1*** Settings ***
2Documentation    Test Redfish LDAP user configuration.
3
4Library          ../../lib/gen_robot_valid.py
5Resource         ../../lib/resource.robot
6Resource         ../../lib/bmc_redfish_resource.robot
7Resource         ../../lib/openbmc_ffdc.robot
8Library          ../../lib/gen_robot_valid.py
9
10Suite Setup      Suite Setup Execution
11Suite Teardown   Run Keywords  Restore LDAP Privilege  AND  Redfish.Logout
12Test Teardown    FFDC On Test Case Fail
13
14Force Tags       LDAP_Test
15
16*** Variables ***
17${old_ldap_privilege}   ${EMPTY}
18&{old_account_service}  &{EMPTY}
19&{old_ldap_config}      &{EMPTY}
20${hostname}             ${EMPTY}
21
22** Test Cases **
23
24Verify LDAP Configuration Created
25    [Documentation]  Verify that LDAP configuration created.
26    [Tags]  Verify_LDAP_Configuration_Created
27
28    Create LDAP Configuration
29    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
30    Get LDAP Configuration  ${LDAP_TYPE}
31    Sleep  10s
32    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
33    Redfish.Logout
34    Redfish.Login
35
36
37Verify LDAP Service Disable
38    [Documentation]  Verify that LDAP is disabled and that LDAP user cannot
39    ...  login.
40    [Tags]  Verify_LDAP_Service_Disable
41
42    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
43    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
44    Sleep  15s
45    ${resp}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
46    ...  ${LDAP_USER_PASSWORD}
47    Should Be Equal  ${resp}  ${False}
48    ...  msg=LDAP user was able to login even though the LDAP service was disabled.
49    Redfish.Logout
50    Redfish.Login
51    # Enabling LDAP so that LDAP user works.
52    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
53    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
54    Redfish.Logout
55    Redfish.Login
56
57
58Verify LDAP Login With ServiceEnabled
59    [Documentation]  Verify that LDAP Login with ServiceEnabled.
60    [Tags]  Verify_LDAP_Login_With_ServiceEnabled
61
62    Disable Other LDAP
63    # Actual service enablement.
64    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
65    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
66    Sleep  15s
67    # After update, LDAP login.
68    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
69    Redfish.Logout
70    Redfish.Login
71
72
73Verify LDAP Login With Correct AuthenticationType
74    [Documentation]  Verify that LDAP Login with right AuthenticationType.
75    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType
76
77    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
78    ...  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
79    Sleep  15s
80    # After update, LDAP login.
81    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
82    Redfish.Logout
83    Redfish.Login
84
85
86Verify LDAP Config Update With Incorrect AuthenticationType
87    [Documentation]  Verify that invalid AuthenticationType is not updated.
88    [Tags]  Verify_LDAP_Update_With_Incorrect_AuthenticationType
89
90    ${body}=  Catenate  {'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}
91
92    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
93    ...  body=${body}  valid_status_codes=[400]
94
95
96Verify LDAP Login With Correct LDAP URL
97    [Documentation]  Verify LDAP Login with right LDAP URL.
98    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL
99
100    Config LDAP URL  ${LDAP_SERVER_URI}
101
102
103Verify LDAP Config Update With Incorrect LDAP URL
104    [Documentation]  Verify that LDAP Login fails with invalid LDAP URL.
105    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
106    [Teardown]  Run Keywords  Restore LDAP URL  AND
107    ...  FFDC On Test Case Fail
108
109    Config LDAP URL  ldap://1.2.3.4/  ${FALSE}
110
111Verify LDAP Configuration Exist
112    [Documentation]  Verify that LDAP configuration is available.
113    [Tags]  Verify_LDAP_Configuration_Exist
114
115    ${resp}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
116    ...  ${LDAP_TYPE}  default=${EMPTY}
117    Should Not Be Empty  ${resp}  msg=LDAP configuration is not defined.
118
119
120Verify LDAP User Login
121    [Documentation]  Verify that LDAP user able to login into BMC.
122    [Tags]  Verify_LDAP_User_Login
123
124    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
125    Redfish.Logout
126    Redfish.Login
127
128
129Verify LDAP Service Available
130    [Documentation]  Verify that LDAP service is available.
131    [Tags]  Verify_LDAP_Service_Available
132
133    @{ldap_configuration}=  Get LDAP Configuration  ${LDAP_TYPE}
134    Should Contain  ${ldap_configuration}  LDAPService
135    ...  msg=LDAPService is not available.
136
137
138Verify LDAP Login Works After BMC Reboot
139    [Documentation]  Verify that LDAP login works after BMC reboot.
140    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot
141
142    Redfish OBMC Reboot (off)
143    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
144    Redfish.Logout
145    Redfish.Login
146
147
148Verify LDAP User With Admin Privilege Able To Do BMC Reboot
149    [Documentation]  Verify that LDAP user with administrator privilege able to do BMC reboot.
150    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot
151
152
153    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
154    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
155    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
156    # With LDAP user and with right privilege trying to do BMC reboot.
157    Redfish OBMC Reboot (off)
158    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
159    Redfish.Logout
160    Redfish.Login
161
162
163Verify LDAP User With Operator Privilege Able To Do Host Poweroff
164    [Documentation]  Verify that LDAP user with operator privilege can do host
165    ...  power off.
166    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
167    [Teardown]  Restore LDAP Privilege
168
169    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
170    ...  Operator  ${GROUP_NAME}
171
172    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
173    # Verify that the LDAP user with operator privilege is able to power the system off.
174    Redfish.Post  ${REDFISH_POWER_URI}
175    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[200]
176    Redfish.Logout
177    Redfish.Login
178
179
180Verify AccountLockout Attributes Set To Zero
181    [Documentation]  Verify that attribute AccountLockoutDuration and
182    ...  AccountLockoutThreshold are set to 0.
183    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
184    ...  FFDC On Test Case Fail
185    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero
186
187    ${old_account_service}=  Redfish.Get Properties
188    ...  ${REDFISH_BASE_URI}AccountService
189    Rprint Vars  old_account_service
190    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
191    ...  body=[('AccountLockoutDuration', 0)]
192    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
193    ...  body=[('AccountLockoutThreshold', 0)]
194
195
196Verify LDAP User With Read Privilege Able To Check Inventory
197    [Documentation]  Verify that LDAP user with read privilege able to
198    ...  read firmware inventory.
199    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
200    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
201    [Template]  Set Read Privilege And Check Firmware Inventory
202
203    ReadOnly
204
205
206Verify LDAP User With Read Privilege Should Not Do Host Poweron
207    [Documentation]  Verify that LDAP user with read privilege should not be
208    ...  allowed to power on the host.
209    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
210    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
211    [Template]  Set Read Privilege And Check Poweron
212
213    ReadOnly
214
215
216Update LDAP Group Name And Verify Operations
217    [Documentation]  Verify that LDAP group name update and able to do right
218    ...  operations.
219    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
220    [Template]  Update LDAP Config And Verify Set Host Name
221    [Teardown]  Restore LDAP Privilege
222
223    # group_name             group_privilege  valid_status_codes
224    ${GROUP_NAME}            Administrator    [${HTTP_OK}]
225    ${GROUP_NAME}            Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
226    ${GROUP_NAME}            ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
227    ${GROUP_NAME}            NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
228    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
229    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
230    Invalid_LDAP_Group_Name  ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
231    Invalid_LDAP_Group_Name  NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
232
233
234Verify LDAP BaseDN Update And LDAP Login
235    [Documentation]  Update LDAP BaseDN of LDAP configuration and verify
236    ...  that LDAP login works.
237    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login
238
239
240    ${body}=  Catenate  {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings':
241    ...   {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}}
242    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
243    Sleep  15s
244    Redfish Verify LDAP Login
245
246
247Verify LDAP BindDN Update And LDAP Login
248    [Documentation]  Update LDAP BindDN of LDAP configuration and verify
249    ...  that LDAP login works.
250    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login
251
252    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
253    ...   {'AuthenticationType':'UsernameAndPassword', 'Username':
254    ...  '${LDAP_BIND_DN}'}}}
255    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
256    Sleep  15s
257    Redfish Verify LDAP Login
258
259
260Verify LDAP BindDN Password Update And LDAP Login
261    [Documentation]  Update LDAP BindDN password of LDAP configuration and
262    ...  verify that LDAP login works.
263    [Tags]  Verify_LDAP_BindDN_Passsword_Update_And_LDAP_Login
264
265
266    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
267    ...   {'AuthenticationType':'UsernameAndPassword', 'Password':
268    ...  '${LDAP_BIND_DN_PASSWORD}'}}}
269    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
270    Sleep  15s
271    Redfish Verify LDAP Login
272
273
274Verify LDAP Type Update And LDAP Login
275    [Documentation]  Update LDAP type of LDAP configuration and verify
276    ...  that LDAP login works.
277    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login
278
279    Disable Other LDAP
280    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
281    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
282    Sleep  15s
283    Redfish Verify LDAP Login
284
285
286Verify Authorization With Null Privilege
287    [Documentation]  Verify the failure of LDAP authorization with empty
288    ...  privilege.
289    [Tags]  Verify_LDAP_Authorization_With_Null_Privilege
290    [Teardown]  Restore LDAP Privilege
291
292    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}  ${EMPTY}
293    ...  [${HTTP_FORBIDDEN}]
294
295
296Verify Authorization With Invalid Privilege
297    [Documentation]  Verify that LDAP user authorization with wrong privilege
298    ...  fails.
299    [Tags]  Verify_LDAP_Authorization_With_Invalid_Privilege
300    [Teardown]  Restore LDAP Privilege
301
302    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}
303    ...  Invalid_Privilege  [${HTTP_FORBIDDEN}]
304
305
306Verify LDAP Login With Invalid Data
307    [Documentation]  Verify that LDAP login with Invalid LDAP data and
308    ...  right LDAP user fails.
309    [Tags]  Verify_LDAP_Login_With_Invalid_Data
310    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
311    ...  Create LDAP Configuration
312
313    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
314    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD
315    ...  Invalid_LDAP_BASE_DN
316    Sleep  15s
317    Redfish Verify LDAP Login  ${False}
318
319
320Verify LDAP Config Creation Without BASE_DN
321    [Documentation]  Verify that LDAP login with LDAP configuration
322    ...  created without BASE_DN fails.
323    [Tags]  Verify_LDAP_Config_Creation_Without_BASE_DN
324    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
325    ...  Create LDAP Configuration
326
327    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
328    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD  ${EMPTY}
329    Sleep  15s
330    Redfish Verify LDAP Login  ${False}
331
332
333Verify LDAP Authentication Without Password
334    [Documentation]  Verify that LDAP user authentication without LDAP
335    ...  user password fails.
336    [Tags]  Verify_LDAP_Authentication_Without_Password
337
338    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
339    Valid Value  status  [${False}]
340
341
342Verify LDAP Login With Invalid BASE_DN
343    [Documentation]  Verify that LDAP login with invalid BASE_DN and
344    ...  valid LDAP user fails.
345    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN
346    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
347    ...  Create LDAP Configuration
348
349    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
350    ...  ${LDAP_BIND_DN}  ${LDAP_BIND_DN_PASSWORD}  Invalid_LDAP_BASE_DN
351    Sleep  15s
352    Redfish Verify LDAP Login  ${False}
353
354
355Verify LDAP Login With Invalid BIND_DN_PASSWORD
356    [Documentation]  Verify that LDAP login with invalid BIND_DN_PASSWORD and
357    ...  valid LDAP user fails.
358    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD
359    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
360    ...  Create LDAP Configuration
361
362    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
363    ...  ${LDAP_BIND_DN}  INVALID_LDAP_BIND_DN_PASSWORD  ${LDAP_BASE_DN}
364    Sleep  15s
365    Redfish Verify LDAP Login  ${False}
366
367
368Verify LDAP Login With Invalid BASE_DN And Invalid BIND_DN
369    [Documentation]  Verify that LDAP login with invalid BASE_DN and invalid
370    ...  BIND_DN and valid LDAP user fails.
371    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN
372    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
373    ...  Create LDAP Configuration
374
375    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
376    ...  INVALID_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  INVALID_LDAP_BASE_DN
377    Sleep  15s
378    Redfish Verify LDAP Login  ${False}
379
380
381Verify Group Name And Group Privilege Able To Modify
382    [Documentation]  Verify that LDAP group name and group privilege able to
383    ...  modify.
384    [Tags]  Verify_Group_Name_And_Group_Privilege_Able_To_Modify
385    [Setup]  Update LDAP Configuration with LDAP User Role And Group
386    ...  ${LDAP_TYPE}  Operator  ${GROUP_NAME}
387
388    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
389    ...  Administrator  ${GROUP_NAME}
390
391
392Verify LDAP Login With Invalid BIND_DN
393    [Documentation]  Verify that LDAP login with invalid BIND_DN and
394    ...  valid LDAP user fails.
395    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN
396    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
397    ...  Create LDAP Configuration
398
399    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
400    ...  Invalid_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  ${LDAP_BASE_DN}
401    Sleep  15s
402    Redfish Verify LDAP Login  ${False}
403
404
405Verify LDAP Authentication With Invalid LDAP User
406    [Documentation]  Verify that LDAP user authentication for user not exist
407    ...  in LDAP server and fails.
408    [Tags]  Verify_LDAP_Authentication_With_Invalid_LDAP_User
409
410    ${status}=  Run Keyword And Return Status  Redfish.Login  INVALID_LDAP_USER
411    ...  ${LDAP_USER_PASSWORD}
412    Valid Value  status  [${False}]
413
414
415Update LDAP User Roles And Verify Host Poweroff Operation
416    [Documentation]  Update LDAP user roles and verify host poweroff operation.
417    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation
418    [Teardown]  Restore LDAP Privilege
419
420    [Template]  Update LDAP User Role And Host Poweroff
421    # ldap_type   group_privilege  group_name     valid_status_codes
422
423    # Verify LDAP user with NoAccess privilege not able to do host poweroff.
424    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
425
426    # Verify LDAP user with ReadOnly privilege not able to do host poweroff.
427    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
428
429    # Verify LDAP user with Operator privilege able to do host poweroff.
430    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
431
432    # Verify LDAP user with Administrator privilege able to do host poweroff.
433    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
434
435
436Update LDAP User Roles And Verify Host Poweron Operation
437    [Documentation]  Update LDAP user roles and verify host poweron operation.
438    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation
439    [Teardown]  Restore LDAP Privilege
440
441    [Template]  Update LDAP User Role And Host Poweron
442    # ldap_type   group_privilege  group_name     valid_status_codes
443
444    # Verify LDAP user with NoAccess privilege not able to do host poweron.
445    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
446
447    # Verify LDAP user with ReadOnly privilege not able to do host poweron.
448    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
449
450    # Verify LDAP user with Operator privilege able to do host poweron.
451    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
452
453    # Verify LDAP user with Administrator privilege able to do host poweron.
454    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
455
456
457*** Keywords ***
458
459Redfish Verify LDAP Login
460    [Documentation]  LDAP user log into BMC.
461    [Arguments]  ${valid_status}=${True}
462
463    # Description of argument(s):
464    # valid_status  Expected status of LDAP login ("True" or "False").
465
466    # According to our repo coding rules, Redfish.Login is to be done in Suite
467    # Setup and Redfish.Logout is to be done in Suite Teardown.  For any
468    # deviation from this rule (such as in this keyword), the deviant code
469    # must take steps to restore us to our original logged-in state.
470
471    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
472    ...  ${LDAP_USER_PASSWORD}
473    Valid Value  status  [${valid_status}]
474    Redfish.Logout
475    Redfish.Login
476
477
478Update LDAP Config And Verify Set Host Name
479    [Documentation]  Update LDAP config and verify by attempting to set host name.
480    [Arguments]  ${group_name}  ${group_privilege}=Administrator
481    ...  ${valid_status_codes}=[${HTTP_OK}]
482
483    # Description of argument(s):
484    # group_name                    The group name of user.
485    # group_privilege               The group privilege ("Administrator",
486    #                               "Operator", "User" or "Callback").
487    # valid_status_codes            Expected return code(s) from patch
488    #                               operation (e.g. "200") used to update
489    #                               HostName.  See prolog of rest_request
490    #                               method in redfish_plut.py for details.
491    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
492    ...  ${group_privilege}  ${group_name}
493    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
494    # Verify that the LDAP user in ${group_name} with the given privilege is
495    # allowed to change the hostname.
496    Redfish.Patch  ${REDFISH_NW_PROTOCOL_URI}  body={'HostName': '${hostname}'}
497    ...  valid_status_codes=${valid_status_codes}
498    Redfish.Logout
499    Redfish.Login
500
501
502Disable Other LDAP
503    [Documentation]  Disable other LDAP configuration.
504
505    # First disable other LDAP.
506    ${inverse_ldap_type}=  Set Variable If  '${LDAP_TYPE}' == 'LDAP'  ActiveDirectory  LDAP
507    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
508    ...  body={'${inverse_ldap_type}': {'ServiceEnabled': ${False}}}
509    Sleep  15s
510
511
512Create LDAP Configuration
513    [Documentation]  Create LDAP configuration.
514    [Arguments]  ${ldap_type}=${LDAP_TYPE}  ${ldap_server_uri}=${LDAP_SERVER_URI}
515    ...  ${ldap_bind_dn}=${LDAP_BIND_DN}  ${ldap_bind_dn_password}=${LDAP_BIND_DN_PASSWORD}
516    ...  ${ldap_base_dn}=${LDAP_BASE_DN}
517
518    # Description of argument(s):
519    # ldap_type              The LDAP type ("ActiveDirectory" or "LDAP").
520    # ldap_server_uri        LDAP server uri (e.g. ldap://XX.XX.XX.XX).
521    # ldap_bind_dn           The LDAP bind distinguished name.
522    # ldap_bind_dn_password  The LDAP bind distinguished name password.
523    # ldap_base_dn           The LDAP base distinguished name.
524
525    ${body}=  Catenate  {'${ldap_type}':
526    ...  {'ServiceEnabled': ${True},
527    ...   'ServiceAddresses': ['${ldap_server_uri}'],
528    ...   'Authentication':
529    ...       {'AuthenticationType': 'UsernameAndPassword',
530    ...        'Username':'${ldap_bind_dn}',
531    ...        'Password': '${ldap_bind_dn_password}'},
532    ...   'LDAPService':
533    ...       {'SearchSettings':
534    ...           {'BaseDistinguishedNames': ['${ldap_base_dn}']}}}}
535
536    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
537    Sleep  15s
538
539
540Config LDAP URL
541    [Documentation]  Config LDAP URL.
542    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}  ${expected_status}=${TRUE}
543
544    # Description of argument(s):
545    # ldap_server_uri LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").
546
547    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
548    ...  body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}}
549    Sleep  15s
550    # After update, LDAP login.
551    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
552    Valid Value  status  [${expected_status}]
553
554    Redfish.Logout
555    Redfish.Login
556
557
558Restore LDAP URL
559    [Documentation]  Restore LDAP URL.
560
561    # Restoring the working LDAP server uri.
562    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
563    ...  body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
564    Sleep  15s
565
566
567Restore AccountLockout Attributes
568    [Documentation]  Restore AccountLockout Attributes.
569
570    Return From Keyword If  &{old_account_service} == &{EMPTY}
571    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
572    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
573    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
574    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutThreshold']})]
575
576
577Suite Setup Execution
578    [Documentation]  Do suite setup tasks.
579
580    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
581    Valid Value  LDAP_USER
582    Valid Value  LDAP_USER_PASSWORD
583    Valid Value  GROUP_PRIVILEGE
584    Valid Value  GROUP_NAME
585    Valid Value  LDAP_SERVER_URI
586    Valid Value  LDAP_BIND_DN_PASSWORD
587    Valid Value  LDAP_BIND_DN
588    Valid Value  LDAP_BASE_DN
589
590    Redfish.Login
591    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
592    Get LDAP Configuration  ${LDAP_TYPE}
593    ${old_ldap_privilege}=  Get LDAP Privilege
594    Set Suite Variable  ${old_ldap_privilege}
595    Disable Other LDAP
596    Create LDAP Configuration
597    ${hostname}=  Redfish.Get Attribute  ${REDFISH_NW_PROTOCOL_URI}  HostName
598
599
600Set Read Privilege And Check Firmware Inventory
601    [Documentation]  Set read privilege and check firmware inventory.
602    [Arguments]  ${read_privilege}
603
604    # Description of argument(s):
605    # read_privilege  The read privilege role (e.g. "User" / "Callback").
606
607    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
608    ...  ${read_privilege}  ${GROUP_NAME}
609
610    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
611    # Verify that the LDAP user with read privilege is able to read inventory.
612    ${resp}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
613    Should Be True  ${resp.dict["Members@odata.count"]} >= ${1}
614    Length Should Be  ${resp.dict["Members"]}  ${resp.dict["Members@odata.count"]}
615    Redfish.Logout
616    Redfish.Login
617
618
619Set Read Privilege And Check Poweron
620    [Documentation]  Set read privilege and power on should not be possible.
621    [Arguments]  ${read_privilege}
622
623    # Description of argument(s):
624    # read_privilege  The read privilege role (e.g. "User" / "Callback").
625
626    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
627    ...  ${read_privilege}  ${GROUP_NAME}
628    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
629    Redfish.Post  ${REDFISH_POWER_URI}
630    ...  body={'ResetType': 'On'}   valid_status_codes=[401, 403]
631    Redfish.Logout
632    Redfish.Login
633
634
635Get LDAP Configuration
636    [Documentation]  Retrieve LDAP Configuration.
637    [Arguments]   ${ldap_type}
638
639    # Description of argument(s):
640    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").
641
642    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
643    [Return]  ${ldap_config["${ldap_type}"]}
644
645
646Update LDAP Configuration with LDAP User Role And Group
647    [Documentation]  Update LDAP configuration update with LDAP user Role and group.
648    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}
649
650    # Description of argument(s):
651    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
652    # group_privilege  The group privilege ("Administrator", "Operator", "User" or "Callback").
653    # group_name       The group name of user.
654
655    ${local_role_remote_group}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
656    ${remote_role_mapping}=  Create List  ${local_role_remote_group}
657    ${ldap_data}=  Create Dictionary  RemoteRoleMapping=${remote_role_mapping}
658    ${payload}=  Create Dictionary  ${ldap_type}=${ldap_data}
659    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
660    # Provide adequate time for LDAP daemon to restart after the update.
661    Sleep  15s
662
663
664Get LDAP Privilege
665    [Documentation]  Get LDAP privilege and return it.
666
667    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
668    ${num_list_entries}=  Get Length  ${ldap_config["RemoteRoleMapping"]}
669    Return From Keyword If  ${num_list_entries} == ${0}  @{EMPTY}
670
671    [Return]  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}
672
673
674Restore LDAP Privilege
675    [Documentation]  Restore the LDAP privilege to its original value.
676
677    Return From Keyword If  '${old_ldap_privilege}' == '${EMPTY}'
678    # Log back in to restore the original privilege.
679    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
680    ...  ${old_ldap_privilege}  ${GROUP_NAME}
681
682    Sleep  18s
683
684
685Update LDAP User Role And Host Poweroff
686    [Documentation]  Update LDAP user role and do host poweroff.
687    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
688    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
689
690    # Description of argument(s):
691    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
692    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
693    # group_name         The group name of user.
694    # valid_status_code  The expected valid status code.
695
696    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
697    ...  ${group_privilege}  ${group_name}
698
699    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
700
701    Redfish.Post  ${REDFISH_POWER_URI}
702    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[${valid_status_code}]
703
704
705Update LDAP User Role And Host Poweron
706    [Documentation]  Update LDAP user role and do host poweron.
707    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
708    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
709
710    # Description of argument(s):
711    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
712    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
713    # group_name         The group name of user.
714    # valid_status_code  The expected valid status code.
715
716    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
717    ...  ${group_privilege}  ${group_name}
718
719    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
720
721    Redfish.Post  ${REDFISH_POWER_URI}
722    ...  body={'ResetType': 'On'}   valid_status_codes=[${valid_status_code}]
723