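*** Settings ***
Documentation    Test Redfish LDAP user configuration.

Library          ../../lib/gen_robot_valid.py
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/utils.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/bmc_network_utils.robot
Resource         ../../lib/bmc_ldap_utils.robot

Suite Setup      Suite Setup Execution
Suite Teardown   LDAP Suite Teardown Execution
# Every test ends by re-establishing the default Redfish session so a failed
# or deliberately dropped LDAP login in one test cannot leak into the next.
Test Teardown    Run Keywords  Redfish.Login  AND  FFDC On Test Case Fail
Force Tags       LDAP_Test

*** Variables ***
# Role written back by 'Restore LDAP Privilege'.  The suite setup only
# re-publishes this default; it does not read the live mapping from the BMC.
${old_ldap_privilege}   Administrator
# Snapshot of AccountService taken before lockout attributes are modified;
# an empty dictionary means "nothing to restore".
&{old_account_service}  &{EMPTY}
&{old_ldap_config}      &{EMPTY}
# Current BMC host name, used as a harmless PATCH payload for authorization checks.
${hostname}             ${EMPTY}
${test_ip}              10.6.6.6
${test_mask}            255.255.255.0

*** Test Cases ***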
25
Verify LDAP Configuration Created
    [Documentation]  Verify that LDAP configuration created.
    [Tags]  Verify_LDAP_Configuration_Created

    Create LDAP Configuration
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    # Give the BMC time to apply the new configuration before the first
    # LDAP-backed login is attempted.
    Sleep  10s
    # A successful login with the LDAP credentials shows the configuration is usable.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
36
37
Verify Redfish LDAP Service Disable
    [Documentation]  Verify that LDAP is disabled and that LDAP user cannot
    ...  login.
    [Tags]  Verify_Redfish_LDAP_Service_Disable

    # Turn the service off and give the BMC time to apply it.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
    Sleep  15s

    # With the service disabled an LDAP-backed login must be rejected.
    ${login_succeeded}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${login_succeeded}  ${False}
    ...  msg=LDAP user was able to login even though the LDAP service was disabled.

    # Re-establish the default session and switch the service back on so the
    # remaining tests can use the LDAP user again.
    Redfish.Logout
    Redfish.Login
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Redfish.Logout
56
57
Verify LDAP Login With ServiceEnabled
    [Documentation]  Verify that LDAP Login with ServiceEnabled.
    [Tags]  Verify_LDAP_Login_With_ServiceEnabled

    # Switch the other LDAP type off first (see 'Disable Other LDAP').
    Disable Other LDAP
    # Enable the type under test, then wait for the BMC to apply it.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    # The LDAP user must now be able to authenticate.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
70
71
Verify LDAP Login With Correct AuthenticationType
    [Documentation]  Verify that LDAP Login with right AuthenticationType.
    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType

    # Set the supported authentication type and wait for the BMC to apply it.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
    Sleep  15s
    # The LDAP user must still be able to authenticate afterwards.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
82
83
Verify LDAP Config Update With Incorrect AuthenticationType
    [Documentation]  Verify that invalid AuthenticationType is not updated.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_AuthenticationType

    # 'KerberosKeytab' is not accepted here; the PATCH must be rejected with
    # 400 rather than applied.
    ${patch_body}=  Catenate  {'${LDAP_TYPE}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${patch_body}  valid_status_codes=[400]
92
93
Verify LDAP Login With Correct LDAP URL
    [Documentation]  Verify LDAP Login with right LDAP URL.
    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL

    # Points the configuration at the known-good server and expects the LDAP
    # login to succeed (the keyword's default expected_status is ${TRUE}).
    Config LDAP URL  ${LDAP_SERVER_URI}
99
100
Verify LDAP Config Update With Incorrect LDAP URL
    [Documentation]  Verify that LDAP Login fails with invalid LDAP URL.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
    # The bogus address must be undone even when the check fails, otherwise
    # every later LDAP login in the suite would break.
    [Teardown]  Run Keywords  Restore LDAP URL  AND  FFDC On Test Case Fail

    # An unreachable server address: the LDAP login is expected to fail.
    Config LDAP URL  ldap://1.2.3.4/  ${FALSE}
108
Verify LDAP Configuration Exist
    [Documentation]  Verify that LDAP configuration is available.
    [Tags]  Verify_LDAP_Configuration_Exist

    # Read the LDAP_TYPE object from AccountService; the empty default is
    # returned when the attribute is missing, which is the failure case.
    ${ldap_config}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService  ${LDAP_TYPE}  default=${EMPTY}
    Should Not Be Empty  ${ldap_config}  msg=LDAP configuration is not defined.
116
117
Verify LDAP User Login
    [Documentation]  Verify that LDAP user able to login into BMC.
    [Tags]  Verify_LDAP_User_Login

    # Plain authentication check with the LDAP credentials; the session is
    # dropped again so the test teardown can re-login as the default user.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
124
125
Verify LDAP Service Available
    [Documentation]  Verify that LDAP service is available.
    [Tags]  Verify_LDAP_Service_Available

    # The LDAP configuration object must carry an 'LDAPService' entry.
    # NOTE(review): list-assigning the dictionary returned by the keyword
    # appears to yield its keys - confirm this is the intent.
    @{ldap_cfg}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Contain  ${ldap_cfg}  LDAPService  msg=LDAPService is not available.
133
134
Verify LDAP Login Works After BMC Reboot
    [Documentation]  Verify that LDAP login works after BMC reboot.
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot

    # Reboot the BMC via Redfish and confirm the LDAP configuration and the
    # LDAP-backed login survive it.
    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
142
143
Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Documentation]  Verify that LDAP user with administrator privilege able to do BMC reboot.
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot

    # Map the LDAP group to the configured privilege and log in as the LDAP user.
    # NOTE(review): the role used is ${GROUP_PRIVILEGE}, not a literal
    # 'Administrator' - the test only matches its name when GROUP_PRIVILEGE
    # is Administrator.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The reboot is issued from the current (LDAP user) session; a fresh LDAP
    # login afterwards confirms the BMC came back with LDAP still working.
    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
156
157
Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Verify that LDAP user with operator privilege can do host
    ...  power off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    [Teardown]  Restore LDAP Privilege

    # Map the LDAP group to Operator and authenticate as the LDAP user.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}  Operator  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # Operator must be allowed to force the host off (status 200 expected).
    Redfish.Post  ${REDFISH_POWER_URI}  body={'ResetType': 'ForceOff'}  valid_status_codes=[200]

    # Drop the LDAP session and return to the default one.
    Redfish.Logout
    Redfish.Login
173
174
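Verify AccountLockout Attributes Set To Zero By LDAP User
    [Documentation]  Verify that attribute AccountLockoutDuration and
    ...  AccountLockoutThreshold are set to 0 by LDAP user.
    # This test-level teardown replaces the suite 'Test Teardown', so the
    # restore runs in whatever session is active at the end of the test.
    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
    ...  FFDC On Test Case Fail
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero_By_LDAP_User

    # Snapshot the current AccountService so the lockout values can be put
    # back afterwards.  The snapshot has to be published at test scope: the
    # teardown keyword reads ${old_account_service} from its own scope, and a
    # plain local assignment would leave it seeing the empty suite default,
    # so the restore would silently be skipped.
    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    Set Test Variable  ${old_account_service}
    Rprint Vars  old_account_service

    # Give the LDAP group administrator rights so the LDAP user may change
    # AccountService settings.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Administrator  ${GROUP_NAME}

    # Clear existing Redfish sessions.
    Redfish.Logout

    # Login using LDAP user.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # Set Account Lockout attributes using LDAP user.  Each PATCH is expected
    # to be accepted (Redfish.Patch presumably fails on a non-success status).
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]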
201
202
Verify LDAP User With Read Privilege Able To Check Inventory
    [Documentation]  Verify that LDAP user with read privilege able to
    ...  read firmware inventory.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Template]  Set Read Privilege And Check Firmware Inventory
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege

    # read_privilege
    ReadOnly
211
212
Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Documentation]  Verify that LDAP user with read privilege should not be
    ...  allowed to power on the host.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Template]  Set Read Privilege And Check Poweron
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege

    # read_privilege
    ReadOnly
221
222
Update LDAP Group Name And Verify Operations
    [Documentation]  Verify that LDAP group name update and able to do right
    ...  operations.
    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
    [Template]  Update LDAP Config And Verify Set Host Name
    [Teardown]  Restore LDAP Privilege

    # Each row: group_name  group_privilege  valid_status_codes
    # The correctly named group may change the host name with Administrator
    # or Operator; ReadOnly/NoAccess and any mapping with a wrong group name
    # must be refused (Unauthorized or Forbidden).
    ${GROUP_NAME}            Administrator    [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    ${GROUP_NAME}            Operator         [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    ${GROUP_NAME}            ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    ${GROUP_NAME}            NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
239
240
Verify LDAP BaseDN Update And LDAP Login
    [Documentation]  Update LDAP BaseDN of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login

    # Re-apply the configured base DN through SearchSettings; Catenate joins
    # the two pieces into the single PATCH payload string.
    ${search_settings}=  Catenate  {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings':
    ...   {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${search_settings}
    # Wait for the BMC to apply the change, then check the LDAP login still works.
    Sleep  15s
    Redfish Verify LDAP Login
252
253
Verify LDAP BindDN Update And LDAP Login
    [Documentation]  Update LDAP BindDN of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login

    # Re-apply the configured bind DN as the Authentication user name;
    # Catenate joins the pieces into the single PATCH payload string.
    ${auth_settings}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...   {'AuthenticationType':'UsernameAndPassword', 'Username':
    ...  '${LDAP_BIND_DN}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${auth_settings}
    # Wait for the BMC to apply the change, then check the LDAP login still works.
    Sleep  15s
    Redfish Verify LDAP Login
265
266
Verify LDAP BindDN Password Update And LDAP Login
    [Documentation]  Update LDAP BindDN password of LDAP configuration and
    ...  verify that LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Password_Update_And_LDAP_Login

    # Re-apply the configured bind password; Catenate joins the pieces into
    # the single PATCH payload string.
    ${auth_settings}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...   {'AuthenticationType':'UsernameAndPassword', 'Password':
    ...  '${LDAP_BIND_DN_PASSWORD}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${auth_settings}
    # Wait for the BMC to apply the change, then check the LDAP login still works.
    Sleep  15s
    Redfish Verify LDAP Login
279
280
Verify LDAP Type Update And LDAP Login
    [Documentation]  Update LDAP type of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login

    # Switch the other type off, enable the type under test, let the BMC
    # apply it and confirm the LDAP login works.
    Disable Other LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    Redfish Verify LDAP Login
291
292
Verify LDAP Authorization With Null Privilege
    [Documentation]  Verify the failure of LDAP authorization with empty
    ...  privilege.
    [Tags]  Verify_LDAP_Authorization_With_Null_Privilege
    [Teardown]  Restore LDAP Privilege

    # An empty LocalRole must leave the LDAP user unable to change the host name.
    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}  ${EMPTY}  [${HTTP_FORBIDDEN}]
301
302
Verify LDAP Authorization With Invalid Privilege
    [Documentation]  Verify that LDAP user authorization with wrong privilege
    ...  fails.
    [Tags]  Verify_LDAP_Authorization_With_Invalid_Privilege
    [Teardown]  Restore LDAP Privilege

    # An unknown role name must leave the LDAP user unable to change the host name.
    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}  Invalid_Privilege  [${HTTP_FORBIDDEN}]
311
312
Verify LDAP Login With Invalid Data
    [Documentation]  Verify that LDAP login with Invalid LDAP data and
    ...  right LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_Data
    # Put the working configuration back even on failure; the default session
    # is re-established first since the configuration is written via Redfish.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Redfish.Login  AND  Create LDAP Configuration

    # Every server-side value is bogus (the bind password is passed as the
    # literal text, not as ${LDAP_BIND_DN_PASSWORD}), so the LDAP login must fail.
    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD  Invalid_LDAP_BASE_DN
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
326
327
Verify LDAP Config Creation Without BASE DN
    [Documentation]  Verify that LDAP login with LDAP configuration
    ...  created without BASE_DN fails.
    [Tags]  Verify_LDAP_Config_Creation_Without_BASE_DN
    # Put the working configuration back even on failure.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Redfish.Login  AND  Create LDAP Configuration

    # The base DN is empty, and the server URI and bind DN are bogus as well,
    # so this does not isolate the missing base DN on its own.
    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD  ${EMPTY}
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
340
341
Verify LDAP Authentication Without Password
    [Documentation]  Verify that LDAP user authentication without LDAP
    ...  user password fails.
    [Tags]  Verify_LDAP_Authentication_Without_Password
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # A login with the LDAP user name and no password must be refused.
    ${login_ok}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    Valid Value  login_ok  [${False}]
350
351
Verify LDAP Login With Invalid BASE DN
    [Documentation]  Verify that LDAP login with invalid BASE_DN and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN
    # Put the working configuration back even on failure.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Redfish.Login  AND  Create LDAP Configuration

    # Only the base DN is wrong; server and bind credentials are the real ones.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}  ${LDAP_BIND_DN}  ${LDAP_BIND_DN_PASSWORD}  Invalid_LDAP_BASE_DN
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
364
365
Verify LDAP Login With Invalid BIND_DN_PASSWORD
    [Documentation]  Verify that LDAP login with invalid BIND_DN_PASSWORD and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD
    # Put the working configuration back even on failure.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Redfish.Login  AND  Create LDAP Configuration

    # Only the bind password is wrong; server, bind DN and base DN are the real ones.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}  ${LDAP_BIND_DN}  INVALID_LDAP_BIND_DN_PASSWORD  ${LDAP_BASE_DN}
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
378
379
Verify LDAP Login With Invalid BASE DN And Invalid BIND DN
    [Documentation]  Verify that LDAP login with invalid BASE_DN and invalid
    ...  BIND_DN and valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN
    # Put the working configuration back even on failure.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Redfish.Login  AND  Create LDAP Configuration

    # Bind DN and base DN are both wrong; the server and bind password are real.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}  INVALID_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  INVALID_LDAP_BASE_DN
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
392
393
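Verify Group Name And Group Privilege Able To Modify
    [Documentation]  Verify that LDAP group name and group privilege able to
    ...  modify.
    [Tags]  Verify_Group_Name_And_Group_Privilege_Able_To_Modify
    # Start from Operator so the change to Administrator in the body is a
    # real modification of the role mapping.
    [Setup]  Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  Operator  ${GROUP_NAME}
    # Put the mapping back, as every other test that changes it does.
    [Teardown]  Restore LDAP Privilege

    # The PATCH inside the keyword is the actual check: it fails the test
    # unless the BMC accepts the updated mapping.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Administrator  ${GROUP_NAME}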
403
404
Verify LDAP Login With Invalid BIND DN
    [Documentation]  Verify that LDAP login with invalid BIND_DN and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN
    # Put the working configuration back even on failure.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Redfish.Login  AND  Create LDAP Configuration

    # Only the bind DN is wrong; server, bind password and base DN are the real ones.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}  Invalid_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  ${LDAP_BASE_DN}
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
417
418
Verify LDAP Authentication With Invalid LDAP User
    [Documentation]  Verify that LDAP user authentication for user not exist
    ...  in LDAP server and fails.
    [Tags]  Verify_LDAP_Authentication_With_Invalid_LDAP_User
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # An unknown user name with the real LDAP password must be refused.
    ${login_ok}=  Run Keyword And Return Status
    ...  Redfish.Login  INVALID_LDAP_USER  ${LDAP_USER_PASSWORD}
    Valid Value  login_ok  [${False}]
428
429
Update LDAP User Roles And Verify Host Poweroff Operation
    [Documentation]  Update LDAP user roles and verify host poweroff operation.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation
    [Template]  Update LDAP User Role And Host Poweroff
    [Teardown]  Restore LDAP Privilege

    # Each row: ldap_type  group_privilege  group_name  valid_status_code
    # NoAccess and ReadOnly must be refused (${HTTP_FORBIDDEN}); Operator and
    # Administrator are allowed to power the host off (${HTTP_OK}).
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
449
450
Update LDAP User Roles And Verify Host Poweron Operation
    [Documentation]  Update LDAP user roles and verify host poweron operation.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation
    [Template]  Update LDAP User Role And Host Poweron
    [Teardown]  Restore LDAP Privilege

    # Each row: ldap_type  group_privilege  group_name  valid_status_code
    # NoAccess and ReadOnly must be refused (${HTTP_FORBIDDEN}); Operator and
    # Administrator are allowed to power the host on (${HTTP_OK}).
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
470
471
Configure IP Address Via Different User Roles And Verify
    [Documentation]  Configure IP address via different user roles and verify.
    [Tags]  Configure_IP_Address_Via_Different_User_Roles_And_Verify
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Configure IP Address
    # Each row: ldap_type  group_privilege  group_name  valid_status_code
    # Verify LDAP user with Administrator privilege is able to configure IP address.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with ReadOnly privilege is forbidden to configure IP address.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with NoAccess privilege is forbidden to configure IP address.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege is also forbidden to configure
    # IP address (the expected code below is ${HTTP_FORBIDDEN}, not ${HTTP_OK}).
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
489
490
Delete IP Address Via Different User Roles And Verify
    [Documentation]  Delete IP address via different user roles and verify.
    [Tags]  Delete_IP_Address_Via_Different_User_Roles_And_Verify
    [Teardown]  Run Keywords  Restore LDAP Privilege  AND  FFDC On Test Case Fail

    [Template]  Update LDAP User Role And Delete IP Address
    # Each row: ldap_type  group_privilege  group_name  valid_status_code
    # Verify LDAP user with Administrator privilege is able to delete IP address.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with ReadOnly privilege is forbidden to delete IP address.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with NoAccess privilege is forbidden to delete IP address.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege is also forbidden to delete
    # IP address (the expected code below is ${HTTP_FORBIDDEN}, not ${HTTP_OK}).
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
508
509
Read Network Configuration Via Different User Roles And Verify
    [Documentation]  Read network configuration via different user roles and verify.
    [Tags]  Read_Network_Configuration_Via_Different_User_Roles_And_Verify
    [Template]  Update LDAP User Role And Read Network Configuration
    [Teardown]  Restore LDAP Privilege

    # Each row: ldap_type  group_privilege  group_name  valid_status_code
    # Reading is allowed for every role that gets a session; only NoAccess is refused.
    ${LDAP_TYPE}  Administrator  ${GROUP_NAME}  ${HTTP_OK}
    ${LDAP_TYPE}  ReadOnly       ${GROUP_NAME}  ${HTTP_OK}
    ${LDAP_TYPE}  NoAccess       ${GROUP_NAME}  ${HTTP_FORBIDDEN}
    ${LDAP_TYPE}  Operator       ${GROUP_NAME}  ${HTTP_OK}
523
Switch LDAP Type And Verify Login Fails
    [Documentation]  Switch LDAP type and verify login fails.
    [Tags]  Switch_LDAP_Type_And_Verify_Login_Fails

    # Baseline: the configured LDAP type must be working first.
    Create LDAP Configuration
    Redfish Verify LDAP Login

    # Switch the type under test off ...
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}

    # ... and bring the other type (the *_1 settings) up in its place.
    Disable Other LDAP  ${True}
    Create LDAP Configuration  ${LDAP_TYPE_1}  ${LDAP_SERVER_URI_1}
    ...  ${LDAP_BIND_DN_1}  ${LDAP_BIND_DN_PASSWORD_1}  ${LDAP_BASE_DN_1}
    Redfish.Logout
    Sleep  10s

    # A user of the now-active type can log in ...
    Redfish.Login  ${LDAP_USER_1}  ${LDAP_USER_PASSWORD_1}
    Redfish.Logout
    Sleep  10s

    # ... while the user of the disabled type must be refused.
    # NOTE(review): nothing here re-enables ${LDAP_TYPE} afterwards; later
    # tests presumably rely on their own setup to do so.
    Redfish Verify LDAP Login  ${False}
    Redfish.Logout
550
551*** Keywords ***
552
Redfish Verify LDAP Login
    [Documentation]  LDAP user log into BMC.
    [Arguments]  ${valid_status}=${True}

    # Description of argument(s):
    # valid_status  Expected status of LDAP login ("True" or "False").

    # According to our repo coding rules, Redfish.Login is to be done in Suite
    # Setup and Redfish.Logout is to be done in Suite Teardown.  For any
    # deviation from this rule (such as in this keyword), the deviant code
    # must take steps to restore us to our original logged-in state.

    # Attempt the LDAP-backed login and compare the outcome with the expectation.
    ${login_result}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Valid Value  login_result  [${valid_status}]

    # Whatever the outcome, return to the default session.
    Redfish.Logout
    Redfish.Login
570
571
Update LDAP Config And Verify Set Host Name
    [Documentation]  Update LDAP config and verify by attempting to set host name.
    [Arguments]  ${group_name}  ${group_privilege}=Administrator  ${valid_status_codes}=[${HTTP_OK}]
    # A NoAccess mapping never gets a session, so there is nothing to log out of.
    [Teardown]  Run Keyword If  '${group_privilege}'=='NoAccess'  Redfish.Login
    ...  ELSE  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # group_name          The group name of user.
    # group_privilege     The group privilege ("Administrator", "Operator",
    #                     "ReadOnly" or "NoAccess").
    # valid_status_codes  Expected return code(s) from patch operation
    #                     (e.g. "200") used to update HostName.  See prolog
    #                     of rest_request method in redfish_plus.py for
    #                     details.

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}  ${group_privilege}  ${group_name}

    # For NoAccess the expected outcome is a refused login; that is the whole check.
    Run Keyword If  '${group_privilege}'=='NoAccess'
    ...  Run Keyword And Return  Verify Redfish Login for LDAP Userrole NoAccess

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Writing the host name back is a harmless request whose status code
    # reveals whether the mapped privilege allows the operation.
    # NOTE(review): ${hostname} is the suite variable; it only holds the live
    # host name if the suite setup publishes it with Set Suite Variable.
    Redfish.Patch  ${REDFISH_NW_ETH0_URI}  body={'HostName': '${hostname}'}  valid_status_codes=${valid_status_codes}
598
Verify Redfish Login for LDAP Userrole NoAccess
    [Documentation]  Verify Redfish login should not be able to login for LDAP Userrole NoAccess.

    # A NoAccess mapping must make the LDAP-backed login fail outright.
    ${login_ok}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Valid Value  login_ok  [${False}]
604
Disable Other LDAP
    [Documentation]  Disable other LDAP configuration.
    [Arguments]  ${service_state}=${False}

    # Description of argument(s):
    # service_state  Value written to the other type's ServiceEnabled.
    #                Defaults to ${False}; passing ${True} enables the other
    #                type instead, despite the keyword's name.

    # The "other" type is whichever of LDAP / ActiveDirectory is not under test.
    ${other_ldap_type}=  Set Variable If  '${LDAP_TYPE}' == 'LDAP'  ActiveDirectory  LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${other_ldap_type}': {'ServiceEnabled': ${service_state}}}
    # Allow time for the BMC to apply the change.
    Sleep  15s
614
615
Config LDAP URL
    [Documentation]  Config LDAP URL.
    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}  ${expected_status}=${TRUE}

    # Description of argument(s):
    # ldap_server_uri  LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").
    # expected_status  Whether the LDAP login is expected to succeed after the
    #                  address change (${TRUE}) or to fail (${FALSE}).

    # Point the configuration at the given server and let the BMC apply it.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${LDAP_TYPE}': {'ServiceAddresses': ['${ldap_server_uri}']}}
    Sleep  15s

    # The login outcome is the verdict on the new address.
    ${login_ok}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Valid Value  login_ok  [${expected_status}]

    # Return to the default session regardless of the outcome.
    Redfish.Logout
    Redfish.Login
632
633
Restore LDAP URL
    [Documentation]  Restore LDAP URL.

    # Point the configuration back at the known-good server and let the BMC
    # apply it; used as teardown after an invalid address has been set.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${LDAP_TYPE}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
    Sleep  15s
641
642
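Restore AccountLockout Attributes
    [Documentation]  Restore AccountLockout Attributes.

    # Nothing to do unless a snapshot is visible in this scope (see
    # 'Verify AccountLockout Attributes Set To Zero By LDAP User').
    Return From Keyword If  &{old_account_service} == &{EMPTY}
    # Write each saved value back to its own attribute.  (Previously the
    # second PATCH wrote the saved threshold into AccountLockoutDuration, so
    # the duration ended up wrong and the threshold was never restored.)
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]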
651
652
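Suite Setup Execution
    [Documentation]  Do suite setup tasks.

    # Fail fast if any required LDAP input is missing or out of range.
    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Valid Value  LDAP_USER
    Valid Value  LDAP_USER_PASSWORD
    Valid Value  GROUP_PRIVILEGE
    Valid Value  GROUP_NAME
    Valid Value  LDAP_SERVER_URI
    Valid Value  LDAP_BIND_DN_PASSWORD
    Valid Value  LDAP_BIND_DN
    Valid Value  LDAP_BASE_DN

    Redfish.Login
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    # Re-publishes the default from the *Variables* section; the live mapping
    # is not read here, so 'Restore LDAP Privilege' always falls back to it.
    Set Suite Variable  ${old_ldap_privilege}
    Disable Other LDAP
    Create LDAP Configuration
    # Record the current host name for 'Update LDAP Config And Verify Set
    # Host Name'.  A keyword-local assignment alone is invisible to other
    # keywords (they would see the empty suite default), so publish it.
    ${hostname}=  Redfish.Get Attribute  ${REDFISH_NW_PROTOCOL_URI}  HostName
    Set Suite Variable  ${hostname}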
673
674
LDAP Suite Teardown Execution
    [Documentation]  Restore ldap configuration, delete unused redfish session.

    # Put the role mapping back first (the keyword logs in on its own), then
    # drop the default session and sweep up sessions left behind by LDAP logins.
    Restore LDAP Privilege
    Redfish.Logout
    # Best-effort: a failure here must not mask the suite result.
    Run Keyword And Ignore Error  Delete All Redfish Sessions
681
682
Set Read Privilege And Check Firmware Inventory
    [Documentation]  Set read privilege and check firmware inventory.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "ReadOnly").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # A read-only role must still be able to GET the firmware inventory; the
    # collection must be non-empty and its count must match its member list.
    ${inventory}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
    Should Be True  ${inventory.dict["Members@odata.count"]} >= ${1}
    Length Should Be  ${inventory.dict["Members"]}  ${inventory.dict["Members@odata.count"]}

    # Return to the default session.
    Redfish.Logout
    Redfish.Login
700
701
Set Read Privilege And Check Poweron
    [Documentation]  Set read privilege and power on should not be possible.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "ReadOnly").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # A read-only role must be refused (401 or 403) when it tries to power on.
    Redfish.Post  ${REDFISH_POWER_URI}  body={'ResetType': 'On'}  valid_status_codes=[401, 403]

    # Return to the default session.
    Redfish.Logout
    Redfish.Login
716
717
Get LDAP Configuration
    [Documentation]  Retrieve LDAP Configuration.
    [Arguments]   ${ldap_type}

    # Description of argument(s):
    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").

    # Read the whole AccountService resource and hand back only the section
    # for the requested type; fails if that key is absent.
    ${account_service}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    [Return]  ${account_service["${ldap_type}"]}
727
728
Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  Update LDAP configuration update with LDAP user Role and group.
    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege  The group privilege ("Administrator", "Operator",
    #                  "ReadOnly" or "NoAccess").
    # group_name       The group name of user.

    # Build {ldap_type: {'RemoteRoleMapping': [{'LocalRole': ..., 'RemoteGroup': ...}]}}
    # from the inside out.
    ${role_mapping}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
    ${mapping_list}=  Create List  ${role_mapping}
    ${type_settings}=  Create Dictionary  RemoteRoleMapping=${mapping_list}
    ${payload}=  Create Dictionary  ${ldap_type}=${type_settings}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
    # Provide adequate time for LDAP daemon to restart after the update.
    Sleep  15s
745
746
Get LDAP Privilege
    [Documentation]  Get LDAP privilege and return it.

    # Only the first RemoteRoleMapping entry is inspected; an empty mapping
    # list yields an empty list instead of a role name.
    ${config}=  Get LDAP Configuration  ${LDAP_TYPE}
    ${mapping_count}=  Get Length  ${config["RemoteRoleMapping"]}
    Return From Keyword If  ${mapping_count} == ${0}  @{EMPTY}
    [Return]  ${config["RemoteRoleMapping"][0]["LocalRole"]}
755
756
Restore LDAP Privilege
    [Documentation]  Restore the LDAP privilege to its original value.

    # Make sure a default session exists before touching the configuration.
    Redfish.Login
    # Nothing recorded (or recorded as an empty list): leave the mapping alone.
    Return From Keyword If  '${old_ldap_privilege}' == '${EMPTY}' or '${old_ldap_privilege}' == '[]'
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}  ${old_ldap_privilege}  ${GROUP_NAME}
    # Extra settle time on top of the update keyword's own wait.
    Sleep  18s
767
Verify Host Power Status
    [Documentation]  Verify the Host power status and do host power on/off respectively.
    [Arguments]  ${expected_power_status}

    # Description of argument(s):
    # expected_power_status  State of Host e.g. Off or On.

    # Despite the name this keyword drives the host into the wanted state:
    # nothing to do when it already matches, otherwise toggle it.
    ${current_state}=  Redfish.Get Attribute  /redfish/v1/Chassis/${CHASSIS_ID}  PowerState
    Return From Keyword If  '${current_state}' == '${expected_power_status}'
    Run Keyword If  '${current_state}' == 'Off'  Redfish Power On
    ...  ELSE  Redfish Power Off
780
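Update LDAP User Role And Host Poweroff
    [Documentation]  Update LDAP user role, request a host power off as the LDAP user and verify that the
    ...  host state matches the expected status code.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected status code of the power-off request (e.g. ${HTTP_FORBIDDEN} for a
    #                    role that must not be able to power off the host).

    # check Host state and do the power on/off if needed.
    Verify Host Power Status  On

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    # Drop the local session so the request below is made with the LDAP user's privilege only
    # (same pattern as the IP address keywords in this file).
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[${valid_status_code}]

    # A rejected request must leave the host untouched; an accepted one must actually power it off.
    # Checking the state in the forbidden case catches an authorization bypass that still returns 403.
    Run Keyword If  ${valid_status_code} == ${HTTP_FORBIDDEN}
    ...  Verify Host Power State  On
    ...  ELSE
    ...  Wait Until Keyword Succeeds  1 min  10 sec  Verify Host Power State  Off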
805
806
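Update LDAP User Role And Host Poweron
    [Documentation]  Update LDAP user role, request a host power on as the LDAP user and verify that the
    ...  host state matches the expected status code.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected status code of the power-on request (e.g. ${HTTP_FORBIDDEN} for a
    #                    role that must not be able to power on the host).

    # check Host state and do the power on/off if needed.
    Verify Host Power Status  Off

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    # Drop the local session so the request below is made with the LDAP user's privilege only
    # (same pattern as the IP address keywords in this file).
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}   valid_status_codes=[${valid_status_code}]

    # A rejected request must leave the host off; an accepted one must bring it up.
    # Checking the state in the forbidden case catches an authorization bypass that still returns 403.
    Run Keyword If  ${valid_status_code} == ${HTTP_FORBIDDEN}
    ...  Verify Host Power State  Off
    ...  ELSE
    ...  Verify Host Is Up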
831
832
Update LDAP User Role And Configure IP Address
    [Documentation]  Update LDAP user role and attempt to configure an IP address as the LDAP user.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    # The test address is removed in teardown regardless of whether the add was accepted.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    # Switch from the local session to the LDAP user so the request carries only the LDAP user's privilege.
    Redfish.Logout

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # NOTE(review): this read runs as the LDAP user; confirm it is permitted for every role under test.
    ${test_gateway}=  Get BMC Default Gateway

    # The NoAccess variant prepares the payload under the local account before patching as the LDAP user
    # (presumably because that role cannot read the network configuration); other roles use the shared keyword.
    Run Keyword If  '${group_privilege}' == 'NoAccess'
    ...  Add IP Address With NoAccess User  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}
    ...  ELSE
    ...  Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}
857
858
Update LDAP User Role And Delete IP Address
    [Documentation]  Update LDAP user role and attempt to delete an IP address as the LDAP user.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    # Teardown removes the test address in case the deletion under test was rejected.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    ${test_gateway}=  Get BMC Default Gateway

    # Configure IP address before deleting via LDAP user roles.
    # This add uses the session active at this point (presumably the local user from Test Teardown's login).
    Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    # Switch from the local session to the LDAP user so the delete carries only the LDAP user's privilege.
    Redfish.Logout

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # The NoAccess variant prepares the payload under the local account before patching as the LDAP user;
    # other roles use the shared keyword.
    Run Keyword If  '${group_privilege}' == 'NoAccess'
    ...  Delete IP Address With NoAccess User  ${test_ip}  ${valid_status_code}
    ...  ELSE
    ...  Delete IP Address  ${test_ip}  ${valid_status_code}
886
887
Update LDAP User Role And Read Network Configuration
    [Documentation]  Update LDAP user role and read the network configuration as the LDAP user, checking the status code.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    # Switch from the local session to the LDAP user so the read carries only the LDAP user's privilege.
    Redfish.Logout

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Only the status code is checked; the response body is not inspected.
    Redfish.Get  ${REDFISH_NW_ETH0_URI}  valid_status_codes=[${valid_status_code}]
906
907
Add IP Address With NoAccess User
    [Documentation]  Build an IPv4 static address patch under the local user, then submit it as the LDAP
    ...  user and check the returned status code.
    [Arguments]  ${ip}  ${subnet_mask}  ${gateway}
    ...  ${valid_status_codes}=${HTTP_OK}

    # Description of argument(s):
    # ip                  IP address to be added (e.g. "10.7.7.7").
    # subnet_mask         Subnet mask for the IP to be added
    #                     (e.g. "255.255.0.0").
    # gateway             Gateway for the IP to be added (e.g. "10.7.7.1").
    # valid_status_codes  Expected return code from patch operation
    #                     (e.g. "200").  See prolog of rest_request
    #                     method in redfish_plus.py for details.

    # Logout from LDAP user.
    Redfish.Logout

    # Login with local user.
    Redfish.Login

    ${empty_dict}=  Create Dictionary
    ${ip_data}=  Create Dictionary  Address=${ip}
    ...  SubnetMask=${subnet_mask}  Gateway=${gateway}

    ${patch_list}=  Create List
    # Read under the local user; the patch list gets one placeholder per existing entry.
    ${network_configurations}=  Get Network Configuration
    ${num_entries}=  Get Length  ${network_configurations}

    # The same ${empty_dict} object is appended each time (presumably "leave this entry unchanged").
    FOR  ${INDEX}  IN RANGE  0  ${num_entries}
      Append To List  ${patch_list}  ${empty_dict}
    END

    # The default HTTP_OK is widened to also accept HTTP_NO_CONTENT; an explicitly passed code is used as is.
    ${valid_status_codes}=  Run Keyword If  '${valid_status_codes}' == '${HTTP_OK}'
    ...  Set Variable   ${HTTP_OK},${HTTP_NO_CONTENT}
    ...  ELSE  Set Variable  ${valid_status_codes}

    # We need not check for existence of IP on BMC while adding.
    Append To List  ${patch_list}  ${ip_data}
    ${data}=  Create Dictionary  IPv4StaticAddresses=${patch_list}

    # Interface name is also resolved while the local session is active.
    ${active_channel_config}=  Get Active Channel Config
    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}

    # Logout from local user.
    Redfish.Logout

    # Login from LDAP user and check if we can configure IP address.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # NOTE(review): only the status code is asserted; the keyword does not confirm that a rejected
    # request left the address list unchanged.
    Redfish.patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
    ...  valid_status_codes=[${valid_status_codes}]
959
960
Delete IP Address With NoAccess User
    [Documentation]  Build an IPv4 static address patch that removes the given address under the local
    ...  user, then submit it as the LDAP user and check the returned status code.
    [Arguments]  ${ip}  ${valid_status_codes}=${HTTP_OK}

    # Description of argument(s):
    # ip                  IP address to be deleted (e.g. "10.7.7.7").
    # valid_status_codes  Expected return code from patch operation
    #                     (e.g. "200").  See prolog of rest_request
    #                     method in redfish_plus.py for details.

    # Logout from LDAP user.
    Redfish.Logout

    # Login with local user.
    Redfish.Login

    ${empty_dict}=  Create Dictionary
    ${patch_list}=  Create List

    # Read under the local user; the entry matching ${ip} becomes null, every other entry a placeholder
    # (the same ${empty_dict} object is appended each time).
    @{network_configurations}=  Get Network Configuration
    FOR  ${network_configuration}  IN  @{network_configurations}
      Run Keyword If  '${network_configuration['Address']}' == '${ip}'
      ...  Append To List  ${patch_list}  ${null}
      ...  ELSE  Append To List  ${patch_list}  ${empty_dict}
    END

    ${ip_found}=  Run Keyword And Return Status  List Should Contain Value
    ...  ${patch_list}  ${null}  msg=${ip} does not exist on BMC
    # NOTE(review): a missing address passes the test instead of failing it, so a failed precondition
    # (the earlier add) silently skips the privilege check — confirm this is intended.
    Pass Execution If  ${ip_found} == ${False}  ${ip} does not exist on BMC

    # Run patch command only if given IP is found on BMC
    ${data}=  Create Dictionary  IPv4StaticAddresses=${patch_list}

    # Interface name is also resolved while the local session is active.
    ${active_channel_config}=  Get Active Channel Config
    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}

    # Logout from local user.
    Redfish.Logout

    # Login from LDAP user and check if we can delete IP address.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # NOTE(review): only the status code is asserted; the keyword does not confirm that the address
    # still exists after a rejected delete.
    Redfish.patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
    ...  valid_status_codes=[${valid_status_codes}]

    # Note: Network restart takes around 15-18s after patch request processing
    # (the wait also runs when the patch was rejected).
    Sleep  ${NETWORK_TIMEOUT}s
    Wait For Host To Ping  ${OPENBMC_HOST}  ${NETWORK_TIMEOUT}
1009