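*** Settings ***
Documentation    Test Redfish LDAP user configuration.

# gen_robot_valid.py supplies 'Valid Value' (used by Suite Setup Execution and
# the login-status checks); it only needs to be imported once.
Library          ../../lib/gen_robot_valid.py
Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/bmc_network_utils.robot
Resource         ../../lib/bmc_ldap_utils.robot

Suite Setup      Suite Setup Execution
# Restore the role mapping while the default session is still open: Restore
# LDAP Privilege patches AccountService and needs an authenticated session.
Suite Teardown   Run Keywords  Restore LDAP Privilege  AND  Redfish.Logout
Test Teardown    FFDC On Test Case Fail

Force Tags       LDAP_Test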
17 
*** Variables ***
# Role mapping captured by Suite Setup Execution and re-applied by Restore
# LDAP Privilege; ${EMPTY} means there is nothing to restore.
${old_ldap_privilege}   ${EMPTY}
# AccountService properties saved by the AccountLockout test so that Restore
# AccountLockout Attributes can put the original lockout settings back.
&{old_account_service}  &{EMPTY}
# Not referenced anywhere in this file.
&{old_ldap_config}      &{EMPTY}
# Host name written back by Update LDAP Config And Verify Set Host Name.
# NOTE(review): Suite Setup Execution assigns ${hostname} without
# Set Suite Variable, so this default may be what actually gets patched — confirm.
${hostname}             ${EMPTY}
# Throw-away address/mask used by Update LDAP User Role And Configure IP Address.
${test_ip}              10.6.6.6
${test_mask}            255.255.255.0
25 
26 ** Test Cases **
27 
Verify LDAP Configuration Created
    [Tags]  Verify_LDAP_Configuration_Created
    [Documentation]  Verify that LDAP configuration created.

    Create LDAP Configuration
    # 'Get LDAP Configuration' indexes AccountService by ${LDAP_TYPE} and so
    # fails when no such configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    # Give the LDAP service time to pick up the new configuration.
    Sleep  10s
    # A successful LDAP user login proves the configuration is usable; then
    # return to the default session.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login
39 
40 
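Verify LDAP Service Disable
    [Documentation]  Verify that LDAP is disabled and that LDAP user cannot
    ...  login.
    [Tags]  Verify_LDAP_Service_Disable
    # Re-enable the service from the teardown so that a failed assertion
    # cannot leave LDAP switched off for the rest of the suite.  [Teardown]
    # replaces the suite-level Test Teardown, so FFDC collection is kept here.
    [Teardown]  Run Keywords  FFDC On Test Case Fail
    ...  AND  Redfish.Logout  AND  Redfish.Login
    ...  AND  Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
    # Allow the LDAP service to apply the change before probing it.
    Sleep  15s
    ${login_status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${login_status}  ${False}
    ...  msg=LDAP user was able to login even though the LDAP service was disabled.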
60 
61 
Verify LDAP Login With ServiceEnabled
    [Tags]  Verify_LDAP_Login_With_ServiceEnabled
    [Documentation]  Verify that LDAP Login with ServiceEnabled.

    # Switch the other LDAP type off before enabling ${LDAP_TYPE}.
    Disable Other LDAP
    # Actual service enablement.
    ${body}=  Catenate  {'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    # After update, the LDAP user must be able to log in; then return to the
    # default session.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login
75 
76 
Verify LDAP Login With Correct AuthenticationType
    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType
    [Documentation]  Verify that LDAP Login with right AuthenticationType.

    ${body}=  Catenate  {'${LDAP_TYPE}': {'Authentication':
    ...  {'AuthenticationType':'UsernameAndPassword'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    # After update, the LDAP user must still be able to log in; then return
    # to the default session.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login
88 
89 
Verify LDAP Config Update With Incorrect AuthenticationType
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_AuthenticationType
    [Documentation]  Verify that invalid AuthenticationType is not updated.

    # The BMC is expected to reject an unsupported AuthenticationType with
    # a 400 rather than store it.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}
    ...  valid_status_codes=[400]
98 
99 
Verify LDAP Login With Correct LDAP URL
    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL
    [Documentation]  Verify LDAP Login with right LDAP URL.

    # A reachable server URI: the LDAP user login is expected to succeed.
    Config LDAP URL  ${LDAP_SERVER_URI}  ${TRUE}
105 
106 
Verify LDAP Config Update With Incorrect LDAP URL
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
    [Documentation]  Verify that LDAP Login fails with invalid LDAP URL.
    # Put the working server URI back whatever the outcome.
    [Teardown]  Run Keywords  Restore LDAP URL  AND  FFDC On Test Case Fail

    # An address no LDAP server answers on: the login is expected to fail.
    Config LDAP URL  ldap://1.2.3.4/  ${FALSE}
114 
Verify LDAP Configuration Exist
    [Tags]  Verify_LDAP_Configuration_Exist
    [Documentation]  Verify that LDAP configuration is available.

    # default=${EMPTY} turns a missing ${LDAP_TYPE} entry into an empty value
    # instead of an exception, so the assertion below carries the message.
    ${ldap_config}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService  ${LDAP_TYPE}
    ...  default=${EMPTY}
    Should Not Be Empty  ${ldap_config}  msg=LDAP configuration is not defined.
122 
123 
Verify LDAP User Login
    [Tags]  Verify_LDAP_User_Login
    [Documentation]  Verify that LDAP user able to login into BMC.

    # Log in as the LDAP user, then hand the session back to the default user.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login
131 
132 
Verify LDAP Service Available
    [Tags]  Verify_LDAP_Service_Available
    [Documentation]  Verify that LDAP service is available.

    # Assigning the configuration to a list variable yields its keys, so the
    # check below is for the presence of the LDAPService property.
    @{ldap_config_keys}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Contain  ${ldap_config_keys}  LDAPService  msg=LDAPService is not available.
140 
141 
Verify LDAP Login Works After BMC Reboot
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot
    [Documentation]  Verify that LDAP login works after BMC reboot.

    Redfish OBMC Reboot (off)
    # The LDAP configuration must survive the reboot: log in as the LDAP
    # user, then hand the session back to the default user.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login
150 
151 
Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot
    [Documentation]  Verify that LDAP user with administrator privilege able to do BMC reboot.

    # NOTE(review): the role applied here is ${GROUP_PRIVILEGE} from the
    # environment, not the literal "Administrator" the test name implies —
    # confirm the suite is run with GROUP_PRIVILEGE=Administrator.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # With LDAP user and with right privilege trying to do BMC reboot.
    Redfish OBMC Reboot (off)
    # The reboot invalidates the session; log in again as the LDAP user
    # before handing the session back to the default user.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login
165 
166 
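Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Verify that LDAP user with operator privilege can do host
    ...  power off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    # [Teardown] replaces the suite-level Test Teardown, so FFDC is named here.
    # The default session is re-established before Restore LDAP Privilege,
    # which patches AccountService: after a failed step the LDAP Operator
    # session would still be the active one and may not be allowed to do that.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Redfish.Logout
    ...  AND  Redfish.Login  AND  Restore LDAP Privilege

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Operator  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with operator privilege is able to power the system off.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[${HTTP_OK}]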
182 
183 
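Verify AccountLockout Attributes Set To Zero By LDAP User
    [Documentation]  Verify that attribute AccountLockoutDuration and
    ...  AccountLockoutThreshold are set to 0 by LDAP user.
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero_By_LDAP_User
    # An AccountLockoutThreshold of 0 turns account lockout off, so the saved
    # values are put back by the teardown regardless of the outcome.
    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
    ...  FFDC On Test Case Fail

    # Saved for the teardown; Restore AccountLockout Attributes reads it.
    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    Rprint Vars  old_account_service

    # Map the LDAP group to Administrator so the LDAP user may patch
    # AccountService.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Administrator  ${GROUP_NAME}

    # Drop the default session and continue as the LDAP user.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # Set Account Lockout attributes using LDAP user.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]

    # Read the properties back: a 200 on the patch alone does not prove the
    # values were applied.
    ${account_service}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    Should Be Equal As Integers  ${account_service['AccountLockoutDuration']}  0
    ...  msg=AccountLockoutDuration was not set to 0.
    Should Be Equal As Integers  ${account_service['AccountLockoutThreshold']}  0
    ...  msg=AccountLockoutThreshold was not set to 0.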
210 
211 
Verify LDAP User With Read Privilege Able To Check Inventory
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Documentation]  Verify that LDAP user with read privilege able to
    ...  read firmware inventory.
    [Template]  Set Read Privilege And Check Firmware Inventory
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege

    # read_privilege
    ReadOnly
220 
221 
Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Documentation]  Verify that LDAP user with read privilege should not be
    ...  allowed to power on the host.
    [Template]  Set Read Privilege And Check Poweron
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege

    # read_privilege
    ReadOnly
230 
231 
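Update LDAP Group Name And Verify Operations
    [Documentation]  Verify that LDAP group name update and able to do right
    ...  operations.
    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
    [Template]  Update LDAP Config And Verify Set Host Name
    # [Teardown] replaces the suite-level Test Teardown, so FFDC collection is
    # named here explicitly next to the privilege restore.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege

    # A wrong group name must be refused for every role, and a real group
    # name must only be accepted for the roles allowed to change HostName.
    # group_name             group_privilege  valid_status_codes
    ${GROUP_NAME}            Administrator    [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    ${GROUP_NAME}            Operator         [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    ${GROUP_NAME}            ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    ${GROUP_NAME}            NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]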
248 
249 
Verify LDAP BaseDN Update And LDAP Login
    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login
    [Documentation]  Update LDAP BaseDN of LDAP configuration and verify
    ...  that LDAP login works.

    # Re-apply the configured base DN through the SearchSettings sub-object.
    ${body}=  Catenate
    ...  {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings':
    ...  {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    Redfish Verify LDAP Login
261 
262 
Verify LDAP BindDN Update And LDAP Login
    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login
    [Documentation]  Update LDAP BindDN of LDAP configuration and verify
    ...  that LDAP login works.

    # The bind DN is the 'Username' of the Authentication sub-object.
    ${body}=  Catenate
    ...  {'${LDAP_TYPE}': { 'Authentication':
    ...  {'AuthenticationType':'UsernameAndPassword', 'Username':
    ...  '${LDAP_BIND_DN}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    Redfish Verify LDAP Login
274 
275 
Verify LDAP BindDN Password Update And LDAP Login
    [Tags]  Verify_LDAP_BindDN_Password_Update_And_LDAP_Login
    [Documentation]  Update LDAP BindDN password of LDAP configuration and
    ...  verify that LDAP login works.

    # NOTE(review): ${body} carries the bind password in clear text and, as a
    # keyword argument, is written to the Robot log/output; consider lowering
    # the log level around this step if those artifacts are shared.
    ${body}=  Catenate
    ...  {'${LDAP_TYPE}': { 'Authentication':
    ...  {'AuthenticationType':'UsernameAndPassword', 'Password':
    ...  '${LDAP_BIND_DN_PASSWORD}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    Redfish Verify LDAP Login
288 
289 
Verify LDAP Type Update And LDAP Login
    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login
    [Documentation]  Update LDAP type of LDAP configuration and verify
    ...  that LDAP login works.

    # Turn the other type off, then (re-)enable ${LDAP_TYPE}.
    Disable Other LDAP
    ${body}=  Catenate  {'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    Redfish Verify LDAP Login
300 
301 
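Verify LDAP Authorization With Null Privilege
    [Documentation]  Verify the failure of LDAP authorization with empty
    ...  privilege.
    [Tags]  Verify_LDAP_Authorization_With_Null_Privilege
    # [Teardown] replaces the suite-level Test Teardown, so FFDC is named here.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege

    # An empty LocalRole must not grant the right to change HostName.
    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}  ${EMPTY}
    ...  [${HTTP_FORBIDDEN}]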
310 
311 
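Verify LDAP Authorization With Invalid Privilege
    [Documentation]  Verify that LDAP user authorization with wrong privilege
    ...  fails.
    [Tags]  Verify_LDAP_Authorization_With_Invalid_Privilege
    # [Teardown] replaces the suite-level Test Teardown, so FFDC is named here.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege

    # An unknown LocalRole must not grant the right to change HostName.
    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}
    ...  Invalid_Privilege  [${HTTP_FORBIDDEN}]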
320 
321 
Verify LDAP Login With Invalid Data
    [Tags]  Verify_LDAP_Login_With_Invalid_Data
    [Documentation]  Verify that LDAP login with Invalid LDAP data and
    ...  right LDAP user fails.
    # Put the working configuration back whatever the outcome.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Create LDAP Configuration

    # NOTE(review): LDAP_BIND_DN_PASSWORD is passed as a literal string here,
    # not as ${LDAP_BIND_DN_PASSWORD}; presumably deliberate since the server
    # URI is invalid anyway — confirm.
    Create LDAP Configuration  ${LDAP_TYPE}
    ...  Invalid_LDAP_Server_URI  Invalid_LDAP_BIND_DN
    ...  LDAP_BIND_DN_PASSWORD  Invalid_LDAP_BASE_DN
    Sleep  15s
    # Login is expected to fail.
    Redfish Verify LDAP Login  ${False}
334 
335 
Verify LDAP Config Creation Without BASE_DN
    [Tags]  Verify_LDAP_Config_Creation_Without_BASE_DN
    [Documentation]  Verify that LDAP login with LDAP configuration
    ...  created without BASE_DN fails.
    # Put the working configuration back whatever the outcome.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Create LDAP Configuration

    # Empty base DN as the last argument.
    Create LDAP Configuration  ${LDAP_TYPE}
    ...  Invalid_LDAP_Server_URI  Invalid_LDAP_BIND_DN
    ...  LDAP_BIND_DN_PASSWORD  ${EMPTY}
    Sleep  15s
    # Login is expected to fail.
    Redfish Verify LDAP Login  ${False}
347 
348 
Verify LDAP Authentication Without Password
    [Tags]  Verify_LDAP_Authentication_Without_Password
    [Documentation]  Verify that LDAP user authentication without LDAP
    ...  user password fails.
    # Return to the default session whatever the outcome.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # NOTE(review): only the user name is passed; what Redfish.Login
    # substitutes for the missing password is not visible here — confirm it
    # does not fall back to a configured default password.
    ${login_status}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}
    Valid Value  login_status  [${False}]
357 
358 
Verify LDAP Login With Invalid BASE_DN
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN
    [Documentation]  Verify that LDAP login with invalid BASE_DN and
    ...  valid LDAP user fails.
    # Put the working configuration back whatever the outcome.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Create LDAP Configuration

    # Valid server, bind DN and password; only the base DN is wrong.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}  ${LDAP_BIND_DN}
    ...  ${LDAP_BIND_DN_PASSWORD}  Invalid_LDAP_BASE_DN
    Sleep  15s
    # Login is expected to fail.
    Redfish Verify LDAP Login  ${False}
370 
371 
Verify LDAP Login With Invalid BIND_DN_PASSWORD
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD
    [Documentation]  Verify that LDAP login with invalid BIND_DN_PASSWORD and
    ...  valid LDAP user fails.
    # Put the working configuration back whatever the outcome.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Create LDAP Configuration

    # Valid server, bind DN and base DN; only the bind password is wrong.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}  ${LDAP_BIND_DN}
    ...  INVALID_LDAP_BIND_DN_PASSWORD  ${LDAP_BASE_DN}
    Sleep  15s
    # Login is expected to fail.
    Redfish Verify LDAP Login  ${False}
383 
384 
Verify LDAP Login With Invalid BASE_DN And Invalid BIND_DN
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN
    [Documentation]  Verify that LDAP login with invalid BASE_DN and invalid
    ...  BIND_DN and valid LDAP user fails.
    # Put the working configuration back whatever the outcome.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Create LDAP Configuration

    # Valid server and bind password; both DNs are wrong.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}  INVALID_LDAP_BIND_DN
    ...  ${LDAP_BIND_DN_PASSWORD}  INVALID_LDAP_BASE_DN
    Sleep  15s
    # Login is expected to fail.
    Redfish Verify LDAP Login  ${False}
396 
397 
Verify Group Name And Group Privilege Able To Modify
    [Tags]  Verify_Group_Name_And_Group_Privilege_Able_To_Modify
    [Documentation]  Verify that LDAP group name and group privilege able to
    ...  modify.
    # Start from an Operator mapping so the body performs a real change.
    [Setup]  Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  Operator  ${GROUP_NAME}

    # NOTE(review): no teardown restores the mapping, so the group is left as
    # Administrator for following tests — confirm that is intended.
    Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  Administrator  ${GROUP_NAME}
407 
408 
Verify LDAP Login With Invalid BIND_DN
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN
    [Documentation]  Verify that LDAP login with invalid BIND_DN and
    ...  valid LDAP user fails.
    # Put the working configuration back whatever the outcome.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Create LDAP Configuration

    # Valid server, bind password and base DN; only the bind DN is wrong.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}  Invalid_LDAP_BIND_DN
    ...  ${LDAP_BIND_DN_PASSWORD}  ${LDAP_BASE_DN}
    Sleep  15s
    # Login is expected to fail.
    Redfish Verify LDAP Login  ${False}
420 
421 
Verify LDAP Authentication With Invalid LDAP User
    [Tags]  Verify_LDAP_Authentication_With_Invalid_LDAP_User
    [Documentation]  Verify that LDAP user authentication for user not exist
    ...  in LDAP server and fails.
    # Return to the default session whatever the outcome.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # A user name the directory does not know, with the real LDAP password.
    ${login_status}=  Run Keyword And Return Status
    ...  Redfish.Login  INVALID_LDAP_USER  ${LDAP_USER_PASSWORD}
    Valid Value  login_status  [${False}]
431 
432 
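Update LDAP User Roles And Verify Host Poweroff Operation
    [Documentation]  Update LDAP user roles and verify host poweroff operation.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation
    # [Teardown] replaces the suite-level Test Teardown, so FFDC is named here.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Host Poweroff
    # ldap_type   group_privilege  group_name     valid_status_codes

    # Verify LDAP user with NoAccess privilege not able to do host poweroff.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with ReadOnly privilege not able to do host poweroff.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege able to do host poweroff.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with Administrator privilege able to do host poweroff.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}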
452 
453 
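Update LDAP User Roles And Verify Host Poweron Operation
    [Documentation]  Update LDAP user roles and verify host poweron operation.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation
    # [Teardown] replaces the suite-level Test Teardown, so FFDC is named here.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Host Poweron
    # ldap_type   group_privilege  group_name     valid_status_codes

    # Verify LDAP user with NoAccess privilege not able to do host poweron.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with ReadOnly privilege not able to do host poweron.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege able to do host poweron.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with Administrator privilege able to do host poweron.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}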
473 
474 
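Configure IP Address Via Different User Roles And Verify
    [Documentation]  Configure IP address via different user roles and verify.
    [Tags]  Configure_IP_Address_Via_Different_User_Roles_And_Verify
    # [Teardown] replaces the suite-level Test Teardown, so FFDC is named here.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Configure IP Address
    # ldap_type   group_privilege  group_name     valid_status_code

    # Verify LDAP user with Administrator privilege is able to configure IP address.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with ReadOnly privilege is forbidden to configure IP address.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with NoAccess privilege is forbidden to configure IP address.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege is able to configure IP address.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}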
492 
493 
Delete IP Address Via Different User Roles And Verify
    [Tags]  Delete_IP_Address_Via_Different_User_Roles_And_Verify
    [Documentation]  Delete IP address via different user roles and verify.
    [Template]  Update LDAP User Role And Delete IP Address
    [Teardown]  Run Keywords  Restore LDAP Privilege  AND  FFDC On Test Case Fail

    # ldap_type   group_privilege  group_name     valid_status_code
    # Administrator and Operator may delete the address; ReadOnly and
    # NoAccess must be refused.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
511 
512 
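Read Network Configuration Via Different User Roles And Verify
    [Documentation]  Read network configuration via different user roles and verify.
    [Tags]  Read_Network_Configuration_Via_Different_User_Roles_And_Verify
    # [Teardown] replaces the suite-level Test Teardown, so FFDC is named here.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Read Network Configuration
    # ldap_type   group_privilege  group_name     valid_status_code
    # Every role except NoAccess may read the network configuration.
    ${LDAP_TYPE}  Administrator  ${GROUP_NAME}  ${HTTP_OK}

    ${LDAP_TYPE}  ReadOnly       ${GROUP_NAME}  ${HTTP_OK}

    ${LDAP_TYPE}  NoAccess       ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    ${LDAP_TYPE}  Operator       ${GROUP_NAME}  ${HTTP_OK}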
526 
527 
528 *** Keywords ***
529 
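Redfish Verify LDAP Login
    [Documentation]  LDAP user log into BMC.
    [Arguments]  ${valid_status}=${True}
    # Restore the default session even when the status check fails; a plain
    # Logout/Login at the end of the body is skipped on failure.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # valid_status  Expected status of LDAP login ("True" or "False").

    # According to our repo coding rules, Redfish.Login is to be done in Suite
    # Setup and Redfish.Logout is to be done in Suite Teardown.  For any
    # deviation from this rule (such as in this keyword), the deviant code
    # must take steps to restore us to our original logged-in state.

    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${valid_status}]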
547 
548 
Update LDAP Config And Verify Set Host Name
    [Documentation]  Update LDAP config and verify by attempting to set host name.
    [Arguments]  ${group_name}  ${group_privilege}=Administrator
    ...  ${valid_status_codes}=[${HTTP_OK}]
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # group_name          The group name of user.
    # group_privilege     The local role mapped to the group.  Callers in this
    #                     suite pass "Administrator", "Operator", "ReadOnly",
    #                     "NoAccess", "Invalid_Privilege" or an empty value.
    # valid_status_codes  Expected return code(s) from the patch operation
    #                     (e.g. "[200]") used to update HostName.  See prolog
    #                     of rest_request method in redfish_plut.py for details.

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${group_privilege}  ${group_name}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user in ${group_name} with the given privilege is
    # allowed to change the hostname.
    # NOTE(review): Suite Setup Execution assigns ${hostname} without
    # Set Suite Variable, so the ${EMPTY} default from the Variables table may
    # be what is written here — confirm.
    ${body}=  Catenate  {'HostName': '${hostname}'}
    Redfish.Patch  ${REDFISH_NW_ETH0_URI}  body=${body}
    ...  valid_status_codes=${valid_status_codes}
570 
571 
Disable Other LDAP
    [Documentation]  Disable other LDAP configuration.

    # The type not under test: ActiveDirectory when testing LDAP, else LDAP.
    ${other_ldap_type}=  Set Variable If  '${LDAP_TYPE}' == 'LDAP'
    ...  ActiveDirectory  LDAP
    ${body}=  Catenate  {'${other_ldap_type}': {'ServiceEnabled': ${False}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    # Allow the LDAP service to settle after the change.
    Sleep  15s
580 
581 
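Config LDAP URL
    [Documentation]  Config LDAP URL and check the LDAP user login outcome.
    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}  ${expected_status}=${TRUE}
    # Return to the default session even when the status check below fails.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_server_uri  LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").
    # expected_status  Expected result of the LDAP user login after the
    #                  update: "True" for a working URI, "False" for an
    #                  unreachable or invalid one.

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}}
    Sleep  15s
    # After update, LDAP login.
    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${expected_status}]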
598 
599 
Restore LDAP URL
    [Documentation]  Restore LDAP URL.

    # Restoring the working LDAP server uri.
    ${body}=  Catenate  {'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    # Allow the LDAP service to settle after the change.
    Sleep  15s
607 
608 
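Restore AccountLockout Attributes
    [Documentation]  Restore AccountLockout Attributes.

    # Nothing to restore unless the calling test saved the original values.
    # NOTE(review): the condition uses &{} syntax inside an evaluated
    # expression — confirm it resolves as intended.
    Return From Keyword If  &{old_account_service} == &{EMPTY}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    # This must target AccountLockoutThreshold; writing the threshold value
    # into AccountLockoutDuration would leave the threshold at 0, i.e. account
    # lockout switched off after the test.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]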
617 
618 
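Suite Setup Execution
    [Documentation]  Do suite setup tasks.

    # Fail early on missing or malformed input variables.
    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Valid Value  LDAP_USER
    Valid Value  LDAP_USER_PASSWORD
    Valid Value  GROUP_PRIVILEGE
    Valid Value  GROUP_NAME
    Valid Value  LDAP_SERVER_URI
    Valid Value  LDAP_BIND_DN_PASSWORD
    Valid Value  LDAP_BIND_DN
    Valid Value  LDAP_BASE_DN

    Redfish.Login
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    # Remember the current role mapping so Restore LDAP Privilege can put it back.
    ${old_ldap_privilege}=  Get LDAP Privilege
    Set Suite Variable  ${old_ldap_privilege}
    Disable Other LDAP
    Create LDAP Configuration
    # Remember the host name for Update LDAP Config And Verify Set Host Name.
    # Without Set Suite Variable the assignment stays local to this keyword
    # and the tests would patch HostName with the ${EMPTY} default.
    ${hostname}=  Redfish.Get Attribute  ${REDFISH_NW_PROTOCOL_URI}  HostName
    Set Suite Variable  ${hostname}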
640 
641 
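Set Read Privilege And Check Firmware Inventory
    [Documentation]  Set read privilege and check firmware inventory.
    [Arguments]  ${read_privilege}
    # Return to the default session even if one of the checks fails.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # read_privilege  The read-only privilege role (e.g. "ReadOnly").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with read privilege is able to read inventory.
    # The URI is built from ${REDFISH_BASE_URI} like the other requests here.
    ${resp}=  Redfish.Get  ${REDFISH_BASE_URI}UpdateService/FirmwareInventory
    # A readable collection has at least one member and the count matches it.
    Should Be True  ${resp.dict["Members@odata.count"]} >= ${1}
    Length Should Be  ${resp.dict["Members"]}  ${resp.dict["Members@odata.count"]}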
659 
660 
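Set Read Privilege And Check Poweron
    [Documentation]  Set read privilege and power on should not be possible.
    [Arguments]  ${read_privilege}
    # Return to the default session even if the status check fails.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # read_privilege  The read-only privilege role (e.g. "ReadOnly").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The read-only user must be refused; either an authentication or an
    # authorization failure is accepted, as in the other role tables here.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}   valid_status_codes=[${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]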
675 
676 
Get LDAP Configuration
    [Documentation]  Retrieve LDAP Configuration.
    [Arguments]   ${ldap_type}

    # Description of argument(s):
    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").

    # Indexing by ${ldap_type} fails when AccountService has no such entry.
    ${account_service}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    ${ldap_config}=  Set Variable  ${account_service["${ldap_type}"]}
    [Return]  ${ldap_config}
686 
687 
Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  Update LDAP configuration update with LDAP user Role and group.
    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege  The local role mapped to the group; this suite uses
    #                  "Administrator", "Operator", "ReadOnly" and "NoAccess".
    # group_name       The remote LDAP group name.

    # Build {'<ldap_type>': {'RemoteRoleMapping': [{'LocalRole': <role>,
    # 'RemoteGroup': <group>}]}} as nested dictionaries.
    ${mapping}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
    ${mappings}=  Create List  ${mapping}
    ${ldap_data}=  Create Dictionary  RemoteRoleMapping=${mappings}
    ${payload}=  Create Dictionary  ${ldap_type}=${ldap_data}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
    # Provide adequate time for LDAP daemon to restart after the update.
    Sleep  15s
704 
705 
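Get LDAP Privilege
    [Documentation]  Get LDAP privilege and return it.

    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    ${num_list_entries}=  Get Length  ${ldap_config["RemoteRoleMapping"]}
    # With no role mapping return an empty string, which is the value Restore
    # LDAP Privilege recognises as "nothing to restore".  Returning @{EMPTY}
    # here expanded to no return value at all (None), which matched neither
    # of that keyword's checks.
    Return From Keyword If  ${num_list_entries} == ${0}  ${EMPTY}

    # Only the first mapping's local role is reported.
    [Return]  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}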
714 
715 
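Restore LDAP Privilege
    [Documentation]  Restore the LDAP privilege to its original value.

    # Skip when Suite Setup Execution found no role mapping to put back.  The
    # 'None' case covers Get LDAP Privilege returning no value at all, which
    # previously fell through and patched LocalRole with "None".
    Return From Keyword If
    ...  '${old_ldap_privilege}' in ['${EMPTY}', '[]', 'None']
    # Re-apply the saved local role for the configured group.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${old_ldap_privilege}  ${GROUP_NAME}

    # The update keyword already waits 15s; allow a little extra before the
    # next test logs in as the LDAP user.
    Sleep  18s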
725 
726 
Update LDAP User Role And Host Poweroff
    [Documentation]  Update LDAP user role and do host poweroff.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
    # Hand the session back to the default user whatever the outcome.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The status code the power-off request is expected to return.

    Update LDAP Configuration with LDAP User Role And Group
    ...  ${ldap_type}  ${group_privilege}  ${group_name}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Attempt a forced power-off as the LDAP user and check the response code.
    ${body}=  Catenate  {'ResetType': 'ForceOff'}
    Redfish.Post  ${REDFISH_POWER_URI}  body=${body}
    ...  valid_status_codes=[${valid_status_code}]
745 
746 
Update LDAP User Role And Host Poweron
    [Documentation]  Update LDAP user role and do host poweron.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
    # Hand the session back to the default user whatever the outcome.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The status code the power-on request is expected to return.

    Update LDAP Configuration with LDAP User Role And Group
    ...  ${ldap_type}  ${group_privilege}  ${group_name}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Attempt a power-on as the LDAP user and check the response code.
    ${body}=  Catenate  {'ResetType': 'On'}
    Redfish.Post  ${REDFISH_POWER_URI}  body=${body}
    ...  valid_status_codes=[${valid_status_code}]
765 
766 
Update LDAP User Role And Configure IP Address
    [Documentation]  Map the LDAP group to the given role, then try to add a
    ...  static IP address as the LDAP user and expect the given status code.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    # Return to the default login and remove the test address afterwards,
    # whether or not the add attempt was accepted.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code (default ${HTTP_OK});
    #                    callers expecting a denial pass that code instead.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    # Switch from the current session to the LDAP user before the write attempt.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    ${test_gateway}=  Get BMC Default Gateway

    # A NoAccess role goes through the dedicated keyword, which assembles the
    # request under the local login and only performs the PATCH as the LDAP user.
    ${add_keyword}=  Set Variable If  '${group_privilege}' == 'NoAccess'
    ...  Add IP Address With NoAccess User  Add IP Address
    Run Keyword  ${add_keyword}  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}
791 
792 
Update LDAP User Role And Delete IP Address
    [Documentation]  Add a static IP address as the current user, map the LDAP
    ...  group to the given role, then try to delete that address as the LDAP
    ...  user and expect the given status code.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    # Return to the default login and clean up the test address afterwards,
    # whether or not the delete attempt was accepted.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code (default ${HTTP_OK});
    #                    callers expecting a denial pass that code instead.

    ${test_gateway}=  Get BMC Default Gateway

    # Configure IP address before deleting via LDAP user roles.
    Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    # Switch from the current session to the LDAP user before the delete attempt.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # A NoAccess role goes through the dedicated keyword, which assembles the
    # request under the local login and only performs the PATCH as the LDAP user.
    ${delete_keyword}=  Set Variable If  '${group_privilege}' == 'NoAccess'
    ...  Delete IP Address With NoAccess User  Delete IP Address
    Run Keyword  ${delete_keyword}  ${test_ip}  ${valid_status_code}
820 
821 
Update LDAP User Role And Read Network Configuration
    [Documentation]  Map the LDAP group to the given role, then read the eth0
    ...  network configuration as the LDAP user and expect the given status
    ...  code.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    # Drop the LDAP-user session and return to the default login afterwards.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code (default ${HTTP_OK});
    #                    callers expecting a denial pass that code instead.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    # Close the current session before logging in as the LDAP user so the GET
    # below is made with the freshly mapped role.
    Redfish.Logout

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Read access check for this role: only the status code is asserted.
    Redfish.Get  ${REDFISH_NW_ETH0_URI}  valid_status_codes=[${valid_status_code}]
840 
841 
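Add IP Address With NoAccess User
    [Documentation]  Attempt to add a static IP address as the LDAP user and
    ...  check the PATCH response against the expected status code(s).  The
    ...  request body is assembled under the local login so that the LDAP
    ...  session is used only for the write being tested.
    [Arguments]  ${ip}  ${subnet_mask}  ${gateway}
    ...  ${valid_status_codes}=${HTTP_OK}

    # Description of argument(s):
    # ip                  IP address to be added (e.g. "10.7.7.7").
    # subnet_mask         Subnet mask for the IP to be added
    #                     (e.g. "255.255.0.0").
    # gateway             Gateway for the IP to be added (e.g. "10.7.7.1").
    # valid_status_codes  Expected return code from patch operation
    #                     (e.g. "200").  See prolog of rest_request
    #                     method in redfish_plus.py for details.  Callers
    #                     testing a role that must be refused pass the
    #                     rejection code they expect from the BMC.

    # Logout from LDAP user.
    Redfish.Logout

    # Login with local user.
    Redfish.Login

    ${empty_dict}=  Create Dictionary
    ${ip_data}=  Create Dictionary  Address=${ip}
    ...  SubnetMask=${subnet_mask}  Gateway=${gateway}

    # Build the IPv4StaticAddresses PATCH array: one {} per existing entry
    # (Redfish array PATCH semantics: {} keeps an entry unchanged), then the
    # new address appended at the end.
    ${patch_list}=  Create List
    ${network_configurations}=  Get Network Configuration
    ${num_entries}=  Get Length  ${network_configurations}

    FOR  ${_}  IN RANGE  ${num_entries}
        Append To List  ${patch_list}  ${empty_dict}
    END

    # With the default expectation, accept either ${HTTP_OK} or
    # ${HTTP_NO_CONTENT} for the PATCH; an explicit expectation is used as-is.
    ${valid_status_codes}=  Run Keyword If  '${valid_status_codes}' == '${HTTP_OK}'
    ...  Set Variable   ${HTTP_OK},${HTTP_NO_CONTENT}
    ...  ELSE  Set Variable  ${valid_status_codes}

    # We need not check for existence of IP on BMC while adding.
    Append To List  ${patch_list}  ${ip_data}
    ${data}=  Create Dictionary  IPv4StaticAddresses=${patch_list}

    ${active_channel_config}=  Get Active Channel Config
    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}

    # Logout from local user.
    Redfish.Logout

    # Login from LDAP user and check if we can configure IP address.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # The status code check is the authorization assertion for this role.
    Redfish.Patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
    ...  valid_status_codes=[${valid_status_codes}]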
893 
894 
Delete IP Address With NoAccess User
    [Documentation]  Attempt to delete a static IP address as the LDAP user
    ...  and check the PATCH response against the expected status code(s).
    ...  The request body is assembled under the local login; the keyword
    ...  passes without sending a request when the address is not configured.
    [Arguments]  ${ip}  ${valid_status_codes}=${HTTP_OK}

    # Description of argument(s):
    # ip                  IP address to be deleted (e.g. "10.7.7.7").
    # valid_status_codes  Expected return code from patch operation
    #                     (e.g. "200").  See prolog of rest_request
    #                     method in redfish_plus.py for details.

    # Switch from the LDAP user to the local user to read the current config.
    Redfish.Logout
    Redfish.Login

    ${keep_entry}=  Create Dictionary
    ${patch_list}=  Create List

    # Build the IPv4StaticAddresses PATCH array: null for the entry being
    # deleted, {} for every entry that must stay as it is.
    @{network_configurations}=  Get Network Configuration
    FOR  ${network_configuration}  IN  @{network_configurations}
        ${entry}=  Set Variable If  '${network_configuration['Address']}' == '${ip}'
        ...  ${null}  ${keep_entry}
        Append To List  ${patch_list}  ${entry}
    END

    # NOTE(review): a missing address passes the keyword rather than failing
    # it, so a caller whose setup did not manage to add the IP gets a vacuous
    # pass; the authorization check below is then never exercised.
    ${ip_found}=  Run Keyword And Return Status  List Should Contain Value
    ...  ${patch_list}  ${null}  msg=${ip} does not exist on BMC
    Pass Execution If  ${ip_found} == ${False}  ${ip} does not exist on BMC

    # Run patch command only if given IP is found on BMC
    ${data}=  Create Dictionary  IPv4StaticAddresses=${patch_list}

    ${active_channel_config}=  Get Active Channel Config
    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}

    # Back to the LDAP user for the write being tested.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # The status code check is the authorization assertion for this role.
    Redfish.Patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
    ...  valid_status_codes=[${valid_status_codes}]

    # Note: Network restart takes around 15-18s after patch request processing
    Sleep  ${NETWORK_TIMEOUT}s
    Wait For Host To Ping  ${OPENBMC_HOST}  ${NETWORK_TIMEOUT}
943