1*** Settings ***
2Documentation    Test Redfish LDAP user configuration.
3Library          ../../lib/gen_robot_valid.py
4Resource         ../../lib/resource.robot
5Resource         ../../lib/bmc_redfish_resource.robot
6Resource         ../../lib/openbmc_ffdc.robot
7Library          ../../lib/gen_robot_valid.py
8
9Suite Setup      Suite Setup Execution
10Suite Teardown   Run Keywords  Restore LDAP Privilege  AND  Redfish.Logout
11Test Teardown    FFDC On Test Case Fail
12
13Force Tags       LDAP_Test
14
15*** Variables ***
16${old_ldap_privilege}  ${EMPTY}
17&{old_account_service}  &{EMPTY}
18&{old_ldap_config}  &{EMPTY}
19
20** Test Cases **
21
22Verify LDAP Configuration Created
23    [Documentation]  Verify LDAP configuration created.
24    [Tags]  Verify_LDAP_Configuration_Created
25
26    Create LDAP Configuration
27    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
28    Get LDAP Configuration  ${LDAP_TYPE}
29    Sleep  10s
30    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
31    Redfish.Logout
32    Redfish.Login
33
34
35Verify LDAP Service Disable
36    [Documentation]  Verify LDAP is disabled and that LDAP user cannot login.
37    [Tags]  Verify_LDAP_Service_Disable
38
39    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
40    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
41    Sleep  15s
42    ${resp}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
43    ...  ${LDAP_USER_PASSWORD}
44    Should Be Equal  ${resp}  ${False}  msg=LDAP user was able to login even though the LDAP service was disabled.
45    Redfish.Logout
46    Redfish.Login
47    # Enabling LDAP so that LDAP user works.
48    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
49    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
50    Redfish.Logout
51    Redfish.Login
52
53
54Verify LDAP Configuration Exist
55    [Documentation]  Verify LDAP configuration is available.
56    [Tags]  Verify_LDAP_Configuration_Exist
57    ${resp}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
58    ...  ${LDAP_TYPE}  default=${EMPTY}
59    Should Not Be Empty  ${resp}  msg=LDAP configuration is not defined.
60
61
62Verify LDAP User Login
63    [Documentation]  Verify LDAP user able to login into BMC.
64    [Tags]  Verify_LDAP_User_Login
65    ${resp}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
66    ...  ${LDAP_USER_PASSWORD}
67    Should Be Equal  ${resp}  ${True}  msg=LDAP user is not able to login.
68    Redfish.Logout
69    Redfish.Login
70
71
72Verify LDAP Service Available
73    [Documentation]  Verify LDAP service is available.
74    [Tags]  Verify_LDAP_Service_Available
75    @{ldap_configuration}=  Get LDAP Configuration  ${LDAP_TYPE}
76    Should Contain  ${ldap_configuration}  LDAPService
77    ...  msg=LDAPService is not available.
78
79
80Verify LDAP Login Works After BMC Reboot
81    [Documentation]  Verify LDAP login works after BMC reboot.
82    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot
83    Redfish OBMC Reboot (off)
84    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
85    Redfish.Logout
86    Redfish.Login
87
88
89Verify LDAP User With Admin Privilege Able To Do BMC Reboot
90    [Documentation]  Verify LDAP user with administrator privilege able to do BMC reboot.
91    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot
92
93    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
94    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
95    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
96    # With LDAP user and with right privilege trying to do BMC reboot.
97    Redfish OBMC Reboot (off)
98    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
99    Redfish.Logout
100    Redfish.Login
101
102
103Verify LDAP User With Operator Privilege Able To Do Host Poweroff
104    [Documentation]  Verify LDAP user with operator privilege can do host power off.
105    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
106    [Teardown]  Restore LDAP Privilege
107
108    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
109    ...  Operator  ${GROUP_NAME}
110
111    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
112    ${new_ldap_privilege}=  Set Variable
113    ...  ${ldap_config["LDAP"]["RemoteRoleMapping"][0]["LocalRole"]}
114    Should Be Equal  ${new_ldap_privilege}  Operator
115    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
116    # Verify that the LDAP user with operator privilege is able to power the system off.
117    Redfish.Post  ${REDFISH_POWER_URI}
118    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[200]
119    Redfish.Logout
120    Redfish.Login
121
122
123Verify AccountLockout Attributes Set To Zero
124    [Documentation]  Verify attribute AccountLockoutDuration and
125    ...  AccountLockoutThreshold are set to 0.
126    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
127    ...  FFDC On Test Case Fail
128    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero
129    ${old_account_service}=  Redfish.Get Properties
130    ...  ${REDFISH_BASE_URI}AccountService
131    Rprint Vars  old_account_service
132    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
133    ...  body=[('AccountLockoutDuration', 0)]
134    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
135    ...  body=[('AccountLockoutThreshold', 0)]
136
137
138Verify LDAP User With Read Privilege Able To Check Inventory
139    [Documentation]  Verify LDAP user with read privilege able to
140    ...  read firmware inventory.
141    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
142    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
143    [Template]  Set Read Privilege And Check Firmware Inventory
144
145    User
146    Callback
147
148
149Verify LDAP User With Read Privilege Should Not Do Host Poweron
150    [Documentation]  Verify LDAP user with read privilege should not be
151    ...  allowed to power on the host.
152    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
153    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
154    [Template]  Set Read Privilege And Check Poweron
155
156    User
157    Callback
158
159
160*** Keywords ***
161
162Create LDAP Configuration
163    [Documentation]  Create LDAP configuration.
164    [Arguments]  ${ldap_type}=${LDAP_TYPE}  ${ldap_server_uri}=${LDAP_SERVER_URI}
165    ...  ${ldap_bind_dn}=${LDAP_BIND_DN}  ${ldap_bind_dn_password}=${LDAP_BIND_DN_PASSWORD}
166    ...  ${ldap_base_dn}=${LDAP_BASE_DN}
167
168    # Description of argument(s):
169    # ldap_type              The LDAP type ("ActiveDirectory" or "LDAP").
170    # ldap_server_uri        LDAP server uri (e.g. ldap://XX.XX.XX.XX).
171    # ldap_bind_dn           The LDAP bind distinguished name.
172    # ldap_bind_dn_password  The LDAP bind distinguished name password.
173    # ldap_base_dn           The LDAP base distinguished name.
174
175    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
176    ...  body={'${ldap_type}': {'ServiceEnabled': ${True}}}
177    Sleep  15s
178    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
179    ...  body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}}
180    Sleep  15s
181    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
182    ...  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
183    Sleep  15s
184    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
185    ...  body={'${ldap_type}': {'Authentication': {'Username':'${ldap_bind_dn}'}}}
186    Sleep  15s
187    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
188    ...  body={'${ldap_type}': {'Authentication': {'Password':'${ldap_bind_dn_password}'}}}
189    Sleep  15s
190    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
191    ...  body={'${ldap_type}': {'LDAPService': {'SearchSettings': {'BaseDistinguishedNames': ['${ldap_base_dn}']}}}}
192    Sleep  15s
193
194
195Restore AccountLockout Attributes
196    [Documentation]  Restore AccountLockout Attributes.
197    Return From Keyword If  &{old_account_service} == &{EMPTY}
198    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
199    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
200    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
201    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutThreshold']})]
202
203
204Suite Setup Execution
205    [Documentation]  Do suite setup tasks.
206    Rvalid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
207    Rvalid Value  LDAP_USER
208    Rvalid Value  LDAP_USER_PASSWORD
209    Rvalid Value  GROUP_PRIVILEGE
210    Rvalid Value  GROUP_NAME
211    Redfish.Login
212    ${old_ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
213    Run Keyword If  '${old_ldap_config['ServiceEnabled']}' == 'False'
214    ...  Run Keywords  Create LDAP Configuration  AND
215    ...  Update LDAP Configuration with LDAP User Role And Group
216    ...  ${LDAP_TYPE}  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
217    ${old_ldap_privilege}=  Get LDAP Privilege
218
219
220Set Read Privilege And Check Firmware Inventory
221    [Documentation]  Set read privilege and check firmware inventory.
222    [Arguments]  ${read_privilege}
223
224    # Description of argument(s):
225    # read_privilege  The read privilege role (e.g. "User" / "Callback").
226
227    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
228    ...  ${read_privilege}  ${GROUP_NAME}
229
230    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
231    # Verify that the LDAP user with read privilege is able to read inventory.
232    ${resp}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
233    Should Be True  ${resp.dict["Members@odata.count"]} >= ${1}
234    Length Should Be  ${resp.dict["Members"]}  ${resp.dict["Members@odata.count"]}
235    Redfish.Logout
236    Redfish.Login
237
238
239Set Read Privilege And Check Poweron
240    [Documentation]  Set read privilege and power on should not be possible.
241    [Arguments]  ${read_privilege}
242
243    # Description of argument(s):
244    # read_privilege  The read privilege role (e.g. "User" / "Callback").
245
246    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
247    ...  ${read_privilege}  ${GROUP_NAME}
248    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
249    Redfish.Post  ${REDFISH_POWER_URI}
250    ...  body={'ResetType': 'On'}   valid_status_codes=[401, 403]
251    Redfish.Logout
252    Redfish.Login
253
254
255Get LDAP Configuration
256    [Documentation]  Retrieve LDAP Configuration.
257    [Arguments]   ${ldap_type}
258
259    # Description of argument(s):
260    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").
261
262    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
263    [Return]  ${ldap_config["${ldap_type}"]}
264
265
266Update LDAP Configuration with LDAP User Role And Group
267    [Documentation]  Update LDAP configuration update with LDAP user Role and group.
268    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}
269
270    # Description of argument(s):
271    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
272    # group_privilege  The group privilege ("Administrator", "Operator", "User" or "Callback").
273    # group_name       The group name of user.
274
275    ${local_role_remote_group}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
276    ${remote_role_mapping}=  Create List  ${local_role_remote_group}
277    ${ldap_data}=  Create Dictionary  RemoteRoleMapping=${remote_role_mapping}
278    ${payload}=  Create Dictionary  ${ldap_type}=${ldap_data}
279    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
280    # Provide adequate time for LDAP daemon to restart after the update.
281    Sleep  10s
282
283
284Get LDAP Privilege
285    [Documentation]  Get LDAP privilege and return it.
286    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
287    [Return]  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}
288
289
290Restore LDAP Privilege
291    [Documentation]  Restore the LDAP privilege to its original value.
292    Return From Keyword If  '${old_ldap_privilege}' == '${EMPTY}'
293    # Log back in to restore the original privilege.
294    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
295    ...  ${old_ldap_privilege}  ${GROUP_NAME}
296