute ${REDFISH_BASE_URI}AccountService 120 ... ${LDAP_TYPE} default=${EMPTY} 121 Should Not Be Empty ${resp} msg=LDAP configuration is not defined. 122 123 124Verify LDAP User Login 125 [Documentation] Verify that LDAP user able to login into BMC. 126 [Tags] Verify_LDAP_User_Login 127 128 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 129 Redfish.Logout 130 Redfish.Login 131 132 133Verify LDAP Service Available 134 [Documentation] Verify that LDAP service is available. 135 [Tags] Verify_LDAP_Service_Available 136 137 @{ldap_configuration}= Get LDAP Configuration ${LDAP_TYPE} 138 Should Contain ${ldap_configuration} LDAPService 139 ... msg=LDAPService is not available. 140 141 142Verify LDAP Login Works After BMC Reboot 143 [Documentation] Verify that LDAP login works after BMC reboot. 144 [Tags] Verify_LDAP_Login_Works_After_BMC_Reboot 145 146 Redfish OBMC Reboot (off) 147 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 148 Redfish.Logout 149 Redfish.Login 150 151 152Verify LDAP User With Admin Privilege Able To Do BMC Reboot 153 [Documentation] Verify that LDAP user with administrator privilege able to do BMC reboot. 154 [Tags] Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot 155 156 157 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 158 ... ${GROUP_PRIVILEGE} ${GROUP_NAME} 159 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 160 # With LDAP user and with right privilege trying to do BMC reboot. 161 Redfish OBMC Reboot (off) 162 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 163 Redfish.Logout 164 Redfish.Login 165 166 167Verify LDAP User With Operator Privilege Able To Do Host Poweroff 168 [Documentation] Verify that LDAP user with operator privilege can do host 169 ... power off. 170 [Tags] Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff 171 [Teardown] Restore LDAP Privilege 172 173 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 174 ... Operator ${GROUP_NAME} 175 176 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 177 # Verify that the LDAP user with operator privilege is able to power the system off. 178 Redfish.Post ${REDFISH_POWER_URI} 179 ... body={'ResetType': 'ForceOff'} valid_status_codes=[200] 180 Redfish.Logout 181 Redfish.Login 182 183 184Verify AccountLockout Attributes Set To Zero 185 [Documentation] Verify that attribute AccountLockoutDuration and 186 ... AccountLockoutThreshold are set to 0. 187 [Teardown] Run Keywords Restore AccountLockout Attributes AND 188 ... FFDC On Test Case Fail 189 [Tags] Verify_AccountLockout_Attributes_Set_To_Zero 190 191 ${old_account_service}= Redfish.Get Properties 192 ... ${REDFISH_BASE_URI}AccountService 193 Rprint Vars old_account_service 194 Redfish.Patch ${REDFISH_BASE_URI}AccountService 195 ... body=[('AccountLockoutDuration', 0)] 196 Redfish.Patch ${REDFISH_BASE_URI}AccountService 197 ... body=[('AccountLockoutThreshold', 0)] 198 199 200Verify LDAP User With Read Privilege Able To Check Inventory 201 [Documentation] Verify that LDAP user with read privilege able to 202 ... read firmware inventory. 203 [Tags] Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory 204 [Teardown] Run Keywords FFDC On Test Case Fail AND Restore LDAP Privilege 205 [Template] Set Read Privilege And Check Firmware Inventory 206 207 ReadOnly 208 209 210Verify LDAP User With Read Privilege Should Not Do Host Poweron 211 [Documentation] Verify that LDAP user with read privilege should not be 212 ... allowed to power on the host. 213 [Tags] Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron 214 [Teardown] Run Keywords FFDC On Test Case Fail AND Restore LDAP Privilege 215 [Template] Set Read Privilege And Check Poweron 216 217 ReadOnly 218 219 220Update LDAP Group Name And Verify Operations 221 [Documentation] Verify that LDAP group name update and able to do right 222 ... operations. 223 [Tags] Update_LDAP_Group_Name_And_Verify_Operations 224 [Template] Update LDAP Config And Verify Set Host Name 225 [Teardown] Restore LDAP Privilege 226 227 # group_name group_privilege valid_status_codes 228 ${GROUP_NAME} Administrator [${HTTP_OK}, ${HTTP_NO_CONTENT}] 229 ${GROUP_NAME} Operator [${HTTP_OK}, ${HTTP_NO_CONTENT}] 230 ${GROUP_NAME} ReadOnly [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 231 ${GROUP_NAME} NoAccess [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 232 Invalid_LDAP_Group_Name Administrator [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 233 Invalid_LDAP_Group_Name Operator [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 234 Invalid_LDAP_Group_Name ReadOnly [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 235 Invalid_LDAP_Group_Name NoAccess [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 236 237 238Verify LDAP BaseDN Update And LDAP Login 239 [Documentation] Update LDAP BaseDN of LDAP configuration and verify 240 ... that LDAP login works. 241 [Tags] Verify_LDAP_BaseDN_Update_And_LDAP_Login 242 243 244 ${body}= Catenate {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings': 245 ... {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}} 246 Redfish.Patch ${REDFISH_BASE_URI}AccountService body=${body} 247 Sleep 15s 248 Redfish Verify LDAP Login 249 250 251Verify LDAP BindDN Update And LDAP Login 252 [Documentation] Update LDAP BindDN of LDAP configuration and verify 253 ... that LDAP login works. 254 [Tags] Verify_LDAP_BindDN_Update_And_LDAP_Login 255 256 ${body}= Catenate {'${LDAP_TYPE}': { 'Authentication': 257 ... {'AuthenticationType':'UsernameAndPassword', 'Username': 258 ... '${LDAP_BIND_DN}'}}} 259 Redfish.Patch ${REDFISH_BASE_URI}AccountService body=${body} 260 Sleep 15s 261 Redfish Verify LDAP Login 262 263 264Verify LDAP BindDN Password Update And LDAP Login 265 [Documentation] Update LDAP BindDN password of LDAP configuration and 266 ... verify that LDAP login works. 267 [Tags] Verify_LDAP_BindDN_Passsword_Update_And_LDAP_Login 268 269 270 ${body}= Catenate {'${LDAP_TYPE}': { 'Authentication': 271 ... {'AuthenticationType':'UsernameAndPassword', 'Password': 272 ... '${LDAP_BIND_DN_PASSWORD}'}}} 273 Redfish.Patch ${REDFISH_BASE_URI}AccountService body=${body} 274 Sleep 15s 275 Redfish Verify LDAP Login 276 277 278Verify LDAP Type Update And LDAP Login 279 [Documentation] Update LDAP type of LDAP configuration and verify 280 ... that LDAP login works. 281 [Tags] Verify_LDAP_Type_Update_And_LDAP_Login 282 283 Disable Other LDAP 284 Redfish.Patch ${REDFISH_BASE_URI}AccountService 285 ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}} 286 Sleep 15s 287 Redfish Verify LDAP Login 288 289 290Verify Authorization With Null Privilege 291 [Documentation] Verify the failure of LDAP authorization with empty 292 ... privilege. 293 [Tags] Verify_LDAP_Authorization_With_Null_Privilege 294 [Teardown] Restore LDAP Privilege 295 296 Update LDAP Config And Verify Set Host Name ${GROUP_NAME} ${EMPTY} 297 ... [${HTTP_FORBIDDEN}] 298 299 300Verify Authorization With Invalid Privilege 301 [Documentation] Verify that LDAP user authorization with wrong privilege 302 ... fails. 303 [Tags] Verify_LDAP_Authorization_With_Invalid_Privilege 304 [Teardown] Restore LDAP Privilege 305 306 Update LDAP Config And Verify Set Host Name ${GROUP_NAME} 307 ... Invalid_Privilege [${HTTP_FORBIDDEN}] 308 309 310Verify LDAP Login With Invalid Data 311 [Documentation] Verify that LDAP login with Invalid LDAP data and 312 ... right LDAP user fails. 313 [Tags] Verify_LDAP_Login_With_Invalid_Data 314 [Teardown] Run Keywords FFDC On Test Case Fail AND 315 ... Create LDAP Configuration 316 317 Create LDAP Configuration ${LDAP_TYPE} Invalid_LDAP_Server_URI 318 ... Invalid_LDAP_BIND_DN LDAP_BIND_DN_PASSWORD 319 ... Invalid_LDAP_BASE_DN 320 Sleep 15s 321 Redfish Verify LDAP Login ${False} 322 323 324Verify LDAP Config Creation Without BASE_DN 325 [Documentation] Verify that LDAP login with LDAP configuration 326 ... created without BASE_DN fails. 327 [Tags] Verify_LDAP_Config_Creation_Without_BASE_DN 328 [Teardown] Run Keywords FFDC On Test Case Fail AND 329 ... Create LDAP Configuration 330 331 Create LDAP Configuration ${LDAP_TYPE} Invalid_LDAP_Server_URI 332 ... Invalid_LDAP_BIND_DN LDAP_BIND_DN_PASSWORD ${EMPTY} 333 Sleep 15s 334 Redfish Verify LDAP Login ${False} 335 336 337Verify LDAP Authentication Without Password 338 [Documentation] Verify that LDAP user authentication without LDAP 339 ... user password fails. 340 [Tags] Verify_LDAP_Authentication_Without_Password 341 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 342 343 ${status}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} 344 Valid Value status [${False}] 345 346 347Verify LDAP Login With Invalid BASE_DN 348 [Documentation] Verify that LDAP login with invalid BASE_DN and 349 ... valid LDAP user fails. 350 [Tags] Verify_LDAP_Login_With_Invalid_BASE_DN 351 [Teardown] Run Keywords FFDC On Test Case Fail AND 352 ... Create LDAP Configuration 353 354 Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} 355 ... ${LDAP_BIND_DN} ${LDAP_BIND_DN_PASSWORD} Invalid_LDAP_BASE_DN 356 Sleep 15s 357 Redfish Verify LDAP Login ${False} 358 359 360Verify LDAP Login With Invalid BIND_DN_PASSWORD 361 [Documentation] Verify that LDAP login with invalid BIND_DN_PASSWORD and 362 ... valid LDAP user fails. 363 [Tags] Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD 364 [Teardown] Run Keywords FFDC On Test Case Fail AND 365 ... Create LDAP Configuration 366 367 Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} 368 ... ${LDAP_BIND_DN} INVALID_LDAP_BIND_DN_PASSWORD ${LDAP_BASE_DN} 369 Sleep 15s 370 Redfish Verify LDAP Login ${False} 371 372 373Verify LDAP Login With Invalid BASE_DN And Invalid BIND_DN 374 [Documentation] Verify that LDAP login with invalid BASE_DN and invalid 375 ... BIND_DN and valid LDAP user fails. 376 [Tags] Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN 377 [Teardown] Run Keywords FFDC On Test Case Fail AND 378 ... Create LDAP Configuration 379 380 Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} 381 ... INVALID_LDAP_BIND_DN ${LDAP_BIND_DN_PASSWORD} INVALID_LDAP_BASE_DN 382 Sleep 15s 383 Redfish Verify LDAP Login ${False} 384 385 386Verify Group Name And Group Privilege Able To Modify 387 [Documentation] Verify that LDAP group name and group privilege able to 388 ... modify. 389 [Tags] Verify_Group_Name_And_Group_Privilege_Able_To_Modify 390 [Setup] Update LDAP Configuration with LDAP User Role And Group 391 ... ${LDAP_TYPE} Operator ${GROUP_NAME} 392 393 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 394 ... Administrator ${GROUP_NAME} 395 396 397Verify LDAP Login With Invalid BIND_DN 398 [Documentation] Verify that LDAP login with invalid BIND_DN and 399 ... valid LDAP user fails. 400 [Tags] Verify_LDAP_Login_With_Invalid_BIND_DN 401 [Teardown] Run Keywords FFDC On Test Case Fail AND 402 ... Create LDAP Configuration 403 404 Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} 405 ... Invalid_LDAP_BIND_DN ${LDAP_BIND_DN_PASSWORD} ${LDAP_BASE_DN} 406 Sleep 15s 407 Redfish Verify LDAP Login ${False} 408 409 410Verify LDAP Authentication With Invalid LDAP User 411 [Documentation] Verify that LDAP user authentication for user not exist 412 ... in LDAP server and fails. 413 [Tags] Verify_LDAP_Authentication_With_Invalid_LDAP_User 414 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 415 416 ${status}= Run Keyword And Return Status Redfish.Login INVALID_LDAP_USER 417 ... ${LDAP_USER_PASSWORD} 418 Valid Value status [${False}] 419 420 421Update LDAP User Roles And Verify Host Poweroff Operation 422 [Documentation] Update LDAP user roles and verify host poweroff operation. 423 [Tags] Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation 424 [Teardown] Restore LDAP Privilege 425 426 [Template] Update LDAP User Role And Host Poweroff 427 # ldap_type group_privilege group_name valid_status_codes 428 429 # Verify LDAP user with NoAccess privilege not able to do host poweroff. 430 ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} 431 432 # Verify LDAP user with ReadOnly privilege not able to do host poweroff. 433 ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} 434 435 # Verify LDAP user with Operator privilege able to do host poweroff. 436 ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_OK} 437 438 # Verify LDAP user with Administrator privilege able to do host poweroff. 439 ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} 440 441 442Update LDAP User Roles And Verify Host Poweron Operation 443 [Documentation] Update LDAP user roles and verify host poweron operation. 444 [Tags] Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation 445 [Teardown] Restore LDAP Privilege 446 447 [Template] Update LDAP User Role And Host Poweron 448 # ldap_type group_privilege group_name valid_status_codes 449 450 # Verify LDAP user with NoAccess privilege not able to do host poweron. 451 ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} 452 453 # Verify LDAP user with ReadOnly privilege not able to do host poweron. 454 ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} 455 456 # Verify LDAP user with Operator privilege able to do host poweron. 457 ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_OK} 458 459 # Verify LDAP user with Administrator privilege able to do host poweron. 460 ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} 461 462 463Configure IP Address Via Different User Roles And Verify 464 [Documentation] Configure IP address via different user roles and verify. 465 [Tags] Configure_IP_Address_Via_Different_User_Roles_And_Verify 466 [Teardown] Restore LDAP Privilege 467 468 [Template] Update LDAP User Role And Configure IP Address 469 # Verify LDAP user with Administrator privilege is able to configure IP address. 470 ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} 471 472 # Verify LDAP user with ReadOnly privilege is forbidden to configure IP address. 473 ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} 474 475 # Verify LDAP user with NoAccess privilege is forbidden to configure IP address. 476 ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} 477 478 # Verify LDAP user with Operator privilege is able to configure IP address. 479 ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_OK} 480 481 482Delete IP Address Via Different User Roles And Verify 483 [Documentation] Delete IP address via different user roles and verify. 484 [Tags] Delete_IP_Address_Via_Different_User_Roles_And_Verify 485 [Teardown] Run Keywords Restore LDAP Privilege AND FFDC On Test Case Fail 486 487 [Template] Update LDAP User Role And Delete IP Address 488 # Verify LDAP user with Administrator privilege is able to delete IP address. 489 ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} 490 491 # Verify LDAP user with ReadOnly privilege is forbidden to delete IP address. 492 ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} 493 494 # Verify LDAP user with NoAccess privilege is forbidden to delete IP address. 495 ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} 496 497 # Verify LDAP user with Operator privilege is able to delete IP address. 498 ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_OK} 499 500 501Read Network Configuration Via Different User Roles And Verify 502 [Documentation] Read network configuration via different user roles and verify. 503 [Tags] Read_Network_configuration_Via_Different_User_Roles_And_Verify 504 [Teardown] Restore LDAP Privilege 505 506 [Template] Update LDAP User Role And Read Network Configuration 507 ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} 508 509 ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_OK} 510 511 ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} 512 513 ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_OK} 514 515 516*** Keywords *** 517 518Redfish Verify LDAP Login 519 [Documentation] LDAP user log into BMC. 520 [Arguments] ${valid_status}=${True} 521 522 # Description of argument(s): 523 # valid_status Expected status of LDAP login ("True" or "False"). 524 525 # According to our repo coding rules, Redfish.Login is to be done in Suite 526 # Setup and Redfish.Logout is to be done in Suite Teardown. For any 527 # deviation from this rule (such as in this keyword), the deviant code 528 # must take steps to restore us to our original logged-in state. 529 530 ${status}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} 531 ... ${LDAP_USER_PASSWORD} 532 Valid Value status [${valid_status}] 533 Redfish.Logout 534 Redfish.Login 535 536 537Update LDAP Config And Verify Set Host Name 538 [Documentation] Update LDAP config and verify by attempting to set host name. 539 [Arguments] ${group_name} ${group_privilege}=Administrator 540 ... ${valid_status_codes}=[${HTTP_OK}] 541 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 542 543 # Description of argument(s): 544 # group_name The group name of user. 545 # group_privilege The group privilege ("Administrator", 546 # "Operator", "User" or "Callback"). 547 # valid_status_codes Expected return code(s) from patch 548 # operation (e.g. "200") used to update 549 # HostName. See prolog of rest_request 550 # method in redfish_plut.py for details. 551 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 552 ... ${group_privilege} ${group_name} 553 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 554 # Verify that the LDAP user in ${group_name} with the given privilege is 555 # allowed to change the hostname. 556 Redfish.Patch ${REDFISH_NW_ETH0_URI} body={'HostName': '${hostname}'} 557 ... valid_status_codes=${valid_status_codes} 558 559 560Disable Other LDAP 561 [Documentation] Disable other LDAP configuration. 562 563 # First disable other LDAP. 564 ${inverse_ldap_type}= Set Variable If '${LDAP_TYPE}' == 'LDAP' ActiveDirectory LDAP 565 Redfish.Patch ${REDFISH_BASE_URI}AccountService 566 ... body={'${inverse_ldap_type}': {'ServiceEnabled': ${False}}} 567 Sleep 15s 568 569 570Config LDAP URL 571 [Documentation] Config LDAP URL. 572 [Arguments] ${ldap_server_uri}=${LDAP_SERVER_URI} ${expected_status}=${TRUE} 573 574 # Description of argument(s): 575 # ldap_server_uri LDAP server uri (e.g. "ldap://XX.XX.XX.XX/"). 576 577 Redfish.Patch ${REDFISH_BASE_URI}AccountService 578 ... body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}} 579 Sleep 15s 580 # After update, LDAP login. 581 ${status}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 582 Valid Value status [${expected_status}] 583 584 Redfish.Logout 585 Redfish.Login 586 587 588Restore LDAP URL 589 [Documentation] Restore LDAP URL. 590 591 # Restoring the working LDAP server uri. 592 Redfish.Patch ${REDFISH_BASE_URI}AccountService 593 ... body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}} 594 Sleep 15s 595 596 597Restore AccountLockout Attributes 598 [Documentation] Restore AccountLockout Attributes. 599 600 Return From Keyword If &{old_account_service} == &{EMPTY} 601 Redfish.Patch ${REDFISH_BASE_URI}AccountService 602 ... body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})] 603 Redfish.Patch ${REDFISH_BASE_URI}AccountService 604 ... body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutThreshold']})] 605 606 607Suite Setup Execution 608 [Documentation] Do suite setup tasks. 609 610 Valid Value LDAP_TYPE valid_values=["ActiveDirectory", "LDAP"] 611 Valid Value LDAP_USER 612 Valid Value LDAP_USER_PASSWORD 613 Valid Value GROUP_PRIVILEGE 614 Valid Value GROUP_NAME 615 Valid Value LDAP_SERVER_URI 616 Valid Value LDAP_BIND_DN_PASSWORD 617 Valid Value LDAP_BIND_DN 618 Valid Value LDAP_BASE_DN 619 620 Redfish.Login 621 # Call 'Get LDAP Configuration' to verify that LDAP configuration exists. 622 Get LDAP Configuration ${LDAP_TYPE} 623 ${old_ldap_privilege}= Get LDAP Privilege 624 Set Suite Variable ${old_ldap_privilege} 625 Disable Other LDAP 626 Create LDAP Configuration 627 ${hostname}= Redfish.Get Attribute ${REDFISH_NW_PROTOCOL_URI} HostName 628 629 630Set Read Privilege And Check Firmware Inventory 631 [Documentation] Set read privilege and check firmware inventory. 632 [Arguments] ${read_privilege} 633 634 # Description of argument(s): 635 # read_privilege The read privilege role (e.g. "User" / "Callback"). 636 637 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 638 ... ${read_privilege} ${GROUP_NAME} 639 640 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 641 # Verify that the LDAP user with read privilege is able to read inventory. 642 ${resp}= Redfish.Get /redfish/v1/UpdateService/FirmwareInventory 643 Should Be True ${resp.dict["Members@odata.count"]} >= ${1} 644 Length Should Be ${resp.dict["Members"]} ${resp.dict["Members@odata.count"]} 645 Redfish.Logout 646 Redfish.Login 647 648 649Set Read Privilege And Check Poweron 650 [Documentation] Set read privilege and power on should not be possible. 651 [Arguments] ${read_privilege} 652 653 # Description of argument(s): 654 # read_privilege The read privilege role (e.g. "User" / "Callback"). 655 656 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 657 ... ${read_privilege} ${GROUP_NAME} 658 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 659 Redfish.Post ${REDFISH_POWER_URI} 660 ... body={'ResetType': 'On'} valid_status_codes=[401, 403] 661 Redfish.Logout 662 Redfish.Login 663 664 665Get LDAP Configuration 666 [Documentation] Retrieve LDAP Configuration. 667 [Arguments] ${ldap_type} 668 669 # Description of argument(s): 670 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 671 672 ${ldap_config}= Redfish.Get Properties ${REDFISH_BASE_URI}AccountService 673 [Return] ${ldap_config["${ldap_type}"]} 674 675 676Update LDAP Configuration with LDAP User Role And Group 677 [Documentation] Update LDAP configuration update with LDAP user Role and group. 678 [Arguments] ${ldap_type} ${group_privilege} ${group_name} 679 680 # Description of argument(s): 681 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 682 # group_privilege The group privilege ("Administrator", "Operator", "User" or "Callback"). 683 # group_name The group name of user. 684 685 ${local_role_remote_group}= Create Dictionary LocalRole=${group_privilege} RemoteGroup=${group_name} 686 ${remote_role_mapping}= Create List ${local_role_remote_group} 687 ${ldap_data}= Create Dictionary RemoteRoleMapping=${remote_role_mapping} 688 ${payload}= Create Dictionary ${ldap_type}=${ldap_data} 689 Redfish.Patch ${REDFISH_BASE_URI}AccountService body=&{payload} 690 # Provide adequate time for LDAP daemon to restart after the update. 691 Sleep 15s 692 693 694Get LDAP Privilege 695 [Documentation] Get LDAP privilege and return it. 696 697 ${ldap_config}= Get LDAP Configuration ${LDAP_TYPE} 698 ${num_list_entries}= Get Length ${ldap_config["RemoteRoleMapping"]} 699 Return From Keyword If ${num_list_entries} == ${0} @{EMPTY} 700 701 [Return] ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]} 702 703 704Restore LDAP Privilege 705 [Documentation] Restore the LDAP privilege to its original value. 706 707 Return From Keyword If '${old_ldap_privilege}' == '${EMPTY}' or '${old_ldap_privilege}' == '[]' 708 # Log back in to restore the original privilege. 709 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 710 ... ${old_ldap_privilege} ${GROUP_NAME} 711 712 Sleep 18s 713 714 715Update LDAP User Role And Host Poweroff 716 [Documentation] Update LDAP user role and do host poweroff. 717 [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code} 718 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 719 720 # Description of argument(s): 721 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 722 # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). 723 # group_name The group name of user. 724 # valid_status_code The expected valid status code. 725 726 Update LDAP Configuration with LDAP User Role And Group ${ldap_type} 727 ... ${group_privilege} ${group_name} 728 729 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 730 731 Redfish.Post ${REDFISH_POWER_URI} 732 ... body={'ResetType': 'ForceOff'} valid_status_codes=[${valid_status_code}] 733 734 735Update LDAP User Role And Host Poweron 736 [Documentation] Update LDAP user role and do host poweron. 737 [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code} 738 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 739 740 # Description of argument(s): 741 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 742 # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). 743 # group_name The group name of user. 744 # valid_status_code The expected valid status code. 745 746 Update LDAP Configuration with LDAP User Role And Group ${ldap_type} 747 ... ${group_privilege} ${group_name} 748 749 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 750 751 Redfish.Post ${REDFISH_POWER_URI} 752 ... body={'ResetType': 'On'} valid_status_codes=[${valid_status_code}] 753 754 755Update LDAP User Role And Configure IP Address 756 [Documentation] Update LDAP user role and configure IP address. 757 [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code}=${HTTP_OK} 758 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login AND Delete IP Address ${test_ip} 759 760 # Description of argument(s): 761 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 762 # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). 763 # group_name The group name of user. 764 # valid_status_code The expected valid status code. 765 766 Update LDAP Configuration with LDAP User Role And Group ${ldap_type} 767 ... ${group_privilege} ${group_name} 768 769 Redfish.Logout 770 771 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 772 773 ${test_gateway}= Get BMC Default Gateway 774 775 Run Keyword If '${group_privilege}' == 'NoAccess' 776 ... Add IP Address With NoAccess User ${test_ip} ${test_mask} ${test_gateway} ${valid_status_code} 777 ... ELSE 778 ... Add IP Address ${test_ip} ${test_mask} ${test_gateway} ${valid_status_code} 779 780 781Update LDAP User Role And Delete IP Address 782 [Documentation] Update LDAP user role and delete IP address. 783 [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code}=${HTTP_OK} 784 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login AND Delete IP Address ${test_ip} 785 786 # Description of argument(s): 787 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 788 # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). 789 # group_name The group name of user. 790 # valid_status_code The expected valid status code. 791 792 ${test_gateway}= Get BMC Default Gateway 793 794 # Configure IP address before deleting via LDAP user roles. 795 Add IP Address ${test_ip} ${test_mask} ${test_gateway} 796 797 Update LDAP Configuration with LDAP User Role And Group ${ldap_type} 798 ... ${group_privilege} ${group_name} 799 800 Redfish.Logout 801 802 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 803 804 Run Keyword If '${group_privilege}' == 'NoAccess' 805 ... Delete IP Address With NoAccess User ${test_ip} ${valid_status_code} 806 ... ELSE 807 ... Delete IP Address ${test_ip} ${valid_status_code} 808 809 810Update LDAP User Role And Read Network Configuration 811 [Documentation] Update LDAP user role and read network configuration. 812 [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code}=${HTTP_OK} 813 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 814 815 # Description of argument(s): 816 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 817 # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). 818 # group_name The group name of user. 819 # valid_status_code The expected valid status code. 820 821 Update LDAP Configuration with LDAP User Role And Group ${ldap_type} 822 ... ${group_privilege} ${group_name} 823 824 Redfish.Logout 825 826 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 827 Redfish.Get ${REDFISH_NW_ETH0_URI} valid_status_codes=[${valid_status_code}] 828 829 830Add IP Address With NoAccess User 831 [Documentation] Add IP Address To BMC. 832 [Arguments] ${ip} ${subnet_mask} ${gateway} 833 ... ${valid_status_codes}=${HTTP_OK} 834 835 # Description of argument(s): 836 # ip IP address to be added (e.g. "10.7.7.7"). 837 # subnet_mask Subnet mask for the IP to be added 838 # (e.g. "255.255.0.0"). 839 # gateway Gateway for the IP to be added (e.g. "10.7.7.1"). 840 # valid_status_codes Expected return code from patch operation 841 # (e.g. "200"). See prolog of rest_request 842 # method in redfish_plus.py for details. 843 844 # Logout from LDAP user. 845 Redfish.Logout 846 847 # Login with local user. 848 Redfish.Login 849 850 ${empty_dict}= Create Dictionary 851 ${ip_data}= Create Dictionary Address=${ip} 852 ... SubnetMask=${subnet_mask} Gateway=${gateway} 853 854 ${patch_list}= Create List 855 ${network_configurations}= Get Network Configuration 856 ${num_entries}= Get Length ${network_configurations} 857 858 FOR ${INDEX} IN RANGE 0 ${num_entries} 859 Append To List ${patch_list} ${empty_dict} 860 END 861 862 ${valid_status_codes}= Run Keyword If '${valid_status_codes}' == '${HTTP_OK}' 863 ... Set Variable ${HTTP_OK},${HTTP_NO_CONTENT} 864 ... ELSE Set Variable ${valid_status_codes} 865 866 # We need not check for existence of IP on BMC while adding. 867 Append To List ${patch_list} ${ip_data} 868 ${data}= Create Dictionary IPv4StaticAddresses=${patch_list} 869 870 ${active_channel_config}= Get Active Channel Config 871 ${ethernet_interface}= Set Variable ${active_channel_config['${CHANNEL_NUMBER}']['name']} 872 873 # Logout from local user. 874 Redfish.Logout 875 876 # Login from LDAP user and check if we can configure IP address. 877 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 878 879 Redfish.patch ${REDFISH_NW_ETH_IFACE}${ethernet_interface} body=&{data} 880 ... valid_status_codes=[${valid_status_codes}] 881 882 883Delete IP Address With NoAccess User 884 [Documentation] Delete IP Address Of BMC. 885 [Arguments] ${ip} ${valid_status_codes}=${HTTP_OK} 886 887 # Description of argument(s): 888 # ip IP address to be deleted (e.g. "10.7.7.7"). 889 # valid_status_codes Expected return code from patch operation 890 # (e.g. "200"). See prolog of rest_request 891 # method in redfish_plus.py for details. 892 893 # Logout from LDAP user. 894 Redfish.Logout 895 896 # Login with local user. 897 Redfish.Login 898 899 ${empty_dict}= Create Dictionary 900 ${patch_list}= Create List 901 902 @{network_configurations}= Get Network Configuration 903 FOR ${network_configuration} IN @{network_configurations} 904 Run Keyword If '${network_configuration['Address']}' == '${ip}' 905 ... Append To List ${patch_list} ${null} 906 ... ELSE Append To List ${patch_list} ${empty_dict} 907 END 908 909 ${ip_found}= Run Keyword And Return Status List Should Contain Value 910 ... ${patch_list} ${null} msg=${ip} does not exist on BMC 911 Pass Execution If ${ip_found} == ${False} ${ip} does not exist on BMC 912 913 # Run patch command only if given IP is found on BMC 914 ${data}= Create Dictionary IPv4StaticAddresses=${patch_list} 915 916 ${active_channel_config}= Get Active Channel Config 917 ${ethernet_interface}= Set Variable ${active_channel_config['${CHANNEL_NUMBER}']['name']} 918 919 # Logout from local user. 920 Redfish.Logout 921 922 # Login from LDAP user and check if we can delete IP address. 923 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 924 925 Redfish.patch ${REDFISH_NW_ETH_IFACE}${ethernet_interface} body=&{data} 926 ... valid_status_codes=[${valid_status_codes}] 927 928 # Note: Network restart takes around 15-18s after patch request processing 929 Sleep ${NETWORK_TIMEOUT}s 930 Wait For Host To Ping ${OPENBMC_HOST} ${NETWORK_TIMEOUT} 931