1*** Settings *** 2Documentation Test Redfish LDAP user configuration. 3 4Library ../../lib/gen_robot_valid.py 5Resource ../../lib/bmc_redfish_resource.robot 6Resource ../../lib/utils.robot 7Resource ../../lib/openbmc_ffdc.robot 8Resource ../../lib/bmc_network_utils.robot 9Resource ../../lib/bmc_ldap_utils.robot 10 11Suite Setup Suite Setup Execution 12Suite Teardown LDAP Suite Teardown Execution 13Test Teardown Run Keywords Redfish.Login AND FFDC On Test Case Fail 14Force Tags LDAP_Test 15 16*** Variables *** 17${old_ldap_privilege} Administrator 18&{old_account_service} &{EMPTY} 19&{old_ldap_config} &{EMPTY} 20${hostname} ${EMPTY} 21${test_ip} 10.6.6.6 22${test_mask} 255.255.255.0 23 24** Test Cases ** 25 26Verify LDAP Configuration Created 27 [Documentation] Verify that LDAP configuration created. 28 [Tags] Verify_LDAP_Configuration_Created 29 30 Create LDAP Configuration 31 # Call 'Get LDAP Configuration' to verify that LDAP configuration exists. 32 Get LDAP Configuration ${LDAP_TYPE} 33 Sleep 10s 34 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 35 Redfish.Logout 36 37 38Verify Redfish LDAP Service Disable 39 [Documentation] Verify that LDAP is disabled and that LDAP user cannot 40 ... login. 41 [Tags] Verify_Redfish_LDAP_Service_Disable 42 43 Redfish.Patch ${REDFISH_BASE_URI}AccountService 44 ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}} 45 Sleep 15s 46 ${resp}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} 47 ... ${LDAP_USER_PASSWORD} 48 Should Be Equal ${resp} ${False} 49 ... msg=LDAP user was able to login even though the LDAP service was disabled. 50 Redfish.Logout 51 Redfish.Login 52 # Enabling LDAP so that LDAP user works. 53 Redfish.Patch ${REDFISH_BASE_URI}AccountService 54 ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}} 55 Redfish.Logout 56 57 58Verify LDAP Login With ServiceEnabled 59 [Documentation] Verify that LDAP Login with ServiceEnabled. 60 [Tags] Verify_LDAP_Login_With_ServiceEnabled 61 62 Disable Other LDAP 63 # Actual service enablement. 64 Redfish.Patch ${REDFISH_BASE_URI}AccountService 65 ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}} 66 Sleep 15s 67 # After update, LDAP login. 68 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 69 Redfish.Logout 70 71 72Verify LDAP Login With Correct AuthenticationType 73 [Documentation] Verify that LDAP Login with right AuthenticationType. 74 [Tags] Verify_LDAP_Login_With_Correct_AuthenticationType 75 76 Redfish.Patch ${REDFISH_BASE_URI}AccountService 77 ... body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}} 78 Sleep 15s 79 # After update, LDAP login. 80 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 81 Redfish.Logout 82 83 84Verify LDAP Config Update With Incorrect AuthenticationType 85 [Documentation] Verify that invalid AuthenticationType is not updated. 86 [Tags] Verify_LDAP_Config_Update_With_Incorrect_AuthenticationType 87 88 ${body}= Catenate {'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}} 89 90 Redfish.Patch ${REDFISH_BASE_URI}AccountService 91 ... body=${body} valid_status_codes=[400] 92 93 94Verify LDAP Login With Correct LDAP URL 95 [Documentation] Verify LDAP Login with right LDAP URL. 96 [Tags] Verify_LDAP_Login_With_Correct_LDAP_URL 97 98 Config LDAP URL ${LDAP_SERVER_URI} 99 100 101Verify LDAP Config Update With Incorrect LDAP URL 102 [Documentation] Verify that LDAP Login fails with invalid LDAP URL. 103 [Tags] Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL 104 [Teardown] Run Keywords Restore LDAP URL AND 105 ... FFDC On Test Case Fail 106 107 Config LDAP URL ldap://1.2.3.4/ ${FALSE} 108 109Verify LDAP Configuration Exist 110 [Documentation] Verify that LDAP configuration is available. 111 [Tags] Verify_LDAP_Configuration_Exist 112 113 ${resp}= Redfish.Get Attribute ${REDFISH_BASE_URI}AccountService 114 ... ${LDAP_TYPE} default=${EMPTY} 115 Should Not Be Empty ${resp} msg=LDAP configuration is not defined. 116 117 118Verify LDAP User Login 119 [Documentation] Verify that LDAP user able to login into BMC. 120 [Tags] Verify_LDAP_User_Login 121 122 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 123 Redfish.Logout 124 125 126Verify LDAP Service Available 127 [Documentation] Verify that LDAP service is available. 128 [Tags] Verify_LDAP_Service_Available 129 130 @{ldap_configuration}= Get LDAP Configuration ${LDAP_TYPE} 131 Should Contain ${ldap_configuration} LDAPService 132 ... msg=LDAPService is not available. 133 134 135Verify LDAP Login Works After BMC Reboot 136 [Documentation] Verify that LDAP login works after BMC reboot. 137 [Tags] Verify_LDAP_Login_Works_After_BMC_Reboot 138 139 Redfish OBMC Reboot (off) 140 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 141 Redfish.Logout 142 143 144Verify LDAP User With Admin Privilege Able To Do BMC Reboot 145 [Documentation] Verify that LDAP user with administrator privilege able to do BMC reboot. 146 [Tags] Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot 147 148 149 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 150 ... ${GROUP_PRIVILEGE} ${GROUP_NAME} 151 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 152 # With LDAP user and with right privilege trying to do BMC reboot. 153 Redfish OBMC Reboot (off) 154 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 155 Redfish.Logout 156 157 158Verify LDAP User With Operator Privilege Able To Do Host Poweroff 159 [Documentation] Verify that LDAP user with operator privilege can do host 160 ... power off. 161 [Tags] Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff 162 [Teardown] Restore LDAP Privilege 163 164 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 165 ... Operator ${GROUP_NAME} 166 167 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 168 # Verify that the LDAP user with operator privilege is able to power the system off. 169 Redfish.Post ${REDFISH_POWER_URI} 170 ... body={'ResetType': 'ForceOff'} valid_status_codes=[200] 171 Redfish.Logout 172 Redfish.Login 173 174 175Verify AccountLockout Attributes Set To Zero By LDAP User 176 [Documentation] Verify that attribute AccountLockoutDuration and 177 ... AccountLockoutThreshold are set to 0 by LDAP user. 178 [Teardown] Run Keywords Restore AccountLockout Attributes AND 179 ... FFDC On Test Case Fail 180 [Tags] Verify_AccountLockout_Attributes_Set_To_Zero_By_LDAP_User 181 182 ${old_account_service}= Redfish.Get Properties 183 ... ${REDFISH_BASE_URI}AccountService 184 Rprint Vars old_account_service 185 186 # Create LDAP user and create session using LDAP user. 187 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 188 ... Administrator ${GROUP_NAME} 189 190 # Clear existing Redfish sessions. 191 Redfish.Logout 192 193 # Login using LDAP user. 194 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 195 196 # Set Account Lockout attributes using LDAP user. 197 Redfish.Patch ${REDFISH_BASE_URI}AccountService 198 ... body=[('AccountLockoutDuration', 0)] 199 Redfish.Patch ${REDFISH_BASE_URI}AccountService 200 ... body=[('AccountLockoutThreshold', 0)] 201 202 203Verify LDAP User With Read Privilege Able To Check Inventory 204 [Documentation] Verify that LDAP user with read privilege able to 205 ... read firmware inventory. 206 [Tags] Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory 207 [Teardown] Run Keywords FFDC On Test Case Fail AND Restore LDAP Privilege 208 [Template] Set Read Privilege And Check Firmware Inventory 209 210 ReadOnly 211 212 213Verify LDAP User With Read Privilege Should Not Do Host Poweron 214 [Documentation] Verify that LDAP user with read privilege should not be 215 ... allowed to power on the host. 216 [Tags] Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron 217 [Teardown] Run Keywords FFDC On Test Case Fail AND Restore LDAP Privilege 218 [Template] Set Read Privilege And Check Poweron 219 220 ReadOnly 221 222 223Update LDAP Group Name And Verify Operations 224 [Documentation] Verify that LDAP group name update and able to do right 225 ... operations. 226 [Tags] Update_LDAP_Group_Name_And_Verify_Operations 227 [Template] Update LDAP Config And Verify Set Host Name 228 [Teardown] Restore LDAP Privilege 229 230 # group_name group_privilege valid_status_codes 231 ${GROUP_NAME} Administrator [${HTTP_OK}, ${HTTP_NO_CONTENT}] 232 ${GROUP_NAME} Operator [${HTTP_OK}, ${HTTP_NO_CONTENT}] 233 ${GROUP_NAME} ReadOnly [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 234 ${GROUP_NAME} NoAccess [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 235 Invalid_LDAP_Group_Name Administrator [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 236 Invalid_LDAP_Group_Name Operator [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 237 Invalid_LDAP_Group_Name ReadOnly [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 238 Invalid_LDAP_Group_Name NoAccess [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 239 240 241Verify LDAP BaseDN Update And LDAP Login 242 [Documentation] Update LDAP BaseDN of LDAP configuration and verify 243 ... that LDAP login works. 244 [Tags] Verify_LDAP_BaseDN_Update_And_LDAP_Login 245 246 247 ${body}= Catenate {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings': 248 ... {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}} 249 Redfish.Patch ${REDFISH_BASE_URI}AccountService body=${body} 250 Sleep 15s 251 Redfish Verify LDAP Login 252 253 254Verify LDAP BindDN Update And LDAP Login 255 [Documentation] Update LDAP BindDN of LDAP configuration and verify 256 ... that LDAP login works. 257 [Tags] Verify_LDAP_BindDN_Update_And_LDAP_Login 258 259 ${body}= Catenate {'${LDAP_TYPE}': { 'Authentication': 260 ... {'AuthenticationType':'UsernameAndPassword', 'Username': 261 ... '${LDAP_BIND_DN}'}}} 262 Redfish.Patch ${REDFISH_BASE_URI}AccountService body=${body} 263 Sleep 15s 264 Redfish Verify LDAP Login 265 266 267Verify LDAP BindDN Password Update And LDAP Login 268 [Documentation] Update LDAP BindDN password of LDAP configuration and 269 ... verify that LDAP login works. 270 [Tags] Verify_LDAP_BindDN_Password_Update_And_LDAP_Login 271 272 273 ${body}= Catenate {'${LDAP_TYPE}': { 'Authentication': 274 ... {'AuthenticationType':'UsernameAndPassword', 'Password': 275 ... '${LDAP_BIND_DN_PASSWORD}'}}} 276 Redfish.Patch ${REDFISH_BASE_URI}AccountService body=${body} 277 Sleep 15s 278 Redfish Verify LDAP Login 279 280 281Verify LDAP Type Update And LDAP Login 282 [Documentation] Update LDAP type of LDAP configuration and verify 283 ... that LDAP login works. 284 [Tags] Verify_LDAP_Type_Update_And_LDAP_Login 285 286 Disable Other LDAP 287 Redfish.Patch ${REDFISH_BASE_URI}AccountService 288 ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}} 289 Sleep 15s 290 Redfish Verify LDAP Login 291 292 293Verify LDAP Authorization With Null Privilege 294 [Documentation] Verify the failure of LDAP authorization with empty 295 ... privilege. 296 [Tags] Verify_LDAP_Authorization_With_Null_Privilege 297 [Teardown] Restore LDAP Privilege 298 299 Update LDAP Config And Verify Set Host Name ${GROUP_NAME} ${EMPTY} 300 ... [${HTTP_FORBIDDEN}] 301 302 303Verify LDAP Authorization With Invalid Privilege 304 [Documentation] Verify that LDAP user authorization with wrong privilege 305 ... fails. 306 [Tags] Verify_LDAP_Authorization_With_Invalid_Privilege 307 [Teardown] Restore LDAP Privilege 308 309 Update LDAP Config And Verify Set Host Name ${GROUP_NAME} 310 ... Invalid_Privilege [${HTTP_FORBIDDEN}] 311 312 313Verify LDAP Login With Invalid Data 314 [Documentation] Verify that LDAP login with Invalid LDAP data and 315 ... right LDAP user fails. 316 [Tags] Verify_LDAP_Login_With_Invalid_Data 317 [Teardown] Run Keywords FFDC On Test Case Fail AND 318 ... Redfish.Login AND 319 ... Create LDAP Configuration 320 321 Create LDAP Configuration ${LDAP_TYPE} Invalid_LDAP_Server_URI 322 ... Invalid_LDAP_BIND_DN LDAP_BIND_DN_PASSWORD 323 ... Invalid_LDAP_BASE_DN 324 Sleep 15s 325 Redfish Verify LDAP Login ${False} 326 327 328Verify LDAP Config Creation Without BASE DN 329 [Documentation] Verify that LDAP login with LDAP configuration 330 ... created without BASE_DN fails. 331 [Tags] Verify_LDAP_Config_Creation_Without_BASE_DN 332 [Teardown] Run Keywords FFDC On Test Case Fail AND 333 ... Redfish.Login AND 334 ... Create LDAP Configuration 335 336 Create LDAP Configuration ${LDAP_TYPE} Invalid_LDAP_Server_URI 337 ... Invalid_LDAP_BIND_DN LDAP_BIND_DN_PASSWORD ${EMPTY} 338 Sleep 15s 339 Redfish Verify LDAP Login ${False} 340 341 342Verify LDAP Authentication Without Password 343 [Documentation] Verify that LDAP user authentication without LDAP 344 ... user password fails. 345 [Tags] Verify_LDAP_Authentication_Without_Password 346 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 347 348 ${status}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} 349 Valid Value status [${False}] 350 351 352Verify LDAP Login With Invalid BASE DN 353 [Documentation] Verify that LDAP login with invalid BASE_DN and 354 ... valid LDAP user fails. 355 [Tags] Verify_LDAP_Login_With_Invalid_BASE_DN 356 [Teardown] Run Keywords FFDC On Test Case Fail AND 357 ... Redfish.Login AND 358 ... Create LDAP Configuration 359 360 Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} 361 ... ${LDAP_BIND_DN} ${LDAP_BIND_DN_PASSWORD} Invalid_LDAP_BASE_DN 362 Sleep 15s 363 Redfish Verify LDAP Login ${False} 364 365 366Verify LDAP Login With Invalid BIND_DN_PASSWORD 367 [Documentation] Verify that LDAP login with invalid BIND_DN_PASSWORD and 368 ... valid LDAP user fails. 369 [Tags] Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD 370 [Teardown] Run Keywords FFDC On Test Case Fail AND 371 ... Redfish.Login AND 372 ... Create LDAP Configuration 373 374 Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} 375 ... ${LDAP_BIND_DN} INVALID_LDAP_BIND_DN_PASSWORD ${LDAP_BASE_DN} 376 Sleep 15s 377 Redfish Verify LDAP Login ${False} 378 379 380Verify LDAP Login With Invalid BASE DN And Invalid BIND DN 381 [Documentation] Verify that LDAP login with invalid BASE_DN and invalid 382 ... BIND_DN and valid LDAP user fails. 383 [Tags] Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN 384 [Teardown] Run Keywords FFDC On Test Case Fail AND 385 ... Redfish.Login AND 386 ... Create LDAP Configuration 387 388 Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} 389 ... INVALID_LDAP_BIND_DN ${LDAP_BIND_DN_PASSWORD} INVALID_LDAP_BASE_DN 390 Sleep 15s 391 Redfish Verify LDAP Login ${False} 392 393 394Verify Group Name And Group Privilege Able To Modify 395 [Documentation] Verify that LDAP group name and group privilege able to 396 ... modify. 397 [Tags] Verify_Group_Name_And_Group_Privilege_Able_To_Modify 398 [Setup] Update LDAP Configuration with LDAP User Role And Group 399 ... ${LDAP_TYPE} Operator ${GROUP_NAME} 400 401 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 402 ... Administrator ${GROUP_NAME} 403 404 405Verify LDAP Login With Invalid BIND DN 406 [Documentation] Verify that LDAP login with invalid BIND_DN and 407 ... valid LDAP user fails. 408 [Tags] Verify_LDAP_Login_With_Invalid_BIND_DN 409 [Teardown] Run Keywords FFDC On Test Case Fail AND 410 ... Redfish.Login AND 411 ... Create LDAP Configuration 412 413 Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} 414 ... Invalid_LDAP_BIND_DN ${LDAP_BIND_DN_PASSWORD} ${LDAP_BASE_DN} 415 Sleep 15s 416 Redfish Verify LDAP Login ${False} 417 418 419Verify LDAP Authentication With Invalid LDAP User 420 [Documentation] Verify that LDAP user authentication for user not exist 421 ... in LDAP server and fails. 422 [Tags] Verify_LDAP_Authentication_With_Invalid_LDAP_User 423 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 424 425 ${status}= Run Keyword And Return Status Redfish.Login INVALID_LDAP_USER 426 ... ${LDAP_USER_PASSWORD} 427 Valid Value status [${False}] 428 429 430Update LDAP User Roles And Verify Host Poweroff Operation 431 [Documentation] Update LDAP user roles and verify host poweroff operation. 432 [Tags] Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation 433 [Teardown] Restore LDAP Privilege 434 435 [Template] Update LDAP User Role And Host Poweroff 436 # ldap_type group_privilege group_name valid_status_codes 437 438 # Verify LDAP user with NoAccess privilege not able to do host poweroff. 439 ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} 440 441 # Verify LDAP user with ReadOnly privilege not able to do host poweroff. 442 ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} 443 444 # Verify LDAP user with Operator privilege able to do host poweroff. 445 ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_OK} 446 447 # Verify LDAP user with Administrator privilege able to do host poweroff. 448 ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} 449 450 451Update LDAP User Roles And Verify Host Poweron Operation 452 [Documentation] Update LDAP user roles and verify host poweron operation. 453 [Tags] Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation 454 [Teardown] Restore LDAP Privilege 455 456 [Template] Update LDAP User Role And Host Poweron 457 # ldap_type group_privilege group_name valid_status_codes 458 459 # Verify LDAP user with NoAccess privilege not able to do host poweron. 460 ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} 461 462 # Verify LDAP user with ReadOnly privilege not able to do host poweron. 463 ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} 464 465 # Verify LDAP user with Operator privilege able to do host poweron. 466 ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_OK} 467 468 # Verify LDAP user with Administrator privilege able to do host poweron. 469 ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} 470 471 472Configure IP Address Via Different User Roles And Verify 473 [Documentation] Configure IP address via different user roles and verify. 474 [Tags] Configure_IP_Address_Via_Different_User_Roles_And_Verify 475 [Teardown] Restore LDAP Privilege 476 477 [Template] Update LDAP User Role And Configure IP Address 478 # Verify LDAP user with Administrator privilege is able to configure IP address. 479 ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} 480 481 # Verify LDAP user with ReadOnly privilege is forbidden to configure IP address. 482 ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} 483 484 # Verify LDAP user with NoAccess privilege is forbidden to configure IP address. 485 ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} 486 487 # Verify LDAP user with Operator privilege is able to configure IP address. 488 ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_FORBIDDEN} 489 490 491Delete IP Address Via Different User Roles And Verify 492 [Documentation] Delete IP address via different user roles and verify. 493 [Tags] Delete_IP_Address_Via_Different_User_Roles_And_Verify 494 [Teardown] Run Keywords Restore LDAP Privilege AND FFDC On Test Case Fail 495 496 [Template] Update LDAP User Role And Delete IP Address 497 # Verify LDAP user with Administrator privilege is able to delete IP address. 498 ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} 499 500 # Verify LDAP user with ReadOnly privilege is forbidden to delete IP address. 501 ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} 502 503 # Verify LDAP user with NoAccess privilege is forbidden to delete IP address. 504 ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} 505 506 # Verify LDAP user with Operator privilege is able to delete IP address. 507 ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_FORBIDDEN} 508 509 510Read Network Configuration Via Different User Roles And Verify 511 [Documentation] Read network configuration via different user roles and verify. 512 [Tags] Read_Network_Configuration_Via_Different_User_Roles_And_Verify 513 [Teardown] Restore LDAP Privilege 514 515 [Template] Update LDAP User Role And Read Network Configuration 516 ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} 517 518 ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_OK} 519 520 ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} 521 522 ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_OK} 523 524Switch LDAP Type And Verify Login Fails 525 [Documentation] Switch LDAP type and verify login fails. 526 [Tags] Switch_LDAP_Type_And_Verify_Login_Fails 527 528 # Check Login with LDAP Type is working 529 Create LDAP Configuration 530 Redfish Verify LDAP Login 531 532 # Disable the LDAP Type from OpenLDAP to ActiveDirectory or vice-versa 533 Redfish.Patch ${REDFISH_BASE_URI}AccountService 534 ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}} 535 536 # Enable the inverse LDAP type 537 Disable Other LDAP ${True} 538 Create LDAP Configuration ${LDAP_TYPE_1} ${LDAP_SERVER_URI_1} ${LDAP_BIND_DN_1} ${LDAP_BIND_DN_PASSWORD_1} ${LDAP_BASE_DN_1} 539 Redfish.Logout 540 Sleep 10s 541 542 # Check if Login works via Inverse LDAP 543 Redfish.Login ${LDAP_USER_1} ${LDAP_USER_PASSWORD_1} 544 Redfish.Logout 545 Sleep 10s 546 547 # Login using LDAP type must fail 548 Redfish Verify LDAP Login ${False} 549 Redfish.Logout 550 551*** Keywords *** 552 553Redfish Verify LDAP Login 554 [Documentation] LDAP user log into BMC. 555 [Arguments] ${valid_status}=${True} 556 557 # Description of argument(s): 558 # valid_status Expected status of LDAP login ("True" or "False"). 559 560 # According to our repo coding rules, Redfish.Login is to be done in Suite 561 # Setup and Redfish.Logout is to be done in Suite Teardown. For any 562 # deviation from this rule (such as in this keyword), the deviant code 563 # must take steps to restore us to our original logged-in state. 564 565 ${status}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} 566 ... ${LDAP_USER_PASSWORD} 567 Valid Value status [${valid_status}] 568 Redfish.Logout 569 Redfish.Login 570 571 572Update LDAP Config And Verify Set Host Name 573 [Documentation] Update LDAP config and verify by attempting to set host name. 574 [Arguments] ${group_name} ${group_privilege}=Administrator 575 ... ${valid_status_codes}=[${HTTP_OK}] 576 [Teardown] Run Keyword If '${group_privilege}'=='NoAccess' Redfish.Login 577 ... ELSE Run Keywords Redfish.Logout AND Redfish.Login 578 579 # Description of argument(s): 580 # group_name The group name of user. 581 # group_privilege The group privilege ("Administrator", 582 # "Operator", "User" or "Callback"). 583 # valid_status_codes Expected return code(s) from patch 584 # operation (e.g. "200") used to update 585 # HostName. See prolog of rest_request 586 # method in redfish_plus.py for details. 587 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 588 ... ${group_privilege} ${group_name} 589 590 Run Keyword If '${group_privilege}'=='NoAccess' 591 ... Run Keyword And Return Verify Redfish Login for LDAP Userrole NoAccess 592 593 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 594 # Verify that the LDAP user in ${group_name} with the given privilege is 595 # allowed to change the hostname. 596 Redfish.Patch ${REDFISH_NW_ETH0_URI} body={'HostName': '${hostname}'} 597 ... valid_status_codes=${valid_status_codes} 598 599Verify Redfish Login for LDAP Userrole NoAccess 600 [Documentation] Verify Redfish login should not be able to login for LDAP Userrole NoAccess. 601 602 ${status}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 603 Valid Value status [${False}] 604 605Disable Other LDAP 606 [Documentation] Disable other LDAP configuration. 607 [Arguments] ${service_state}=${False} 608 609 # First disable other LDAP. 610 ${inverse_ldap_type}= Set Variable If '${LDAP_TYPE}' == 'LDAP' ActiveDirectory LDAP 611 Redfish.Patch ${REDFISH_BASE_URI}AccountService 612 ... body={'${inverse_ldap_type}': {'ServiceEnabled': ${service_state}}} 613 Sleep 15s 614 615 616Config LDAP URL 617 [Documentation] Config LDAP URL. 618 [Arguments] ${ldap_server_uri}=${LDAP_SERVER_URI} ${expected_status}=${TRUE} 619 620 # Description of argument(s): 621 # ldap_server_uri LDAP server uri (e.g. "ldap://XX.XX.XX.XX/"). 622 623 Redfish.Patch ${REDFISH_BASE_URI}AccountService 624 ... body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}} 625 Sleep 15s 626 # After update, LDAP login. 627 ${status}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 628 Valid Value status [${expected_status}] 629 630 Redfish.Logout 631 Redfish.Login 632 633 634Restore LDAP URL 635 [Documentation] Restore LDAP URL. 636 637 # Restoring the working LDAP server uri. 638 Redfish.Patch ${REDFISH_BASE_URI}AccountService 639 ... body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}} 640 Sleep 15s 641 642 643Restore AccountLockout Attributes 644 [Documentation] Restore AccountLockout Attributes. 645 646 Return From Keyword If &{old_account_service} == &{EMPTY} 647 Redfish.Patch ${REDFISH_BASE_URI}AccountService 648 ... body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})] 649 Redfish.Patch ${REDFISH_BASE_URI}AccountService 650 ... body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutThreshold']})] 651 652 653Suite Setup Execution 654 [Documentation] Do suite setup tasks. 655 656 Valid Value LDAP_TYPE valid_values=["ActiveDirectory", "LDAP"] 657 Valid Value LDAP_USER 658 Valid Value LDAP_USER_PASSWORD 659 Valid Value GROUP_PRIVILEGE 660 Valid Value GROUP_NAME 661 Valid Value LDAP_SERVER_URI 662 Valid Value LDAP_BIND_DN_PASSWORD 663 Valid Value LDAP_BIND_DN 664 Valid Value LDAP_BASE_DN 665 666 Redfish.Login 667 # Call 'Get LDAP Configuration' to verify that LDAP configuration exists. 668 Get LDAP Configuration ${LDAP_TYPE} 669 Set Suite Variable ${old_ldap_privilege} 670 Disable Other LDAP 671 Create LDAP Configuration 672 ${hostname}= Redfish.Get Attribute ${REDFISH_NW_PROTOCOL_URI} HostName 673 674 675LDAP Suite Teardown Execution 676 [Documentation] Restore ldap configuration, delete unused redfish session. 677 678 Restore LDAP Privilege 679 Redfish.Logout 680 Run Keyword And Ignore Error Delete All Redfish Sessions 681 682 683Set Read Privilege And Check Firmware Inventory 684 [Documentation] Set read privilege and check firmware inventory. 685 [Arguments] ${read_privilege} 686 687 # Description of argument(s): 688 # read_privilege The read privilege role (e.g. "User" / "Callback"). 689 690 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 691 ... ${read_privilege} ${GROUP_NAME} 692 693 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 694 # Verify that the LDAP user with read privilege is able to read inventory. 695 ${resp}= Redfish.Get /redfish/v1/UpdateService/FirmwareInventory 696 Should Be True ${resp.dict["Members@odata.count"]} >= ${1} 697 Length Should Be ${resp.dict["Members"]} ${resp.dict["Members@odata.count"]} 698 Redfish.Logout 699 Redfish.Login 700 701 702Set Read Privilege And Check Poweron 703 [Documentation] Set read privilege and power on should not be possible. 704 [Arguments] ${read_privilege} 705 706 # Description of argument(s): 707 # read_privilege The read privilege role (e.g. "User" / "Callback"). 708 709 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 710 ... ${read_privilege} ${GROUP_NAME} 711 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 712 Redfish.Post ${REDFISH_POWER_URI} 713 ... body={'ResetType': 'On'} valid_status_codes=[401, 403] 714 Redfish.Logout 715 Redfish.Login 716 717 718Get LDAP Configuration 719 [Documentation] Retrieve LDAP Configuration. 720 [Arguments] ${ldap_type} 721 722 # Description of argument(s): 723 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 724 725 ${ldap_config}= Redfish.Get Properties ${REDFISH_BASE_URI}AccountService 726 [Return] ${ldap_config["${ldap_type}"]} 727 728 729Update LDAP Configuration with LDAP User Role And Group 730 [Documentation] Update LDAP configuration update with LDAP user Role and group. 731 [Arguments] ${ldap_type} ${group_privilege} ${group_name} 732 733 # Description of argument(s): 734 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 735 # group_privilege The group privilege ("Administrator", "Operator", "User" or "Callback"). 736 # group_name The group name of user. 737 738 ${local_role_remote_group}= Create Dictionary LocalRole=${group_privilege} RemoteGroup=${group_name} 739 ${remote_role_mapping}= Create List ${local_role_remote_group} 740 ${ldap_data}= Create Dictionary RemoteRoleMapping=${remote_role_mapping} 741 ${payload}= Create Dictionary ${ldap_type}=${ldap_data} 742 Redfish.Patch ${REDFISH_BASE_URI}AccountService body=&{payload} 743 # Provide adequate time for LDAP daemon to restart after the update. 744 Sleep 15s 745 746 747Get LDAP Privilege 748 [Documentation] Get LDAP privilege and return it. 749 750 ${ldap_config}= Get LDAP Configuration ${LDAP_TYPE} 751 ${num_list_entries}= Get Length ${ldap_config["RemoteRoleMapping"]} 752 Return From Keyword If ${num_list_entries} == ${0} @{EMPTY} 753 754 [Return] ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]} 755 756 757Restore LDAP Privilege 758 [Documentation] Restore the LDAP privilege to its original value. 759 760 Redfish.Login 761 Return From Keyword If '${old_ldap_privilege}' == '${EMPTY}' or '${old_ldap_privilege}' == '[]' 762 # Log back in to restore the original privilege. 763 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 764 ... ${old_ldap_privilege} ${GROUP_NAME} 765 766 Sleep 18s 767 768Verify Host Power Status 769 [Documentation] Verify the Host power status and do host power on/off respectively. 770 [Arguments] ${expected_power_status} 771 772 # Description of argument(s): 773 # expected_power_status State of Host e.g. Off or On. 774 775 ${power_status}= Redfish.Get Attribute /redfish/v1/Chassis/${CHASSIS_ID} PowerState 776 Return From Keyword If '${power_status}' == '${expected_power_status}' 777 778 Run Keyword If '${power_status}' == 'Off' Redfish Power On 779 ... ELSE Redfish Power Off 780 781Update LDAP User Role And Host Poweroff 782 [Documentation] Update LDAP user role and do host poweroff. 783 [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code} 784 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 785 786 # Description of argument(s): 787 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 788 # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). 789 # group_name The group name of user. 790 # valid_status_code The expected valid status code. 791 792 # check Host state and do the power on/off if needed. 793 Verify Host Power Status On 794 795 Update LDAP Configuration with LDAP User Role And Group ${ldap_type} 796 ... ${group_privilege} ${group_name} 797 798 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 799 800 Redfish.Post ${REDFISH_POWER_URI} 801 ... body={'ResetType': 'ForceOff'} valid_status_codes=[${valid_status_code}] 802 803 Return From Keyword If ${valid_status_code} == ${HTTP_FORBIDDEN} 804 Wait Until Keyword Succeeds 1 min 10 sec Verify Host Power State Off 805 806 807Update LDAP User Role And Host Poweron 808 [Documentation] Update LDAP user role and do host poweron. 809 [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code} 810 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 811 812 # Description of argument(s): 813 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 814 # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). 815 # group_name The group name of user. 816 # valid_status_code The expected valid status code. 817 818 # check Host state and do the power on/off if needed. 819 Verify Host Power Status Off 820 821 Update LDAP Configuration with LDAP User Role And Group ${ldap_type} 822 ... ${group_privilege} ${group_name} 823 824 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 825 826 Redfish.Post ${REDFISH_POWER_URI} 827 ... body={'ResetType': 'On'} valid_status_codes=[${valid_status_code}] 828 829 Return From Keyword If ${valid_status_code} == ${HTTP_FORBIDDEN} 830 Verify Host Is Up 831 832 833Update LDAP User Role And Configure IP Address 834 [Documentation] Update LDAP user role and configure IP address. 835 [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code}=${HTTP_OK} 836 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login AND Delete IP Address ${test_ip} 837 838 # Description of argument(s): 839 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 840 # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). 841 # group_name The group name of user. 842 # valid_status_code The expected valid status code. 843 844 Update LDAP Configuration with LDAP User Role And Group ${ldap_type} 845 ... ${group_privilege} ${group_name} 846 847 Redfish.Logout 848 849 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 850 851 ${test_gateway}= Get BMC Default Gateway 852 853 Run Keyword If '${group_privilege}' == 'NoAccess' 854 ... Add IP Address With NoAccess User ${test_ip} ${test_mask} ${test_gateway} ${valid_status_code} 855 ... ELSE 856 ... Add IP Address ${test_ip} ${test_mask} ${test_gateway} ${valid_status_code} 857 858 859Update LDAP User Role And Delete IP Address 860 [Documentation] Update LDAP user role and delete IP address. 861 [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code}=${HTTP_OK} 862 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login AND Delete IP Address ${test_ip} 863 864 # Description of argument(s): 865 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 866 # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). 867 # group_name The group name of user. 868 # valid_status_code The expected valid status code. 869 870 ${test_gateway}= Get BMC Default Gateway 871 872 # Configure IP address before deleting via LDAP user roles. 873 Add IP Address ${test_ip} ${test_mask} ${test_gateway} 874 875 Update LDAP Configuration with LDAP User Role And Group ${ldap_type} 876 ... ${group_privilege} ${group_name} 877 878 Redfish.Logout 879 880 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 881 882 Run Keyword If '${group_privilege}' == 'NoAccess' 883 ... Delete IP Address With NoAccess User ${test_ip} ${valid_status_code} 884 ... ELSE 885 ... Delete IP Address ${test_ip} ${valid_status_code} 886 887 888Update LDAP User Role And Read Network Configuration 889 [Documentation] Update LDAP user role and read network configuration. 890 [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code}=${HTTP_OK} 891 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 892 893 # Description of argument(s): 894 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 895 # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). 896 # group_name The group name of user. 897 # valid_status_code The expected valid status code. 898 899 Update LDAP Configuration with LDAP User Role And Group ${ldap_type} 900 ... ${group_privilege} ${group_name} 901 902 Redfish.Logout 903 904 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 905 Redfish.Get ${REDFISH_NW_ETH0_URI} valid_status_codes=[${valid_status_code}] 906 907 908Add IP Address With NoAccess User 909 [Documentation] Add IP Address To BMC. 910 [Arguments] ${ip} ${subnet_mask} ${gateway} 911 ... ${valid_status_codes}=${HTTP_OK} 912 913 # Description of argument(s): 914 # ip IP address to be added (e.g. "10.7.7.7"). 915 # subnet_mask Subnet mask for the IP to be added 916 # (e.g. "255.255.0.0"). 917 # gateway Gateway for the IP to be added (e.g. "10.7.7.1"). 918 # valid_status_codes Expected return code from patch operation 919 # (e.g. "200"). See prolog of rest_request 920 # method in redfish_plus.py for details. 921 922 # Logout from LDAP user. 923 Redfish.Logout 924 925 # Login with local user. 926 Redfish.Login 927 928 ${empty_dict}= Create Dictionary 929 ${ip_data}= Create Dictionary Address=${ip} 930 ... SubnetMask=${subnet_mask} Gateway=${gateway} 931 932 ${patch_list}= Create List 933 ${network_configurations}= Get Network Configuration 934 ${num_entries}= Get Length ${network_configurations} 935 936 FOR ${INDEX} IN RANGE 0 ${num_entries} 937 Append To List ${patch_list} ${empty_dict} 938 END 939 940 ${valid_status_codes}= Run Keyword If '${valid_status_codes}' == '${HTTP_OK}' 941 ... Set Variable ${HTTP_OK},${HTTP_NO_CONTENT} 942 ... ELSE Set Variable ${valid_status_codes} 943 944 # We need not check for existence of IP on BMC while adding. 945 Append To List ${patch_list} ${ip_data} 946 ${data}= Create Dictionary IPv4StaticAddresses=${patch_list} 947 948 ${active_channel_config}= Get Active Channel Config 949 ${ethernet_interface}= Set Variable ${active_channel_config['${CHANNEL_NUMBER}']['name']} 950 951 # Logout from local user. 952 Redfish.Logout 953 954 # Login from LDAP user and check if we can configure IP address. 955 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 956 957 Redfish.patch ${REDFISH_NW_ETH_IFACE}${ethernet_interface} body=&{data} 958 ... valid_status_codes=[${valid_status_codes}] 959 960 961Delete IP Address With NoAccess User 962 [Documentation] Delete IP Address Of BMC. 963 [Arguments] ${ip} ${valid_status_codes}=${HTTP_OK} 964 965 # Description of argument(s): 966 # ip IP address to be deleted (e.g. "10.7.7.7"). 967 # valid_status_codes Expected return code from patch operation 968 # (e.g. "200"). See prolog of rest_request 969 # method in redfish_plus.py for details. 970 971 # Logout from LDAP user. 972 Redfish.Logout 973 974 # Login with local user. 975 Redfish.Login 976 977 ${empty_dict}= Create Dictionary 978 ${patch_list}= Create List 979 980 @{network_configurations}= Get Network Configuration 981 FOR ${network_configuration} IN @{network_configurations} 982 Run Keyword If '${network_configuration['Address']}' == '${ip}' 983 ... Append To List ${patch_list} ${null} 984 ... ELSE Append To List ${patch_list} ${empty_dict} 985 END 986 987 ${ip_found}= Run Keyword And Return Status List Should Contain Value 988 ... ${patch_list} ${null} msg=${ip} does not exist on BMC 989 Pass Execution If ${ip_found} == ${False} ${ip} does not exist on BMC 990 991 # Run patch command only if given IP is found on BMC 992 ${data}= Create Dictionary IPv4StaticAddresses=${patch_list} 993 994 ${active_channel_config}= Get Active Channel Config 995 ${ethernet_interface}= Set Variable ${active_channel_config['${CHANNEL_NUMBER}']['name']} 996 997 # Logout from local user. 998 Redfish.Logout 999 1000 # Login from LDAP user and check if we can delete IP address. 1001 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 1002 1003 Redfish.patch ${REDFISH_NW_ETH_IFACE}${ethernet_interface} body=&{data} 1004 ... valid_status_codes=[${valid_status_codes}] 1005 1006 # Note: Network restart takes around 15-18s after patch request processing 1007 Sleep ${NETWORK_TIMEOUT}s 1008 Wait For Host To Ping ${OPENBMC_HOST} ${NETWORK_TIMEOUT} 1009