1*** Settings ***
2Documentation    Test Redfish LDAP user configuration.
3
4Library          ../../lib/gen_robot_valid.py
5Resource         ../../lib/bmc_redfish_resource.robot
6Resource         ../../lib/utils.robot
7Resource         ../../lib/openbmc_ffdc.robot
8Resource         ../../lib/bmc_network_utils.robot
9Resource         ../../lib/bmc_ldap_utils.robot
10
11Suite Setup      Suite Setup Execution
12Suite Teardown   LDAP Suite Teardown Execution
13Test Teardown    Run Keywords  Redfish.Login  AND  FFDC On Test Case Fail
14Force Tags       Ldap_Configuration
15
16*** Variables ***
17${old_ldap_privilege}   Administrator
18&{old_account_service}  &{EMPTY}
19&{old_ldap_config}      &{EMPTY}
20${hostname}             ${EMPTY}
21${test_ip}              10.6.6.6
22${test_mask}            255.255.255.0
23
24** Test Cases **
25
26Verify LDAP Configuration Created
27    [Documentation]  Verify that LDAP configuration created.
28    [Tags]  Verify_LDAP_Configuration_Created
29
30    Create LDAP Configuration
31    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
32    Get LDAP Configuration  ${LDAP_TYPE}
33    Sleep  10s
34    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
35    Redfish.Logout
36
37
38Verify Redfish LDAP Service Disable
39    [Documentation]  Verify that LDAP is disabled and that LDAP user cannot
40    ...  login.
41    [Tags]  Verify_Redfish_LDAP_Service_Disable
42
43    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
44    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
45    Sleep  15s
46    ${resp}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
47    ...  ${LDAP_USER_PASSWORD}
48    Should Be Equal  ${resp}  ${False}
49    ...  msg=LDAP user was able to login even though the LDAP service was disabled.
50    Redfish.Logout
51    Redfish.Login
52    # Enabling LDAP so that LDAP user works.
53    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
54    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
55    Redfish.Logout
56
57
58Verify LDAP Login With ServiceEnabled
59    [Documentation]  Verify that LDAP Login with ServiceEnabled.
60    [Tags]  Verify_LDAP_Login_With_ServiceEnabled
61
62    Disable Other LDAP
63    # Actual service enablement.
64    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
65    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
66    Sleep  15s
67    # After update, LDAP login.
68    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
69    Redfish.Logout
70
71
72Verify LDAP Login With Correct AuthenticationType
73    [Documentation]  Verify that LDAP Login with right AuthenticationType.
74    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType
75
76    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
77    ...  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
78    Sleep  15s
79    # After update, LDAP login.
80    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
81    Redfish.Logout
82
83
84Verify LDAP Config Update With Incorrect AuthenticationType
85    [Documentation]  Verify that invalid AuthenticationType is not updated.
86    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_AuthenticationType
87
88    ${body}=  Catenate  {'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}
89
90    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
91    ...  body=${body}  valid_status_codes=[400]
92
93
94Verify LDAP Login With Correct LDAP URL
95    [Documentation]  Verify LDAP Login with right LDAP URL.
96    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL
97
98    Config LDAP URL  ${LDAP_SERVER_URI}
99
100
101Verify LDAP Config Update With Incorrect LDAP URL
102    [Documentation]  Verify that LDAP Login fails with invalid LDAP URL.
103    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
104    [Teardown]  Run Keywords  Restore LDAP URL  AND
105    ...  FFDC On Test Case Fail
106
107    Config LDAP URL  ldap://1.2.3.4/  ${FALSE}
108
109Verify LDAP Configuration Exist
110    [Documentation]  Verify that LDAP configuration is available.
111    [Tags]  Verify_LDAP_Configuration_Exist
112
113    ${resp}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
114    ...  ${LDAP_TYPE}  default=${EMPTY}
115    Should Not Be Empty  ${resp}  msg=LDAP configuration is not defined.
116
117
118Verify LDAP User Login
119    [Documentation]  Verify that LDAP user able to login into BMC.
120    [Tags]  Verify_LDAP_User_Login
121
122    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
123    Redfish.Logout
124
125
126Verify LDAP Service Available
127    [Documentation]  Verify that LDAP service is available.
128    [Tags]  Verify_LDAP_Service_Available
129
130    @{ldap_configuration}=  Get LDAP Configuration  ${LDAP_TYPE}
131    Should Contain  ${ldap_configuration}  LDAPService
132    ...  msg=LDAPService is not available.
133
134
135Verify LDAP Login Works After BMC Reboot
136    [Documentation]  Verify that LDAP login works after BMC reboot.
137    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot
138
139    Redfish OBMC Reboot (off)
140    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
141    Redfish.Logout
142
143
144Verify LDAP User With Admin Privilege Able To Do BMC Reboot
145    [Documentation]  Verify that LDAP user with administrator privilege able to do BMC reboot.
146    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot
147
148
149    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
150    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
151    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
152    # With LDAP user and with right privilege trying to do BMC reboot.
153    Redfish OBMC Reboot (off)
154    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
155    Redfish.Logout
156
157
158Verify LDAP User With Operator Privilege Able To Do Host Poweroff
159    [Documentation]  Verify that LDAP user with operator privilege can do host
160    ...  power off.
161    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
162    [Teardown]  Restore LDAP Privilege
163
164    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
165    ...  Operator  ${GROUP_NAME}
166
167    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
168    # Verify that the LDAP user with operator privilege is able to power the system off.
169    Redfish.Post  ${REDFISH_POWER_URI}
170    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[200]
171    Redfish.Logout
172    Redfish.Login
173
174
175Verify AccountLockout Attributes Set To Zero By LDAP User
176    [Documentation]  Verify that attribute AccountLockoutDuration and
177    ...  AccountLockoutThreshold are set to 0 by LDAP user.
178    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
179    ...  FFDC On Test Case Fail
180    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero_By_LDAP_User
181
182    ${old_account_service}=  Redfish.Get Properties
183    ...  ${REDFISH_BASE_URI}AccountService
184    Rprint Vars  old_account_service
185
186    # Create LDAP user and create session using LDAP user.
187    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
188    ...  Administrator  ${GROUP_NAME}
189
190    # Clear existing Redfish sessions.
191    Redfish.Logout
192
193    # Login using LDAP user.
194    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
195
196    # Set Account Lockout attributes using LDAP user.
197    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
198    ...  body=[('AccountLockoutDuration', 0)]
199    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
200    ...  body=[('AccountLockoutThreshold', 0)]
201
202
203Verify LDAP User With Read Privilege Able To Check Inventory
204    [Documentation]  Verify that LDAP user with read privilege able to
205    ...  read firmware inventory.
206    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
207    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
208    [Template]  Set Read Privilege And Check Firmware Inventory
209
210    ReadOnly
211
212
213Verify LDAP User With Read Privilege Should Not Do Host Poweron
214    [Documentation]  Verify that LDAP user with read privilege should not be
215    ...  allowed to power on the host.
216    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
217    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
218    [Template]  Set Read Privilege And Check Poweron
219
220    ReadOnly
221
222
223Update LDAP Group Name And Verify Operations
224    [Documentation]  Verify that LDAP group name update and able to do right
225    ...  operations.
226    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
227    [Template]  Update LDAP Config And Verify Set Host Name
228    [Teardown]  Restore LDAP Privilege
229
230    # group_name             group_privilege  valid_status_codes
231    ${GROUP_NAME}            Administrator    [${HTTP_OK}, ${HTTP_NO_CONTENT}]
232    ${GROUP_NAME}            Operator         [${HTTP_OK}, ${HTTP_NO_CONTENT}]
233    ${GROUP_NAME}            ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
234    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
235    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
236    Invalid_LDAP_Group_Name  ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
237
238
239Verify LDAP BaseDN Update And LDAP Login
240    [Documentation]  Update LDAP BaseDN of LDAP configuration and verify
241    ...  that LDAP login works.
242    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login
243
244
245    ${body}=  Catenate  {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings':
246    ...   {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}}
247    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
248    Sleep  15s
249    Redfish Verify LDAP Login
250
251
252Verify LDAP BindDN Update And LDAP Login
253    [Documentation]  Update LDAP BindDN of LDAP configuration and verify
254    ...  that LDAP login works.
255    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login
256
257    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
258    ...   {'AuthenticationType':'UsernameAndPassword', 'Username':
259    ...  '${LDAP_BIND_DN}'}}}
260    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
261    Sleep  15s
262    Redfish Verify LDAP Login
263
264
265Verify LDAP BindDN Password Update And LDAP Login
266    [Documentation]  Update LDAP BindDN password of LDAP configuration and
267    ...  verify that LDAP login works.
268    [Tags]  Verify_LDAP_BindDN_Password_Update_And_LDAP_Login
269
270
271    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
272    ...   {'AuthenticationType':'UsernameAndPassword', 'Password':
273    ...  '${LDAP_BIND_DN_PASSWORD}'}}}
274    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
275    Sleep  15s
276    Redfish Verify LDAP Login
277
278
279Verify LDAP Type Update And LDAP Login
280    [Documentation]  Update LDAP type of LDAP configuration and verify
281    ...  that LDAP login works.
282    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login
283
284    Disable Other LDAP
285    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
286    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
287    Sleep  15s
288    Redfish Verify LDAP Login
289
290
291Verify LDAP Authorization With Null Privilege
292    [Documentation]  Verify the failure of LDAP authorization with empty
293    ...  privilege.
294    [Tags]  Verify_LDAP_Authorization_With_Null_Privilege
295    [Teardown]  Restore LDAP Privilege
296
297    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}  ${EMPTY}
298    ...  [${HTTP_FORBIDDEN}]
299
300
301Verify LDAP Authorization With Invalid Privilege
302    [Documentation]  Verify that LDAP user authorization with wrong privilege
303    ...  fails.
304    [Tags]  Verify_LDAP_Authorization_With_Invalid_Privilege
305    [Teardown]  Restore LDAP Privilege
306
307    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}
308    ...  Invalid_Privilege  [${HTTP_FORBIDDEN}]
309
310
311Verify LDAP Login With Invalid Data
312    [Documentation]  Verify that LDAP login with Invalid LDAP data and
313    ...  right LDAP user fails.
314    [Tags]  Verify_LDAP_Login_With_Invalid_Data
315    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
316    ...  Redfish.Login  AND
317    ...  Create LDAP Configuration
318
319    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
320    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD
321    ...  Invalid_LDAP_BASE_DN
322    Sleep  15s
323    Redfish Verify LDAP Login  ${False}
324
325
326Verify LDAP Config Creation Without BASE DN
327    [Documentation]  Verify that LDAP login with LDAP configuration
328    ...  created without BASE_DN fails.
329    [Tags]  Verify_LDAP_Config_Creation_Without_BASE_DN
330    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
331    ...  Redfish.Login  AND
332    ...  Create LDAP Configuration
333
334    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
335    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD  ${EMPTY}
336    Sleep  15s
337    Redfish Verify LDAP Login  ${False}
338
339
340Verify LDAP Authentication Without Password
341    [Documentation]  Verify that LDAP user authentication without LDAP
342    ...  user password fails.
343    [Tags]  Verify_LDAP_Authentication_Without_Password
344    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
345
346    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
347    Valid Value  status  [${False}]
348
349
350Verify LDAP Login With Invalid BASE DN
351    [Documentation]  Verify that LDAP login with invalid BASE_DN and
352    ...  valid LDAP user fails.
353    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN
354    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
355    ...  Redfish.Login  AND
356    ...  Create LDAP Configuration
357
358    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
359    ...  ${LDAP_BIND_DN}  ${LDAP_BIND_DN_PASSWORD}  Invalid_LDAP_BASE_DN
360    Sleep  15s
361    Redfish Verify LDAP Login  ${False}
362
363
364Verify LDAP Login With Invalid BIND_DN_PASSWORD
365    [Documentation]  Verify that LDAP login with invalid BIND_DN_PASSWORD and
366    ...  valid LDAP user fails.
367    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD
368    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
369    ...  Redfish.Login  AND
370    ...  Create LDAP Configuration
371
372    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
373    ...  ${LDAP_BIND_DN}  INVALID_LDAP_BIND_DN_PASSWORD  ${LDAP_BASE_DN}
374    Sleep  15s
375    Redfish Verify LDAP Login  ${False}
376
377
378Verify LDAP Login With Invalid BASE DN And Invalid BIND DN
379    [Documentation]  Verify that LDAP login with invalid BASE_DN and invalid
380    ...  BIND_DN and valid LDAP user fails.
381    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN
382    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
383    ...  Redfish.Login  AND
384    ...  Create LDAP Configuration
385
386    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
387    ...  INVALID_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  INVALID_LDAP_BASE_DN
388    Sleep  15s
389    Redfish Verify LDAP Login  ${False}
390
391
392Verify Group Name And Group Privilege Able To Modify
393    [Documentation]  Verify that LDAP group name and group privilege able to
394    ...  modify.
395    [Tags]  Verify_Group_Name_And_Group_Privilege_Able_To_Modify
396    [Setup]  Update LDAP Configuration with LDAP User Role And Group
397    ...  ${LDAP_TYPE}  Operator  ${GROUP_NAME}
398
399    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
400    ...  Administrator  ${GROUP_NAME}
401
402
403Verify LDAP Login With Invalid BIND DN
404    [Documentation]  Verify that LDAP login with invalid BIND_DN and
405    ...  valid LDAP user fails.
406    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN
407    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
408    ...  Redfish.Login  AND
409    ...  Create LDAP Configuration
410
411    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
412    ...  Invalid_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  ${LDAP_BASE_DN}
413    Sleep  15s
414    Redfish Verify LDAP Login  ${False}
415
416
417Verify LDAP Authentication With Invalid LDAP User
418    [Documentation]  Verify that LDAP user authentication for user not exist
419    ...  in LDAP server and fails.
420    [Tags]  Verify_LDAP_Authentication_With_Invalid_LDAP_User
421    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
422
423    ${status}=  Run Keyword And Return Status  Redfish.Login  INVALID_LDAP_USER
424    ...  ${LDAP_USER_PASSWORD}
425    Valid Value  status  [${False}]
426
427
428Update LDAP User Roles And Verify Host Poweroff Operation
429    [Documentation]  Update LDAP user roles and verify host poweroff operation.
430    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation
431    [Teardown]  Restore LDAP Privilege
432
433    [Template]  Update LDAP User Role And Host Poweroff
434    # ldap_type   group_privilege  group_name     valid_status_codes
435
436    # Verify LDAP user with ReadOnly privilege not able to do host poweroff.
437    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
438
439    # Verify LDAP user with Operator privilege able to do host poweroff.
440    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
441
442    # Verify LDAP user with Administrator privilege able to do host poweroff.
443    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
444
445
446Update LDAP User Roles And Verify Host Poweron Operation
447    [Documentation]  Update LDAP user roles and verify host poweron operation.
448    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation
449    [Teardown]  Restore LDAP Privilege
450
451    [Template]  Update LDAP User Role And Host Poweron
452    # ldap_type   group_privilege  group_name     valid_status_codes
453
454    # Verify LDAP user with ReadOnly privilege not able to do host poweron.
455    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
456
457    # Verify LDAP user with Operator privilege able to do host poweron.
458    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
459
460    # Verify LDAP user with Administrator privilege able to do host poweron.
461    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
462
463
464Configure IP Address Via Different User Roles And Verify
465    [Documentation]  Configure IP address via different user roles and verify.
466    [Tags]  Configure_IP_Address_Via_Different_User_Roles_And_Verify
467    [Teardown]  Restore LDAP Privilege
468
469    [Template]  Update LDAP User Role And Configure IP Address
470    # Verify LDAP user with Administrator privilege is able to configure IP address.
471    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
472
473    # Verify LDAP user with ReadOnly privilege is forbidden to configure IP address.
474    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
475
476    # Verify LDAP user with Operator privilege is able to configure IP address.
477    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
478
479
480Delete IP Address Via Different User Roles And Verify
481    [Documentation]  Delete IP address via different user roles and verify.
482    [Tags]  Delete_IP_Address_Via_Different_User_Roles_And_Verify
483    [Teardown]  Run Keywords  Restore LDAP Privilege  AND  FFDC On Test Case Fail
484
485    [Template]  Update LDAP User Role And Delete IP Address
486    # Verify LDAP user with Administrator privilege is able to delete IP address.
487    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
488
489    # Verify LDAP user with ReadOnly privilege is forbidden to delete IP address.
490    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
491
492    # Verify LDAP user with Operator privilege is able to delete IP address.
493    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
494
495
496Read Network Configuration Via Different User Roles And Verify
497    [Documentation]  Read network configuration via different user roles and verify.
498    [Tags]  Read_Network_Configuration_Via_Different_User_Roles_And_Verify
499    [Teardown]  Restore LDAP Privilege
500
501    [Template]  Update LDAP User Role And Read Network Configuration
502    ${LDAP_TYPE}  Administrator  ${GROUP_NAME}  ${HTTP_OK}
503
504    ${LDAP_TYPE}  ReadOnly       ${GROUP_NAME}  ${HTTP_OK}
505
506    ${LDAP_TYPE}  Operator       ${GROUP_NAME}  ${HTTP_OK}
507
508Switch LDAP Type And Verify Login Fails
509    [Documentation]  Switch LDAP type and verify login fails.
510    [Tags]  Switch_LDAP_Type_And_Verify_Login_Fails
511
512    # Check Login with LDAP Type is working
513    Create LDAP Configuration
514    Redfish Verify LDAP Login
515
516    # Disable the LDAP Type from OpenLDAP to ActiveDirectory or vice-versa
517    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
518    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
519
520    # Enable the inverse LDAP type
521    Disable Other LDAP  ${True}
522    Create LDAP Configuration  ${LDAP_TYPE_1}  ${LDAP_SERVER_URI_1}  ${LDAP_BIND_DN_1}  ${LDAP_BIND_DN_PASSWORD_1}  ${LDAP_BASE_DN_1}
523    Redfish.Logout
524    Sleep  10s
525
526    # Check if Login works via Inverse LDAP
527    Redfish.Login  ${LDAP_USER_1}  ${LDAP_USER_PASSWORD_1}
528    Redfish.Logout
529    Sleep  10s
530
531    # Login using LDAP type must fail
532    Redfish Verify LDAP Login  ${False}
533    Redfish.Logout
534
535*** Keywords ***
536
537Redfish Verify LDAP Login
538    [Documentation]  LDAP user log into BMC.
539    [Arguments]  ${valid_status}=${True}
540
541    # Description of argument(s):
542    # valid_status  Expected status of LDAP login ("True" or "False").
543
544    # According to our repo coding rules, Redfish.Login is to be done in Suite
545    # Setup and Redfish.Logout is to be done in Suite Teardown.  For any
546    # deviation from this rule (such as in this keyword), the deviant code
547    # must take steps to restore us to our original logged-in state.
548
549    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
550    ...  ${LDAP_USER_PASSWORD}
551    Valid Value  status  [${valid_status}]
552    Redfish.Logout
553    Redfish.Login
554
555
556Update LDAP Config And Verify Set Host Name
557    [Documentation]  Update LDAP config and verify by attempting to set host name.
558    [Arguments]  ${group_name}  ${group_privilege}=Administrator
559    ...  ${valid_status_codes}=[${HTTP_OK}]
560    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
561
562    # Description of argument(s):
563    # group_name                    The group name of user.
564    # group_privilege               The group privilege ("Administrator",
565    #                               "Operator", "User" or "Callback").
566    # valid_status_codes            Expected return code(s) from patch
567    #                               operation (e.g. "200") used to update
568    #                               HostName.  See prolog of rest_request
569    #                               method in redfish_plus.py for details.
570    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
571    ...  ${group_privilege}  ${group_name}
572
573    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
574    # Verify that the LDAP user in ${group_name} with the given privilege is
575    # allowed to change the hostname.
576    Redfish.Patch  ${REDFISH_NW_ETH0_URI}  body={'HostName': '${hostname}'}
577    ...  valid_status_codes=${valid_status_codes}
578
579Disable Other LDAP
580    [Documentation]  Disable other LDAP configuration.
581    [Arguments]  ${service_state}=${False}
582
583    # First disable other LDAP.
584    ${inverse_ldap_type}=  Set Variable If  '${LDAP_TYPE}' == 'LDAP'  ActiveDirectory  LDAP
585    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
586    ...  body={'${inverse_ldap_type}': {'ServiceEnabled': ${service_state}}}
587    Sleep  15s
588
589
590Config LDAP URL
591    [Documentation]  Config LDAP URL.
592    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}  ${expected_status}=${TRUE}
593
594    # Description of argument(s):
595    # ldap_server_uri LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").
596
597    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
598    ...  body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}}
599    Sleep  15s
600    # After update, LDAP login.
601    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
602    Valid Value  status  [${expected_status}]
603
604    Redfish.Logout
605    Redfish.Login
606
607
608Restore LDAP URL
609    [Documentation]  Restore LDAP URL.
610
611    # Restoring the working LDAP server uri.
612    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
613    ...  body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
614    Sleep  15s
615
616
617Restore AccountLockout Attributes
618    [Documentation]  Restore AccountLockout Attributes.
619
620    Return From Keyword If  &{old_account_service} == &{EMPTY}
621    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
622    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
623    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
624    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]
625
626
627Suite Setup Execution
628    [Documentation]  Do suite setup tasks.
629
630    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
631    Valid Value  LDAP_USER
632    Valid Value  LDAP_USER_PASSWORD
633    Valid Value  GROUP_PRIVILEGE
634    Valid Value  GROUP_NAME
635    Valid Value  LDAP_SERVER_URI
636    Valid Value  LDAP_BIND_DN_PASSWORD
637    Valid Value  LDAP_BIND_DN
638    Valid Value  LDAP_BASE_DN
639
640    Redfish.Login
641    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
642    Get LDAP Configuration  ${LDAP_TYPE}
643    Set Suite Variable  ${old_ldap_privilege}
644    Disable Other LDAP
645    Create LDAP Configuration
646    ${hostname}=  Redfish.Get Attribute  ${REDFISH_NW_PROTOCOL_URI}  HostName
647
648
649LDAP Suite Teardown Execution
650    [Documentation]  Restore ldap configuration, delete unused redfish session.
651
652    Restore LDAP Privilege
653    Redfish.Logout
654    Run Keyword And Ignore Error  Delete All Redfish Sessions
655
656
657Set Read Privilege And Check Firmware Inventory
658    [Documentation]  Set read privilege and check firmware inventory.
659    [Arguments]  ${read_privilege}
660
661    # Description of argument(s):
662    # read_privilege  The read privilege role (e.g. "User" / "Callback").
663
664    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
665    ...  ${read_privilege}  ${GROUP_NAME}
666
667    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
668    # Verify that the LDAP user with read privilege is able to read inventory.
669    ${resp}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
670    Should Be True  ${resp.dict["Members@odata.count"]} >= ${1}
671    Length Should Be  ${resp.dict["Members"]}  ${resp.dict["Members@odata.count"]}
672    Redfish.Logout
673    Redfish.Login
674
675
676Set Read Privilege And Check Poweron
677    [Documentation]  Set read privilege and power on should not be possible.
678    [Arguments]  ${read_privilege}
679
680    # Description of argument(s):
681    # read_privilege  The read privilege role (e.g. "User" / "Callback").
682
683    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
684    ...  ${read_privilege}  ${GROUP_NAME}
685    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
686    Redfish.Post  ${REDFISH_POWER_URI}
687    ...  body={'ResetType': 'On'}   valid_status_codes=[401, 403]
688    Redfish.Logout
689    Redfish.Login
690
691
692Get LDAP Configuration
693    [Documentation]  Retrieve LDAP Configuration.
694    [Arguments]   ${ldap_type}
695
696    # Description of argument(s):
697    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").
698
699    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
700    [Return]  ${ldap_config["${ldap_type}"]}
701
702
703Update LDAP Configuration with LDAP User Role And Group
704    [Documentation]  Update LDAP configuration update with LDAP user Role and group.
705    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}
706
707    # Description of argument(s):
708    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
709    # group_privilege  The group privilege ("Administrator", "Operator", "User" or "Callback").
710    # group_name       The group name of user.
711
712    ${local_role_remote_group}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
713    ${remote_role_mapping}=  Create List  ${local_role_remote_group}
714    ${ldap_data}=  Create Dictionary  RemoteRoleMapping=${remote_role_mapping}
715    ${payload}=  Create Dictionary  ${ldap_type}=${ldap_data}
716    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
717    # Provide adequate time for LDAP daemon to restart after the update.
718    Sleep  15s
719
720
721Get LDAP Privilege
722    [Documentation]  Get LDAP privilege and return it.
723
724    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
725    ${num_list_entries}=  Get Length  ${ldap_config["RemoteRoleMapping"]}
726    Return From Keyword If  ${num_list_entries} == ${0}  @{EMPTY}
727
728    [Return]  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}
729
730
731Restore LDAP Privilege
732    [Documentation]  Restore the LDAP privilege to its original value.
733
734    Redfish.Login
735    Return From Keyword If  '${old_ldap_privilege}' == '${EMPTY}' or '${old_ldap_privilege}' == '[]'
736    # Log back in to restore the original privilege.
737    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
738    ...  ${old_ldap_privilege}  ${GROUP_NAME}
739
740    Sleep  18s
741
742Verify Host Power Status
743    [Documentation]  Verify the Host power status and do host power on/off respectively.
744    [Arguments]  ${expected_power_status}
745
746    # Description of argument(s):
747    # expected_power_status  State of Host e.g. Off or On.
748
749    ${power_status}=  Redfish.Get Attribute  /redfish/v1/Chassis/${CHASSIS_ID}  PowerState
750    Return From Keyword If  '${power_status}' == '${expected_power_status}'
751
752    Run Keyword If  '${power_status}' == 'Off'  Redfish Power On
753    ...  ELSE  Redfish Power Off
754
755Update LDAP User Role And Host Poweroff
756    [Documentation]  Update LDAP user role and do host poweroff.
757    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
758    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
759
760    # Description of argument(s):
761    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
762    # group_privilege    The group privilege ("Administrator", "Operator" or "ReadOnly").
763    # group_name         The group name of user.
764    # valid_status_code  The expected valid status code.
765
766    # check Host state and do the power on/off if needed.
767    Verify Host Power Status  On
768
769    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
770    ...  ${group_privilege}  ${group_name}
771
772    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
773
774    Redfish.Post  ${REDFISH_POWER_URI}
775    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[${valid_status_code}]
776
777    Return From Keyword If  ${valid_status_code} == ${HTTP_FORBIDDEN}
778    Wait Until Keyword Succeeds  1 min  10 sec  Verify Host Power State  Off
779
780
781Update LDAP User Role And Host Poweron
782    [Documentation]  Update LDAP user role and do host poweron.
783    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
784    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
785
786    # Description of argument(s):
787    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
788    # group_privilege    The group privilege ("Administrator", "Operator" or "ReadOnly").
789    # group_name         The group name of user.
790    # valid_status_code  The expected valid status code.
791
792    # check Host state and do the power on/off if needed.
793    Verify Host Power Status  Off
794
795    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
796    ...  ${group_privilege}  ${group_name}
797
798    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
799
800    Redfish.Post  ${REDFISH_POWER_URI}
801    ...  body={'ResetType': 'On'}   valid_status_codes=[${valid_status_code}]
802
803    Return From Keyword If  ${valid_status_code} == ${HTTP_FORBIDDEN}
804    Verify Host Is Up
805
806
807Update LDAP User Role And Configure IP Address
808    [Documentation]  Update LDAP user role and configure IP address.
809    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
810    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}
811
812    # Description of argument(s):
813    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
814    # group_privilege    The group privilege ("Administrator", "Operator" or "ReadOnly").
815    # group_name         The group name of user.
816    # valid_status_code  The expected valid status code.
817
818    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
819    ...  ${group_privilege}  ${group_name}
820
821    Redfish.Logout
822
823    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
824
825    ${test_gateway}=  Get BMC Default Gateway
826
827    Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}
828
829
830Update LDAP User Role And Delete IP Address
831    [Documentation]  Update LDAP user role and delete IP address.
832    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
833    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}
834
835    # Description of argument(s):
836    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
837    # group_privilege    The group privilege ("Administrator", "Operator" or "ReadOnly").
838    # group_name         The group name of user.
839    # valid_status_code  The expected valid status code.
840
841    ${test_gateway}=  Get BMC Default Gateway
842
843    # Configure IP address before deleting via LDAP user roles.
844    Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}
845
846    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
847    ...  ${group_privilege}  ${group_name}
848
849    Redfish.Logout
850
851    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
852
853    Delete IP Address  ${test_ip}  ${valid_status_code}
854
855
856Update LDAP User Role And Read Network Configuration
857    [Documentation]  Update LDAP user role and read network configuration.
858    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
859    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
860
861    # Description of argument(s):
862    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
863    # group_privilege    The group privilege ("Administrator", "Operator" or "ReadOnly").
864    # group_name         The group name of user.
865    # valid_status_code  The expected valid status code.
866
867    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
868    ...  ${group_privilege}  ${group_name}
869
870    Redfish.Logout
871
872    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
873    Redfish.Get  ${REDFISH_NW_ETH0_URI}  valid_status_codes=[${valid_status_code}]
874