1*** Settings ***
2Documentation    Test Redfish LDAP user configuration.
3
4Library          ../../lib/gen_robot_valid.py
5Resource         ../../lib/resource.robot
6Resource         ../../lib/bmc_redfish_resource.robot
7Resource         ../../lib/openbmc_ffdc.robot
8Library          ../../lib/gen_robot_valid.py
9Resource         ../../lib/bmc_network_utils.robot
10
11Suite Setup      Suite Setup Execution
12Suite Teardown   Run Keywords  Restore LDAP Privilege  AND  Redfish.Logout
13Test Teardown    FFDC On Test Case Fail
14
15Force Tags       LDAP_Test
16
17*** Variables ***
18${old_ldap_privilege}   ${EMPTY}
19&{old_account_service}  &{EMPTY}
20&{old_ldap_config}      &{EMPTY}
21${hostname}             ${EMPTY}
22${test_ip}              10.6.6.6
23${test_mask}            255.255.255.0
24
25** Test Cases **
26
27Verify LDAP Configuration Created
28    [Documentation]  Verify that LDAP configuration created.
29    [Tags]  Verify_LDAP_Configuration_Created
30
31    Create LDAP Configuration
32    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
33    Get LDAP Configuration  ${LDAP_TYPE}
34    Sleep  10s
35    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
36    Redfish.Logout
37    Redfish.Login
38
39
40Verify LDAP Service Disable
41    [Documentation]  Verify that LDAP is disabled and that LDAP user cannot
42    ...  login.
43    [Tags]  Verify_LDAP_Service_Disable
44
45    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
46    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
47    Sleep  15s
48    ${resp}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
49    ...  ${LDAP_USER_PASSWORD}
50    Should Be Equal  ${resp}  ${False}
51    ...  msg=LDAP user was able to login even though the LDAP service was disabled.
52    Redfish.Logout
53    Redfish.Login
54    # Enabling LDAP so that LDAP user works.
55    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
56    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
57    Redfish.Logout
58    Redfish.Login
59
60
61Verify LDAP Login With ServiceEnabled
62    [Documentation]  Verify that LDAP Login with ServiceEnabled.
63    [Tags]  Verify_LDAP_Login_With_ServiceEnabled
64
65    Disable Other LDAP
66    # Actual service enablement.
67    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
68    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
69    Sleep  15s
70    # After update, LDAP login.
71    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
72    Redfish.Logout
73    Redfish.Login
74
75
76Verify LDAP Login With Correct AuthenticationType
77    [Documentation]  Verify that LDAP Login with right AuthenticationType.
78    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType
79
80    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
81    ...  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
82    Sleep  15s
83    # After update, LDAP login.
84    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
85    Redfish.Logout
86    Redfish.Login
87
88
89Verify LDAP Config Update With Incorrect AuthenticationType
90    [Documentation]  Verify that invalid AuthenticationType is not updated.
91    [Tags]  Verify_LDAP_Update_With_Incorrect_AuthenticationType
92
93    ${body}=  Catenate  {'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}
94
95    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
96    ...  body=${body}  valid_status_codes=[400]
97
98
99Verify LDAP Login With Correct LDAP URL
100    [Documentation]  Verify LDAP Login with right LDAP URL.
101    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL
102
103    Config LDAP URL  ${LDAP_SERVER_URI}
104
105
106Verify LDAP Config Update With Incorrect LDAP URL
107    [Documentation]  Verify that LDAP Login fails with invalid LDAP URL.
108    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
109    [Teardown]  Run Keywords  Restore LDAP URL  AND
110    ...  FFDC On Test Case Fail
111
112    Config LDAP URL  ldap://1.2.3.4/  ${FALSE}
113
114Verify LDAP Configuration Exist
115    [Documentation]  Verify that LDAP configuration is available.
116    [Tags]  Verify_LDAP_Configuration_Exist
117
118    ${resp}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
119    ...  ${LDAP_TYPE}  default=${EMPTY}
120    Should Not Be Empty  ${resp}  msg=LDAP configuration is not defined.
121
122
123Verify LDAP User Login
124    [Documentation]  Verify that LDAP user able to login into BMC.
125    [Tags]  Verify_LDAP_User_Login
126
127    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
128    Redfish.Logout
129    Redfish.Login
130
131
132Verify LDAP Service Available
133    [Documentation]  Verify that LDAP service is available.
134    [Tags]  Verify_LDAP_Service_Available
135
136    @{ldap_configuration}=  Get LDAP Configuration  ${LDAP_TYPE}
137    Should Contain  ${ldap_configuration}  LDAPService
138    ...  msg=LDAPService is not available.
139
140
141Verify LDAP Login Works After BMC Reboot
142    [Documentation]  Verify that LDAP login works after BMC reboot.
143    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot
144
145    Redfish OBMC Reboot (off)
146    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
147    Redfish.Logout
148    Redfish.Login
149
150
151Verify LDAP User With Admin Privilege Able To Do BMC Reboot
152    [Documentation]  Verify that LDAP user with administrator privilege able to do BMC reboot.
153    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot
154
155
156    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
157    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
158    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
159    # With LDAP user and with right privilege trying to do BMC reboot.
160    Redfish OBMC Reboot (off)
161    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
162    Redfish.Logout
163    Redfish.Login
164
165
166Verify LDAP User With Operator Privilege Able To Do Host Poweroff
167    [Documentation]  Verify that LDAP user with operator privilege can do host
168    ...  power off.
169    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
170    [Teardown]  Restore LDAP Privilege
171
172    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
173    ...  Operator  ${GROUP_NAME}
174
175    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
176    # Verify that the LDAP user with operator privilege is able to power the system off.
177    Redfish.Post  ${REDFISH_POWER_URI}
178    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[200]
179    Redfish.Logout
180    Redfish.Login
181
182
183Verify AccountLockout Attributes Set To Zero
184    [Documentation]  Verify that attribute AccountLockoutDuration and
185    ...  AccountLockoutThreshold are set to 0.
186    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
187    ...  FFDC On Test Case Fail
188    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero
189
190    ${old_account_service}=  Redfish.Get Properties
191    ...  ${REDFISH_BASE_URI}AccountService
192    Rprint Vars  old_account_service
193    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
194    ...  body=[('AccountLockoutDuration', 0)]
195    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
196    ...  body=[('AccountLockoutThreshold', 0)]
197
198
199Verify LDAP User With Read Privilege Able To Check Inventory
200    [Documentation]  Verify that LDAP user with read privilege able to
201    ...  read firmware inventory.
202    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
203    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
204    [Template]  Set Read Privilege And Check Firmware Inventory
205
206    ReadOnly
207
208
209Verify LDAP User With Read Privilege Should Not Do Host Poweron
210    [Documentation]  Verify that LDAP user with read privilege should not be
211    ...  allowed to power on the host.
212    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
213    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
214    [Template]  Set Read Privilege And Check Poweron
215
216    ReadOnly
217
218
219Update LDAP Group Name And Verify Operations
220    [Documentation]  Verify that LDAP group name update and able to do right
221    ...  operations.
222    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
223    [Template]  Update LDAP Config And Verify Set Host Name
224    [Teardown]  Restore LDAP Privilege
225
226    # group_name             group_privilege  valid_status_codes
227    ${GROUP_NAME}            Administrator    [${HTTP_OK}, ${HTTP_NO_CONTENT}]
228    ${GROUP_NAME}            Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
229    ${GROUP_NAME}            ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
230    ${GROUP_NAME}            NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
231    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
232    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
233    Invalid_LDAP_Group_Name  ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
234    Invalid_LDAP_Group_Name  NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
235
236
237Verify LDAP BaseDN Update And LDAP Login
238    [Documentation]  Update LDAP BaseDN of LDAP configuration and verify
239    ...  that LDAP login works.
240    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login
241
242
243    ${body}=  Catenate  {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings':
244    ...   {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}}
245    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
246    Sleep  15s
247    Redfish Verify LDAP Login
248
249
250Verify LDAP BindDN Update And LDAP Login
251    [Documentation]  Update LDAP BindDN of LDAP configuration and verify
252    ...  that LDAP login works.
253    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login
254
255    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
256    ...   {'AuthenticationType':'UsernameAndPassword', 'Username':
257    ...  '${LDAP_BIND_DN}'}}}
258    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
259    Sleep  15s
260    Redfish Verify LDAP Login
261
262
263Verify LDAP BindDN Password Update And LDAP Login
264    [Documentation]  Update LDAP BindDN password of LDAP configuration and
265    ...  verify that LDAP login works.
266    [Tags]  Verify_LDAP_BindDN_Passsword_Update_And_LDAP_Login
267
268
269    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
270    ...   {'AuthenticationType':'UsernameAndPassword', 'Password':
271    ...  '${LDAP_BIND_DN_PASSWORD}'}}}
272    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
273    Sleep  15s
274    Redfish Verify LDAP Login
275
276
277Verify LDAP Type Update And LDAP Login
278    [Documentation]  Update LDAP type of LDAP configuration and verify
279    ...  that LDAP login works.
280    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login
281
282    Disable Other LDAP
283    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
284    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
285    Sleep  15s
286    Redfish Verify LDAP Login
287
288
289Verify Authorization With Null Privilege
290    [Documentation]  Verify the failure of LDAP authorization with empty
291    ...  privilege.
292    [Tags]  Verify_LDAP_Authorization_With_Null_Privilege
293    [Teardown]  Restore LDAP Privilege
294
295    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}  ${EMPTY}
296    ...  [${HTTP_FORBIDDEN}]
297
298
299Verify Authorization With Invalid Privilege
300    [Documentation]  Verify that LDAP user authorization with wrong privilege
301    ...  fails.
302    [Tags]  Verify_LDAP_Authorization_With_Invalid_Privilege
303    [Teardown]  Restore LDAP Privilege
304
305    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}
306    ...  Invalid_Privilege  [${HTTP_FORBIDDEN}]
307
308
309Verify LDAP Login With Invalid Data
310    [Documentation]  Verify that LDAP login with Invalid LDAP data and
311    ...  right LDAP user fails.
312    [Tags]  Verify_LDAP_Login_With_Invalid_Data
313    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
314    ...  Create LDAP Configuration
315
316    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
317    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD
318    ...  Invalid_LDAP_BASE_DN
319    Sleep  15s
320    Redfish Verify LDAP Login  ${False}
321
322
323Verify LDAP Config Creation Without BASE_DN
324    [Documentation]  Verify that LDAP login with LDAP configuration
325    ...  created without BASE_DN fails.
326    [Tags]  Verify_LDAP_Config_Creation_Without_BASE_DN
327    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
328    ...  Create LDAP Configuration
329
330    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
331    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD  ${EMPTY}
332    Sleep  15s
333    Redfish Verify LDAP Login  ${False}
334
335
336Verify LDAP Authentication Without Password
337    [Documentation]  Verify that LDAP user authentication without LDAP
338    ...  user password fails.
339    [Tags]  Verify_LDAP_Authentication_Without_Password
340    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
341
342    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
343    Valid Value  status  [${False}]
344
345
346Verify LDAP Login With Invalid BASE_DN
347    [Documentation]  Verify that LDAP login with invalid BASE_DN and
348    ...  valid LDAP user fails.
349    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN
350    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
351    ...  Create LDAP Configuration
352
353    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
354    ...  ${LDAP_BIND_DN}  ${LDAP_BIND_DN_PASSWORD}  Invalid_LDAP_BASE_DN
355    Sleep  15s
356    Redfish Verify LDAP Login  ${False}
357
358
359Verify LDAP Login With Invalid BIND_DN_PASSWORD
360    [Documentation]  Verify that LDAP login with invalid BIND_DN_PASSWORD and
361    ...  valid LDAP user fails.
362    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD
363    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
364    ...  Create LDAP Configuration
365
366    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
367    ...  ${LDAP_BIND_DN}  INVALID_LDAP_BIND_DN_PASSWORD  ${LDAP_BASE_DN}
368    Sleep  15s
369    Redfish Verify LDAP Login  ${False}
370
371
372Verify LDAP Login With Invalid BASE_DN And Invalid BIND_DN
373    [Documentation]  Verify that LDAP login with invalid BASE_DN and invalid
374    ...  BIND_DN and valid LDAP user fails.
375    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN
376    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
377    ...  Create LDAP Configuration
378
379    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
380    ...  INVALID_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  INVALID_LDAP_BASE_DN
381    Sleep  15s
382    Redfish Verify LDAP Login  ${False}
383
384
385Verify Group Name And Group Privilege Able To Modify
386    [Documentation]  Verify that LDAP group name and group privilege able to
387    ...  modify.
388    [Tags]  Verify_Group_Name_And_Group_Privilege_Able_To_Modify
389    [Setup]  Update LDAP Configuration with LDAP User Role And Group
390    ...  ${LDAP_TYPE}  Operator  ${GROUP_NAME}
391
392    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
393    ...  Administrator  ${GROUP_NAME}
394
395
396Verify LDAP Login With Invalid BIND_DN
397    [Documentation]  Verify that LDAP login with invalid BIND_DN and
398    ...  valid LDAP user fails.
399    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN
400    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
401    ...  Create LDAP Configuration
402
403    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
404    ...  Invalid_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  ${LDAP_BASE_DN}
405    Sleep  15s
406    Redfish Verify LDAP Login  ${False}
407
408
409Verify LDAP Authentication With Invalid LDAP User
410    [Documentation]  Verify that LDAP user authentication for user not exist
411    ...  in LDAP server and fails.
412    [Tags]  Verify_LDAP_Authentication_With_Invalid_LDAP_User
413    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
414
415    ${status}=  Run Keyword And Return Status  Redfish.Login  INVALID_LDAP_USER
416    ...  ${LDAP_USER_PASSWORD}
417    Valid Value  status  [${False}]
418
419
420Update LDAP User Roles And Verify Host Poweroff Operation
421    [Documentation]  Update LDAP user roles and verify host poweroff operation.
422    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation
423    [Teardown]  Restore LDAP Privilege
424
425    [Template]  Update LDAP User Role And Host Poweroff
426    # ldap_type   group_privilege  group_name     valid_status_codes
427
428    # Verify LDAP user with NoAccess privilege not able to do host poweroff.
429    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
430
431    # Verify LDAP user with ReadOnly privilege not able to do host poweroff.
432    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
433
434    # Verify LDAP user with Operator privilege able to do host poweroff.
435    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
436
437    # Verify LDAP user with Administrator privilege able to do host poweroff.
438    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
439
440
441Update LDAP User Roles And Verify Host Poweron Operation
442    [Documentation]  Update LDAP user roles and verify host poweron operation.
443    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation
444    [Teardown]  Restore LDAP Privilege
445
446    [Template]  Update LDAP User Role And Host Poweron
447    # ldap_type   group_privilege  group_name     valid_status_codes
448
449    # Verify LDAP user with NoAccess privilege not able to do host poweron.
450    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
451
452    # Verify LDAP user with ReadOnly privilege not able to do host poweron.
453    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
454
455    # Verify LDAP user with Operator privilege able to do host poweron.
456    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
457
458    # Verify LDAP user with Administrator privilege able to do host poweron.
459    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
460
461
462Configure IP Address Via Different User Roles And Verify
463    [Documentation]  Configure IP address via different user roles and verify.
464    [Tags]  Configure_IP_Address_Via_Different_User_Roles_And_Verify
465    [Teardown]  Restore LDAP Privilege
466
467    [Template]  Update LDAP User Role And Configure IP Address
468    # Verify LDAP user with Administrator privilege is able to configure IP address.
469    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
470
471    # Verify LDAP user with ReadOnly privilege is forbidden to configure IP address.
472    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
473
474    # Verify LDAP user with NoAccess privilege is forbidden to configure IP address.
475    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
476
477    # Verify LDAP user with Operator privilege is able to configure IP address.
478    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
479
480
481Delete IP Address Via Different User Roles And Verify
482    [Documentation]  Delete IP address via different user roles and verify.
483    [Tags]  Delete_IP_Address_Via_Different_User_Roles_And_Verify
484    [Teardown]  Run Keywords  Restore LDAP Privilege  AND  FFDC On Test Case Fail
485
486    [Template]  Update LDAP User Role And Delete IP Address
487    # Verify LDAP user with Administrator privilege is able to delete IP address.
488    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
489
490    # Verify LDAP user with ReadOnly privilege is forbidden to delete IP address.
491    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
492
493    # Verify LDAP user with NoAccess privilege is forbidden to delete IP address.
494    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
495
496    # Verify LDAP user with Operator privilege is able to delete IP address.
497    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
498
499
500Read Network Configuration Via Different User Roles And Verify
501    [Documentation]  Read network configuration via different user roles and verify.
502    [Tags]  Read_Network_configuration_Via_Different_User_Roles_And_Verify
503    [Teardown]  Restore LDAP Privilege
504
505    [Template]  Update LDAP User Role And Read Network Configuration
506    ${LDAP_TYPE}  Administrator  ${GROUP_NAME}  ${HTTP_OK}
507
508    ${LDAP_TYPE}  ReadOnly       ${GROUP_NAME}  ${HTTP_OK}
509
510    ${LDAP_TYPE}  NoAccess       ${GROUP_NAME}  ${HTTP_FORBIDDEN}
511
512    ${LDAP_TYPE}  Operator       ${GROUP_NAME}  ${HTTP_OK}
513
514
515*** Keywords ***
516
517Redfish Verify LDAP Login
518    [Documentation]  LDAP user log into BMC.
519    [Arguments]  ${valid_status}=${True}
520
521    # Description of argument(s):
522    # valid_status  Expected status of LDAP login ("True" or "False").
523
524    # According to our repo coding rules, Redfish.Login is to be done in Suite
525    # Setup and Redfish.Logout is to be done in Suite Teardown.  For any
526    # deviation from this rule (such as in this keyword), the deviant code
527    # must take steps to restore us to our original logged-in state.
528
529    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
530    ...  ${LDAP_USER_PASSWORD}
531    Valid Value  status  [${valid_status}]
532    Redfish.Logout
533    Redfish.Login
534
535
536Update LDAP Config And Verify Set Host Name
537    [Documentation]  Update LDAP config and verify by attempting to set host name.
538    [Arguments]  ${group_name}  ${group_privilege}=Administrator
539    ...  ${valid_status_codes}=[${HTTP_OK}]
540
541    # Description of argument(s):
542    # group_name                    The group name of user.
543    # group_privilege               The group privilege ("Administrator",
544    #                               "Operator", "User" or "Callback").
545    # valid_status_codes            Expected return code(s) from patch
546    #                               operation (e.g. "200") used to update
547    #                               HostName.  See prolog of rest_request
548    #                               method in redfish_plut.py for details.
549    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
550    ...  ${group_privilege}  ${group_name}
551    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
552    # Verify that the LDAP user in ${group_name} with the given privilege is
553    # allowed to change the hostname.
554    Redfish.Patch  ${REDFISH_NW_PROTOCOL_URI}  body={'HostName': '${hostname}'}
555    ...  valid_status_codes=${valid_status_codes}
556    Redfish.Logout
557    Redfish.Login
558
559
560Disable Other LDAP
561    [Documentation]  Disable other LDAP configuration.
562
563    # First disable other LDAP.
564    ${inverse_ldap_type}=  Set Variable If  '${LDAP_TYPE}' == 'LDAP'  ActiveDirectory  LDAP
565    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
566    ...  body={'${inverse_ldap_type}': {'ServiceEnabled': ${False}}}
567    Sleep  15s
568
569
570Create LDAP Configuration
571    [Documentation]  Create LDAP configuration.
572    [Arguments]  ${ldap_type}=${LDAP_TYPE}  ${ldap_server_uri}=${LDAP_SERVER_URI}
573    ...  ${ldap_bind_dn}=${LDAP_BIND_DN}  ${ldap_bind_dn_password}=${LDAP_BIND_DN_PASSWORD}
574    ...  ${ldap_base_dn}=${LDAP_BASE_DN}
575
576    # Description of argument(s):
577    # ldap_type              The LDAP type ("ActiveDirectory" or "LDAP").
578    # ldap_server_uri        LDAP server uri (e.g. ldap://XX.XX.XX.XX).
579    # ldap_bind_dn           The LDAP bind distinguished name.
580    # ldap_bind_dn_password  The LDAP bind distinguished name password.
581    # ldap_base_dn           The LDAP base distinguished name.
582
583    ${body}=  Catenate  {'${ldap_type}':
584    ...  {'ServiceEnabled': ${True},
585    ...   'ServiceAddresses': ['${ldap_server_uri}'],
586    ...   'Authentication':
587    ...       {'AuthenticationType': 'UsernameAndPassword',
588    ...        'Username':'${ldap_bind_dn}',
589    ...        'Password': '${ldap_bind_dn_password}'},
590    ...   'LDAPService':
591    ...       {'SearchSettings':
592    ...           {'BaseDistinguishedNames': ['${ldap_base_dn}']}}}}
593
594    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
595    Sleep  15s
596
597
598Config LDAP URL
599    [Documentation]  Config LDAP URL.
600    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}  ${expected_status}=${TRUE}
601
602    # Description of argument(s):
603    # ldap_server_uri LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").
604
605    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
606    ...  body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}}
607    Sleep  15s
608    # After update, LDAP login.
609    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
610    Valid Value  status  [${expected_status}]
611
612    Redfish.Logout
613    Redfish.Login
614
615
616Restore LDAP URL
617    [Documentation]  Restore LDAP URL.
618
619    # Restoring the working LDAP server uri.
620    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
621    ...  body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
622    Sleep  15s
623
624
625Restore AccountLockout Attributes
626    [Documentation]  Restore AccountLockout Attributes.
627
628    Return From Keyword If  &{old_account_service} == &{EMPTY}
629    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
630    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
631    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
632    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutThreshold']})]
633
634
635Suite Setup Execution
636    [Documentation]  Do suite setup tasks.
637
638    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
639    Valid Value  LDAP_USER
640    Valid Value  LDAP_USER_PASSWORD
641    Valid Value  GROUP_PRIVILEGE
642    Valid Value  GROUP_NAME
643    Valid Value  LDAP_SERVER_URI
644    Valid Value  LDAP_BIND_DN_PASSWORD
645    Valid Value  LDAP_BIND_DN
646    Valid Value  LDAP_BASE_DN
647
648    Redfish.Login
649    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
650    Get LDAP Configuration  ${LDAP_TYPE}
651    ${old_ldap_privilege}=  Get LDAP Privilege
652    Set Suite Variable  ${old_ldap_privilege}
653    Disable Other LDAP
654    Create LDAP Configuration
655    ${hostname}=  Redfish.Get Attribute  ${REDFISH_NW_PROTOCOL_URI}  HostName
656
657
658Set Read Privilege And Check Firmware Inventory
659    [Documentation]  Set read privilege and check firmware inventory.
660    [Arguments]  ${read_privilege}
661
662    # Description of argument(s):
663    # read_privilege  The read privilege role (e.g. "User" / "Callback").
664
665    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
666    ...  ${read_privilege}  ${GROUP_NAME}
667
668    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
669    # Verify that the LDAP user with read privilege is able to read inventory.
670    ${resp}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
671    Should Be True  ${resp.dict["Members@odata.count"]} >= ${1}
672    Length Should Be  ${resp.dict["Members"]}  ${resp.dict["Members@odata.count"]}
673    Redfish.Logout
674    Redfish.Login
675
676
677Set Read Privilege And Check Poweron
678    [Documentation]  Set read privilege and power on should not be possible.
679    [Arguments]  ${read_privilege}
680
681    # Description of argument(s):
682    # read_privilege  The read privilege role (e.g. "User" / "Callback").
683
684    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
685    ...  ${read_privilege}  ${GROUP_NAME}
686    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
687    Redfish.Post  ${REDFISH_POWER_URI}
688    ...  body={'ResetType': 'On'}   valid_status_codes=[401, 403]
689    Redfish.Logout
690    Redfish.Login
691
692
693Get LDAP Configuration
694    [Documentation]  Retrieve LDAP Configuration.
695    [Arguments]   ${ldap_type}
696
697    # Description of argument(s):
698    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").
699
700    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
701    [Return]  ${ldap_config["${ldap_type}"]}
702
703
704Update LDAP Configuration with LDAP User Role And Group
705    [Documentation]  Update LDAP configuration update with LDAP user Role and group.
706    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}
707
708    # Description of argument(s):
709    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
710    # group_privilege  The group privilege ("Administrator", "Operator", "User" or "Callback").
711    # group_name       The group name of user.
712
713    ${local_role_remote_group}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
714    ${remote_role_mapping}=  Create List  ${local_role_remote_group}
715    ${ldap_data}=  Create Dictionary  RemoteRoleMapping=${remote_role_mapping}
716    ${payload}=  Create Dictionary  ${ldap_type}=${ldap_data}
717    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
718    # Provide adequate time for LDAP daemon to restart after the update.
719    Sleep  15s
720
721
722Get LDAP Privilege
723    [Documentation]  Get LDAP privilege and return it.
724
725    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
726    ${num_list_entries}=  Get Length  ${ldap_config["RemoteRoleMapping"]}
727    Return From Keyword If  ${num_list_entries} == ${0}  @{EMPTY}
728
729    [Return]  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}
730
731
732Restore LDAP Privilege
733    [Documentation]  Restore the LDAP privilege to its original value.
734
735    Return From Keyword If  '${old_ldap_privilege}' == '${EMPTY}' or '${old_ldap_privilege}' == '[]'
736    # Log back in to restore the original privilege.
737    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
738    ...  ${old_ldap_privilege}  ${GROUP_NAME}
739
740    Sleep  18s
741
742
743Update LDAP User Role And Host Poweroff
744    [Documentation]  Update LDAP user role and do host poweroff.
745    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
746    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
747
748    # Description of argument(s):
749    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
750    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
751    # group_name         The group name of user.
752    # valid_status_code  The expected valid status code.
753
754    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
755    ...  ${group_privilege}  ${group_name}
756
757    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
758
759    Redfish.Post  ${REDFISH_POWER_URI}
760    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[${valid_status_code}]
761
762
763Update LDAP User Role And Host Poweron
764    [Documentation]  Update LDAP user role and do host poweron.
765    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
766    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
767
768    # Description of argument(s):
769    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
770    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
771    # group_name         The group name of user.
772    # valid_status_code  The expected valid status code.
773
774    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
775    ...  ${group_privilege}  ${group_name}
776
777    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
778
779    Redfish.Post  ${REDFISH_POWER_URI}
780    ...  body={'ResetType': 'On'}   valid_status_codes=[${valid_status_code}]
781
782
783Update LDAP User Role And Configure IP Address
784    [Documentation]  Update LDAP user role and configure IP address.
785    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
786    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}
787
788    # Description of argument(s):
789    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
790    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
791    # group_name         The group name of user.
792    # valid_status_code  The expected valid status code.
793
794    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
795    ...  ${group_privilege}  ${group_name}
796
797    Redfish.Logout
798
799    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
800
801    ${test_gateway}=  Get BMC Default Gateway
802
803    Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}
804
805
806Update LDAP User Role And Delete IP Address
807    [Documentation]  Update LDAP user role and delete IP address.
808    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
809    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}
810
811    # Description of argument(s):
812    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
813    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
814    # group_name         The group name of user.
815    # valid_status_code  The expected valid status code.
816
817    ${test_gateway}=  Get BMC Default Gateway
818
819    # Configure IP address before deleting via LDAP user roles.
820    Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}
821
822    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
823    ...  ${group_privilege}  ${group_name}
824
825    Redfish.Logout
826
827    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
828
829    Delete IP Address  ${test_ip}  ${valid_status_code}
830
831
832Update LDAP User Role And Read Network Configuration
833    [Documentation]  Update LDAP user role and read network configuration.
834    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
835    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
836
837    # Description of argument(s):
838    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
839    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
840    # group_name         The group name of user.
841    # valid_status_code  The expected valid status code.
842
843    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
844    ...  ${group_privilege}  ${group_name}
845
846    Redfish.Logout
847
848    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
849    Redfish.Get  ${REDFISH_NW_ETH0_URI}  valid_status_codes=[${valid_status_code}]
850
851