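*** Settings ***
Documentation    Test Redfish LDAP user configuration.

# gen_robot_valid.py provides the 'Valid Value' checks used in suite setup;
# it was imported twice in the original file, once is enough.
Library          ../../lib/gen_robot_valid.py
Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot

Suite Setup      Suite Setup Execution
Suite Teardown   Run Keywords  Restore LDAP Privilege  AND  Redfish.Logout
Test Teardown    FFDC On Test Case Fail

Force Tags       LDAP_Test

*** Variables ***
# Intended to hold the LDAP role-mapping privilege found at suite start so
# that 'Restore LDAP Privilege' can put it back; ${EMPTY} means "nothing to
# restore".
${old_ldap_privilege}  ${EMPTY}
# AccountService properties saved before the AccountLockout test zeroes them.
&{old_account_service}  &{EMPTY}
# Not referenced anywhere in this file.
&{old_ldap_config}  &{EMPTY}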
20
21** Test Cases **
22
Verify LDAP Configuration Created
    [Documentation]  Verify LDAP configuration created.
    [Tags]  Verify_LDAP_Configuration_Created

    Create LDAP Configuration
    # 'Get LDAP Configuration' indexes AccountService by '${LDAP_TYPE}' and
    # fails if that entry is missing, which is the existence check here.
    Get LDAP Configuration  ${LDAP_TYPE}
    Sleep  10s
    # The LDAP user must be able to log in; the helper then restores the
    # default session.
    Redfish Verify LDAP Login
34
35
Verify LDAP Service Disable
    [Documentation]  Verify LDAP is disabled and that LDAP user cannot login.
    [Tags]  Verify_LDAP_Service_Disable

    # Turn the LDAP service off and give the BMC time to apply the change.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
    Sleep  15s
    # A disabled directory service must reject the directory user's
    # credentials; capture the login outcome instead of letting it raise.
    ${login_status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${login_status}  ${False}  msg=LDAP user was able to login even though the LDAP service was disabled.
    Redfish.Logout
    Redfish.Login
    # Enabling LDAP so that LDAP user works.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Redfish.Logout
    Redfish.Login
53
54
Verify LDAP Login With ServiceEnabled
    [Documentation]  Verify LDAP Login with ServiceEnabled.
    [Tags]  Verify_LDAP_Login_With_ServiceEnabled

    # Make sure the other directory type is off before enabling this one.
    Disable Other LDAP
    # Actual service enablement.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    # After update, the LDAP user must be able to log in.
    Redfish Verify LDAP Login
68
69
Verify LDAP Login With Correct AuthenticationType
    [Documentation]  Verify LDAP Login with right AuthenticationType.
    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType

    # Set the supported authentication type (variable names are
    # case-insensitive in Robot, so this is the suite's ${LDAP_TYPE}).
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
    Sleep  15s
    # After update, the LDAP user must still be able to log in.
    Redfish Verify LDAP Login
81
82
Verify LDAP Config Update With Incorrect AuthenticationType
    [Documentation]  Verify invalid AuthenticationType is not updated.
    [Tags]  Verify_LDAP_Update_With_Incorrect_AuthenticationType

    # The BMC must reject an unsupported authentication type with 400 rather
    # than silently accepting it.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}
    ...  valid_status_codes=[400]
89
90
Verify LDAP Login With Correct LDAP URL
    [Documentation]  Verify LDAP Login with right LDAP URL.
    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL

    # 'Config LDAP URL' patches ServiceAddresses and then logs in as the
    # LDAP user, so a failing login fails this test.
    Config LDAP URL  ${LDAP_SERVER_URI}
96
97
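Verify LDAP Config Update With Incorrect LDAP URL
    [Documentation]  Verify LDAP Login fails with invalid LDAP URL.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
    [Teardown]  Run Keywords  Restore LDAP URL  AND
    ...  FFDC On Test Case Fail

    # Point the LDAP configuration at an unreachable server.  The URL is
    # given without surrounding quotes: in Robot the quotes would be part of
    # the value and the BMC would be configured with a literally quoted URL.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceAddresses': ['ldap://1.2.3.4']}}
    Sleep  15s
    # The LDAP user must NOT be able to log in.  The outcome is captured
    # explicitly; calling 'Config LDAP URL' here would raise on the expected
    # login failure and fail the test instead of verifying it.
    ${login_status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${login_status}  ${False}
    ...  msg=LDAP user was able to login even though the LDAP URL is invalid.
    # Return to the default logged-in session.
    Redfish.Logout
    Redfish.Login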
105
106
Verify LDAP Configuration Exist
    [Documentation]  Verify LDAP configuration is available.
    [Tags]  Verify_LDAP_Configuration_Exist

    # Read the '${LDAP_TYPE}' sub-object of AccountService; the default keeps
    # a missing attribute from raising so the assertion below reports it.
    ${ldap_section}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
    ...  ${LDAP_TYPE}  default=${EMPTY}
    Should Not Be Empty  ${ldap_section}  msg=LDAP configuration is not defined.
114
115
Verify LDAP User Login
    [Documentation]  Verify LDAP user able to login into BMC.
    [Tags]  Verify_LDAP_User_Login

    # Log in with the directory credentials, then restore the default session.
    Redfish Verify LDAP Login
123
124
Verify LDAP Service Available
    [Documentation]  Verify LDAP service is available.
    [Tags]  Verify_LDAP_Service_Available

    # 'Get LDAP Configuration' returns the '${LDAP_TYPE}' sub-object of
    # AccountService; the LDAPService key must be present in it.
    ${ldap_configuration}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Contain  ${ldap_configuration}  LDAPService
    ...  msg=LDAPService is not available.
132
133
Verify LDAP Login Works After BMC Reboot
    [Documentation]  Verify LDAP login works after BMC reboot.
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot

    # The LDAP configuration must survive a BMC reboot.
    Redfish OBMC Reboot (off)
    Redfish Verify LDAP Login
142
143
Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Documentation]  Verify LDAP user with administrator privilege able to do BMC reboot.
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot

    # Map the LDAP group to the configured privilege, then act as that user.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # With LDAP user and with right privilege trying to do BMC reboot.
    Redfish OBMC Reboot (off)
    # The LDAP user must still be able to log in after the reboot; the helper
    # then restores the default session.
    Redfish Verify LDAP Login
157
158
Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Verify LDAP user with operator privilege can do host power off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    [Teardown]  Restore LDAP Privilege

    # Map the LDAP group to the Operator role for this test only.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Operator  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with operator privilege is able to power the system off.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[200]
    # Back to the default session.
    Redfish.Logout
    Redfish.Login
173
174
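Verify AccountLockout Attributes Set To Zero
    [Documentation]  Verify attribute AccountLockoutDuration and
    ...  AccountLockoutThreshold are set to 0.
    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
    ...  FFDC On Test Case Fail
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero

    # Save the current AccountService properties first so the teardown can
    # restore them: a threshold of 0 disables account lockout and must not
    # be left behind after the test.
    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    Rprint Vars  old_account_service
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]
    # Read the values back: a successful PATCH alone does not show that the
    # BMC applied them.
    ${duration}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
    ...  AccountLockoutDuration
    Should Be Equal As Integers  ${duration}  0
    ...  msg=AccountLockoutDuration was not set to 0.
    ${threshold}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
    ...  AccountLockoutThreshold
    Should Be Equal As Integers  ${threshold}  0
    ...  msg=AccountLockoutThreshold was not set to 0.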
189
190
Verify LDAP User With Read Privilege Able To Check Inventory
    [Documentation]  Verify LDAP user with read privilege able to
    ...  read firmware inventory.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Firmware Inventory

    # Each row is one invocation of the template keyword with that role.
    # read_privilege
    User
    Callback
200
201
Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Documentation]  Verify LDAP user with read privilege should not be
    ...  allowed to power on the host.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Poweron

    # Each row is one invocation of the template keyword with that role;
    # both read-only roles must be denied the power-on action.
    # read_privilege
    User
    Callback
211
212
Update LDAP Group Name And Verify Operations
    [Documentation]  Verify LDAP group name update and able to do right operations.
    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
    [Template]  Update LDAP Config And Verify Set Host Name
    [Teardown]  Restore LDAP Privilege

    # Only a correctly named group mapped to Administrator may change the
    # HostName; every other role, and any mapping to a group the LDAP user
    # is not in, must be refused with 401 or 403.
    # group_name             group_privilege  valid_status_codes
    ${GROUP_NAME}            Administrator    [${HTTP_OK}]
    ${GROUP_NAME}            Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    ${GROUP_NAME}            User             [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    ${GROUP_NAME}            Callback         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  User             [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Callback         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
228
229
Verify LDAP BaseDN Update And LDAP Login
    [Documentation]  Update LDAP BaseDN of LDAP configuration and verify
    ...  LDAP login works.
    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login

    # Re-apply the configured base DN through the SearchSettings sub-object.
    ${patch_body}=  Catenate  {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings':
    ...   {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${patch_body}
    Sleep  15s
    # The LDAP user must still be able to log in afterwards.
    Redfish Verify LDAP Login
241
242
Verify LDAP BindDN Update And LDAP Login
    [Documentation]  Update LDAP BindDN of LDAP configuration and verify
    ...  LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login

    # Re-apply the configured bind DN as the Authentication Username.
    ${patch_body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...   {'AuthenticationType':'UsernameAndPassword', 'Username':
    ...  '${LDAP_BIND_DN}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${patch_body}
    Sleep  15s
    # The LDAP user must still be able to log in afterwards.
    Redfish Verify LDAP Login
254
255
Verify LDAP BindDN Password Update And LDAP Login
    [Documentation]  Update LDAP BindDN password of LDAP configuration and
    ...  verify LDAP login works.
    # The tag below keeps its historical spelling ("Passsword") because CI
    # selects tests by tag name.
    [Tags]  Verify_LDAP_BindDN_Passsword_Update_And_LDAP_Login

    # Re-apply the configured bind password.  NOTE(review): the secret is
    # carried in the PATCH body; confirm request-body logging does not
    # record it.
    ${patch_body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...   {'AuthenticationType':'UsernameAndPassword', 'Password':
    ...  '${LDAP_BIND_DN_PASSWORD}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${patch_body}
    Sleep  15s
    # The LDAP user must still be able to log in afterwards.
    Redfish Verify LDAP Login
268
269
Verify LDAP Type Update And LDAP Login
    [Documentation]  Update LDAP type of LDAP configuration and verify
    ...  LDAP login works.
    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login

    # Switch the enabled directory type: disable the other one, enable ours.
    Disable Other LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    # The LDAP user must be able to log in with the selected type enabled.
    Redfish Verify LDAP Login
280
281
282*** Keywords ***
283
Redfish Verify LDAP Login
    [Documentation]  LDAP user log into BMC.

    # According to our repo coding rules, Redfish.Login is to be done in Suite
    # Setup and Redfish.Logout is to be done in Suite Teardown.  For any
    # deviation from this rule (such as in this keyword), the deviant code
    # must take steps to restore us to our original logged-in state.

    # Authenticate with the directory credentials (raises if rejected) ...
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # ... then drop that session and re-establish the default one.
    Redfish.Logout
    Redfish.Login
295
296
Update LDAP Config And Verify Set Host Name
    [Documentation]  Update LDAP config and verify by attempting to set host name.
    [Arguments]  ${group_name}  ${group_privilege}=Administrator
    ...  ${valid_status_codes}=[${HTTP_OK}]

    # Description of argument(s):
    # group_name                    The group name of user.
    # group_privilege               The group privilege ("Administrator",
    #                               "Operator", "User" or "Callback").
    # valid_status_codes            Expected return code(s) from patch
    #                               operation (e.g. "200") used to update
    #                               HostName.  See prolog of rest_request
    #                               method in redfish_plut.py for details.

    # Apply the role mapping under test and authenticate as the LDAP user.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${group_privilege}  ${group_name}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Probe the privilege by writing the HostName back with its current
    # value: the check is non-destructive, and only the status code matters.
    ${current_hostname}=  Redfish_Utils.Get Attribute  ${REDFISH_NW_PROTOCOL_URI}  HostName
    Redfish.Patch  ${REDFISH_NW_PROTOCOL_URI}  body={'HostName': '${current_hostname}'}
    ...  valid_status_codes=${valid_status_codes}
    # Restore the default session.
    Redfish.Logout
    Redfish.Login
320
321
Disable Other LDAP
    [Documentation]  Disable other LDAP configuration.

    # Turn off whichever directory type is not under test (ActiveDirectory
    # when testing LDAP, LDAP otherwise).
    ${other_ldap_type}=  Set Variable If  '${LDAP_TYPE}' == 'LDAP'  ActiveDirectory  LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${other_ldap_type}': {'ServiceEnabled': ${False}}}
    # Give the BMC time to apply the change.
    Sleep  15s
330
331
Create LDAP Configuration
    [Documentation]  Create LDAP configuration.
    [Arguments]  ${ldap_type}=${LDAP_TYPE}  ${ldap_server_uri}=${LDAP_SERVER_URI}
    ...  ${ldap_bind_dn}=${LDAP_BIND_DN}  ${ldap_bind_dn_password}=${LDAP_BIND_DN_PASSWORD}
    ...  ${ldap_base_dn}=${LDAP_BASE_DN}

    # Description of argument(s):
    # ldap_type              The LDAP type ("ActiveDirectory" or "LDAP").
    # ldap_server_uri        LDAP server uri (e.g. ldap://XX.XX.XX.XX).
    # ldap_bind_dn           The LDAP bind distinguished name.
    # ldap_bind_dn_password  The LDAP bind distinguished name password.
    # ldap_base_dn           The LDAP base distinguished name.

    # Disable the other directory type first, then write the whole
    # configuration (service enabled, server address, bind credentials and
    # base DN) in a single PATCH.  NOTE(review): the bind password travels in
    # the request body; confirm request-body logging does not record it.
    Disable Other LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceEnabled': ${True}, 'ServiceAddresses': ['${ldap_server_uri}'], 'Authentication': {'AuthenticationType':'UsernameAndPassword', 'Username':'${ldap_bind_dn}', 'Password':'${ldap_bind_dn_password}'}, 'LDAPService': {'SearchSettings': {'BaseDistinguishedNames': ['${ldap_base_dn}']}}}}
    # Give the BMC time to apply the change.
    Sleep  15s
349
350
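Config LDAP URL
    [Documentation]  Config LDAP URL.
    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}  ${expected_status}=${True}

    # Description of argument(s):
    # ldap_server_uri  LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").
    # expected_status  Whether the LDAP user login is expected to succeed
    #                  (${True}, the default) or fail (${False}) after the
    #                  URL update.  Passing ${False} lets a negative test use
    #                  this keyword instead of crashing on the login.

    # The original used ${ldap_type}, which only resolved because Robot
    # variable names are case-insensitive; the suite variable is meant.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceAddresses': ['${ldap_server_uri}']}}
    Sleep  15s
    # After update, check the LDAP login outcome against the expectation.
    ${login_status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${login_status}  ${expected_status}
    ...  msg=LDAP login outcome after updating the LDAP URL did not match the expectation.
    # Restore the default session.
    Redfish.Logout
    Redfish.Login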
365
366
Restore LDAP URL
    [Documentation]  Restore LDAP URL.

    # Put the known-good server URI back (used as a test teardown after the
    # invalid-URL test).
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
    # Give the BMC time to apply the change.
    Sleep  15s
374
375
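Restore AccountLockout Attributes
    [Documentation]  Restore AccountLockout Attributes.

    # Nothing was captured (the test failed before saving the old values).
    Return From Keyword If  &{old_account_service} == &{EMPTY}
    # Restore both attributes from the values saved before the test zeroed
    # them.  The second PATCH previously wrote the saved threshold into
    # AccountLockoutDuration, leaving AccountLockoutThreshold at 0, i.e.
    # account lockout disabled after the test.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]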
384
385
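Suite Setup Execution
    [Documentation]  Do suite setup tasks.

    # Fail fast if any required LDAP parameter was not supplied.
    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Valid Value  LDAP_USER
    Valid Value  LDAP_USER_PASSWORD
    Valid Value  GROUP_PRIVILEGE
    Valid Value  GROUP_NAME
    Valid Value  LDAP_SERVER_URI
    Valid Value  LDAP_BIND_DN_PASSWORD
    Valid Value  LDAP_BIND_DN
    Valid Value  LDAP_BASE_DN

    Redfish.Login
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    # Record the current role-mapping privilege at suite scope so that
    # 'Restore LDAP Privilege' (suite teardown and several test teardowns)
    # can put it back.  A plain assignment is local to this keyword, so the
    # restore would only ever see the ${EMPTY} default and skip.
    ${old_ldap_privilege}=  Get LDAP Privilege
    Set Suite Variable  ${old_ldap_privilege}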
403
404
Set Read Privilege And Check Firmware Inventory
    [Documentation]  Set read privilege and check firmware inventory.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    # Map the LDAP group to the read-only role and authenticate as that user.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # A read-only role must still be able to list the firmware inventory:
    # at least one member, and the member list consistent with its count.
    ${inventory}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
    ${member_count}=  Set Variable  ${inventory.dict["Members@odata.count"]}
    Should Be True  ${member_count} >= ${1}
    Length Should Be  ${inventory.dict["Members"]}  ${member_count}
    # Restore the default session.
    Redfish.Logout
    Redfish.Login
422
423
Set Read Privilege And Check Poweron
    [Documentation]  Set read privilege and power on should not be possible.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    # Map the LDAP group to the read-only role and authenticate as that user.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # A power-on request from a read-only role must be refused (401 or 403);
    # anything else, including 200, fails the keyword.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}   valid_status_codes=[401, 403]
    # Restore the default session.
    Redfish.Logout
    Redfish.Login
438
439
Get LDAP Configuration
    [Documentation]  Retrieve LDAP Configuration.
    [Arguments]   ${ldap_type}

    # Description of argument(s):
    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").

    # Fetch the whole AccountService resource and return its '${ldap_type}'
    # sub-object; a missing key fails this keyword.
    ${account_service}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    ${ldap_section}=  Set Variable  ${account_service["${ldap_type}"]}
    [Return]  ${ldap_section}
449
450
Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  Update LDAP configuration update with LDAP user Role and group.
    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege  The group privilege ("Administrator", "Operator", "User" or "Callback").
    # group_name       The group name of user.

    # Build {ldap_type: {'RemoteRoleMapping': [{'LocalRole': ..., 'RemoteGroup': ...}]}}
    # from the inside out.  Note this replaces the whole RemoteRoleMapping
    # list with a single entry.
    ${role_mapping_entry}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
    ${role_mapping_list}=  Create List  ${role_mapping_entry}
    ${ldap_section}=  Create Dictionary  RemoteRoleMapping=${role_mapping_list}
    ${payload}=  Create Dictionary  ${ldap_type}=${ldap_section}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
    # Provide adequate time for LDAP daemon to restart after the update.
    Sleep  15s
467
468
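Get LDAP Privilege
    [Documentation]  Get LDAP privilege and return it.

    # Returns the LocalRole of the first RemoteRoleMapping entry, or ${EMPTY}
    # when no mapping is configured.  ${EMPTY} (rather than no return value,
    # which yields None) is what 'Restore LDAP Privilege' compares against,
    # so an unmapped configuration is correctly treated as "nothing to
    # restore" instead of being written back as the role 'None'.
    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    ${num_list_entries}=  Get Length  ${ldap_config["RemoteRoleMapping"]}
    Return From Keyword If  ${num_list_entries} == ${0}  ${EMPTY}

    [Return]  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}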
477
478
Restore LDAP Privilege
    [Documentation]  Restore the LDAP privilege to its original value.

    # Re-apply the recorded role mapping; skip when nothing was recorded.
    # This relies on ${old_ldap_privilege} having been set at suite scope by
    # the suite setup (no login happens here).
    Run Keyword If  '${old_ldap_privilege}' != '${EMPTY}'
    ...  Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${old_ldap_privilege}  ${GROUP_NAME}
486