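*** Settings ***
Documentation    Test Redfish LDAP user configuration.

Library          ../../lib/gen_robot_valid.py
Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
Library          ../../lib/gen_robot_valid.py
Resource         ../../lib/bmc_network_utils.robot
Resource         ../../lib/bmc_ldap_utils.robot

Suite Setup      Suite Setup Execution
Suite Teardown   Run Keywords  Restore LDAP Privilege  AND  Redfish.Logout
Test Teardown    FFDC On Test Case Fail

Force Tags       LDAP_Test

*** Variables ***
# State captured from the BMC so that teardown keywords can put it back.
${old_ldap_privilege}   ${EMPTY}
&{old_account_service}  &{EMPTY}
&{old_ldap_config}      &{EMPTY}
${hostname}             ${EMPTY}
# Scratch static address used by the IP add/delete role tests.
${test_ip}              10.6.6.6
${test_mask}            255.255.255.0

*** Test Cases ***

Verify LDAP Configuration Created
    [Documentation]  Verify that LDAP configuration created.
    [Tags]  Verify_LDAP_Configuration_Created

    Create LDAP Configuration
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    Sleep  10s
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Return to the default (local) session for the tests that follow.
    Redfish.Logout
    Redfish.Login


Verify LDAP Service Disable
    [Documentation]  Verify that LDAP is disabled and that LDAP user cannot
    ...  login.
    [Tags]  Verify_LDAP_Service_Disable

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
    Sleep  15s
    ${resp}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${resp}  ${False}
    ...  msg=LDAP user was able to login even though the LDAP service was disabled.
    # NOTE(review): if the assertion above fails, the re-enable step below is
    # skipped and the LDAP service stays disabled for later tests.
    Redfish.Logout
    Redfish.Login
    # Enabling LDAP so that LDAP user works.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Redfish.Logout
    Redfish.Login


Verify LDAP Login With ServiceEnabled
    [Documentation]  Verify that LDAP Login with ServiceEnabled.
    [Tags]  Verify_LDAP_Login_With_ServiceEnabled

    Disable Other LDAP
    # Actual service enablement.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    # After update, LDAP login.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP Login With Correct AuthenticationType
    [Documentation]  Verify that LDAP Login with right AuthenticationType.
    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
    Sleep  15s
    # After update, LDAP login.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP Config Update With Incorrect AuthenticationType
    [Documentation]  Verify that invalid AuthenticationType is not updated.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_AuthenticationType

    ${body}=  Catenate  {'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}

    # The BMC is expected to reject the unsupported type with HTTP 400.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=${body}  valid_status_codes=[400]


Verify LDAP Login With Correct LDAP URL
    [Documentation]  Verify LDAP Login with right LDAP URL.
    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL

    Config LDAP URL  ${LDAP_SERVER_URI}


Verify LDAP Config Update With Incorrect LDAP URL
    [Documentation]  Verify that LDAP Login fails with invalid LDAP URL.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
    [Teardown]  Run Keywords  Restore LDAP URL  AND
    ...  FFDC On Test Case Fail

    Config LDAP URL  ldap://1.2.3.4/  ${FALSE}


Verify LDAP Configuration Exist
    [Documentation]  Verify that LDAP configuration is available.
    [Tags]  Verify_LDAP_Configuration_Exist

    ${resp}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
    ...  ${LDAP_TYPE}  default=${EMPTY}
    Should Not Be Empty  ${resp}  msg=LDAP configuration is not defined.


Verify LDAP User Login
    [Documentation]  Verify that LDAP user able to login into BMC.
    [Tags]  Verify_LDAP_User_Login

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP Service Available
    [Documentation]  Verify that LDAP service is available.
    [Tags]  Verify_LDAP_Service_Available

    @{ldap_configuration}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Contain  ${ldap_configuration}  LDAPService
    ...  msg=LDAPService is not available.


Verify LDAP Login Works After BMC Reboot
    [Documentation]  Verify that LDAP login works after BMC reboot.
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot

    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Documentation]  Verify that LDAP user with administrator privilege able to do BMC reboot.
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot


    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # With LDAP user and with right privilege trying to do BMC reboot.
    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Verify that LDAP user with operator privilege can do host
    ...  power off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    [Teardown]  Restore LDAP Privilege

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Operator  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with operator privilege is able to power the system off.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}  valid_status_codes=[200]
    Redfish.Logout
    Redfish.Login


Verify AccountLockout Attributes Set To Zero By LDAP User
    [Documentation]  Verify that attribute AccountLockoutDuration and
    ...  AccountLockoutThreshold are set to 0 by LDAP user.
    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
    ...  FFDC On Test Case Fail
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero_By_LDAP_User

    # Record the current AccountService properties before changing them.
    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    Rprint Vars  old_account_service

    # Create LDAP user and create session using LDAP user.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Administrator  ${GROUP_NAME}

    # Clear existing Redfish sessions.
    Redfish.Logout

    # Login using LDAP user.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # Set Account Lockout attributes using LDAP user.
    # In the Redfish AccountService schema a threshold of 0 means accounts are
    # never locked, so the teardown has to put both values back.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]


Verify LDAP User With Read Privilege Able To Check Inventory
    [Documentation]  Verify that LDAP user with read privilege able to
    ...  read firmware inventory.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Firmware Inventory

    ReadOnly


Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Documentation]  Verify that LDAP user with read privilege should not be
    ...  allowed to power on the host.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Poweron

    ReadOnly


Update LDAP Group Name And Verify Operations
    [Documentation]  Verify that LDAP group name update and able to do right
    ...  operations.
    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
    [Template]  Update LDAP Config And Verify Set Host Name
    [Teardown]  Restore LDAP Privilege

    # A known group with a write-capable role may set the host name; read-only
    # or no-access roles and unknown group names must be refused.
    # group_name             group_privilege  valid_status_codes
    ${GROUP_NAME}            Administrator    [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    ${GROUP_NAME}            Operator         [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    ${GROUP_NAME}            ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    ${GROUP_NAME}            NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]


Verify LDAP BaseDN Update And LDAP Login
    [Documentation]  Update LDAP BaseDN of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login


    ${body}=  Catenate  {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings':
    ...  {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    Redfish Verify LDAP Login


Verify LDAP BindDN Update And LDAP Login
    [Documentation]  Update LDAP BindDN of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login

    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...  {'AuthenticationType':'UsernameAndPassword', 'Username':
    ...  '${LDAP_BIND_DN}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    Redfish Verify LDAP Login


Verify LDAP BindDN Password Update And LDAP Login
    [Documentation]  Update LDAP BindDN password of LDAP configuration and
    ...  verify that LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Password_Update_And_LDAP_Login


    # NOTE(review): Robot logs the value assigned to ${body}, so the bind
    # password ends up in the run's log output; treat those logs as sensitive.
    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...  {'AuthenticationType':'UsernameAndPassword', 'Password':
    ...  '${LDAP_BIND_DN_PASSWORD}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    Redfish Verify LDAP Login


Verify LDAP Type Update And LDAP Login
    [Documentation]  Update LDAP type of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login

    Disable Other LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    Redfish Verify LDAP Login


Verify LDAP Authorization With Null Privilege
    [Documentation]  Verify the failure of LDAP authorization with empty
    ...  privilege.
    [Tags]  Verify_LDAP_Authorization_With_Null_Privilege
    [Teardown]  Restore LDAP Privilege

    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}  ${EMPTY}
    ...  [${HTTP_FORBIDDEN}]


Verify LDAP Authorization With Invalid Privilege
    [Documentation]  Verify that LDAP user authorization with wrong privilege
    ...  fails.
    [Tags]  Verify_LDAP_Authorization_With_Invalid_Privilege
    [Teardown]  Restore LDAP Privilege

    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}
    ...  Invalid_Privilege  [${HTTP_FORBIDDEN}]


Verify LDAP Login With Invalid Data
    [Documentation]  Verify that LDAP login with Invalid LDAP data and
    ...  right LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_Data
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD
    ...  Invalid_LDAP_BASE_DN
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify LDAP Config Creation Without BASE_DN
    [Documentation]  Verify that LDAP login with LDAP configuration
    ...  created without BASE_DN fails.
    [Tags]  Verify_LDAP_Config_Creation_Without_BASE_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD  ${EMPTY}
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify LDAP Authentication Without Password
    [Documentation]  Verify that LDAP user authentication without LDAP
    ...  user password fails.
    [Tags]  Verify_LDAP_Authentication_Without_Password
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # NOTE(review): only the user name is passed here; which password
    # Redfish.Login then sends is not visible in this file - confirm that it
    # is not a valid credential for this user.
    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    Valid Value  status  [${False}]


Verify LDAP Login With Invalid BASE_DN
    [Documentation]  Verify that LDAP login with invalid BASE_DN and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}  ${LDAP_BIND_DN_PASSWORD}  Invalid_LDAP_BASE_DN
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify LDAP Login With Invalid BIND_DN_PASSWORD
    [Documentation]  Verify that LDAP login with invalid BIND_DN_PASSWORD and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}  INVALID_LDAP_BIND_DN_PASSWORD  ${LDAP_BASE_DN}
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify LDAP Login With Invalid BASE_DN And Invalid BIND_DN
    [Documentation]  Verify that LDAP login with invalid BASE_DN and invalid
    ...  BIND_DN and valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  INVALID_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  INVALID_LDAP_BASE_DN
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify Group Name And Group Privilege Able To Modify
    [Documentation]  Verify that LDAP group name and group privilege able to
    ...  modify.
    [Tags]  Verify_Group_Name_And_Group_Privilege_Able_To_Modify
    [Setup]  Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  Operator  ${GROUP_NAME}

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Administrator  ${GROUP_NAME}


Verify LDAP Login With Invalid BIND_DN
    [Documentation]  Verify that LDAP login with invalid BIND_DN and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  Invalid_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  ${LDAP_BASE_DN}
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify LDAP Authentication With Invalid LDAP User
    [Documentation]  Verify that LDAP user authentication for user not exist
    ...  in LDAP server and fails.
    [Tags]  Verify_LDAP_Authentication_With_Invalid_LDAP_User
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    ${status}=  Run Keyword And Return Status  Redfish.Login  INVALID_LDAP_USER
    ...  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${False}]


Update LDAP User Roles And Verify Host Poweroff Operation
    [Documentation]  Update LDAP user roles and verify host poweroff operation.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Host Poweroff
    # ldap_type   group_privilege  group_name     valid_status_codes

    # Verify LDAP user with NoAccess privilege not able to do host poweroff.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with ReadOnly privilege not able to do host poweroff.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege able to do host poweroff.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with Administrator privilege able to do host poweroff.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}


Update LDAP User Roles And Verify Host Poweron Operation
    [Documentation]  Update LDAP user roles and verify host poweron operation.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Host Poweron
    # ldap_type   group_privilege  group_name     valid_status_codes

    # Verify LDAP user with NoAccess privilege not able to do host poweron.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with ReadOnly privilege not able to do host poweron.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege able to do host poweron.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with Administrator privilege able to do host poweron.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}


Configure IP Address Via Different User Roles And Verify
    [Documentation]  Configure IP address via different user roles and verify.
    [Tags]  Configure_IP_Address_Via_Different_User_Roles_And_Verify
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Configure IP Address
    # Verify LDAP user with Administrator privilege is able to configure IP address.
    ${LDAP_TYPE}  Administrator  ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with ReadOnly privilege is forbidden to configure IP address.
    ${LDAP_TYPE}  ReadOnly       ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with NoAccess privilege is forbidden to configure IP address.
    ${LDAP_TYPE}  NoAccess       ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege is able to configure IP address.
    ${LDAP_TYPE}  Operator       ${GROUP_NAME}  ${HTTP_OK}


Delete IP Address Via Different User Roles And Verify
    [Documentation]  Delete IP address via different user roles and verify.
    [Tags]  Delete_IP_Address_Via_Different_User_Roles_And_Verify
    [Teardown]  Run Keywords  Restore LDAP Privilege  AND  FFDC On Test Case Fail

    [Template]  Update LDAP User Role And Delete IP Address
    # Verify LDAP user with Administrator privilege is able to delete IP address.
    ${LDAP_TYPE}  Administrator  ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with ReadOnly privilege is forbidden to delete IP address.
    ${LDAP_TYPE}  ReadOnly       ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with NoAccess privilege is forbidden to delete IP address.
    ${LDAP_TYPE}  NoAccess       ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege is able to delete IP address.
    ${LDAP_TYPE}  Operator       ${GROUP_NAME}  ${HTTP_OK}


Read Network Configuration Via Different User Roles And Verify
    [Documentation]  Read network configuration via different user roles and verify.
    [Tags]  Read_Network_Configuration_Via_Different_User_Roles_And_Verify
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Read Network Configuration
    # Every role except NoAccess is expected to be able to read the interface.
    ${LDAP_TYPE}  Administrator  ${GROUP_NAME}  ${HTTP_OK}

    ${LDAP_TYPE}  ReadOnly       ${GROUP_NAME}  ${HTTP_OK}

    ${LDAP_TYPE}  NoAccess       ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    ${LDAP_TYPE}  Operator       ${GROUP_NAME}  ${HTTP_OK}


*** Keywords ***

Redfish Verify LDAP Login
    [Documentation]  LDAP user log into BMC.
    [Arguments]  ${valid_status}=${True}

    # Description of argument(s):
    # valid_status  Expected status of LDAP login ("True" or "False").

    # According to our repo coding rules, Redfish.Login is to be done in Suite
    # Setup and Redfish.Logout is to be done in Suite Teardown.  For any
    # deviation from this rule (such as in this keyword), the deviant code
    # must take steps to restore us to our original logged-in state.

    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${valid_status}]
    Redfish.Logout
    Redfish.Login


Update LDAP Config And Verify Set Host Name
    [Documentation]  Update LDAP config and verify by attempting to set host name.
    [Arguments]  ${group_name}  ${group_privilege}=Administrator
    ...  ${valid_status_codes}=[${HTTP_OK}]
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # group_name                    The group name of user.
    # group_privilege               The group privilege ("Administrator",
    #                               "Operator", "ReadOnly" or "NoAccess").
    # valid_status_codes            Expected return code(s) from patch
    #                               operation (e.g. "200") used to update
    #                               HostName.  See prolog of rest_request
    #                               method in redfish_plus.py for details.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${group_privilege}  ${group_name}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user in ${group_name} with the given privilege is
    # allowed to change the hostname.
    Redfish.Patch  ${REDFISH_NW_ETH0_URI}  body={'HostName': '${hostname}'}
    ...  valid_status_codes=${valid_status_codes}


Disable Other LDAP
    [Documentation]  Disable other LDAP configuration.

    # First disable other LDAP.
    # The "other" type is whichever of LDAP / ActiveDirectory is not under test.
    ${inverse_ldap_type}=  Set Variable If  '${LDAP_TYPE}' == 'LDAP'  ActiveDirectory  LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${inverse_ldap_type}': {'ServiceEnabled': ${False}}}
    Sleep  15s


Config LDAP URL
    [Documentation]  Config LDAP URL.
    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}  ${expected_status}=${TRUE}

    # Description of argument(s):
    # ldap_server_uri  LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").
    # expected_status  Expected status of the LDAP login attempted after the
    #                  update ("True" or "False").

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}}
    Sleep  15s
    # After update, LDAP login.
    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${expected_status}]

    Redfish.Logout
    Redfish.Login


Restore LDAP URL
    [Documentation]  Restore LDAP URL.

    # Restoring the working LDAP server uri.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
    Sleep  15s


Restore AccountLockout Attributes
    [Documentation]  Restore AccountLockout Attributes.

    # NOTE(review): the calling test stores the saved properties with a plain
    # assignment.  Confirm that value is visible in this keyword (it may need
    # Set Test Variable); if this guard sees the empty suite-level dictionary,
    # nothing is restored and both lockout attributes stay at 0.
    Return From Keyword If  &{old_account_service} == &{EMPTY}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    # Write the saved threshold back to AccountLockoutThreshold (not to
    # AccountLockoutDuration), so that account lockout is enforced again.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]


Suite Setup Execution
    [Documentation]  Do suite setup tasks.

    # Fail early if any required LDAP test parameter was not supplied.
    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Valid Value  LDAP_USER
    Valid Value  LDAP_USER_PASSWORD
    Valid Value  GROUP_PRIVILEGE
    Valid Value  GROUP_NAME
    Valid Value  LDAP_SERVER_URI
    Valid Value  LDAP_BIND_DN_PASSWORD
    Valid Value  LDAP_BIND_DN
    Valid Value  LDAP_BASE_DN

    Redfish.Login
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    ${old_ldap_privilege}=  Get LDAP Privilege
    Set Suite Variable  ${old_ldap_privilege}
    Disable Other LDAP
    Create LDAP Configuration
    ${hostname}=  Redfish.Get Attribute  ${REDFISH_NW_PROTOCOL_URI}  HostName
    # Publish the value at suite scope; a plain assignment is local to this
    # keyword, which would leave the suite-level ${hostname} empty for the
    # keyword that patches HostName.
    Set Suite Variable  ${hostname}


Set Read Privilege And Check Firmware Inventory
    [Documentation]  Set read privilege and check firmware inventory.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "ReadOnly").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with read privilege is able to read inventory.
    ${resp}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
    Should Be True  ${resp.dict["Members@odata.count"]} >= ${1}
    Length Should Be  ${resp.dict["Members"]}  ${resp.dict["Members@odata.count"]}
    Redfish.Logout
    Redfish.Login


Set Read Privilege And Check Poweron
    [Documentation]  Set read privilege and power on should not be possible.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "ReadOnly").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The power-on request must be refused (401 or 403) for a read-only user.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}  valid_status_codes=[401, 403]
    Redfish.Logout
    Redfish.Login


Get LDAP Configuration
    [Documentation]  Retrieve LDAP Configuration.
    [Arguments]  ${ldap_type}

    # Description of argument(s):
    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").

    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    [Return]  ${ldap_config["${ldap_type}"]}


Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  Update LDAP configuration update with LDAP user Role and group.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege  The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name       The group name of user.

    # Build {<ldap_type>: {RemoteRoleMapping: [{LocalRole, RemoteGroup}]}}.
    ${local_role_remote_group}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
    ${remote_role_mapping}=  Create List  ${local_role_remote_group}
    ${ldap_data}=  Create Dictionary  RemoteRoleMapping=${remote_role_mapping}
    ${payload}=  Create Dictionary  ${ldap_type}=${ldap_data}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
    # Provide adequate time for LDAP daemon to restart after the update.
    Sleep  15s


Get LDAP Privilege
    [Documentation]  Get LDAP privilege and return it.

    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    ${num_list_entries}=  Get Length  ${ldap_config["RemoteRoleMapping"]}
    # No role mapping configured: return an empty list instead of a role name.
    Return From Keyword If  ${num_list_entries} == ${0}  @{EMPTY}

    [Return]  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}


Restore LDAP Privilege
    [Documentation]  Restore the LDAP privilege to its original value.

    # Nothing to restore when suite setup found no role mapping.
    Return From Keyword If  '${old_ldap_privilege}' == '${EMPTY}' or '${old_ldap_privilege}' == '[]'
    # Re-apply the privilege that was recorded during suite setup.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${old_ldap_privilege}  ${GROUP_NAME}

    Sleep  18s


Update LDAP User Role And Host Poweroff
    [Documentation]  Update LDAP user role and do host poweroff.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}  valid_status_codes=[${valid_status_code}]


Update LDAP User Role And Host Poweron
    [Documentation]  Update LDAP user role and do host poweron.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}  valid_status_codes=[${valid_status_code}]


Update LDAP User Role And Configure IP Address
    [Documentation]  Update LDAP user role and configure IP address.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Logout

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    ${test_gateway}=  Get BMC Default Gateway

    # The NoAccess variant prepares the request as the local user and sends
    # only the final PATCH as the LDAP user.
    Run Keyword If  '${group_privilege}' == 'NoAccess'
    ...  Add IP Address With NoAccess User  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}
    ...  ELSE
    ...  Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}


Update LDAP User Role And Delete IP Address
    [Documentation]  Update LDAP user role and delete IP address.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    ${test_gateway}=  Get BMC Default Gateway

    # Configure IP address before deleting via LDAP user roles.
    Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Logout

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Run Keyword If  '${group_privilege}' == 'NoAccess'
    ...  Delete IP Address With NoAccess User  ${test_ip}  ${valid_status_code}
    ...  ELSE
    ...  Delete IP Address  ${test_ip}  ${valid_status_code}


Update LDAP User Role And Read Network Configuration
    [Documentation]  Update LDAP user role and read network configuration.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Logout

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Get  ${REDFISH_NW_ETH0_URI}  valid_status_codes=[${valid_status_code}]


Add IP Address With NoAccess User
    [Documentation]  Add IP Address To BMC.
    [Arguments]  ${ip}  ${subnet_mask}  ${gateway}
    ...  ${valid_status_codes}=${HTTP_OK}

    # Description of argument(s):
    # ip                  IP address to be added (e.g. "10.7.7.7").
    # subnet_mask         Subnet mask for the IP to be added
    #                     (e.g. "255.255.0.0").
    # gateway             Gateway for the IP to be added (e.g. "10.7.7.1").
    # valid_status_codes  Expected return code from patch operation
    #                     (e.g. "200").  See prolog of rest_request
    #                     method in redfish_plus.py for details.

    # Logout from LDAP user.
    Redfish.Logout

    # Login with local user.
    Redfish.Login

    ${empty_dict}=  Create Dictionary
    ${ip_data}=  Create Dictionary  Address=${ip}
    ...  SubnetMask=${subnet_mask}  Gateway=${gateway}

    ${patch_list}=  Create List
    ${network_configurations}=  Get Network Configuration
    ${num_entries}=  Get Length  ${network_configurations}

    # One empty dictionary per existing entry, so the new address is appended
    # after the addresses already configured.
    FOR  ${INDEX}  IN RANGE  0  ${num_entries}
      Append To List  ${patch_list}  ${empty_dict}
    END

    # When success is expected, accept HTTP_NO_CONTENT as well as HTTP_OK.
    ${valid_status_codes}=  Run Keyword If  '${valid_status_codes}' == '${HTTP_OK}'
    ...  Set Variable   ${HTTP_OK},${HTTP_NO_CONTENT}
    ...  ELSE  Set Variable  ${valid_status_codes}

    # We need not check for existence of IP on BMC while adding.
    Append To List  ${patch_list}  ${ip_data}
    ${data}=  Create Dictionary  IPv4StaticAddresses=${patch_list}

    ${active_channel_config}=  Get Active Channel Config
    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}

    # Logout from local user.
    Redfish.Logout

    # Login from LDAP user and check if we can configure IP address.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
    ...  valid_status_codes=[${valid_status_codes}]


Delete IP Address With NoAccess User
    [Documentation]  Delete IP Address Of BMC.
    [Arguments]  ${ip}  ${valid_status_codes}=${HTTP_OK}

    # Description of argument(s):
    # ip                  IP address to be deleted (e.g. "10.7.7.7").
    # valid_status_codes  Expected return code from patch operation
    #                     (e.g. "200").  See prolog of rest_request
    #                     method in redfish_plus.py for details.

    # Logout from LDAP user.
    Redfish.Logout

    # Login with local user.
    Redfish.Login

    ${empty_dict}=  Create Dictionary
    ${patch_list}=  Create List

    # Put null in the slot of the address to delete and an empty dictionary
    # in every other slot.
    @{network_configurations}=  Get Network Configuration
    FOR  ${network_configuration}  IN  @{network_configurations}
      Run Keyword If  '${network_configuration['Address']}' == '${ip}'
      ...  Append To List  ${patch_list}  ${null}
      ...  ELSE  Append To List  ${patch_list}  ${empty_dict}
    END

    ${ip_found}=  Run Keyword And Return Status  List Should Contain Value
    ...  ${patch_list}  ${null}  msg=${ip} does not exist on BMC
    Pass Execution If  ${ip_found} == ${False}  ${ip} does not exist on BMC

    # Run patch command only if given IP is found on BMC
    ${data}=  Create Dictionary  IPv4StaticAddresses=${patch_list}

    ${active_channel_config}=  Get Active Channel Config
    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}

    # Logout from local user.
    Redfish.Logout

    # Login from LDAP user and check if we can delete IP address.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
    ...  valid_status_codes=[${valid_status_codes}]

    # Note: Network restart takes around 15-18s after patch request processing
    Sleep  ${NETWORK_TIMEOUT}s
    Wait For Host To Ping  ${OPENBMC_HOST}  ${NETWORK_TIMEOUT}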