*** Settings ***
Documentation    Test Redfish LDAP user configuration.

Library          ../../lib/gen_robot_valid.py
Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot

Suite Setup      Suite Setup Execution
Suite Teardown   Run Keywords  Restore LDAP Privilege  AND  Redfish.Logout
Test Teardown    FFDC On Test Case Fail

Force Tags       LDAP_Test

*** Variables ***
${old_ldap_privilege}   ${EMPTY}
&{old_account_service}  &{EMPTY}
&{old_ldap_config}      &{EMPTY}

*** Test Cases ***

Verify LDAP Configuration Created
    [Documentation]  Verify LDAP configuration created.
    [Tags]  Verify_LDAP_Configuration_Created

    Create LDAP Configuration
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    Sleep  10s
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP Service Disable
    [Documentation]  Verify LDAP is disabled and that LDAP user cannot login.
    [Tags]  Verify_LDAP_Service_Disable

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
    Sleep  15s
    ${resp}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${resp}  ${False}
    ...  msg=LDAP user was able to login even though the LDAP service was disabled.
    Redfish.Logout
    Redfish.Login
    # Enabling LDAP so that LDAP user works.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Redfish.Logout
    Redfish.Login


Verify LDAP Login With ServiceEnabled
    [Documentation]  Verify LDAP Login with ServiceEnabled.
    [Tags]  Verify_LDAP_Login_With_ServiceEnabled

    Disable Other LDAP
    # Actual service enablement.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    # After update, LDAP login.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP Login With Correct AuthenticationType
    [Documentation]  Verify LDAP Login with right AuthenticationType.
    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
    Sleep  15s
    # After update, LDAP login.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP Config Update With Incorrect AuthenticationType
    [Documentation]  Verify invalid AuthenticationType is not updated.
    [Tags]  Verify_LDAP_Update_With_Incorrect_AuthenticationType

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}
    ...  valid_status_codes=[400]


Verify LDAP Login With Correct LDAP URL
    [Documentation]  Verify LDAP Login with right LDAP URL.
    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL

    Config LDAP URL  ${LDAP_SERVER_URI}


Verify LDAP Config Update With Incorrect LDAP URL
    [Documentation]  Verify LDAP Login fails with invalid LDAP URL.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
    [Teardown]  Run Keywords  Restore LDAP URL  AND
    ...  FFDC On Test Case Fail

    Config LDAP URL  "ldap://1.2.3.4"


Verify LDAP Configuration Exist
    [Documentation]  Verify LDAP configuration is available.
    [Tags]  Verify_LDAP_Configuration_Exist

    ${resp}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
    ...  ${LDAP_TYPE}  default=${EMPTY}
    Should Not Be Empty  ${resp}  msg=LDAP configuration is not defined.


Verify LDAP User Login
    [Documentation]  Verify LDAP user able to login into BMC.
    [Tags]  Verify_LDAP_User_Login

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP Service Available
    [Documentation]  Verify LDAP service is available.
    [Tags]  Verify_LDAP_Service_Available

    @{ldap_configuration}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Contain  ${ldap_configuration}  LDAPService
    ...  msg=LDAPService is not available.


Verify LDAP Login Works After BMC Reboot
    [Documentation]  Verify LDAP login works after BMC reboot.
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot

    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Documentation]  Verify LDAP user with administrator privilege able to do BMC reboot.
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # With LDAP user and with right privilege trying to do BMC reboot.
    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Verify LDAP user with operator privilege can do host power off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    [Teardown]  Restore LDAP Privilege

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Operator  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with operator privilege is able to power the system off.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}  valid_status_codes=[200]
    Redfish.Logout
    Redfish.Login


Verify AccountLockout Attributes Set To Zero
    [Documentation]  Verify attribute AccountLockoutDuration and
    ...  AccountLockoutThreshold are set to 0.
    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
    ...  FFDC On Test Case Fail
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero

    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    # Save at suite scope so that 'Restore AccountLockout Attributes' can
    # see the original values in the teardown.
    Set Suite Variable  ${old_account_service}
    Rprint Vars  old_account_service
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]


Verify LDAP User With Read Privilege Able To Check Inventory
    [Documentation]  Verify LDAP user with read privilege able to
    ...  read firmware inventory.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Firmware Inventory

    User
    Callback


Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Documentation]  Verify LDAP user with read privilege should not be
    ...  allowed to power on the host.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Poweron

    User
    Callback


*** Keywords ***

Disable Other LDAP
    [Documentation]  Disable other LDAP configuration.

    # First disable other LDAP.
    ${inverse_ldap_type}=  Set Variable If  '${LDAP_TYPE}' == 'LDAP'  ActiveDirectory  LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${inverse_ldap_type}': {'ServiceEnabled': ${False}}}
    Sleep  15s


Create LDAP Configuration
    [Documentation]  Create LDAP configuration.
    [Arguments]  ${ldap_type}=${LDAP_TYPE}  ${ldap_server_uri}=${LDAP_SERVER_URI}
    ...  ${ldap_bind_dn}=${LDAP_BIND_DN}  ${ldap_bind_dn_password}=${LDAP_BIND_DN_PASSWORD}
    ...  ${ldap_base_dn}=${LDAP_BASE_DN}

    # Description of argument(s):
    # ldap_type              The LDAP type ("ActiveDirectory" or "LDAP").
    # ldap_server_uri        LDAP server uri (e.g. ldap://XX.XX.XX.XX).
    # ldap_bind_dn           The LDAP bind distinguished name.
    # ldap_bind_dn_password  The LDAP bind distinguished name password.
    # ldap_base_dn           The LDAP base distinguished name.

    Disable Other LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceEnabled': ${True}, 'ServiceAddresses': ['${ldap_server_uri}'], 'Authentication': {'AuthenticationType':'UsernameAndPassword', 'Username':'${ldap_bind_dn}', 'Password':'${ldap_bind_dn_password}'}, 'LDAPService': {'SearchSettings': {'BaseDistinguishedNames': ['${ldap_base_dn}']}}}}
    Sleep  15s


Config LDAP URL
    [Documentation]  Config LDAP URL.
    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}

    # Description of argument(s):
    # ldap_server_uri  LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}}
    Sleep  15s
    # After update, LDAP login.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Restore LDAP URL
    [Documentation]  Restore LDAP URL.

    # Restoring the working LDAP server uri.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
    Sleep  15s


Restore AccountLockout Attributes
    [Documentation]  Restore AccountLockout Attributes.

    # Nothing to restore if the original values were never saved.
    Return From Keyword If  not $old_account_service
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]


Suite Setup Execution
    [Documentation]  Do suite setup tasks.

    Rvalid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Rvalid Value  LDAP_USER
    Rvalid Value  LDAP_USER_PASSWORD
    Rvalid Value  GROUP_PRIVILEGE
    Rvalid Value  GROUP_NAME
    Redfish.Login
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    ${old_ldap_privilege}=  Get LDAP Privilege
    # Save at suite scope so that 'Restore LDAP Privilege' can see the
    # original role mapping.
    Set Suite Variable  ${old_ldap_privilege}


Set Read Privilege And Check Firmware Inventory
    [Documentation]  Set read privilege and check firmware inventory.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with read privilege is able to read inventory.
    ${resp}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
    Should Be True  ${resp.dict["Members@odata.count"]} >= ${1}
    Length Should Be  ${resp.dict["Members"]}  ${resp.dict["Members@odata.count"]}
    Redfish.Logout
    Redfish.Login


Set Read Privilege And Check Poweron
    [Documentation]  Set read privilege and power on should not be possible.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}  valid_status_codes=[401, 403]
    Redfish.Logout
    Redfish.Login


Get LDAP Configuration
    [Documentation]  Retrieve LDAP Configuration.
    [Arguments]  ${ldap_type}

    # Description of argument(s):
    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").

    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    [Return]  ${ldap_config["${ldap_type}"]}


Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  Update LDAP configuration with LDAP user role and group.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege  The group privilege ("Administrator", "Operator", "User" or "Callback").
    # group_name       The group name of user.

    ${local_role_remote_group}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
    ${remote_role_mapping}=  Create List  ${local_role_remote_group}
    ${ldap_data}=  Create Dictionary  RemoteRoleMapping=${remote_role_mapping}
    ${payload}=  Create Dictionary  ${ldap_type}=${ldap_data}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
    # Provide adequate time for LDAP daemon to restart after the update.
    Sleep  15s


Get LDAP Privilege
    [Documentation]  Get LDAP privilege and return it.

    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    [Return]  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}


Restore LDAP Privilege
    [Documentation]  Restore the LDAP privilege to its original value.

    Return From Keyword If  '${old_ldap_privilege}' == '${EMPTY}'
    # Log back in to restore the original privilege.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${old_ldap_privilege}  ${GROUP_NAME}