*** Settings ***
Documentation    Redfish LDAP user tests: configuration presence, LDAP user login,
...              role-mapping privileges and AccountService lockout attributes.

# Project libraries and shared resource files.
Library          ../../lib/gen_robot_valid.py
Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
# NOTE(review): second import of the same library; kept as in the original.
Library          ../../lib/gen_robot_valid.py

Suite Setup      Suite Setup Execution
# The role mapping is put back before the session is closed.
Suite Teardown   Run Keywords
...              Restore LDAP Privilege  AND  Redfish.Logout
Test Teardown    FFDC On Test Case Fail

Force Tags       LDAP_Test
*** Variables ***
# Suite-level defaults for the values the Restore keywords write back.
# Both Restore keywords return early while these are still empty.
${old_ldap_privilege}   ${EMPTY}
&{old_account_service}  &{EMPTY}
*** Test Cases ***

Verify LDAP Configuration Exist
    [Documentation]  Check that AccountService exposes a non-empty section for
    ...  the configured LDAP type.
    [Tags]  Verify_LDAP_Configuration_Exist

    # default=${EMPTY} is passed so that, presumably, a missing attribute comes
    # back empty and is reported by the assertion below.
    ${ldap_section}=  Redfish.Get Attribute
    ...  ${REDFISH_BASE_URI}AccountService  ${LDAP_TYPE}  default=${EMPTY}
    Should Not Be Empty  ${ldap_section}  msg=LDAP configuration is not defined.
Verify LDAP User Login
    [Documentation]  Check that the LDAP user can log in to the BMC over Redfish.
    [Tags]  Verify_LDAP_User_Login

    # Capture the login outcome as a boolean so the failure message below is used.
    ${login_ok}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${login_ok}  ${True}  msg=LDAP user is not able to login.
    # Close the LDAP user's session and return to the default login.
    Redfish.Logout
    Redfish.Login
Verify LDAP Service Available
    [Documentation]  Check that the LDAP configuration contains an LDAPService entry.
    [Tags]  Verify_LDAP_Service_Available

    # The result is assigned to a list variable, so the check below is a
    # membership test on that list (presumably the section's key names).
    @{ldap_entries}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Contain  ${ldap_entries}  LDAPService  msg=LDAPService is not available.
Verify LDAP Login Works After BMC Reboot
    [Documentation]  Reboot the BMC and check that the LDAP user can still log in.
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot

    Redfish OBMC Reboot (off)
    # LDAP login after the reboot is the check itself; no status is captured here.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Close the LDAP user's session and return to the default login.
    Redfish.Logout
    Redfish.Login
Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Documentation]  Map the LDAP group to the GROUP_PRIVILEGE role and check that
    ...  the LDAP user can reboot the BMC and log in again afterwards.
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot

    # NOTE(review): the role comes from ${GROUP_PRIVILEGE}; nothing here asserts
    # that it is "Administrator", and this test has no teardown of its own that
    # restores the role mapping.
    Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The reboot is requested after logging in as the LDAP user.
    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Close the LDAP user's session and return to the default login.
    Redfish.Logout
    Redfish.Login
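Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Map the LDAP group to the Operator role and check that the
    ...  LDAP user can force the host off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    # A test-level teardown replaces the suite's Test Teardown, so failure data
    # collection is listed here next to the role restore, as the read-privilege
    # tests in this suite do.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Operator  ${GROUP_NAME}

    # Read the role back from the section selected by ${LDAP_TYPE} rather than
    # a fixed "LDAP" key, so the check also holds when the suite runs against
    # ActiveDirectory.
    ${new_ldap_privilege}=  Get LDAP Privilege
    Should Be Equal  ${new_ldap_privilege}  Operator
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with operator privilege is able to power the system off.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[200]
    # Close the LDAP user's session and return to the default login.
    Redfish.Logout
    Redfish.Login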
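Verify AccountLockout Attributes Set To Zero
    [Documentation]  Set AccountLockoutDuration and AccountLockoutThreshold to 0.
    ...  The previous AccountService properties are saved at test scope for
    ...  Restore AccountLockout Attributes, which runs in the teardown.
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero
    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
    ...  FFDC On Test Case Fail

    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    # A plain assignment is local to this test body and is not visible inside
    # the teardown keyword, which would then see only the empty suite default.
    # Publish the saved properties at test scope so the restore can read them.
    Set Test Variable  ${old_account_service}
    Rprint Vars  old_account_service  fmt=terse
    # In Redfish a threshold of 0 means accounts are never locked, so a BMC left
    # in this state has no lockout protection against repeated failed logins.
    # That is why the teardown must write the saved values back.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]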
Verify LDAP User With Read Privilege Able To Check Inventory
    [Documentation]  For each read-only role, check that the LDAP user can read
    ...  the firmware inventory.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Template]  Set Read Privilege And Check Firmware Inventory
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege

    # One template run per role.
    User
    Callback
Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Documentation]  For each read-only role, check that the LDAP user is refused
    ...  when requesting a host power on.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Template]  Set Read Privilege And Check Poweron
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege

    # One template run per role; the template asserts the request is rejected.
    User
    Callback
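*** Keywords ***

Restore AccountLockout Attributes
    [Documentation]  Write the saved AccountLockoutDuration and
    ...  AccountLockoutThreshold values back to AccountService. Does nothing
    ...  when no values were saved.

    # The $name form hands the dictionary object itself to the expression, so
    # "not" is true exactly when nothing was saved.
    Return From Keyword If  not $old_account_service
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    # The threshold goes back to its own attribute. Writing it to
    # AccountLockoutDuration would leave the threshold at the test's value and
    # overwrite the duration that was just restored.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]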
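Suite Setup Execution
    [Documentation]  Validate the required suite parameters, log in, confirm
    ...  that an LDAP configuration exists and save the current LDAP role for
    ...  Restore LDAP Privilege.

    Rvalid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Rvalid Value  LDAP_USER
    Rvalid Value  LDAP_USER_PASSWORD
    Rvalid Value  GROUP_PRIVILEGE
    Rvalid Value  GROUP_NAME
    Redfish.Login
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    ${old_ldap_privilege}=  Get LDAP Privilege
    # The assignment above is local to this keyword. Without publishing it at
    # suite scope, Restore LDAP Privilege keeps seeing the empty default and
    # returns early, leaving the group mapped to whatever role the last test set.
    Set Suite Variable  ${old_ldap_privilege}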
Set Read Privilege And Check Firmware Inventory
    [Documentation]  Map the LDAP group to the given read-only role, then check
    ...  that the LDAP user can list the firmware inventory.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  ${read_privilege}  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The collection must report at least one member, and the reported count
    # must match the number of members actually returned.
    ${inventory}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
    ${member_count}=  Set Variable  ${inventory.dict["Members@odata.count"]}
    Should Be True  ${member_count} >= ${1}
    Length Should Be  ${inventory.dict["Members"]}  ${member_count}
    # Close the LDAP user's session and return to the default login.
    Redfish.Logout
    Redfish.Login
Set Read Privilege And Check Poweron
    [Documentation]  Map the LDAP group to the given read-only role, then check
    ...  that a host power-on request from the LDAP user is rejected.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Negative authorization check: only 401 or 403 is an accepted response.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}   valid_status_codes=[401, 403]
    # Close the LDAP user's session and return to the default login.
    Redfish.Logout
    Redfish.Login
Get LDAP Configuration
    [Documentation]  Return the AccountService section for the given LDAP type.
    [Arguments]   ${ldap_type}

    # Description of argument(s):
    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").

    # The lookup below fails if AccountService has no entry for ldap_type.
    ${account_service}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    [Return]  ${account_service["${ldap_type}"]}
Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  Patch AccountService so that the given remote group is mapped
    ...  to the given local role for the given LDAP type.
    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege  The group privilege ("Administrator", "Operator", "User" or "Callback").
    # group_name       The group name of user.

    # Build {<ldap_type>: {"RemoteRoleMapping": [{"LocalRole": ..., "RemoteGroup": ...}]}}.
    # The patched list carries this single mapping entry only.
    ${role_mapping_entry}=  Create Dictionary
    ...  LocalRole=${group_privilege}  RemoteGroup=${group_name}
    ${role_mappings}=  Create List  ${role_mapping_entry}
    ${type_settings}=  Create Dictionary  RemoteRoleMapping=${role_mappings}
    ${patch_body}=  Create Dictionary  ${ldap_type}=${type_settings}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{patch_body}
    # Provide adequate time for LDAP daemon to restart after the update.
    Sleep  10s
Get LDAP Privilege
    [Documentation]  Return the local role of the first remote role mapping
    ...  configured for the suite's LDAP type.

    ${ldap_section}=  Get LDAP Configuration  ${LDAP_TYPE}
    # Only entry 0 is read; any further mappings are not looked at.
    ${first_mapping}=  Set Variable  ${ldap_section["RemoteRoleMapping"][0]}
    [Return]  ${first_mapping["LocalRole"]}
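Restore LDAP Privilege
    [Documentation]  Restore the LDAP privilege to its original value. Does
    ...  nothing when no original value was saved.

    Return From Keyword If  '${old_ldap_privilege}' == '${EMPTY}'
    # Log back in to restore the original privilege. A test that fails midway
    # can leave the LDAP user's session active, and with a read-only role the
    # PATCH below would be refused and the altered role mapping would stay in
    # place. The logout is best-effort because there may be no usable session.
    Run Keyword And Ignore Error  Redfish.Logout
    Redfish.Login
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${old_ldap_privilege}  ${GROUP_NAME}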