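*** Settings ***
Documentation    Test Redfish LDAP user configuration.

# Shared libraries and resources used by the test cases and keywords below.
Library          ../../lib/gen_robot_valid.py
Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot

Suite Setup      Suite Setup Execution
# The LDAP role mapping is put back before the suite's session is closed.
Suite Teardown   Run Keywords  Restore LDAP Privilege  AND  Redfish.Logout
Test Teardown    FFDC On Test Case Fail

Force Tags       LDAP_Test

*** Variables ***
# Placeholders for values saved before a test changes them.  The restore
# keywords treat an empty value as "nothing was saved" and do nothing.
${old_ldap_privilege}  ${EMPTY}
&{old_account_service}  &{EMPTY}
&{old_ldap_config}  &{EMPTY}

*** Test Cases ***
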
Verify LDAP Configuration Created
    [Documentation]  Create the LDAP configuration and confirm that an LDAP
    ...  user can log in afterwards.
    [Tags]  Verify_LDAP_Configuration_Created

    Create LDAP Configuration
    # Reading the entry back fails the test if no configuration exists for
    # this LDAP type.
    Get LDAP Configuration  ${LDAP_TYPE}
    Sleep  10s
    # A successful login as the LDAP user is the acceptance check.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Drop the LDAP user's session and log in again with the default
    # credentials so later tests run with the suite's usual session.
    Redfish.Logout
    Redfish.Login


Verify LDAP Service Disable
    [Documentation]  Disable the LDAP service and confirm that an LDAP user
    ...  is refused at login.
    [Tags]  Verify_LDAP_Service_Disable

    # Turn the service off and give the BMC time to apply the change.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
    Sleep  15s
    # The login attempt must be rejected; a successful login here means the
    # disabled service still authenticates users.
    ${login_status}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${login_status}  ${False}
    ...  msg=LDAP user was able to login even though the LDAP service was disabled.
    Redfish.Logout
    Redfish.Login
    # Re-enable LDAP so that the tests that follow can use the LDAP user.
    # NOTE(review): this re-enable is skipped if the assertion above fails;
    # confirm whether that is acceptable or belongs in a [Teardown].
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Redfish.Logout
    Redfish.Login


Verify LDAP Login With ServiceEnabled
    [Documentation]  Enable the LDAP service and confirm that an LDAP user
    ...  can log in.
    [Tags]  Verify_LDAP_Login_With_ServiceEnabled

    # Switch off the other directory type before enabling the one under test.
    Disable Other LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    # With the service enabled the LDAP user must be able to log in.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Return to the default session.
    Redfish.Logout
    Redfish.Login


Verify LDAP Login With Correct AuthenticationType
    [Documentation]  Set a supported AuthenticationType and confirm that an
    ...  LDAP user can log in.
    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType

    # Robot variable names are case-insensitive, so ${ldap_type} below is the
    # same variable as ${LDAP_TYPE}.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
    Sleep  15s
    # The LDAP user must still be able to log in after the update.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Return to the default session.
    Redfish.Logout
    Redfish.Login


Verify LDAP Config Update With Incorrect AuthenticationType
    [Documentation]  Confirm that the BMC rejects an AuthenticationType this
    ...  test treats as invalid.
    [Tags]  Verify_LDAP_Update_With_Incorrect_AuthenticationType

    # Only HTTP 400 is accepted: the request must be refused, not applied.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}
    ...  valid_status_codes=[400]


Verify LDAP Login With Correct LDAP URL
    [Documentation]  Configure the working LDAP server URL and confirm that
    ...  an LDAP user can log in.
    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL

    # "Config LDAP URL" applies the address and then logs in as the LDAP user.
    Config LDAP URL  ${LDAP_SERVER_URI}


Verify LDAP Config Update With Incorrect LDAP URL
    [Documentation]  Verify that LDAP Login fails with invalid LDAP URL.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
    # The working server address is restored whether or not the test passes.
    [Teardown]  Run Keywords  Restore LDAP URL  AND
    ...  FFDC On Test Case Fail

    # NOTE(review): "Config LDAP URL" performs a Redfish.Login that must
    # succeed, while the documentation above expects login to fail; confirm
    # which outcome this test is meant to assert.  The double quotes are part
    # of the value that is sent.
    Config LDAP URL  "ldap://1.2.3.4"


Verify LDAP Configuration Exist
    [Documentation]  Confirm that AccountService exposes a configuration for
    ...  the LDAP type under test.
    [Tags]  Verify_LDAP_Configuration_Exist

    # A missing attribute yields the empty default and fails the check below.
    ${ldap_entry}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
    ...  ${LDAP_TYPE}  default=${EMPTY}
    Should Not Be Empty  ${ldap_entry}
    ...  msg=LDAP configuration is not defined.


Verify LDAP User Login
    [Documentation]  Confirm that the LDAP user can log in to the BMC.
    [Tags]  Verify_LDAP_User_Login

    # The test fails if this login is refused.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Return to the default session.
    Redfish.Logout
    Redfish.Login


Verify LDAP Service Available
    [Documentation]  Confirm that the LDAP configuration contains an
    ...  LDAPService entry.
    [Tags]  Verify_LDAP_Service_Available

    # Fetch the configuration for the LDAP type under test and look for the
    # LDAPService key.
    @{ldap_configuration}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Contain  ${ldap_configuration}  LDAPService
    ...  msg=LDAPService is not available.


Verify LDAP Login Works After BMC Reboot
    [Documentation]  Confirm that LDAP login still works once the BMC has
    ...  been rebooted.
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot

    Redfish OBMC Reboot (off)
    # The LDAP user must be able to log in after the reboot.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Return to the default session.
    Redfish.Logout
    Redfish.Login


Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Documentation]  Confirm that an LDAP user mapped to the configured group
    ...  privilege can reboot the BMC.
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot

    # Map the LDAP group to ${GROUP_PRIVILEGE}.
    # NOTE(review): the test name expects this to be Administrator; confirm
    # the value supplied for GROUP_PRIVILEGE.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The reboot is requested while the LDAP user's session is active.
    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Return to the default session.
    Redfish.Logout
    Redfish.Login


Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Confirm that an LDAP user mapped to the Operator role
    ...  can power the host off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    [Teardown]  Restore LDAP Privilege

    # Map the LDAP group to the Operator role.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Operator  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The power-off request must be accepted (HTTP 200) for an Operator.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}
    ...  valid_status_codes=[200]
    # Return to the default session.
    Redfish.Logout
    Redfish.Login


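Verify AccountLockout Attributes Set To Zero
    [Documentation]  Verify that attribute AccountLockoutDuration and
    ...  AccountLockoutThreshold are set to 0.
    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
    ...  FFDC On Test Case Fail
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero

    # Save the current AccountService properties and publish them at test
    # scope.  A plain assignment is local to this test body and is not
    # visible inside the teardown keyword, which would then find nothing to
    # restore and leave account lockout disabled on the BMC.
    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    Set Test Variable  ${old_account_service}
    Rprint Vars  old_account_service
    # Each PATCH must return the default success status for the test to pass.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]

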
Verify LDAP User With Read Privilege Able To Check Inventory
    [Documentation]  Confirm that an LDAP user holding a read-only role can
    ...  read the firmware inventory.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Firmware Inventory

    # One template run per read-only role.
    User
    Callback


Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Documentation]  Confirm that an LDAP user holding a read-only role is
    ...  refused when trying to power the host on.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Poweron

    # One template run per read-only role.
    User
    Callback


Update LDAP Group Name And Verify Operations
    [Documentation]  For each group name and role combination, confirm that
    ...  a hostname update by the LDAP user gets the expected response.
    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
    [Template]  Update LDAP Config And Verify Set Host Name
    [Teardown]  Restore LDAP Privilege

    # Only the valid group mapped to Administrator may change the hostname.
    # Every other row, including any role on an unknown group, must be
    # refused with 401 or 403.
    # group_name             group_privilege  valid_status_codes
    ${GROUP_NAME}            Administrator    [${HTTP_OK}]
    ${GROUP_NAME}            Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    ${GROUP_NAME}            User             [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    ${GROUP_NAME}            Callback         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  User             [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Callback         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]


Verify LDAP BaseDN Update And LDAP Login
    [Documentation]  Write the base DN into the LDAP configuration and
    ...  confirm that LDAP login works.
    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login

    # Catenate joins the two fragments into one request body string.
    ${patch_body}=  Catenate  {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings':
    ...   {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${patch_body}
    Sleep  15s
    # Log in as the LDAP user, then return to the default session.
    Redfish Verify LDAP Login


Verify LDAP BindDN Update And LDAP Login
    [Documentation]  Write the bind DN into the LDAP configuration and
    ...  confirm that LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login

    # Catenate joins the fragments into one request body string.
    ${patch_body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...   {'AuthenticationType':'UsernameAndPassword', 'Username':
    ...  '${LDAP_BIND_DN}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${patch_body}
    Sleep  15s
    # Log in as the LDAP user, then return to the default session.
    Redfish Verify LDAP Login


Verify LDAP BindDN Password Update And LDAP Login
    [Documentation]  Write the bind DN password into the LDAP configuration
    ...  and confirm that LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Passsword_Update_And_LDAP_Login

    # The bind password is interpolated into the request body text.
    # NOTE(review): confirm that request logging does not record this body
    # in the test report.
    ${patch_body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...   {'AuthenticationType':'UsernameAndPassword', 'Password':
    ...  '${LDAP_BIND_DN_PASSWORD}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${patch_body}
    Sleep  15s
    # Log in as the LDAP user, then return to the default session.
    Redfish Verify LDAP Login


Verify LDAP Type Update And LDAP Login
    [Documentation]  Make the LDAP type under test the only enabled one and
    ...  confirm that LDAP login works.
    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login

    # Disable the other directory type, then enable the one under test.
    Disable Other LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    # Log in as the LDAP user, then return to the default session.
    Redfish Verify LDAP Login


Verify Authorization With Null Privilege
    [Documentation]  Confirm that an LDAP user whose group is mapped to an
    ...  empty privilege is not authorized.
    [Tags]  Verify_LDAP_Authorization_With_Null_Privilege
    [Setup]  Create LDAP Configuration
    [Teardown]  Restore LDAP Privilege

    # The hostname update attempted by the LDAP user must be refused with 403.
    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}  ${EMPTY}
    ...  [${HTTP_FORBIDDEN}]


Verify Authorization With Invalid Privilege
    [Documentation]  Confirm that an LDAP user whose group is mapped to an
    ...  unknown privilege is not authorized.
    [Tags]  Verify_LDAP_Authorization_With_Invalid_Privilege
    [Setup]  Create LDAP Configuration
    [Teardown]  Restore LDAP Privilege

    # The hostname update attempted by the LDAP user must be refused with 403.
    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}
    ...  Invalid_Privilege  [${HTTP_FORBIDDEN}]


Verify LDAP Login With Invalid Data
    [Documentation]  Confirm that a valid LDAP user cannot log in while the
    ...  LDAP configuration holds invalid data.
    [Tags]  Verify_LDAP_Login_With_Invalid_Data
    # The teardown re-creates the working configuration from the defaults.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    # All four values are literal placeholder strings, including the password
    # argument, which is the text "LDAP_BIND_DN_PASSWORD" and not the variable.
    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD
    ...  Invalid_LDAP_BASE_DN
    Sleep  15s
    # The login attempt is expected to fail.
    Redfish Verify LDAP Login  ${False}


Verify LDAP Config Creation Without BASE_DN
    [Documentation]  Confirm that LDAP login fails when the configuration
    ...  was created without a BASE_DN.
    [Tags]  Verify_LDAP_Config_Creation_Without_BASE_DN
    # The teardown re-creates the working configuration from the defaults.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    # NOTE(review): the server URI, bind DN and password are also invalid
    # placeholders here, so a failed login does not by itself show that the
    # empty BASE_DN was the cause; confirm whether that is intended.
    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD  ${EMPTY}
    Sleep  15s
    # The login attempt is expected to fail.
    Redfish Verify LDAP Login  ${False}


Verify LDAP Authentication Without Password
    [Documentation]  Confirm that an LDAP user cannot authenticate when the
    ...  LDAP user password is not supplied.
    [Tags]  Verify_LDAP_Authentication_Without_Password
    [Setup]  Create LDAP Configuration

    # Only the user name is passed.
    # NOTE(review): Redfish.Login presumably falls back to its default
    # password rather than an empty one; confirm against the library.
    # NOTE(review): unlike "Redfish Verify LDAP Login", no Logout/Login
    # follows to restore the default session; confirm that is acceptable.
    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    # The login attempt must have been refused.
    Valid Value  status  [${False}]


Verify LDAP Login With Invalid BASE_DN
    [Documentation]  Confirm that a valid LDAP user cannot log in when only
    ...  the BASE_DN is invalid.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN
    # The teardown re-creates the working configuration from the defaults.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    # Server URI, bind DN and bind password are the working values; only the
    # base DN is a placeholder.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}  ${LDAP_BIND_DN_PASSWORD}  Invalid_LDAP_BASE_DN
    Sleep  15s
    # The login attempt is expected to fail.
    Redfish Verify LDAP Login  ${False}


Verify LDAP Login With Invalid BIND_DN_PASSWORD
    [Documentation]  Confirm that a valid LDAP user cannot log in when only
    ...  the BIND_DN_PASSWORD is invalid.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD
    # The teardown re-creates the working configuration from the defaults.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    # Only the bind password is a placeholder; the other values are the
    # working ones.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}  INVALID_LDAP_BIND_DN_PASSWORD  ${LDAP_BASE_DN}
    Sleep  15s
    # The login attempt is expected to fail.
    Redfish Verify LDAP Login  ${False}


Verify LDAP Login With Invalid BASE_DN And Invalid BIND_DN
    [Documentation]  Confirm that a valid LDAP user cannot log in when both
    ...  the BASE_DN and the BIND_DN are invalid.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN
    # The teardown re-creates the working configuration from the defaults.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    # Bind DN and base DN are placeholders; URI and bind password are the
    # working values.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  INVALID_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  INVALID_LDAP_BASE_DN
    Sleep  15s
    # The login attempt is expected to fail.
    Redfish Verify LDAP Login  ${False}


Verify Group Name And Group Privilege Able To Modify
    [Documentation]  Confirm that an existing group-to-role mapping can be
    ...  modified.
    [Tags]  Verify_Group_Name_And_Group_Privilege_Able_To_Modify
    # Start from a known mapping: the group is given the Operator role.
    [Setup]  Run Keywords  Create LDAP Configuration  AND
    ...  Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  Operator  ${GROUP_NAME}

    # Changing the same group to Administrator must be accepted.
    # NOTE(review): no teardown resets the role afterwards, so the group
    # keeps Administrator until another test or the suite teardown changes it.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Administrator  ${GROUP_NAME}


Verify LDAP Login With Invalid BIND_DN
    [Documentation]  Confirm that a valid LDAP user cannot log in when only
    ...  the BIND_DN is invalid.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN
    # The teardown re-creates the working configuration from the defaults.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    # Only the bind DN is a placeholder; the other values are the working
    # ones.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  Invalid_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  ${LDAP_BASE_DN}
    Sleep  15s
    # The login attempt is expected to fail.
    Redfish Verify LDAP Login  ${False}


Verify LDAP Authentication With Invalid LDAP User
    [Documentation]  Confirm that authentication fails for a user name that
    ...  does not exist on the LDAP server.
    [Tags]  Verify_LDAP_Authentication_With_Invalid_LDAP_User
    [Setup]  Create LDAP Configuration

    # The user name is a literal placeholder; the password is the valid one.
    # NOTE(review): no Logout/Login follows to restore the default session;
    # confirm that is acceptable.
    ${status}=  Run Keyword And Return Status
    ...  Redfish.Login  INVALID_LDAP_USER  ${LDAP_USER_PASSWORD}
    # The login attempt must have been refused.
    Valid Value  status  [${False}]


*** Keywords ***
# Helper keywords defined in this suite file.

Redfish Verify LDAP Login
    [Documentation]  Attempt a login as the LDAP user and check the outcome
    ...  against the expected status.
    [Arguments]  ${valid_status}=${True}

    # Description of argument(s):
    # valid_status  Expected status of LDAP login ("True" or "False").

    # The repo coding rules place Redfish.Login in Suite Setup and
    # Redfish.Logout in Suite Teardown.  This keyword deviates from that, so
    # it has to put the session back into the original logged-in state
    # before returning.

    # Capture the outcome as a boolean instead of failing on a refused login.
    ${status}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${valid_status}]
    # Restore the default session.  This is skipped if the check above fails.
    Redfish.Logout
    Redfish.Login


Update LDAP Config And Verify Set Host Name
    [Documentation]  Map the group to a role, then check the response the
    ...  LDAP user gets when attempting to set the host name.
    [Arguments]  ${group_name}  ${group_privilege}=Administrator
    ...  ${valid_status_codes}=[${HTTP_OK}]

    # Description of argument(s):
    # group_name                    The group name of user.
    # group_privilege               The group privilege ("Administrator",
    #                               "Operator", "User" or "Callback").
    # valid_status_codes            Expected return code(s) from the patch
    #                               operation (e.g. "200") that updates
    #                               HostName.  See the prolog of the
    #                               rest_request method in redfish_plus.py
    #                               for details.

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${group_privilege}  ${group_name}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The current host name is written back unchanged, so the request only
    # probes whether the LDAP user is authorized to modify it.
    ${current_hostname}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_NW_PROTOCOL_URI}  HostName
    Redfish.Patch  ${REDFISH_NW_PROTOCOL_URI}
    ...  body={'HostName': '${current_hostname}'}
    ...  valid_status_codes=${valid_status_codes}
    # Restore the default session.
    Redfish.Logout
    Redfish.Login


Disable Other LDAP
    [Documentation]  Disable the directory type that is not under test.

    # Pick the counterpart of ${LDAP_TYPE}: "ActiveDirectory" when testing
    # "LDAP", otherwise "LDAP".
    ${other_ldap_type}=  Set Variable If  '${LDAP_TYPE}' == 'LDAP'
    ...  ActiveDirectory  LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${other_ldap_type}': {'ServiceEnabled': ${False}}}
    # Wait before the caller continues with further requests.
    Sleep  15s


Create LDAP Configuration
    [Documentation]  Write a complete, enabled LDAP configuration to
    ...  AccountService.
    [Arguments]  ${ldap_type}=${LDAP_TYPE}
    ...  ${ldap_server_uri}=${LDAP_SERVER_URI}
    ...  ${ldap_bind_dn}=${LDAP_BIND_DN}
    ...  ${ldap_bind_dn_password}=${LDAP_BIND_DN_PASSWORD}
    ...  ${ldap_base_dn}=${LDAP_BASE_DN}

    # Description of argument(s):
    # ldap_type              The LDAP type ("ActiveDirectory" or "LDAP").
    # ldap_server_uri        LDAP server uri (e.g. ldap://XX.XX.XX.XX).
    # ldap_bind_dn           The LDAP bind distinguished name.
    # ldap_bind_dn_password  The LDAP bind distinguished name password.
    # ldap_base_dn           The LDAP base distinguished name.

    # Every argument is interpolated into the body text between single
    # quotes, so a value containing a single quote would break the body.
    # NOTE(review): the bind password is part of this text; confirm that
    # request logging does not record it in the test report.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceEnabled': ${True}, 'ServiceAddresses': ['${ldap_server_uri}'], 'Authentication': {'AuthenticationType':'UsernameAndPassword', 'Username':'${ldap_bind_dn}', 'Password':'${ldap_bind_dn_password}'}, 'LDAPService': {'SearchSettings': {'BaseDistinguishedNames': ['${ldap_base_dn}']}}}}
    # Wait before the caller continues with further requests.
    Sleep  15s


Config LDAP URL
    [Documentation]  Set the LDAP server address and then log in as the
    ...  LDAP user.
    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}

    # Description of argument(s):
    # ldap_server_uri  LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").

    # ${ldap_type} is not an argument of this keyword; Robot variable names
    # are case-insensitive, so it resolves to ${LDAP_TYPE}.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}}
    Sleep  15s
    # This login has to succeed, so the keyword fails when the LDAP user is
    # refused with the new address.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Restore the default session.
    Redfish.Logout
    Redfish.Login


Restore LDAP URL
    [Documentation]  Write the working LDAP server address back to the
    ...  configuration.

    # ${ldap_type} resolves to ${LDAP_TYPE}; Robot variable names are
    # case-insensitive.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
    # Wait before the caller continues with further requests.
    Sleep  15s


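Restore AccountLockout Attributes
    [Documentation]  Restore the AccountLockoutDuration and
    ...  AccountLockoutThreshold values saved in old_account_service.

    # Nothing to restore when no properties were saved.
    ${num_saved_properties}=  Get Length  ${old_account_service}
    Return From Keyword If  ${num_saved_properties} == ${0}
    # Each attribute is written back under its own name.  The threshold in
    # particular must be restored: the test that saves these values sets it
    # to 0, which in Redfish means accounts are never locked after failed
    # logins.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]

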
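Suite Setup Execution
    [Documentation]  Do suite setup tasks.

    # Validate the suite parameters before any request is sent.  LDAP_TYPE
    # must be one of the two listed values.
    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Valid Value  LDAP_USER
    Valid Value  LDAP_USER_PASSWORD
    Valid Value  GROUP_PRIVILEGE
    Valid Value  GROUP_NAME
    Valid Value  LDAP_SERVER_URI
    Valid Value  LDAP_BIND_DN_PASSWORD
    Valid Value  LDAP_BIND_DN
    Valid Value  LDAP_BASE_DN

    Redfish.Login
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    # Save the role currently mapped to the LDAP group.  When no mapping
    # exists the value is normalized to empty, which "Restore LDAP Privilege"
    # treats as "nothing to restore".
    ${old_ldap_privilege}=  Get LDAP Privilege
    ${old_ldap_privilege}=  Set Variable If
    ...  '${old_ldap_privilege}' in ['', 'None', '[]']  ${EMPTY}
    ...  ${old_ldap_privilege}
    # An assignment is local to this keyword; publishing it at suite scope is
    # what makes the saved role visible to "Restore LDAP Privilege".
    Set Suite Variable  ${old_ldap_privilege}
    Disable Other LDAP

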
Set Read Privilege And Check Firmware Inventory
    [Documentation]  Map the group to a read-only role and confirm that the
    ...  LDAP user can read the firmware inventory.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The inventory must list at least one member, and the reported count
    # must match the number of members returned.
    ${inventory}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
    Should Be True  ${inventory.dict["Members@odata.count"]} >= ${1}
    Length Should Be  ${inventory.dict["Members"]}
    ...  ${inventory.dict["Members@odata.count"]}
    # Restore the default session.
    Redfish.Logout
    Redfish.Login


Set Read Privilege And Check Poweron
    [Documentation]  Map the group to a read-only role and confirm that the
    ...  LDAP user is refused when powering the host on.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Only 401 or 403 is accepted; any other status fails the keyword.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}
    ...  valid_status_codes=[401, 403]
    # Restore the default session.
    Redfish.Logout
    Redfish.Login


Get LDAP Configuration
    [Documentation]  Return the AccountService entry for the given LDAP type.
    [Arguments]   ${ldap_type}

    # Description of argument(s):
    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").

    # Indexing by the LDAP type fails the keyword when the entry is absent.
    ${account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    [Return]  ${account_service["${ldap_type}"]}


Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  Set the RemoteRoleMapping of the LDAP configuration to
    ...  a single group-to-role entry.
    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege  The group privilege ("Administrator", "Operator",
    #                  "User" or "Callback").
    # group_name       The group name of user.

    # Build {<ldap_type>: {RemoteRoleMapping: [{LocalRole, RemoteGroup}]}}.
    ${role_mapping_entry}=  Create Dictionary
    ...  LocalRole=${group_privilege}  RemoteGroup=${group_name}
    ${role_mapping_list}=  Create List  ${role_mapping_entry}
    ${ldap_settings}=  Create Dictionary
    ...  RemoteRoleMapping=${role_mapping_list}
    ${request_body}=  Create Dictionary  ${ldap_type}=${ldap_settings}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{request_body}
    # Provide adequate time for LDAP daemon to restart after the update.
    Sleep  15s


Get LDAP Privilege
    [Documentation]  Return the LocalRole of the first RemoteRoleMapping
    ...  entry of the LDAP configuration.

    ${ldap_entry}=  Get LDAP Configuration  ${LDAP_TYPE}
    # With no mapping entries there is no role to report; return without a
    # value in that case.
    ${mapping_count}=  Get Length  ${ldap_entry["RemoteRoleMapping"]}
    Return From Keyword If  ${mapping_count} == ${0}  @{EMPTY}

    [Return]  ${ldap_entry["RemoteRoleMapping"][0]["LocalRole"]}


Restore LDAP Privilege
    [Documentation]  Map the LDAP group back to the role held in
    ...  old_ldap_privilege.

    # An empty saved value means there is nothing to restore.
    Return From Keyword If  '${old_ldap_privilege}' == '${EMPTY}'
    # Re-apply the saved role to ${GROUP_NAME}.  No login is performed here,
    # so the update is sent with whatever session is currently active.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${old_ldap_privilege}  ${GROUP_NAME}
