1*** Settings ***
2Documentation    Test Redfish LDAP user configuration.
3
4Library          ../../lib/gen_robot_valid.py
5Resource         ../../lib/resource.robot
6Resource         ../../lib/bmc_redfish_resource.robot
7Resource         ../../lib/openbmc_ffdc.robot
8Library          ../../lib/gen_robot_valid.py
9
10Suite Setup      Suite Setup Execution
11Suite Teardown   Run Keywords  Restore LDAP Privilege  AND  Redfish.Logout
12Test Teardown    FFDC On Test Case Fail
13
14Force Tags       LDAP_Test
15
*** Variables ***
# Suite-level placeholders; every one of them starts out empty.
# Read by 'Restore LDAP Privilege', which returns early while this is empty.
${old_ldap_privilege}   ${EMPTY}
# Read by 'Restore AccountLockout Attributes', which returns early while this is empty.
&{old_account_service}  &{EMPTY}
&{old_ldap_config}      &{EMPTY}
# Sent as the HostName value by 'Update LDAP Config And Verify Set Host Name'.
${hostname}             ${EMPTY}
21
22** Test Cases **
23
Verify LDAP Configuration Created
    [Documentation]  Verify that LDAP configuration created.
    [Tags]  Verify_LDAP_Configuration_Created

    # Write the LDAP settings using the keyword's default arguments.
    Create LDAP Configuration
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    Sleep  10s
    # The LDAP account must be able to log in with the new configuration.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Drop the LDAP session and log in again without arguments, as
    # 'Suite Setup Execution' does, so later tests run with that session.
    Redfish.Logout
    Redfish.Login
35
36
Verify LDAP Service Disable
    [Documentation]  Verify that LDAP is disabled and that LDAP user cannot
    ...  login.
    [Tags]  Verify_LDAP_Service_Disable

    # Switch the configured LDAP service off and give the BMC time to apply it.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
    Sleep  15s
    # Negative check: a login attempt with the LDAP account must be rejected.
    ${ldap_login_ok}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${ldap_login_ok}  ${False}
    ...  msg=LDAP user was able to login even though the LDAP service was disabled.
    # NOTE(review): if the assertion above fails, the steps below are skipped
    # and the LDAP service stays disabled for the tests that follow.
    # Return to the session the suite normally runs with.
    Redfish.Logout
    Redfish.Login
    # Enabling LDAP so that LDAP user works.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Redfish.Logout
    Redfish.Login
56
57
Verify LDAP Login With ServiceEnabled
    [Documentation]  Verify that LDAP Login with ServiceEnabled.
    [Tags]  Verify_LDAP_Login_With_ServiceEnabled

    # Only one of "LDAP" / "ActiveDirectory" is left enabled: the other type is
    # switched off first.
    Disable Other LDAP
    # Actual service enablement.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    # After update, LDAP login.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Leave the LDAP session and log in again without arguments.
    Redfish.Logout
    Redfish.Login
71
72
Verify LDAP Login With Correct AuthenticationType
    [Documentation]  Verify that LDAP Login with right AuthenticationType.
    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType

    # Robot variable names are case-insensitive, so ${ldap_type} here is the
    # suite's ${LDAP_TYPE}.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
    Sleep  15s
    # After update, LDAP login.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Leave the LDAP session and log in again without arguments.
    Redfish.Logout
    Redfish.Login
84
85
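Verify LDAP Config Update With Incorrect AuthenticationType
    [Documentation]  Verify that invalid AuthenticationType is not updated.
    [Tags]  Verify_LDAP_Update_With_Incorrect_AuthenticationType

    # Request body carrying the AuthenticationType this test treats as invalid.
    ${body}=  Catenate  {'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}
    # The expected status belongs to Redfish.Patch.  As a continuation of
    # Catenate it was appended to the body text, and the PATCH was checked
    # against the default status codes instead of the expected rejection.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=${body}  valid_status_codes=[400]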
94
95
Verify LDAP Login With Correct LDAP URL
    [Documentation]  Verify LDAP Login with right LDAP URL.
    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL

    # 'Config LDAP URL' patches ServiceAddresses and then logs in as the LDAP
    # user, so the login check is part of that keyword.
    Config LDAP URL  ${LDAP_SERVER_URI}
101
102
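Verify LDAP Config Update With Incorrect LDAP URL
    [Documentation]  Verify that LDAP Login fails with invalid LDAP URL.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
    [Teardown]  Run Keywords  Restore LDAP URL  AND
    ...  FFDC On Test Case Fail

    # 'Config LDAP URL' is not used here: it logs in as the LDAP user after the
    # update and therefore requires that login to succeed, which is the
    # opposite of what this test documents.  Patch the address directly and
    # assert that the LDAP login is rejected.
    # NOTE(review): the address keeps the literal double quotes the test has
    # always sent - confirm whether the BMC accepts the PATCH with them.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceAddresses': ['"ldap://1.2.3.4"']}}
    Sleep  15s
    # Expects the LDAP login to fail, then restores the suite's session so the
    # teardown can put the working URL back.
    Redfish Verify LDAP Login  ${False}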
110
111
Verify LDAP Configuration Exist
    [Documentation]  Verify that LDAP configuration is available.
    [Tags]  Verify_LDAP_Configuration_Exist

    # Read the ${LDAP_TYPE} attribute of AccountService; ${EMPTY} is the
    # fallback value passed as 'default'.
    ${ldap_section}=  Redfish.Get Attribute
    ...  ${REDFISH_BASE_URI}AccountService  ${LDAP_TYPE}  default=${EMPTY}
    # An empty result means no configuration is defined for this LDAP type.
    Should Not Be Empty  ${ldap_section}
    ...  msg=LDAP configuration is not defined.
119
120
Verify LDAP User Login
    [Documentation]  Verify that LDAP user able to login into BMC.
    [Tags]  Verify_LDAP_User_Login

    # Positive check: the LDAP account logs in with the current configuration.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Leave the LDAP session and log in again without arguments.
    Redfish.Logout
    Redfish.Login
128
129
Verify LDAP Service Available
    [Documentation]  Verify that LDAP service is available.
    [Tags]  Verify_LDAP_Service_Available

    # The configuration section is assigned to a list variable, and the check
    # below looks for the 'LDAPService' entry in it.
    @{ldap_section_entries}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Contain  ${ldap_section_entries}  LDAPService  msg=LDAPService is not available.
137
138
Verify LDAP Login Works After BMC Reboot
    [Documentation]  Verify that LDAP login works after BMC reboot.
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot

    # Reboot first; the LDAP login below then shows that the LDAP settings
    # are still in effect afterwards.
    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Leave the LDAP session and log in again without arguments.
    Redfish.Logout
    Redfish.Login
147
148
Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Documentation]  Verify that LDAP user with administrator privilege able to do BMC reboot.
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot


    # NOTE(review): the role written here is ${GROUP_PRIVILEGE}; the test name
    # assumes the suite supplies "Administrator" for it - confirm.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # With LDAP user and with right privilege trying to do BMC reboot.
    Redfish OBMC Reboot (off)
    # The LDAP account must still be able to log in after the reboot.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Leave the LDAP session and log in again without arguments.
    Redfish.Logout
    Redfish.Login
162
163
Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Verify that LDAP user with operator privilege can do host
    ...  power off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    # A test-level [Teardown] replaces the suite's Test Teardown, so
    # 'FFDC On Test Case Fail' does not run for this test.
    [Teardown]  Restore LDAP Privilege

    # Map ${GROUP_NAME} to the Operator role before logging in.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Operator  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with operator privilege is able to power the system off.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[200]
    # Leave the LDAP session and log in again without arguments.
    Redfish.Logout
    Redfish.Login
179
180
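Verify AccountLockout Attributes Set To Zero
    [Documentation]  Verify that attribute AccountLockoutDuration and
    ...  AccountLockoutThreshold are set to 0.
    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
    ...  FFDC On Test Case Fail
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero

    # Save the current AccountService properties so the teardown can put the
    # lockout settings back.
    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    # A plain assignment is local to this test case and is not visible inside
    # the teardown's user keyword, which would then see the empty suite-level
    # value and restore nothing.  Promote it to test scope.
    Set Test Variable  ${old_account_service}
    Rprint Vars  old_account_service
    # Both PATCH requests must be accepted (default expected status codes).
    # NOTE(review): zero values presumably switch account lockout off, so the
    # BMC should not be left in this state after the test - confirm.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]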
195
196
Verify LDAP User With Read Privilege Able To Check Inventory
    [Documentation]  Verify that LDAP user with read privilege able to
    ...  read firmware inventory.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Firmware Inventory

    # Each row below is one template call; the value is the role to apply.
    User
    Callback
206
207
Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Documentation]  Verify that LDAP user with read privilege should not be
    ...  allowed to power on the host.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Poweron

    # Each row below is one template call; the value is the role to apply.
    User
    Callback
217
218
Update LDAP Group Name And Verify Operations
    [Documentation]  Verify that LDAP group name update and able to do right
    ...  operations.
    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
    [Template]  Update LDAP Config And Verify Set Host Name
    # A test-level [Teardown] replaces the suite's Test Teardown, so
    # 'FFDC On Test Case Fail' does not run for this test.
    [Teardown]  Restore LDAP Privilege

    # Authorization matrix: only the configured group mapped to Administrator
    # may change the host name; every other combination must be refused.
    # group_name             group_privilege  valid_status_codes
    ${GROUP_NAME}            Administrator    [${HTTP_OK}]
    ${GROUP_NAME}            Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    ${GROUP_NAME}            User             [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    ${GROUP_NAME}            Callback         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  User             [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Callback         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
235
236
Verify LDAP BaseDN Update And LDAP Login
    [Documentation]  Update LDAP BaseDN of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login

    # Request body that replaces only the search base of the LDAP service.
    ${base_dn_payload}=  Set Variable
    ...  {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings': {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${base_dn_payload}
    Sleep  15s
    # LDAP login is expected to succeed (the keyword's default).
    Redfish Verify LDAP Login
248
249
Verify LDAP BindDN Update And LDAP Login
    [Documentation]  Update LDAP BindDN of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login

    # Request body that replaces only the bind user name.
    ${bind_dn_payload}=  Set Variable
    ...  {'${LDAP_TYPE}': { 'Authentication': {'AuthenticationType':'UsernameAndPassword', 'Username': '${LDAP_BIND_DN}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${bind_dn_payload}
    Sleep  15s
    # LDAP login is expected to succeed (the keyword's default).
    Redfish Verify LDAP Login
261
262
Verify LDAP BindDN Password Update And LDAP Login
    [Documentation]  Update LDAP BindDN password of LDAP configuration and
    ...  verify that LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Passsword_Update_And_LDAP_Login

    # Request body that replaces only the bind password.
    # NOTE(review): Robot records assigned values in its log, so the bind
    # password ends up in the test log; treat the log files as sensitive.
    ${bind_password_payload}=  Set Variable
    ...  {'${LDAP_TYPE}': { 'Authentication': {'AuthenticationType':'UsernameAndPassword', 'Password': '${LDAP_BIND_DN_PASSWORD}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${bind_password_payload}
    Sleep  15s
    # LDAP login is expected to succeed (the keyword's default).
    Redfish Verify LDAP Login
275
276
Verify LDAP Type Update And LDAP Login
    [Documentation]  Update LDAP type of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login

    # Switch the other type off, then enable the type under test.
    Disable Other LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    # LDAP login is expected to succeed (the keyword's default).
    Redfish Verify LDAP Login
287
288
Verify Authorization With Null Privilege
    [Documentation]  Verify the failure of LDAP authorization with empty
    ...  privilege.
    [Tags]  Verify_LDAP_Authorization_With_Null_Privilege
    # A test-level [Teardown] replaces the suite's Test Teardown, so
    # 'FFDC On Test Case Fail' does not run for this test.
    [Teardown]  Restore LDAP Privilege

    # An empty role is written for ${GROUP_NAME}; the host name change made by
    # the LDAP user must then be answered with HTTP_FORBIDDEN.
    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}  ${EMPTY}
    ...  [${HTTP_FORBIDDEN}]
297
298
Verify Authorization With Invalid Privilege
    [Documentation]  Verify that LDAP user authorization with wrong privilege
    ...  fails.
    [Tags]  Verify_LDAP_Authorization_With_Invalid_Privilege
    # A test-level [Teardown] replaces the suite's Test Teardown, so
    # 'FFDC On Test Case Fail' does not run for this test.
    [Teardown]  Restore LDAP Privilege

    # "Invalid_Privilege" is not one of the roles listed for the keyword; the
    # host name change made by the LDAP user must be answered with
    # HTTP_FORBIDDEN.
    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}
    ...  Invalid_Privilege  [${HTTP_FORBIDDEN}]
307
308
Verify LDAP Login With Invalid Data
    [Documentation]  Verify that LDAP login with Invalid LDAP data and
    ...  right LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_Data
    # The teardown rewrites the configuration with the default arguments.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    # All four values are literal placeholder text.  "LDAP_BIND_DN_PASSWORD"
    # is written without ${}, so the literal name is sent, not the real
    # bind password.
    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD
    ...  Invalid_LDAP_BASE_DN
    Sleep  15s
    # The LDAP login must be rejected.
    Redfish Verify LDAP Login  ${False}
321
322
Verify LDAP Config Creation Without BASE_DN
    [Documentation]  Verify that LDAP login with LDAP configuration
    ...  created without BASE_DN fails.
    [Tags]  Verify_LDAP_Config_Creation_Without_BASE_DN
    # The teardown rewrites the configuration with the default arguments.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    # NOTE(review): the server URI, bind DN and bind password are placeholder
    # text as well, so a failed login here cannot be attributed to the empty
    # BASE_DN alone.
    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD  ${EMPTY}
    Sleep  15s
    # The LDAP login must be rejected.
    Redfish Verify LDAP Login  ${False}
334
335
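Verify LDAP Authentication Without Password
    [Documentation]  Verify that LDAP user authentication without LDAP
    ...  user password fails.
    [Tags]  Verify_LDAP_Authentication_Without_Password

    # Attempt a login with the LDAP user name only.
    # NOTE(review): which password Redfish.Login falls back to when none is
    # given is not visible in this file - confirm it is not a valid one.
    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    # Restore the suite's session before asserting, as the other login checks
    # in this file do, so that neither outcome of the attempt leaks into the
    # tests that follow.
    Redfish.Logout
    Redfish.Login
    Valid Value  status  [${False}]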
343
344
Verify LDAP Login With Invalid BASE_DN
    [Documentation]  Verify that LDAP login with invalid BASE_DN and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN
    # The teardown rewrites the configuration with the default arguments.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    # Only the base DN is replaced by placeholder text; the other values are
    # the suite's real settings.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}  ${LDAP_BIND_DN_PASSWORD}  Invalid_LDAP_BASE_DN
    Sleep  15s
    # The LDAP login must be rejected.
    Redfish Verify LDAP Login  ${False}
356
357
Verify LDAP Login With Invalid BIND_DN_PASSWORD
    [Documentation]  Verify that LDAP login with invalid BIND_DN_PASSWORD and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD
    # The teardown rewrites the configuration with the default arguments.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    # Only the bind password is replaced by placeholder text; the other values
    # are the suite's real settings.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}  INVALID_LDAP_BIND_DN_PASSWORD  ${LDAP_BASE_DN}
    Sleep  15s
    # The LDAP login must be rejected.
    Redfish Verify LDAP Login  ${False}
369
370
Verify LDAP Login With Invalid BASE_DN And Invalid BIND_DN
    [Documentation]  Verify that LDAP login with invalid BASE_DN and invalid
    ...  BIND_DN and valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN
    # The teardown rewrites the configuration with the default arguments.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    # The bind DN and the base DN are placeholder text; the server URI and
    # bind password are the suite's real settings.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  INVALID_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  INVALID_LDAP_BASE_DN
    Sleep  15s
    # The LDAP login must be rejected.
    Redfish Verify LDAP Login  ${False}
382
383
Verify Group Name And Group Privilege Able To Modify
    [Documentation]  Verify that LDAP group name and group privilege able to
    ...  modify.
    [Tags]  Verify_Group_Name_And_Group_Privilege_Able_To_Modify
    # Start from a known mapping: ${GROUP_NAME} -> Operator.
    [Setup]  Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  Operator  ${GROUP_NAME}

    # Change the same group's role to Administrator.  The test passes when the
    # PATCH inside the keyword is accepted; the stored mapping is not read back.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Administrator  ${GROUP_NAME}
393
394
Verify LDAP Login With Invalid BIND_DN
    [Documentation]  Verify that LDAP login with invalid BIND_DN and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN
    # The teardown rewrites the configuration with the default arguments.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    # Only the bind DN is replaced by placeholder text; the other values are
    # the suite's real settings.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  Invalid_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  ${LDAP_BASE_DN}
    Sleep  15s
    # The LDAP login must be rejected.
    Redfish Verify LDAP Login  ${False}
406
407
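Verify LDAP Authentication With Invalid LDAP User
    [Documentation]  Verify that LDAP user authentication for user not exist
    ...  in LDAP server and fails.
    [Tags]  Verify_LDAP_Authentication_With_Invalid_LDAP_User

    # Attempt a login with a user name that is placeholder text, paired with
    # the real LDAP user's password.
    ${status}=  Run Keyword And Return Status  Redfish.Login  INVALID_LDAP_USER
    ...  ${LDAP_USER_PASSWORD}
    # Restore the suite's session before asserting, as the other login checks
    # in this file do, so that neither outcome of the attempt leaks into the
    # tests that follow.
    Redfish.Logout
    Redfish.Login
    Valid Value  status  [${False}]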
416
417
418*** Keywords ***
419
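Redfish Verify LDAP Login
    [Documentation]  LDAP user log into BMC.
    [Arguments]  ${valid_status}=${True}

    # Description of argument(s):
    # valid_status  Expected status of LDAP login ("True" or "False").

    # According to our repo coding rules, Redfish.Login is to be done in Suite
    # Setup and Redfish.Logout is to be done in Suite Teardown.  For any
    # deviation from this rule (such as in this keyword), the deviant code
    # must take steps to restore us to our original logged-in state.

    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    # Restore the original session before validating.  With the validation
    # first, an unexpected login result ended the keyword there and left the
    # suite logged in as the LDAP user, or not logged in at all.
    Redfish.Logout
    Redfish.Login
    Valid Value  status  [${valid_status}]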
437
438
Update LDAP Config And Verify Set Host Name
    [Documentation]  Update LDAP config and verify by attempting to set host name.
    [Arguments]  ${group_name}  ${group_privilege}=Administrator
    ...  ${valid_status_codes}=[${HTTP_OK}]

    # Description of argument(s):
    # group_name                    The group name of user.
    # group_privilege               The group privilege ("Administrator",
    #                               "Operator", "User" or "Callback").
    # valid_status_codes            Expected return code(s) from patch
    #                               operation (e.g. "200") used to update
    #                               HostName.  See prolog of rest_request
    #                               method in redfish_plut.py for details.
    # Write the role mapping first; this runs in the caller's current session.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${group_privilege}  ${group_name}
    # NOTE(review): this login is not guarded, so the keyword fails here if the
    # LDAP account cannot log in under the mapping just written.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user in ${group_name} with the given privilege is
    # allowed to change the hostname.
    # ${hostname} is the suite-level variable, which is declared empty in the
    # Variables section.
    Redfish.Patch  ${REDFISH_NW_PROTOCOL_URI}  body={'HostName': '${hostname}'}
    ...  valid_status_codes=${valid_status_codes}
    # Leave the LDAP session and log in again without arguments.
    Redfish.Logout
    Redfish.Login
461
462
Disable Other LDAP
    [Documentation]  Disable other LDAP configuration.

    # Pick whichever of the two types is not the one under test.
    ${type_to_disable}=  Set Variable If
    ...  '${LDAP_TYPE}' == 'LDAP'  ActiveDirectory  LDAP
    # First disable other LDAP.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${type_to_disable}': {'ServiceEnabled': ${False}}}
    # Wait for the change to take effect before the caller continues.
    Sleep  15s
471
472
Create LDAP Configuration
    [Documentation]  Create LDAP configuration.
    [Arguments]  ${ldap_type}=${LDAP_TYPE}  ${ldap_server_uri}=${LDAP_SERVER_URI}
    ...  ${ldap_bind_dn}=${LDAP_BIND_DN}  ${ldap_bind_dn_password}=${LDAP_BIND_DN_PASSWORD}
    ...  ${ldap_base_dn}=${LDAP_BASE_DN}

    # Description of argument(s):
    # ldap_type              The LDAP type ("ActiveDirectory" or "LDAP").
    # ldap_server_uri        LDAP server uri (e.g. ldap://XX.XX.XX.XX).
    # ldap_bind_dn           The LDAP bind distinguished name.
    # ldap_bind_dn_password  The LDAP bind distinguished name password.
    # ldap_base_dn           The LDAP base distinguished name.

    # The body is assembled as text with every argument placed between single
    # quotes.
    # NOTE(review): a single quote inside any argument (a DN or the password)
    # would change the structure of this text - confirm how Redfish.Patch
    # parses 'body'.
    # NOTE(review): Robot records assigned values in its log, so the bind
    # password ends up in the test log; treat the log files as sensitive.
    ${body}=  Catenate  {'${ldap_type}':
    ...  {'ServiceEnabled': ${True},
    ...   'ServiceAddresses': ['${ldap_server_uri}'],
    ...   'Authentication':
    ...       {'AuthenticationType': 'UsernameAndPassword',
    ...        'Username':'${ldap_bind_dn}',
    ...        'Password': '${ldap_bind_dn_password}'},
    ...   'LDAPService':
    ...       {'SearchSettings':
    ...           {'BaseDistinguishedNames': ['${ldap_base_dn}']}}}}

    # Enables the service and writes all settings in one PATCH, then waits.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
499
500
Config LDAP URL
    [Documentation]  Config LDAP URL.
    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}

    # Description of argument(s):
    # ldap_server_uri LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").

    # ${ldap_type} is not an argument of this keyword; Robot variable names are
    # case-insensitive, so it resolves to the suite's ${LDAP_TYPE}.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}}
    Sleep  15s
    # After update, LDAP login.
    # This login is not guarded, so the keyword fails when the LDAP account
    # cannot log in with the new address; it cannot be used as a negative check.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Leave the LDAP session and log in again without arguments.
    Redfish.Logout
    Redfish.Login
515
516
Restore LDAP URL
    [Documentation]  Restore LDAP URL.

    # Restoring the working LDAP server uri.
    # ${ldap_type} resolves to the suite's ${LDAP_TYPE} (variable names are
    # case-insensitive).  The PATCH uses whatever session is current when this
    # keyword runs; no login is done here.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
    Sleep  15s
524
525
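Restore AccountLockout Attributes
    [Documentation]  Restore AccountLockout Attributes.

    # Nothing was saved, so there is nothing to restore.
    Return From Keyword If  &{old_account_service} == &{EMPTY}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    # The saved threshold goes back into 'AccountLockoutThreshold'.  It was
    # previously written to 'AccountLockoutDuration', which overwrote the
    # duration restored above and left the threshold unrestored.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]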
534
535
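Suite Setup Execution
    [Documentation]  Do suite setup tasks.

    # Fail early when a required suite parameter is missing or, for LDAP_TYPE,
    # not one of the two supported values.
    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Valid Value  LDAP_USER
    Valid Value  LDAP_USER_PASSWORD
    Valid Value  GROUP_PRIVILEGE
    Valid Value  GROUP_NAME
    Valid Value  LDAP_SERVER_URI
    Valid Value  LDAP_BIND_DN_PASSWORD
    Valid Value  LDAP_BIND_DN
    Valid Value  LDAP_BASE_DN

    Redfish.Login
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    # A value assigned inside a keyword is local to it.  Without publishing it
    # at suite scope, 'Restore LDAP Privilege' always saw the empty default and
    # never restored the role mapping the tests had changed.
    ${old_ldap_privilege}=  Get LDAP Privilege
    Set Suite Variable  ${old_ldap_privilege}
    Disable Other LDAP
    Create LDAP Configuration
    # Same scoping issue: 'Update LDAP Config And Verify Set Host Name' reads
    # ${hostname} at suite scope and was sending an empty host name.
    ${hostname}=  Redfish.Get Attribute  ${REDFISH_NW_PROTOCOL_URI}  HostName
    Set Suite Variable  ${hostname}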
556
557
Set Read Privilege And Check Firmware Inventory
    [Documentation]  Set read privilege and check firmware inventory.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    # Map ${GROUP_NAME} to the requested role, then act as the LDAP user.
    Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # Verify that the LDAP user with read privilege is able to read inventory.
    ${inventory}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
    # At least one member must be reported, and the reported count must match
    # the number of members actually returned.
    Should Be True  ${inventory.dict["Members@odata.count"]} >= ${1}
    Length Should Be  ${inventory.dict["Members"]}  ${inventory.dict["Members@odata.count"]}

    # Leave the LDAP session and log in again without arguments.
    Redfish.Logout
    Redfish.Login
575
576
Set Read Privilege And Check Poweron
    [Documentation]  Set read privilege and power on should not be possible.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    # Map ${GROUP_NAME} to the requested role, then act as the LDAP user.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Negative authorization check: the power-on request must be refused with
    # 401 or 403; any other status fails the keyword.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}   valid_status_codes=[401, 403]
    # Leave the LDAP session and log in again without arguments.
    Redfish.Logout
    Redfish.Login
591
592
Get LDAP Configuration
    [Documentation]  Retrieve LDAP Configuration.
    [Arguments]   ${ldap_type}

    # Description of argument(s):
    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").

    # Fetch the AccountService properties and hand back only the section for
    # the requested type; a missing section makes the lookup fail.
    ${account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    [Return]  ${account_service["${ldap_type}"]}
602
603
Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  Update LDAP configuration update with LDAP user Role and group.
    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege  The group privilege ("Administrator", "Operator", "User" or "Callback").
    # group_name       The group name of user.

    # Build {ldap_type: {RemoteRoleMapping: [{LocalRole, RemoteGroup}]}} from
    # the inside out; the mapping list holds exactly one entry.
    ${mapping_entry}=  Create Dictionary
    ...  LocalRole=${group_privilege}  RemoteGroup=${group_name}
    ${mapping_list}=  Create List  ${mapping_entry}
    ${type_settings}=  Create Dictionary  RemoteRoleMapping=${mapping_list}
    ${request_body}=  Create Dictionary  ${ldap_type}=${type_settings}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{request_body}
    # Provide adequate time for LDAP daemon to restart after the update.
    Sleep  15s
620
621
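Get LDAP Privilege
    [Documentation]  Get LDAP privilege and return it.

    # Returns the LocalRole of the first RemoteRoleMapping entry, or ${EMPTY}
    # when no mapping is configured.
    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    ${num_list_entries}=  Get Length  ${ldap_config["RemoteRoleMapping"]}
    # Return the empty string, which is the "nothing saved" value that
    # 'Restore LDAP Privilege' tests for.  '@{EMPTY}' expanded to no return
    # value at all, so callers received None instead.
    Return From Keyword If  ${num_list_entries} == ${0}  ${EMPTY}

    [Return]  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}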
630
631
Restore LDAP Privilege
    [Documentation]  Restore the LDAP privilege to its original value.

    # Nothing to restore while the saved privilege is empty.
    Return From Keyword If  '${old_ldap_privilege}' == '${EMPTY}'
    # Re-apply the saved role to ${GROUP_NAME}.  No login is done here, so the
    # update runs in whatever session is current when this keyword is called.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${old_ldap_privilege}  ${GROUP_NAME}
639