1*** Settings ***
2Documentation    Test Redfish LDAP user configuration.
3
4Library          ../../lib/gen_robot_valid.py
5Resource         ../../lib/resource.robot
6Resource         ../../lib/bmc_redfish_resource.robot
7Resource         ../../lib/openbmc_ffdc.robot
8Resource         ../../lib/utils.robot
9Library          ../../lib/gen_robot_valid.py
10Resource         ../../lib/bmc_network_utils.robot
11Resource         ../../lib/bmc_ldap_utils.robot
12
13Suite Setup      Suite Setup Execution
14Suite Teardown   LDAP Suite Teardown Execution
15Test Teardown    Run Keywords  Redfish.Login  AND  FFDC On Test Case Fail
16Force Tags       LDAP_Test
17
*** Variables ***
# Privilege re-applied to ${GROUP_NAME} by 'Restore LDAP Privilege'.
${old_ldap_privilege}   Administrator
# AccountService properties captured by the AccountLockout test so its
# teardown can restore them; an empty dictionary means nothing to restore.
&{old_account_service}  &{EMPTY}
&{old_ldap_config}      &{EMPTY}
# Host name read in 'Suite Setup Execution' and re-applied by
# 'Update LDAP Config And Verify Set Host Name'.
${hostname}             ${EMPTY}
# Test address/mask for the IP-address role templates (presumably consumed
# by the network resource keywords; not referenced directly in this file).
${test_ip}              10.6.6.6
${test_mask}            255.255.255.0
25
26** Test Cases **
27
Verify LDAP Configuration Created
    [Documentation]  Verify that LDAP configuration created.
    [Tags]  Verify_LDAP_Configuration_Created

    # Apply the suite's LDAP settings (server URI, bind DN, base DN) to the BMC.
    Create LDAP Configuration
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    # Give the LDAP client on the BMC time to pick up the new configuration.
    Sleep  10s
    # The real check: a directory user must now be able to authenticate.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
38
39
Verify LDAP Service Disable
    [Documentation]  Verify that LDAP is disabled and that LDAP user cannot
    ...  login.
    [Tags]  Verify_LDAP_Service_Disable

    # Turn the configured LDAP service off and give the BMC time to apply it.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
    Sleep  15s
    # A disabled directory service must not authenticate its users.  Capture
    # the login outcome instead of letting the expected failure abort the test.
    ${login_status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Should Not Be True  ${login_status}
    ...  msg=LDAP user was able to login even though the LDAP service was disabled.
    Redfish.Logout
    Redfish.Login
    # Re-enable the service so the remaining tests can use the LDAP user.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Redfish.Logout
58
59
Verify LDAP Login With ServiceEnabled
    [Documentation]  Verify that LDAP Login with ServiceEnabled.
    [Tags]  Verify_LDAP_Login_With_ServiceEnabled

    # The suite keeps only one directory type enabled at a time; switch the
    # other one off before enabling ${LDAP_TYPE}.
    Disable Other LDAP
    # Actual service enablement.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    # After update, LDAP login.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
72
73
Verify LDAP Login With Correct AuthenticationType
    [Documentation]  Verify that LDAP Login with right AuthenticationType.
    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType

    # Robot variable names are case-insensitive: ${ldap_type} is the suite's
    # ${LDAP_TYPE}.  Set the only supported authentication scheme explicitly.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
    Sleep  15s
    # After update, LDAP login.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
84
85
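Verify LDAP Config Update With Incorrect AuthenticationType
    [Documentation]  Verify that invalid AuthenticationType is rejected and
    ...  that the stored AuthenticationType is left unchanged.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_AuthenticationType

    ${body}=  Catenate  {'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}

    # The BMC must refuse the unsupported scheme with 400 Bad Request.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=${body}  valid_status_codes=[400]

    # A rejected PATCH must not be partially applied: the configuration must
    # still carry the supported scheme (set by the preceding test and by
    # 'Create LDAP Configuration').
    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Be Equal  ${ldap_config['Authentication']['AuthenticationType']}
    ...  UsernameAndPassword
    ...  msg=AuthenticationType was changed by a PATCH that the BMC rejected.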
94
95
Verify LDAP Login With Correct LDAP URL
    [Documentation]  Verify LDAP Login with right LDAP URL.
    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL

    # Re-apply the known-good server URI; the keyword's default expected
    # status requires the LDAP user login to succeed afterwards.
    Config LDAP URL  ${LDAP_SERVER_URI}
101
102
Verify LDAP Config Update With Incorrect LDAP URL
    [Documentation]  Verify that LDAP Login fails with invalid LDAP URL.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
    # Always put the working server URI back, even when the check fails.
    [Teardown]  Run Keywords  Restore LDAP URL  AND
    ...  FFDC On Test Case Fail

    # Point the BMC at an address with no LDAP server behind it; the LDAP
    # user login must fail rather than succeed via any cached state.
    Config LDAP URL  ldap://1.2.3.4/  ${FALSE}
110
Verify LDAP Configuration Exist
    [Documentation]  Verify that LDAP configuration is available.
    [Tags]  Verify_LDAP_Configuration_Exist

    # Read the ${LDAP_TYPE} object from AccountService.  The empty default is
    # returned when the property is absent, which the assertion then reports.
    ${resp}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
    ...  ${LDAP_TYPE}  default=${EMPTY}
    Should Not Be Empty  ${resp}  msg=LDAP configuration is not defined.
118
119
Verify LDAP User Login
    [Documentation]  Verify that LDAP user able to login into BMC.
    [Tags]  Verify_LDAP_User_Login

    # Plain positive check: the directory user can open a Redfish session
    # with the suite's current LDAP configuration.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
126
127
Verify LDAP Service Available
    [Documentation]  Verify that LDAP service is available.
    [Tags]  Verify_LDAP_Service_Available

    # The ${LDAP_TYPE} object of AccountService must expose an 'LDAPService'
    # property; 'Should Contain' on the returned dictionary checks its keys.
    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Contain  ${ldap_config}  LDAPService
    ...  msg=LDAPService is not available.
135
136
Verify LDAP Login Works After BMC Reboot
    [Documentation]  Verify that LDAP login works after BMC reboot.
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot

    # LDAP settings must persist across a BMC reboot: reboot (host left off),
    # then authenticate as the directory user.
    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
144
145
Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Documentation]  Verify that LDAP user with administrator privilege able to do BMC reboot.
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot


    # Map the test group to the suite-configured privilege (the test name
    # assumes ${GROUP_PRIVILEGE} is Administrator).
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # With LDAP user and with right privilege trying to do BMC reboot.
    Redfish OBMC Reboot (off)
    # The reboot drops the session; the LDAP user must be able to log back in.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
158
159
Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Verify that LDAP user with operator privilege can do host
    ...  power off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    [Teardown]  Restore LDAP Privilege

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Operator  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with operator privilege is able to power the system off.
    # (The literal 200 is the same value as ${HTTP_OK} used elsewhere in this suite.)
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[200]
    # Return to the default (non-LDAP) session for the teardown.
    Redfish.Logout
    Redfish.Login
175
176
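Verify AccountLockout Attributes Set To Zero By LDAP User
    [Documentation]  Verify that attribute AccountLockoutDuration and
    ...  AccountLockoutThreshold are set to 0 by LDAP user.
    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
    ...  FFDC On Test Case Fail
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero_By_LDAP_User

    # Capture the current AccountService settings so the teardown can restore
    # them.  Setting both lockout attributes to 0 disables account lockout on
    # the BMC; leaving that behind would weaken its brute-force protection.
    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    # A test-case-local variable is not visible inside the teardown keyword,
    # which would otherwise see the empty suite-level default and restore
    # nothing.  Promote it to test scope.
    Set Test Variable  ${old_account_service}
    Rprint Vars  old_account_service

    # Give the LDAP user Administrator privilege and create a session with it.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Administrator  ${GROUP_NAME}

    # Clear existing Redfish sessions.
    Redfish.Logout

    # Login using LDAP user.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # Set Account Lockout attributes using LDAP user.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]

    # Read the values back rather than trusting the PATCH status alone.
    ${account_service}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    Should Be Equal As Integers  ${account_service['AccountLockoutDuration']}  0
    ...  msg=AccountLockoutDuration was not set to 0 by the LDAP user.
    Should Be Equal As Integers  ${account_service['AccountLockoutThreshold']}  0
    ...  msg=AccountLockoutThreshold was not set to 0 by the LDAP user.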
203
204
Verify LDAP User With Read Privilege Able To Check Inventory
    [Documentation]  Verify that LDAP user with read privilege able to
    ...  read firmware inventory.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Firmware Inventory

    # Template row: the role mapped to ${GROUP_NAME} before reading inventory.
    ReadOnly
213
214
Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Documentation]  Verify that LDAP user with read privilege should not be
    ...  allowed to power on the host.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Poweron

    # Template row: the role mapped to ${GROUP_NAME}; power-on must be denied.
    ReadOnly
223
224
Update LDAP Group Name And Verify Operations
    [Documentation]  Verify that LDAP group name update and able to do right
    ...  operations.
    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
    [Template]  Update LDAP Config And Verify Set Host Name
    [Teardown]  Restore LDAP Privilege

    # Each row maps a group to a role and lists the status codes the HostName
    # PATCH may return.  Administrator/Operator may change it; ReadOnly is
    # denied; NoAccess is special-cased by the keyword (login itself must
    # fail).  Rows with a non-existent group expect denial whatever role is
    # attached, since the LDAP user is not a member of that group.
    # group_name             group_privilege  valid_status_codes
    ${GROUP_NAME}            Administrator    [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    ${GROUP_NAME}            Operator         [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    ${GROUP_NAME}            ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    ${GROUP_NAME}            NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
241
242
Verify LDAP BaseDN Update And LDAP Login
    [Documentation]  Update LDAP BaseDN of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login


    # BaseDistinguishedNames is a list property; re-applying the suite value
    # exercises the PATCH path and confirms login still works afterwards.
    ${body}=  Catenate  {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings':
    ...   {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    Redfish Verify LDAP Login
254
255
Verify LDAP BindDN Update And LDAP Login
    [Documentation]  Update LDAP BindDN of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login

    # The bind DN is carried in Authentication.Username; the scheme must be
    # sent alongside it.
    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...   {'AuthenticationType':'UsernameAndPassword', 'Username':
    ...  '${LDAP_BIND_DN}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    Redfish Verify LDAP Login
267
268
Verify LDAP BindDN Password Update And LDAP Login
    [Documentation]  Update LDAP BindDN password of LDAP configuration and
    ...  verify that LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Password_Update_And_LDAP_Login


    # Re-send the bind password; a successful LDAP login afterwards is the
    # only observable confirmation, since the password is write-only.
    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...   {'AuthenticationType':'UsernameAndPassword', 'Password':
    ...  '${LDAP_BIND_DN_PASSWORD}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    Redfish Verify LDAP Login
281
282
Verify LDAP Type Update And LDAP Login
    [Documentation]  Update LDAP type of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login

    # Despite the name, this only disables the other type and re-enables
    # ${LDAP_TYPE}; an actual type switch is covered by
    # 'Switch LDAP Type And Verify Login Fails'.
    Disable Other LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    Redfish Verify LDAP Login
293
294
Verify LDAP Authorization With Null Privilege
    [Documentation]  Verify the failure of LDAP authorization with empty
    ...  privilege.
    [Tags]  Verify_LDAP_Authorization_With_Null_Privilege
    [Teardown]  Restore LDAP Privilege

    # With an empty LocalRole the LDAP user may still authenticate, but the
    # HostName PATCH must be denied with 403.
    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}  ${EMPTY}
    ...  [${HTTP_FORBIDDEN}]
303
304
Verify LDAP Authorization With Invalid Privilege
    [Documentation]  Verify that LDAP user authorization with wrong privilege
    ...  fails.
    [Tags]  Verify_LDAP_Authorization_With_Invalid_Privilege
    [Teardown]  Restore LDAP Privilege

    # An unknown role name must not silently grant anything: the HostName
    # PATCH must be denied with 403.
    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}
    ...  Invalid_Privilege  [${HTTP_FORBIDDEN}]
313
314
Verify LDAP Login With Invalid Data
    [Documentation]  Verify that LDAP login with Invalid LDAP data and
    ...  right LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_Data
    # Restore the working configuration whatever happens.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    # Every parameter here is bogus on purpose; note the bind password is the
    # literal string 'LDAP_BIND_DN_PASSWORD', not the variable.
    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD
    ...  Invalid_LDAP_BASE_DN
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
328
329
Verify LDAP Config Creation Without BASE_DN
    [Documentation]  Verify that LDAP login with LDAP configuration
    ...  created without BASE_DN fails.
    [Tags]  Verify_LDAP_Config_Creation_Without_BASE_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    # NOTE(review): the server URI and bind DN are invalid as well, so this
    # does not isolate the missing BASE_DN as the cause of the login failure.
    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD  ${EMPTY}
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
342
343
Verify LDAP Authentication Without Password
    [Documentation]  Verify that LDAP user authentication without LDAP
    ...  user password fails.
    [Tags]  Verify_LDAP_Authentication_Without_Password
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Only the user name is supplied; the session request must be refused.
    # Capture the outcome so the expected failure does not abort the test.
    ${login_status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    Should Not Be True  ${login_status}
352
353
Verify LDAP Login With Invalid BASE_DN
    [Documentation]  Verify that LDAP login with invalid BASE_DN and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    # Only the search base is wrong; the user cannot be found under it.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}  ${LDAP_BIND_DN_PASSWORD}  Invalid_LDAP_BASE_DN
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
366
367
Verify LDAP Login With Invalid BIND_DN_PASSWORD
    [Documentation]  Verify that LDAP login with invalid BIND_DN_PASSWORD and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    # Only the bind password is wrong; the BMC cannot bind to search for
    # the user, so the login must fail.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}  INVALID_LDAP_BIND_DN_PASSWORD  ${LDAP_BASE_DN}
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
380
381
Verify LDAP Login With Invalid BASE_DN And Invalid BIND_DN
    [Documentation]  Verify that LDAP login with invalid BASE_DN and invalid
    ...  BIND_DN and valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    # Both the bind DN and the search base are wrong; server URI and bind
    # password stay valid.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  INVALID_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  INVALID_LDAP_BASE_DN
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
394
395
Verify Group Name And Group Privilege Able To Modify
    [Documentation]  Verify that LDAP group name and group privilege able to
    ...  modify.
    [Tags]  Verify_Group_Name_And_Group_Privilege_Able_To_Modify
    [Setup]  Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  Operator  ${GROUP_NAME}

    # Setup maps Operator, the body maps Administrator; passing only means
    # both PATCHes were accepted -- no login or authorization check is made.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Administrator  ${GROUP_NAME}
405
406
Verify LDAP Login With Invalid BIND_DN
    [Documentation]  Verify that LDAP login with invalid BIND_DN and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    # Only the bind DN is wrong; the BMC cannot bind to the directory.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  Invalid_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  ${LDAP_BASE_DN}
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
419
420
Verify LDAP Authentication With Invalid LDAP User
    [Documentation]  Verify that LDAP user authentication for user not exist
    ...  in LDAP server and fails.
    [Tags]  Verify_LDAP_Authentication_With_Invalid_LDAP_User
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # A user name unknown to the directory, with an otherwise valid password,
    # must be refused.  Capture the outcome rather than letting the expected
    # failure abort the test.
    ${login_status}=  Run Keyword And Return Status
    ...  Redfish.Login  INVALID_LDAP_USER  ${LDAP_USER_PASSWORD}
    Should Not Be True  ${login_status}
430
431
Update LDAP User Roles And Verify Host Poweroff Operation
    [Documentation]  Update LDAP user roles and verify host poweroff operation.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Host Poweroff
    # Each row maps ${GROUP_NAME} to a role and states the status the
    # ForceOff POST must return.  The keyword powers the host on first so
    # every row starts from the same state.
    # ldap_type   group_privilege  group_name     valid_status_codes

    # Verify LDAP user with NoAccess privilege not able to do host poweroff.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with ReadOnly privilege not able to do host poweroff.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege able to do host poweroff.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with Administrator privilege able to do host poweroff.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
451
452
Update LDAP User Roles And Verify Host Poweron Operation
    [Documentation]  Update LDAP user roles and verify host poweron operation.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Host Poweron
    # Each row maps ${GROUP_NAME} to a role and states the status the
    # power-on POST must return (mirror of the poweroff table above).
    # ldap_type   group_privilege  group_name     valid_status_codes

    # Verify LDAP user with NoAccess privilege not able to do host poweron.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with ReadOnly privilege not able to do host poweron.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege able to do host poweron.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with Administrator privilege able to do host poweron.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
472
473
Configure IP Address Via Different User Roles And Verify
    [Documentation]  Configure IP address via different user roles and verify.
    [Tags]  Configure_IP_Address_Via_Different_User_Roles_And_Verify
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Configure IP Address
    # ldap_type   group_privilege  group_name     valid_status_codes
    # Verify LDAP user with Administrator privilege is able to configure IP address.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with ReadOnly privilege is forbidden to configure IP address.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with NoAccess privilege is forbidden to configure IP address.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege is forbidden to configure IP
    # address: network configuration is an Administrator-only operation here
    # (the expected code is ${HTTP_FORBIDDEN}, not ${HTTP_OK}).
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
491
492
Delete IP Address Via Different User Roles And Verify
    [Documentation]  Delete IP address via different user roles and verify.
    [Tags]  Delete_IP_Address_Via_Different_User_Roles_And_Verify
    [Teardown]  Run Keywords  Restore LDAP Privilege  AND  FFDC On Test Case Fail

    [Template]  Update LDAP User Role And Delete IP Address
    # ldap_type   group_privilege  group_name     valid_status_codes
    # Verify LDAP user with Administrator privilege is able to delete IP address.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with ReadOnly privilege is forbidden to delete IP address.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with NoAccess privilege is forbidden to delete IP address.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege is forbidden to delete IP
    # address: like configuring one, this is Administrator-only here
    # (the expected code is ${HTTP_FORBIDDEN}, not ${HTTP_OK}).
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
510
511
Read Network Configuration Via Different User Roles And Verify
    [Documentation]  Read network configuration via different user roles and verify.
    [Tags]  Read_Network_Configuration_Via_Different_User_Roles_And_Verify
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Read Network Configuration
    # ldap_type   group_privilege  group_name     valid_status_codes
    # Reading network configuration is allowed for every role that can log
    # in, including ReadOnly; only NoAccess is denied.
    ${LDAP_TYPE}  Administrator  ${GROUP_NAME}  ${HTTP_OK}

    ${LDAP_TYPE}  ReadOnly       ${GROUP_NAME}  ${HTTP_OK}

    ${LDAP_TYPE}  NoAccess       ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    ${LDAP_TYPE}  Operator       ${GROUP_NAME}  ${HTTP_OK}
525
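Switch LDAP Type And Verify Login Fails
    [Documentation]  Switch LDAP type and verify login fails.
    [Tags]  Switch_LDAP_Type_And_Verify_Login_Fails
    # Put the BMC back on the configured LDAP type afterwards.  Without this
    # the suite ends with the inverse type enabled and ${LDAP_TYPE} disabled,
    # which the suite teardown does not undo.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Disable Other LDAP  AND
    ...  Create LDAP Configuration  AND
    ...  Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}

    # The inverse-type parameters are not checked in suite setup; fail early
    # with a clear message rather than on a half-applied configuration.
    Valid Value  LDAP_TYPE_1  valid_values=["ActiveDirectory", "LDAP"]
    Valid Value  LDAP_SERVER_URI_1
    Valid Value  LDAP_BIND_DN_1
    Valid Value  LDAP_BIND_DN_PASSWORD_1
    Valid Value  LDAP_BASE_DN_1
    Valid Value  LDAP_USER_1
    Valid Value  LDAP_USER_PASSWORD_1

    # Check Login with LDAP Type is working
    Create LDAP Configuration
    Redfish Verify LDAP Login

    # Disable the LDAP Type from OpenLDAP to ActiveDirectory or vice-versa
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}

    # Enable the inverse LDAP type and configure it with its own server,
    # bind DN and base DN.
    Disable Other LDAP  ${True}
    Create LDAP Configuration  ${LDAP_TYPE_1}  ${LDAP_SERVER_URI_1}  ${LDAP_BIND_DN_1}  ${LDAP_BIND_DN_PASSWORD_1}  ${LDAP_BASE_DN_1}
    Redfish.Logout
    Sleep  10s

    # Check if Login works via Inverse LDAP
    Redfish.Login  ${LDAP_USER_1}  ${LDAP_USER_PASSWORD_1}
    Redfish.Logout
    Sleep  10s

    # Login using LDAP type must fail: a disabled directory type must not
    # keep authenticating its users.
    Redfish Verify LDAP Login  ${False}
    Redfish.Logout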
552
553*** Keywords ***
554
Redfish Verify LDAP Login
    [Documentation]  LDAP user log into BMC.
    [Arguments]  ${valid_status}=${True}

    # Description of argument(s):
    # valid_status  Expected status of LDAP login ("True" or "False").

    # According to our repo coding rules, Redfish.Login is to be done in Suite
    # Setup and Redfish.Logout is to be done in Suite Teardown.  For any
    # deviation from this rule (such as in this keyword), the deviant code
    # must take steps to restore us to our original logged-in state.

    # Attempt the LDAP login without letting a (possibly expected) failure
    # abort the caller, then compare the outcome with the expectation.
    ${login_status}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${login_status}  ${valid_status}
    # Drop whatever session exists and return to the default (non-LDAP) login.
    Redfish.Logout
    Redfish.Login
572
573
Update LDAP Config And Verify Set Host Name
    [Documentation]  Update LDAP config and verify by attempting to set host name.
    [Arguments]  ${group_name}  ${group_privilege}=Administrator
    ...  ${valid_status_codes}=[${HTTP_OK}]
    [Teardown]  Run Keyword If  '${group_privilege}'=='NoAccess'  Redfish.Login
                ...  ELSE  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # group_name                    The group name of user.
    # group_privilege               The group privilege ("Administrator",
    #                               "Operator", "ReadOnly" or "NoAccess").
    # valid_status_codes            Expected return code(s) from patch
    #                               operation (e.g. "200") used to update
    #                               HostName.  See prolog of rest_request
    #                               method in redfish_plus.py for details.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${group_privilege}  ${group_name}

    # NoAccess is an authentication-level denial: the login itself must fail,
    # so there is no session with which to attempt the PATCH.
    Run Keyword If  '${group_privilege}'=='NoAccess'
    ...  Run Keyword And Return  Verify Redfish Login for LDAP Userrole NoAccess

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user in ${group_name} with the given privilege is
    # allowed to change the hostname.
    # NOTE(review): ${hostname} is the suite-level variable (empty by default);
    # confirm that 'Suite Setup Execution' publishes the value it reads with
    # Set Suite Variable, otherwise the allowed rows PATCH an empty HostName.
    Redfish.Patch  ${REDFISH_NW_ETH0_URI}  body={'HostName': '${hostname}'}
    ...  valid_status_codes=${valid_status_codes}
600
Verify Redfish Login for LDAP Userrole NoAccess
    [Documentation]  Verify Redfish login should not be able to login for LDAP Userrole NoAccess.

    # A NoAccess mapping must be refused at session creation, not merely
    # denied per resource afterwards.
    ${login_status}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Should Not Be True  ${login_status}
606
Disable Other LDAP
    [Documentation]  Disable other LDAP configuration.
    [Arguments]  ${service_state}=${False}

    # Description of argument(s):
    # service_state  ServiceEnabled value to apply to the *other* LDAP type
    #                (default ${False}; pass ${True} to enable it instead).

    # Work out the type that is not under test: 'LDAP' <-> 'ActiveDirectory'.
    ${other_ldap_type}=  Evaluate  'ActiveDirectory' if '${LDAP_TYPE}' == 'LDAP' else 'LDAP'
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${other_ldap_type}': {'ServiceEnabled': ${service_state}}}
    # Give the BMC time to apply the change.
    Sleep  15s
616
617
Config LDAP URL
    [Documentation]  Config LDAP URL.
    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}  ${expected_status}=${TRUE}

    # Description of argument(s):
    # ldap_server_uri  LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").
    # expected_status  Whether the LDAP user login is expected to succeed
    #                  once the URI is applied (${TRUE} or ${FALSE}).

    # Point the configured LDAP type at the given server.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}}
    # Let the LDAP client on the BMC reload its configuration.
    Sleep  15s
    # Try the LDAP login and compare the outcome with the expectation.
    ${login_status}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${login_status}  ${expected_status}

    # Return to the default (non-LDAP) session.
    Redfish.Logout
    Redfish.Login
634
635
Restore LDAP URL
    [Documentation]  Restore LDAP URL.

    # Restoring the working LDAP server uri.  Used as the teardown of the
    # invalid-URL test so later tests are not left pointing at 1.2.3.4.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
    # Give the LDAP client on the BMC time to reload.
    Sleep  15s
643
644
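Restore AccountLockout Attributes
    [Documentation]  Restore AccountLockoutDuration and AccountLockoutThreshold
    ...  to the values saved in ${old_account_service}.

    # Nothing to do when no settings were captured (the suite-level default
    # is an empty dictionary).
    ${saved_count}=  Get Length  ${old_account_service}
    Return From Keyword If  ${saved_count} == ${0}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    # Restore the threshold too.  Writing the duration twice (as before)
    # left AccountLockoutThreshold at 0, i.e. account lockout disabled.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]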
653
654
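Suite Setup Execution
    [Documentation]  Do suite setup tasks.

    # Fail fast when any LDAP parameter is missing or malformed.
    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Valid Value  LDAP_USER
    Valid Value  LDAP_USER_PASSWORD
    Valid Value  GROUP_PRIVILEGE
    Valid Value  GROUP_NAME
    Valid Value  LDAP_SERVER_URI
    Valid Value  LDAP_BIND_DN_PASSWORD
    Valid Value  LDAP_BIND_DN
    Valid Value  LDAP_BASE_DN

    Redfish.Login
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    # Publish the privilege that 'Restore LDAP Privilege' re-applies.
    # NOTE(review): this keeps the file-level default ("Administrator")
    # rather than reading the BMC's current mapping via 'Get LDAP Privilege'.
    Set Suite Variable  ${old_ldap_privilege}
    # Keep only the LDAP type under test enabled, then apply the suite's
    # server URI / bind DN / base DN settings.
    Disable Other LDAP
    Create LDAP Configuration
    ${hostname}=  Redfish.Get Attribute  ${REDFISH_NW_PROTOCOL_URI}  HostName
    # The value above is keyword-local; without publishing it the suite-level
    # ${hostname} stays empty and 'Update LDAP Config And Verify Set Host
    # Name' PATCHes an empty HostName onto the BMC.
    Set Suite Variable  ${hostname}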
675
676
LDAP Suite Teardown Execution
    [Documentation]  Restore ldap configuration, delete unused redfish session.

    # Put the group's role mapping back, then drop our session and any
    # others the tests left behind (best effort: errors are ignored).
    Restore LDAP Privilege
    Redfish.Logout
    Run Keyword And Ignore Error  Delete All Redfish Sessions
683
684
Set Read Privilege And Check Firmware Inventory
    [Documentation]  Set read privilege and check firmware inventory.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read-only role to map to ${GROUP_NAME}
    #                 (the suite passes "ReadOnly").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with read privilege is able to read inventory.
    # The collection must be non-empty and its count must match the members
    # actually returned.
    ${resp}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
    Should Be True  ${resp.dict["Members@odata.count"]} >= ${1}
    Length Should Be  ${resp.dict["Members"]}  ${resp.dict["Members@odata.count"]}
    # Return to the default (non-LDAP) session.
    Redfish.Logout
    Redfish.Login
702
703
Set Read Privilege And Check Poweron
    [Documentation]  Set read privilege and power on should not be possible.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read-only role to map to ${GROUP_NAME}
    #                 (the suite passes "ReadOnly").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # A read-only user must be denied the power action (401 or 403).
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}   valid_status_codes=[401, 403]
    # Return to the default (non-LDAP) session.
    Redfish.Logout
    Redfish.Login
718
719
Get LDAP Configuration
    [Documentation]  Retrieve LDAP Configuration.
    [Arguments]   ${ldap_type}

    # Description of argument(s):
    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").

    # Returns the ${ldap_type} sub-object of AccountService.  Unlike
    # 'Redfish.Get Attribute' with a default, this fails on a missing key,
    # which is what the suite setup relies on to detect a missing config.
    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    [Return]  ${ldap_config["${ldap_type}"]}
729
730
Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  Update LDAP configuration update with LDAP user Role and group.
    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege  The BMC role mapped to the group (this suite uses
    #                  "Administrator", "Operator", "ReadOnly" and "NoAccess").
    # group_name       The remote (directory) group name that receives the role.

    # Build {ldap_type: {'RemoteRoleMapping': [{'LocalRole': ..., 'RemoteGroup': ...}]}}.
    # Only a single mapping entry is sent; presumably this replaces any other
    # mappings on the BMC -- confirm against the Redfish implementation.
    ${mapping_entry}=  Create Dictionary
    ...  LocalRole=${group_privilege}
    ...  RemoteGroup=${group_name}
    ${mapping_list}=  Create List  ${mapping_entry}
    ${type_settings}=  Create Dictionary  RemoteRoleMapping=${mapping_list}
    ${payload}=  Create Dictionary  ${ldap_type}=${type_settings}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
    # Provide adequate time for LDAP daemon to restart after the update.
    Sleep  15s
747
748
Get LDAP Privilege
    [Documentation]  Get LDAP privilege and return it.

    # Returns the LocalRole of the first RemoteRoleMapping entry, or an empty
    # list when no mapping exists (the '[]' that 'Restore LDAP Privilege'
    # checks for).  Not called anywhere in this file at present.
    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    ${num_list_entries}=  Get Length  ${ldap_config["RemoteRoleMapping"]}
    Return From Keyword If  ${num_list_entries} == ${0}  @{EMPTY}

    [Return]  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}
757
758
Restore LDAP Privilege
    [Documentation]  Restore the LDAP privilege to its original value.

    # Make sure we hold a default (non-LDAP) session before reconfiguring.
    Redfish.Login
    # Nothing to restore when the saved privilege is empty ('' or the '[]'
    # string form of the empty list 'Get LDAP Privilege' would yield).
    ${nothing_saved}=  Evaluate  '${old_ldap_privilege}' in ['', '[]']
    Return From Keyword If  ${nothing_saved}
    # Re-apply the original role mapping for the test group.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${old_ldap_privilege}  ${GROUP_NAME}

    # Extra settling time on top of the 15s inside the update keyword.
    Sleep  18s
769
Verify Host Power Status
    [Documentation]  Verify the Host power status and do host power on/off respectively.
    [Arguments]  ${expected_power_status}

    # Description of argument(s):
    # expected_power_status  State of Host e.g. Off or On.

    # Read the chassis PowerState and stop if it already matches.
    ${current_state}=  Redfish.Get Attribute  /redfish/v1/Chassis/${CHASSIS_ID}  PowerState
    Return From Keyword If  '${current_state}' == '${expected_power_status}'

    # Otherwise flip it: anything other than 'Off' gets powered off,
    # 'Off' gets powered on.
    Run Keyword If  '${current_state}' != 'Off'  Redfish Power Off
    ...  ELSE  Redfish Power On
782
Update LDAP User Role And Host Poweroff
    [Documentation]  Map the LDAP group to the given role and attempt a host
    ...  power off as the LDAP user, expecting valid_status_code.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
    # Drop the LDAP user session and return to the local session for the next test.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    # The host must be on for a power off to be a meaningful request. This runs
    # on the local session, before the role mapping is changed.
    Verify Host Power Status  On

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}  ${group_privilege}  ${group_name}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # The status code is the actual check: a role without power-control
    # privilege is expected to be rejected rather than to succeed.
    Redfish.Post  ${REDFISH_POWER_URI}  body={'ResetType': 'ForceOff'}  valid_status_codes=[${valid_status_code}]

    # For the forbidden case only the response code is verified; the host power
    # state itself is not re-read here.
    Return From Keyword If  ${valid_status_code} == ${HTTP_FORBIDDEN}
    Wait Until Keyword Succeeds  1 min  10 sec  Verify Host Power State  Off


Update LDAP User Role And Host Poweron
    [Documentation]  Map the LDAP group to the given role and attempt a host
    ...  power on as the LDAP user, expecting valid_status_code.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
    # Drop the LDAP user session and return to the local session for the next test.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    # The host must be off for a power on to be a meaningful request. This runs
    # on the local session, before the role mapping is changed.
    Verify Host Power Status  Off

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}  ${group_privilege}  ${group_name}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # The status code is the actual check: a role without power-control
    # privilege is expected to be rejected rather than to succeed.
    Redfish.Post  ${REDFISH_POWER_URI}  body={'ResetType': 'On'}  valid_status_codes=[${valid_status_code}]

    # For the forbidden case only the response code is verified; the host power
    # state itself is not re-read here.
    Return From Keyword If  ${valid_status_code} == ${HTTP_FORBIDDEN}
    Verify Host Is Up


Update LDAP User Role And Configure IP Address
    [Documentation]  Map the LDAP group to the given role and attempt to add an
    ...  IP address as the LDAP user, expecting valid_status_code.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    # Return to the local session and remove the test IP, whether or not the
    # LDAP user was allowed to add it.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}  ${group_privilege}  ${group_name}

    # Re-authenticate as the LDAP user so the new role mapping applies to the session.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    ${test_gateway}=  Get BMC Default Gateway

    # The NoAccess variant gathers the current network configuration on the local
    # session first (presumably because a NoAccess user cannot read it) and then
    # issues the patch as the LDAP user.
    Run Keyword If  '${group_privilege}' == 'NoAccess'
    ...  Add IP Address With NoAccess User  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}
    ...  ELSE  Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}


Update LDAP User Role And Delete IP Address
    [Documentation]  Map the LDAP group to the given role and attempt to delete
    ...  an IP address as the LDAP user, expecting valid_status_code.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    # Return to the local session and remove the test IP in case the LDAP user
    # was not allowed to delete it.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    ${test_gateway}=  Get BMC Default Gateway

    # Create the address on the local session first, so that the delete attempt
    # as the LDAP user exercises the permission check rather than a missing IP.
    Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}  ${group_privilege}  ${group_name}

    # Re-authenticate as the LDAP user so the new role mapping applies to the session.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Run Keyword If  '${group_privilege}' == 'NoAccess'
    ...  Delete IP Address With NoAccess User  ${test_ip}  ${valid_status_code}
    ...  ELSE  Delete IP Address  ${test_ip}  ${valid_status_code}


Update LDAP User Role And Read Network Configuration
    [Documentation]  Map the LDAP group to the given role and read the network
    ...  configuration as the LDAP user, expecting valid_status_code.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    # Drop the LDAP user session and return to the local session.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}  ${group_privilege}  ${group_name}

    # Re-authenticate as the LDAP user so the new role mapping applies to the session.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # Only the response code is checked here; the returned payload is not inspected.
    Redfish.Get  ${REDFISH_NW_ETH0_URI}  valid_status_codes=[${valid_status_code}]


Add IP Address With NoAccess User
    [Documentation]  Attempt to add an IP address to the BMC as the LDAP user,
    ...  after collecting the required network data on the local session.
    [Arguments]  ${ip}  ${subnet_mask}  ${gateway}  ${valid_status_codes}=${HTTP_OK}

    # Description of argument(s):
    # ip                  IP address to be added (e.g. "10.7.7.7").
    # subnet_mask         Subnet mask for the IP to be added
    #                     (e.g. "255.255.0.0").
    # gateway             Gateway for the IP to be added (e.g. "10.7.7.1").
    # valid_status_codes  Expected return code from patch operation
    #                     (e.g. "200").  See prolog of rest_request
    #                     method in redfish_plus.py for details.

    # Switch from the LDAP user to the local user: the existing network
    # configuration is read on the local session.
    Redfish.Logout
    Redfish.Login

    ${new_address}=  Create Dictionary  Address=${ip}  SubnetMask=${subnet_mask}  Gateway=${gateway}

    # One empty dictionary per existing entry keeps those entries untouched in
    # the IPv4StaticAddresses patch; the new address is appended at the end.
    ${placeholder}=  Create Dictionary
    ${static_addresses}=  Create List
    ${network_configurations}=  Get Network Configuration
    ${existing_count}=  Get Length  ${network_configurations}
    FOR  ${idx}  IN RANGE  0  ${existing_count}
      Append To List  ${static_addresses}  ${placeholder}
    END

    # A successful add may answer 200 or 204; any other expectation is taken as given.
    ${valid_status_codes}=  Set Variable If  '${valid_status_codes}' == '${HTTP_OK}'
    ...  ${HTTP_OK},${HTTP_NO_CONTENT}  ${valid_status_codes}

    # Existence of the IP on the BMC is not checked while adding.
    Append To List  ${static_addresses}  ${new_address}
    ${data}=  Create Dictionary  IPv4StaticAddresses=${static_addresses}

    ${active_channel_config}=  Get Active Channel Config
    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}

    # Switch back to the LDAP user: the patch itself is the permission check, and
    # only its status code is verified against valid_status_codes.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
    ...  valid_status_codes=[${valid_status_codes}]


Delete IP Address With NoAccess User
    [Documentation]  Attempt to delete an IP address of the BMC as the LDAP user,
    ...  after locating the address on the local session.
    [Arguments]  ${ip}  ${valid_status_codes}=${HTTP_OK}

    # Description of argument(s):
    # ip                  IP address to be deleted (e.g. "10.7.7.7").
    # valid_status_codes  Expected return code from patch operation
    #                     (e.g. "200").  See prolog of rest_request
    #                     method in redfish_plus.py for details.

    # Switch from the LDAP user to the local user: the existing network
    # configuration is read on the local session.
    Redfish.Logout
    Redfish.Login

    # Build the IPv4StaticAddresses patch: null removes the matching entry, an
    # empty dictionary leaves every other entry untouched.
    ${placeholder}=  Create Dictionary
    ${static_addresses}=  Create List
    @{network_configurations}=  Get Network Configuration
    FOR  ${entry}  IN  @{network_configurations}
      ${keep_entry}=  Set Variable If  '${entry['Address']}' == '${ip}'  ${null}  ${placeholder}
      Append To List  ${static_addresses}  ${keep_entry}
    END

    # NOTE: when the IP is absent the whole test passes here without the delete
    # ever being attempted, so the permission check is skipped rather than failed.
    ${ip_found}=  Run Keyword And Return Status  List Should Contain Value
    ...  ${static_addresses}  ${null}  msg=${ip} does not exist on BMC
    Pass Execution If  ${ip_found} == ${False}  ${ip} does not exist on BMC

    ${data}=  Create Dictionary  IPv4StaticAddresses=${static_addresses}

    ${active_channel_config}=  Get Active Channel Config
    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}

    # Switch back to the LDAP user: the patch itself is the permission check, and
    # only its status code is verified against valid_status_codes.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
    ...  valid_status_codes=[${valid_status_codes}]

    # Note: Network restart takes around 15-18s after patch request processing
    Sleep  ${NETWORK_TIMEOUT}s
    Wait For Host To Ping  ${OPENBMC_HOST}  ${NETWORK_TIMEOUT}
