*** Settings ***
Documentation    Test Redfish LDAP user configuration.

Library          ../../lib/gen_robot_valid.py
Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot

Suite Setup      Suite Setup Execution
Suite Teardown   Run Keywords  Restore LDAP Privilege  AND  Redfish.Logout
Test Teardown    FFDC On Test Case Fail

Force Tags       LDAP_Test

*** Variables ***
${old_ldap_privilege}   ${EMPTY}
&{old_account_service}  &{EMPTY}

*** Test Cases ***

Verify LDAP Configuration Exist
    [Documentation]  Verify LDAP configuration is available.
    [Tags]  Verify_LDAP_Configuration_Exist

    ${resp}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
    ...  ${LDAP_TYPE}  default=${EMPTY}
    Should Not Be Empty  ${resp}  msg=LDAP configuration is not defined.


Verify LDAP User Login
    [Documentation]  Verify LDAP user is able to log in to the BMC.
    [Tags]  Verify_LDAP_User_Login

    ${resp}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${resp}  ${True}  msg=LDAP user is not able to login.
    Redfish.Logout
    Redfish.Login


Verify LDAP Service Available
    [Documentation]  Verify LDAP service is available.
    [Tags]  Verify_LDAP_Service_Available

    @{ldap_configuration}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Contain  ${ldap_configuration}  LDAPService
    ...  msg=LDAPService is not available.


Verify LDAP Login Works After BMC Reboot
    [Documentation]  Verify LDAP login works after BMC reboot.
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot

    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Documentation]  Verify LDAP user with administrator privilege able to do BMC reboot.
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # With LDAP user and with right privilege trying to do BMC reboot.
    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Verify LDAP user with operator privilege can do host power off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    [Teardown]  Restore LDAP Privilege

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Operator  ${GROUP_NAME}

    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    ${new_ldap_privilege}=  Set Variable
    ...  ${ldap_config["LDAP"]["RemoteRoleMapping"][0]["LocalRole"]}
    Should Be Equal  ${new_ldap_privilege}  Operator
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with operator privilege is able to power the system off.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}  valid_status_codes=[200]
    Redfish.Logout
    Redfish.Login


Verify AccountLockout Attributes Set To Zero
    [Documentation]  Verify attribute AccountLockoutDuration and
    ...  AccountLockoutThreshold are set to 0.
    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
    ...  FFDC On Test Case Fail
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero

    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    # Promote the saved settings to test scope so that the teardown keyword
    # 'Restore AccountLockout Attributes' can see them.
    Set Test Variable  ${old_account_service}
    Rprint Vars  old_account_service  fmt=terse
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]


Verify LDAP User With Read Privilege Able To Check Inventory
    [Documentation]  Verify LDAP user with read privilege able to
    ...  read firmware inventory.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Firmware Inventory

    User
    Callback


Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Documentation]  Verify LDAP user with read privilege should not be
    ...  allowed to power on the host.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Poweron

    User
    Callback


*** Keywords ***

Restore AccountLockout Attributes
    [Documentation]  Restore AccountLockout Attributes.

    Return From Keyword If  &{old_account_service} == &{EMPTY}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    # Restore the threshold under its own attribute name.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]


Suite Setup Execution
    [Documentation]  Do suite setup tasks.

    Rvalid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Rvalid Value  LDAP_USER
    Rvalid Value  LDAP_USER_PASSWORD
    Rvalid Value  GROUP_PRIVILEGE
    Rvalid Value  GROUP_NAME
    Redfish.Login
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    ${old_ldap_privilege}=  Get LDAP Privilege
    # Promote the saved privilege to suite scope so that
    # 'Restore LDAP Privilege' can see it.
    Set Suite Variable  ${old_ldap_privilege}


Set Read Privilege And Check Firmware Inventory
    [Documentation]  Set read privilege and check firmware inventory.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with read privilege is able to read inventory.
    ${resp}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
    Should Be True  ${resp.dict["Members@odata.count"]} >= ${1}
    Length Should Be  ${resp.dict["Members"]}  ${resp.dict["Members@odata.count"]}
    Redfish.Logout
    Redfish.Login


Set Read Privilege And Check Poweron
    [Documentation]  Set read privilege and power on should not be possible.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # A read-only role must be refused: only 401 or 403 is accepted here.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}  valid_status_codes=[401, 403]
    Redfish.Logout
    Redfish.Login


Get LDAP Configuration
    [Documentation]  Retrieve LDAP Configuration.
    [Arguments]  ${ldap_type}

    # Description of argument(s):
    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").

    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    [Return]  ${ldap_config["${ldap_type}"]}


Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  Update LDAP configuration with LDAP user role and group.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege  The group privilege ("Administrator", "Operator", "User" or "Callback").
    # group_name       The group name of user.

    ${local_role_remote_group}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
    ${remote_role_mapping}=  Create List  ${local_role_remote_group}
    ${ldap_data}=  Create Dictionary  RemoteRoleMapping=${remote_role_mapping}
    ${payload}=  Create Dictionary  ${ldap_type}=${ldap_data}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
    # Provide adequate time for LDAP daemon to restart after the update.
    Sleep  10s


Get LDAP Privilege
    [Documentation]  Get LDAP privilege and return it.

    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    [Return]  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}


Restore LDAP Privilege
    [Documentation]  Restore the LDAP privilege to its original value.

    Return From Keyword If  '${old_ldap_privilege}' == '${EMPTY}'
    # Log back in to restore the original privilege.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${old_ldap_privilege}  ${GROUP_NAME}