*** Settings ***
Documentation    Test Redfish LDAP user configuration.

Library          ../../lib/gen_robot_valid.py
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/utils.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/bmc_network_utils.robot
Resource         ../../lib/bmc_ldap_utils.robot

Suite Setup      Suite Setup Execution
Suite Teardown   LDAP Suite Teardown Execution
Test Teardown    Run Keywords  Redfish.Login  AND  FFDC On Test Case Fail
Test Tags        Ldap_Configuration

*** Variables ***
${old_ldap_privilege}   Administrator
&{old_account_service}  &{EMPTY}
&{old_ldap_config}      &{EMPTY}
${hostname}             ${EMPTY}
${test_ip}              10.6.6.6
${test_mask}            255.255.255.0

*** Test Cases ***

Verify LDAP Configuration Created
    [Documentation]  Verify that LDAP configuration created.
    [Tags]  Verify_LDAP_Configuration_Created

    Create LDAP Configuration
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    Sleep  10s
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout


Verify Redfish LDAP Service Disable
    [Documentation]  Verify that LDAP is disabled and that LDAP user cannot
    ...  login.
    [Tags]  Verify_Redfish_LDAP_Service_Disable

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
    Sleep  15s
    ${resp}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${resp}  ${False}
    ...  msg=LDAP user was able to login even though the LDAP service was disabled.
    Redfish.Logout
    Redfish.Login
    # Enabling LDAP so that LDAP user works.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
    Redfish.Logout


Verify LDAP Login With ServiceEnabled
    [Documentation]  Verify that LDAP Login with ServiceEnabled.
    [Tags]  Verify_LDAP_Login_With_ServiceEnabled

    Disable Other LDAP
    # Actual service enablement.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
    Sleep  15s
    # After update, LDAP login.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout


Verify LDAP Login With Correct AuthenticationType
    [Documentation]  Verify that LDAP Login with right AuthenticationType.
    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
    Sleep  15s
    # After update, LDAP login.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout


Verify LDAP Config Update With Incorrect AuthenticationType
    [Documentation]  Verify that invalid AuthenticationType is not updated.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_AuthenticationType

    ${body}=  Catenate  {'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=${body}  valid_status_codes=[400]


Verify LDAP Login With Correct LDAP URL
    [Documentation]  Verify LDAP Login with right LDAP URL.
    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL

    Config LDAP URL  ${LDAP_SERVER_URI}


Verify LDAP Config Update With Incorrect LDAP URL
    [Documentation]  Verify that LDAP Login fails with invalid LDAP URL.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
    [Teardown]  Run Keywords  Restore LDAP URL  AND
    ...  FFDC On Test Case Fail

    Config LDAP URL  ldap://1.2.3.4/  ${FALSE}


Verify LDAP Configuration Exist
    [Documentation]  Verify that LDAP configuration is available.
    [Tags]  Verify_LDAP_Configuration_Exist

    ${resp}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
    ...  ${LDAP_TYPE}  default=${EMPTY}
    Should Not Be Empty  ${resp}  msg=LDAP configuration is not defined.


Verify LDAP User Login
    [Documentation]  Verify that LDAP user is able to log in to the BMC.
    [Tags]  Verify_LDAP_User_Login

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout


Verify LDAP Service Available
    [Documentation]  Verify that LDAP service is available.
    [Tags]  Verify_LDAP_Service_Available

    @{ldap_configuration}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Contain  ${ldap_configuration}  LDAPService
    ...  msg=LDAPService is not available.


Verify LDAP Login Works After BMC Reboot
    [Documentation]  Verify that LDAP login works after BMC reboot.
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot

    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout


Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Documentation]  Verify that LDAP user with administrator privilege is able to do BMC reboot.
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # With LDAP user and with right privilege trying to do BMC reboot.
    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout


Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Verify that LDAP user with operator privilege can do host
    ...  power off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    [Teardown]  Restore LDAP Privilege

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Operator  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with operator privilege is able to power the system off.
    # valid_status_codes is passed once; the original passed it twice ([200] and the list below).
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
    Redfish.Logout
    Redfish.Login


Verify AccountLockout Attributes Set To Zero By LDAP User
    [Documentation]  Verify that attribute AccountLockoutDuration and
    ...  AccountLockoutThreshold are set to 0 by LDAP user.
    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
    ...  FFDC On Test Case Fail
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero_By_LDAP_User

    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    Rprint Vars  old_account_service

    # Create LDAP user and create session using LDAP user.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Administrator  ${GROUP_NAME}

    # Clear existing Redfish sessions.
    Redfish.Logout

    # Login using LDAP user.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # Set Account Lockout attributes using LDAP user.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]


Verify LDAP User With Read Privilege Able To Check Inventory
    [Documentation]  Verify that LDAP user with read privilege is able to
    ...  read firmware inventory.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Firmware Inventory

    ReadOnly


Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Documentation]  Verify that LDAP user with read privilege should not be
    ...  allowed to power on the host.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Poweron

    ReadOnly


Update LDAP Group Name And Verify Operations
    [Documentation]  Verify that LDAP group name is updated and able to do right
    ...  operations.
    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
    [Template]  Update LDAP Config And Verify Set Host Name
    [Teardown]  Restore LDAP Privilege

    # group_name             group_privilege  valid_status_codes
    ${GROUP_NAME}            Administrator    [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    ${GROUP_NAME}            Operator         [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    ${GROUP_NAME}            ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]


Verify LDAP BaseDN Update And LDAP Login
    [Documentation]  Update LDAP BaseDN of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login

    ${body}=  Catenate  {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings':
    ...  {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
    Sleep  15s
    Redfish Verify LDAP Login


Verify LDAP BindDN Update And LDAP Login
    [Documentation]  Update LDAP BindDN of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login

    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...  {'AuthenticationType':'UsernameAndPassword', 'Username':
    ...  '${LDAP_BIND_DN}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
    Sleep  15s
    Redfish Verify LDAP Login


Verify LDAP BindDN Password Update And LDAP Login
    [Documentation]  Update LDAP BindDN password of LDAP configuration and
    ...  verify that LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Password_Update_And_LDAP_Login

    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...  {'AuthenticationType':'UsernameAndPassword', 'Password':
    ...  '${LDAP_BIND_DN_PASSWORD}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
    Sleep  15s
    Redfish Verify LDAP Login


Verify LDAP Type Update And LDAP Login
    [Documentation]  Update LDAP type of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login

    Disable Other LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
    Sleep  15s
    Redfish Verify LDAP Login


Verify LDAP Authorization With Null Privilege
    [Documentation]  Verify the failure of LDAP authorization with empty
    ...  privilege.
    [Tags]  Verify_LDAP_Authorization_With_Null_Privilege
    [Teardown]  Restore LDAP Privilege

    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}  ${EMPTY}
    ...  [${HTTP_FORBIDDEN}]


Verify LDAP Authorization With Invalid Privilege
    [Documentation]  Verify that LDAP user authorization with wrong privilege
    ...  fails.
    [Tags]  Verify_LDAP_Authorization_With_Invalid_Privilege
    [Teardown]  Restore LDAP Privilege

    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}
    ...  Invalid_Privilege  [${HTTP_FORBIDDEN}]


Verify LDAP Login With Invalid Data
    [Documentation]  Verify that LDAP login with Invalid LDAP data and
    ...  right LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_Data
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD
    ...  Invalid_LDAP_BASE_DN
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify LDAP Config Creation Without BASE DN
    [Documentation]  Verify that LDAP login with LDAP configuration
    ...  created without BASE_DN fails.
    [Tags]  Verify_LDAP_Config_Creation_Without_BASE_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD  ${EMPTY}
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify LDAP Authentication Without Password
    [Documentation]  Verify that LDAP user authentication without LDAP
    ...  user password fails.
    [Tags]  Verify_LDAP_Authentication_Without_Password
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    Valid Value  status  [${False}]


Verify LDAP Login With Invalid BASE DN
    [Documentation]  Verify that LDAP login with invalid BASE_DN and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}  ${LDAP_BIND_DN_PASSWORD}  Invalid_LDAP_BASE_DN
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify LDAP Login With Invalid BIND_DN_PASSWORD
    [Documentation]  Verify that LDAP login with invalid BIND_DN_PASSWORD and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}  INVALID_LDAP_BIND_DN_PASSWORD  ${LDAP_BASE_DN}
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify LDAP Login With Invalid BASE DN And Invalid BIND DN
    [Documentation]  Verify that LDAP login with invalid BASE_DN and invalid
    ...  BIND_DN and valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  INVALID_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  INVALID_LDAP_BASE_DN
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify Group Name And Group Privilege Able To Modify
    [Documentation]  Verify that LDAP group name and group privilege can be
    ...  modified.
    [Tags]  Verify_Group_Name_And_Group_Privilege_Able_To_Modify
    [Setup]  Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  Operator  ${GROUP_NAME}

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Administrator  ${GROUP_NAME}


Verify LDAP Login With Invalid BIND DN
    [Documentation]  Verify that LDAP login with invalid BIND_DN and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  Invalid_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  ${LDAP_BASE_DN}
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify LDAP Authentication With Invalid LDAP User
    [Documentation]  Verify that LDAP user authentication fails for a user
    ...  that does not exist in the LDAP server.
    [Tags]  Verify_LDAP_Authentication_With_Invalid_LDAP_User
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    ${status}=  Run Keyword And Return Status  Redfish.Login  INVALID_LDAP_USER
    ...  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${False}]


Update LDAP User Roles And Verify Host Poweroff Operation
    [Documentation]  Update LDAP user roles and verify host poweroff operation.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Host Poweroff
    # ldap_type   group_privilege  group_name     valid_status_codes

    # Verify LDAP user with ReadOnly privilege not able to do host poweroff.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege able to do host poweroff.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with Administrator privilege able to do host poweroff.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}


Update LDAP User Roles And Verify Host Poweron Operation
    [Documentation]  Update LDAP user roles and verify host poweron operation.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Host Poweron
    # ldap_type   group_privilege  group_name     valid_status_codes

    # Verify LDAP user with ReadOnly privilege not able to do host poweron.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege able to do host poweron.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with Administrator privilege able to do host poweron.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}


Configure IP Address Via Different User Roles And Verify
    [Documentation]  Configure IP address via different user roles and verify.
    [Tags]  Configure_IP_Address_Via_Different_User_Roles_And_Verify
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Configure IP Address
    # Verify LDAP user with Administrator privilege is able to configure IP address.
    ${LDAP_TYPE}  Administrator  ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with ReadOnly privilege is forbidden to configure IP address.
    ${LDAP_TYPE}  ReadOnly  ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege is forbidden to configure IP address.
    ${LDAP_TYPE}  Operator  ${GROUP_NAME}  ${HTTP_FORBIDDEN}


Delete IP Address Via Different User Roles And Verify
    [Documentation]  Delete IP address via different user roles and verify.
    [Tags]  Delete_IP_Address_Via_Different_User_Roles_And_Verify
    [Teardown]  Run Keywords  Restore LDAP Privilege  AND  FFDC On Test Case Fail

    [Template]  Update LDAP User Role And Delete IP Address
    # Verify LDAP user with Administrator privilege is able to delete IP address.
    ${LDAP_TYPE}  Administrator  ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with ReadOnly privilege is forbidden to delete IP address.
    ${LDAP_TYPE}  ReadOnly  ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege is forbidden to delete IP address.
    ${LDAP_TYPE}  Operator  ${GROUP_NAME}  ${HTTP_FORBIDDEN}


Read Network Configuration Via Different User Roles And Verify
    [Documentation]  Read network configuration via different user roles and verify.
    [Tags]  Read_Network_Configuration_Via_Different_User_Roles_And_Verify
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Read Network Configuration
    ${LDAP_TYPE}  Administrator  ${GROUP_NAME}  ${HTTP_OK}

    ${LDAP_TYPE}  ReadOnly  ${GROUP_NAME}  ${HTTP_OK}

    ${LDAP_TYPE}  Operator  ${GROUP_NAME}  ${HTTP_OK}


Switch LDAP Type And Verify Login Fails
    [Documentation]  Switch LDAP type and verify login fails.
    [Tags]  Switch_LDAP_Type_And_Verify_Login_Fails

    # Check that login with the configured LDAP type is working.
    Create LDAP Configuration
    Redfish Verify LDAP Login

    # Disable the configured LDAP type (OpenLDAP or ActiveDirectory).
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]

    # Enable the inverse LDAP type.
    Disable Other LDAP  ${True}
    Create LDAP Configuration  ${LDAP_TYPE_1}  ${LDAP_SERVER_URI_1}
    ...  ${LDAP_BIND_DN_1}  ${LDAP_BIND_DN_PASSWORD_1}  ${LDAP_BASE_DN_1}
    Redfish.Logout
    Sleep  10s

    # Check that login works via the inverse LDAP type.
    Redfish.Login  ${LDAP_USER_1}  ${LDAP_USER_PASSWORD_1}
    Redfish.Logout
    Sleep  10s

    # Login using the original (now disabled) LDAP type must fail.
    Redfish Verify LDAP Login  ${False}
    Redfish.Logout

*** Keywords ***

Redfish Verify LDAP Login
    [Documentation]  LDAP user log into BMC.
    [Arguments]  ${valid_status}=${True}

    # Description of argument(s):
    # valid_status  Expected status of LDAP login ("True" or "False").

    # According to our repo coding rules, Redfish.Login is to be done in Suite
    # Setup and Redfish.Logout is to be done in Suite Teardown.  For any
    # deviation from this rule (such as in this keyword), the deviant code
    # must take steps to restore us to our original logged-in state.

    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${valid_status}]
    Redfish.Logout
    Redfish.Login


Update LDAP Config And Verify Set Host Name
    [Documentation]  Update LDAP config and verify by attempting to set host name.
    [Arguments]  ${group_name}  ${group_privilege}=Administrator
    ...  ${valid_status_codes}=[${HTTP_OK}]
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # group_name                    The group name of user.
    # group_privilege               The group privilege ("Administrator",
    #                               "Operator", "User" or "Callback").
    # valid_status_codes            Expected return code(s) from patch
    #                               operation (e.g. "200") used to update
    #                               HostName.  See prolog of rest_request
    #                               method in redfish_plus.py for details.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${group_privilege}  ${group_name}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user in ${group_name} with the given privilege is
    # allowed to change the hostname.
    Redfish.Patch  ${REDFISH_NW_ETH0_URI}  body={'HostName': '${hostname}'}
    ...  valid_status_codes=${valid_status_codes}


Disable Other LDAP
    [Documentation]  Disable other LDAP configuration.
    [Arguments]  ${service_state}=${False}

    # Description of argument(s):
    # service_state  State to set on the other LDAP type's ServiceEnabled
    #                (default "False", i.e. disable it).

    # First disable other LDAP.
    ${inverse_ldap_type}=  Set Variable If  '${LDAP_TYPE}' == 'LDAP'  ActiveDirectory  LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${inverse_ldap_type}': {'ServiceEnabled': ${service_state}}}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
    Sleep  15s


Config LDAP URL
    [Documentation]  Config LDAP URL.
    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}  ${expected_status}=${TRUE}

    # Description of argument(s):
    # ldap_server_uri  LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").
    # expected_status  Expected status of the LDAP login that follows the
    #                  update ("True" or "False").

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
    Sleep  15s
    # After update, LDAP login.
    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${expected_status}]

    Redfish.Logout
    Redfish.Login


Restore LDAP URL
    [Documentation]  Restore LDAP URL.

    # Restoring the working LDAP server uri.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
    Sleep  15s


Restore AccountLockout Attributes
    [Documentation]  Restore AccountLockout Attributes.

    IF  &{old_account_service} == &{EMPTY}  RETURN
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]


Suite Setup Execution
    [Documentation]  Do suite setup tasks.

    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Valid Value  LDAP_USER
    Valid Value  LDAP_USER_PASSWORD
    Valid Value  GROUP_PRIVILEGE
    Valid Value  GROUP_NAME
    Valid Value  LDAP_SERVER_URI
    Valid Value  LDAP_BIND_DN_PASSWORD
    Valid Value  LDAP_BIND_DN
    Valid Value  LDAP_BASE_DN

    Redfish.Login
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    Set Suite Variable  ${old_ldap_privilege}
    Disable Other LDAP
    Create LDAP Configuration
    ${hostname}=  Redfish.Get Attribute  ${REDFISH_NW_PROTOCOL_URI}  HostName
    # A plain assignment is local to this keyword; publish the host name at
    # suite scope so 'Update LDAP Config And Verify Set Host Name' can use it.
    Set Suite Variable  ${hostname}


LDAP Suite Teardown Execution
    [Documentation]  Restore ldap configuration, delete unused redfish session.

    Restore LDAP Privilege
    Redfish.Logout
    Run Keyword And Ignore Error  Delete All Redfish Sessions


Set Read Privilege And Check Firmware Inventory
    [Documentation]  Set read privilege and check firmware inventory.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with read privilege is able to read inventory.
    ${resp}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
    Should Be True  ${resp.dict["Members@odata.count"]} >= ${1}
    Length Should Be  ${resp.dict["Members"]}  ${resp.dict["Members@odata.count"]}
    Redfish.Logout
    Redfish.Login


Set Read Privilege And Check Poweron
    [Documentation]  Set read privilege and power on should not be possible.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}  valid_status_codes=[401, 403]
    Redfish.Logout
    Redfish.Login


Get LDAP Configuration
    [Documentation]  Retrieve LDAP Configuration.
    [Arguments]  ${ldap_type}

    # Description of argument(s):
    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").

    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    RETURN  ${ldap_config["${ldap_type}"]}


Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  Update LDAP configuration with LDAP user role and group.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege  The group privilege ("Administrator", "Operator", "User" or "Callback").
    # group_name       The group name of user.

    ${local_role_remote_group}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
    ${remote_role_mapping}=  Create List  ${local_role_remote_group}
    ${ldap_data}=  Create Dictionary  RemoteRoleMapping=${remote_role_mapping}
    ${payload}=  Create Dictionary  ${ldap_type}=${ldap_data}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
    # Provide adequate time for LDAP daemon to restart after the update.
    Sleep  15s


Get LDAP Privilege
    [Documentation]  Get LDAP privilege and return it.

    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    ${num_list_entries}=  Get Length  ${ldap_config["RemoteRoleMapping"]}
    # Return an empty list when no role mapping is configured.
    IF  ${num_list_entries} == ${0}  RETURN  @{EMPTY}

    RETURN  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}


Restore LDAP Privilege
    [Documentation]  Restore the LDAP privilege to its original value.

    # Log back in to restore the original privilege.
    Redfish.Login
    IF  '${old_ldap_privilege}' == '${EMPTY}' or '${old_ldap_privilege}' == '[]'  RETURN
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${old_ldap_privilege}  ${GROUP_NAME}

    Sleep  18s


Verify Host Power Status
    [Documentation]  Verify the Host power status and do host power on/off respectively.
    [Arguments]  ${expected_power_status}

    # Description of argument(s):
    # expected_power_status  State of Host e.g. Off or On.

    ${power_status}=  Redfish.Get Attribute  /redfish/v1/Chassis/${CHASSIS_ID}  PowerState
    IF  '${power_status}' == '${expected_power_status}'  RETURN

    IF  '${power_status}' == 'Off'
        Redfish Power On
    ELSE
        Redfish Power Off
    END


Update LDAP User Role And Host Poweroff
    [Documentation]  Update LDAP user role and do host poweroff.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator" or "ReadOnly").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    # Check Host state and do the power on/off if needed.
    Verify Host Power Status  On

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}  valid_status_codes=[${valid_status_code}]

    IF  ${valid_status_code} == ${HTTP_FORBIDDEN}  RETURN
    Wait Until Keyword Succeeds  1 min  10 sec  Verify Host Power State  Off


Update LDAP User Role And Host Poweron
    [Documentation]  Update LDAP user role and do host poweron.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator" or "ReadOnly").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    # Check Host state and do the power on/off if needed.
    Verify Host Power Status  Off

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}  valid_status_codes=[${valid_status_code}]

    IF  ${valid_status_code} == ${HTTP_FORBIDDEN}  RETURN
    Verify Host Is Up


Update LDAP User Role And Configure IP Address
    [Documentation]  Update LDAP user role and configure IP address.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator" or "ReadOnly").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Logout

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    ${test_gateway}=  Get BMC Default Gateway

    Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}


Update LDAP User Role And Delete IP Address
    [Documentation]  Update LDAP user role and delete IP address.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator" or "ReadOnly").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    ${test_gateway}=  Get BMC Default Gateway

    # Configure IP address before deleting via LDAP user roles.
    Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Logout

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Delete IP Address  ${test_ip}  ${valid_status_code}


Update LDAP User Role And Read Network Configuration
    [Documentation]  Update LDAP user role and read network configuration.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator" or "ReadOnly").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Logout

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Get  ${REDFISH_NW_ETH0_URI}  valid_status_codes=[${valid_status_code}]