1*** Settings *** 2Documentation Test Redfish LDAP user configuration. 3 4Library ../../lib/gen_robot_valid.py 5Resource ../../lib/resource.robot 6Resource ../../lib/bmc_redfish_resource.robot 7Resource ../../lib/openbmc_ffdc.robot 8Library ../../lib/gen_robot_valid.py 9Resource ../../lib/bmc_network_utils.robot 10Resource ../../lib/bmc_ldap_utils.robot 11 12Suite Setup Suite Setup Execution 13Suite Teardown Run Keywords Restore LDAP Privilege AND Redfish.Logout 14Test Teardown FFDC On Test Case Fail 15 16Force Tags LDAP_Test 17 18*** Variables *** 19${old_ldap_privilege} ${EMPTY} 20&{old_account_service} &{EMPTY} 21&{old_ldap_config} &{EMPTY} 22${hostname} ${EMPTY} 23${test_ip} 10.6.6.6 24${test_mask} 255.255.255.0 25 26** Test Cases ** 27 28Verify LDAP Configuration Created 29 [Documentation] Verify that LDAP configuration created. 30 [Tags] Verify_LDAP_Configuration_Created 31 32 Create LDAP Configuration 33 # Call 'Get LDAP Configuration' to verify that LDAP configuration exists. 34 Get LDAP Configuration ${LDAP_TYPE} 35 Sleep 10s 36 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 37 Redfish.Logout 38 Redfish.Login 39 40 41Verify LDAP Service Disable 42 [Documentation] Verify that LDAP is disabled and that LDAP user cannot 43 ... login. 44 [Tags] Verify_LDAP_Service_Disable 45 46 Redfish.Patch ${REDFISH_BASE_URI}AccountService 47 ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}} 48 Sleep 15s 49 ${resp}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} 50 ... ${LDAP_USER_PASSWORD} 51 Should Be Equal ${resp} ${False} 52 ... msg=LDAP user was able to login even though the LDAP service was disabled. 53 Redfish.Logout 54 Redfish.Login 55 # Enabling LDAP so that LDAP user works. 56 Redfish.Patch ${REDFISH_BASE_URI}AccountService 57 ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}} 58 Redfish.Logout 59 Redfish.Login 60 61 62Verify LDAP Login With ServiceEnabled 63 [Documentation] Verify that LDAP Login with ServiceEnabled. 64 [Tags] Verify_LDAP_Login_With_ServiceEnabled 65 66 Disable Other LDAP 67 # Actual service enablement. 68 Redfish.Patch ${REDFISH_BASE_URI}AccountService 69 ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}} 70 Sleep 15s 71 # After update, LDAP login. 72 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 73 Redfish.Logout 74 Redfish.Login 75 76 77Verify LDAP Login With Correct AuthenticationType 78 [Documentation] Verify that LDAP Login with right AuthenticationType. 79 [Tags] Verify_LDAP_Login_With_Correct_AuthenticationType 80 81 Redfish.Patch ${REDFISH_BASE_URI}AccountService 82 ... body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}} 83 Sleep 15s 84 # After update, LDAP login. 85 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 86 Redfish.Logout 87 Redfish.Login 88 89 90Verify LDAP Config Update With Incorrect AuthenticationType 91 [Documentation] Verify that invalid AuthenticationType is not updated. 92 [Tags] Verify_LDAP_Config_Update_With_Incorrect_AuthenticationType 93 94 ${body}= Catenate {'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}} 95 96 Redfish.Patch ${REDFISH_BASE_URI}AccountService 97 ... body=${body} valid_status_codes=[400] 98 99 100Verify LDAP Login With Correct LDAP URL 101 [Documentation] Verify LDAP Login with right LDAP URL. 102 [Tags] Verify_LDAP_Login_With_Correct_LDAP_URL 103 104 Config LDAP URL ${LDAP_SERVER_URI} 105 106 107Verify LDAP Config Update With Incorrect LDAP URL 108 [Documentation] Verify that LDAP Login fails with invalid LDAP URL. 109 [Tags] Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL 110 [Teardown] Run Keywords Restore LDAP URL AND 111 ... FFDC On Test Case Fail 112 113 Config LDAP URL ldap://1.2.3.4/ ${FALSE} 114 115Verify LDAP Configuration Exist 116 [Documentation] Verify that LDAP configuration is available. 117 [Tags] Verify_LDAP_Configuration_Exist 118 119 ${resp}= Redfish.Get Attribute ${REDFISH_BASE_URI}AccountService 120 ... ${LDAP_TYPE} default=${EMPTY} 121 Should Not Be Empty ${resp} msg=LDAP configuration is not defined. 122 123 124Verify LDAP User Login 125 [Documentation] Verify that LDAP user able to login into BMC. 126 [Tags] Verify_LDAP_User_Login 127 128 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 129 Redfish.Logout 130 Redfish.Login 131 132 133Verify LDAP Service Available 134 [Documentation] Verify that LDAP service is available. 135 [Tags] Verify_LDAP_Service_Available 136 137 @{ldap_configuration}= Get LDAP Configuration ${LDAP_TYPE} 138 Should Contain ${ldap_configuration} LDAPService 139 ... msg=LDAPService is not available. 140 141 142Verify LDAP Login Works After BMC Reboot 143 [Documentation] Verify that LDAP login works after BMC reboot. 144 [Tags] Verify_LDAP_Login_Works_After_BMC_Reboot 145 146 Redfish OBMC Reboot (off) 147 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 148 Redfish.Logout 149 Redfish.Login 150 151 152Verify LDAP User With Admin Privilege Able To Do BMC Reboot 153 [Documentation] Verify that LDAP user with administrator privilege able to do BMC reboot. 154 [Tags] Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot 155 156 157 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 158 ... ${GROUP_PRIVILEGE} ${GROUP_NAME} 159 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 160 # With LDAP user and with right privilege trying to do BMC reboot. 161 Redfish OBMC Reboot (off) 162 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 163 Redfish.Logout 164 Redfish.Login 165 166 167Verify LDAP User With Operator Privilege Able To Do Host Poweroff 168 [Documentation] Verify that LDAP user with operator privilege can do host 169 ... power off. 170 [Tags] Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff 171 [Teardown] Restore LDAP Privilege 172 173 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 174 ... Operator ${GROUP_NAME} 175 176 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 177 # Verify that the LDAP user with operator privilege is able to power the system off. 178 Redfish.Post ${REDFISH_POWER_URI} 179 ... body={'ResetType': 'ForceOff'} valid_status_codes=[200] 180 Redfish.Logout 181 Redfish.Login 182 183 184Verify AccountLockout Attributes Set To Zero By LDAP User 185 [Documentation] Verify that attribute AccountLockoutDuration and 186 ... AccountLockoutThreshold are set to 0 by LDAP user. 187 [Teardown] Run Keywords Restore AccountLockout Attributes AND 188 ... FFDC On Test Case Fail 189 [Tags] Verify_AccountLockout_Attributes_Set_To_Zero_By_LDAP_User 190 191 ${old_account_service}= Redfish.Get Properties 192 ... ${REDFISH_BASE_URI}AccountService 193 Rprint Vars old_account_service 194 195 # Create LDAP user and create session using LDAP user. 196 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 197 ... Administrator ${GROUP_NAME} 198 199 # Clear existing Redfish sessions. 200 Redfish.Logout 201 202 # Login using LDAP user. 203 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 204 205 # Set Account Lockout attributes using LDAP user. 206 Redfish.Patch ${REDFISH_BASE_URI}AccountService 207 ... body=[('AccountLockoutDuration', 0)] 208 Redfish.Patch ${REDFISH_BASE_URI}AccountService 209 ... body=[('AccountLockoutThreshold', 0)] 210 211 212Verify LDAP User With Read Privilege Able To Check Inventory 213 [Documentation] Verify that LDAP user with read privilege able to 214 ... read firmware inventory. 215 [Tags] Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory 216 [Teardown] Run Keywords FFDC On Test Case Fail AND Restore LDAP Privilege 217 [Template] Set Read Privilege And Check Firmware Inventory 218 219 ReadOnly 220 221 222Verify LDAP User With Read Privilege Should Not Do Host Poweron 223 [Documentation] Verify that LDAP user with read privilege should not be 224 ... allowed to power on the host. 225 [Tags] Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron 226 [Teardown] Run Keywords FFDC On Test Case Fail AND Restore LDAP Privilege 227 [Template] Set Read Privilege And Check Poweron 228 229 ReadOnly 230 231 232Update LDAP Group Name And Verify Operations 233 [Documentation] Verify that LDAP group name update and able to do right 234 ... operations. 235 [Tags] Update_LDAP_Group_Name_And_Verify_Operations 236 [Template] Update LDAP Config And Verify Set Host Name 237 [Teardown] Restore LDAP Privilege 238 239 # group_name group_privilege valid_status_codes 240 ${GROUP_NAME} Administrator [${HTTP_OK}, ${HTTP_NO_CONTENT}] 241 ${GROUP_NAME} Operator [${HTTP_OK}, ${HTTP_NO_CONTENT}] 242 ${GROUP_NAME} ReadOnly [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 243 ${GROUP_NAME} NoAccess [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 244 Invalid_LDAP_Group_Name Administrator [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 245 Invalid_LDAP_Group_Name Operator [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 246 Invalid_LDAP_Group_Name ReadOnly [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 247 Invalid_LDAP_Group_Name NoAccess [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}] 248 249 250Verify LDAP BaseDN Update And LDAP Login 251 [Documentation] Update LDAP BaseDN of LDAP configuration and verify 252 ... that LDAP login works. 253 [Tags] Verify_LDAP_BaseDN_Update_And_LDAP_Login 254 255 256 ${body}= Catenate {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings': 257 ... {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}} 258 Redfish.Patch ${REDFISH_BASE_URI}AccountService body=${body} 259 Sleep 15s 260 Redfish Verify LDAP Login 261 262 263Verify LDAP BindDN Update And LDAP Login 264 [Documentation] Update LDAP BindDN of LDAP configuration and verify 265 ... that LDAP login works. 266 [Tags] Verify_LDAP_BindDN_Update_And_LDAP_Login 267 268 ${body}= Catenate {'${LDAP_TYPE}': { 'Authentication': 269 ... {'AuthenticationType':'UsernameAndPassword', 'Username': 270 ... '${LDAP_BIND_DN}'}}} 271 Redfish.Patch ${REDFISH_BASE_URI}AccountService body=${body} 272 Sleep 15s 273 Redfish Verify LDAP Login 274 275 276Verify LDAP BindDN Password Update And LDAP Login 277 [Documentation] Update LDAP BindDN password of LDAP configuration and 278 ... verify that LDAP login works. 279 [Tags] Verify_LDAP_BindDN_Password_Update_And_LDAP_Login 280 281 282 ${body}= Catenate {'${LDAP_TYPE}': { 'Authentication': 283 ... {'AuthenticationType':'UsernameAndPassword', 'Password': 284 ... '${LDAP_BIND_DN_PASSWORD}'}}} 285 Redfish.Patch ${REDFISH_BASE_URI}AccountService body=${body} 286 Sleep 15s 287 Redfish Verify LDAP Login 288 289 290Verify LDAP Type Update And LDAP Login 291 [Documentation] Update LDAP type of LDAP configuration and verify 292 ... that LDAP login works. 293 [Tags] Verify_LDAP_Type_Update_And_LDAP_Login 294 295 Disable Other LDAP 296 Redfish.Patch ${REDFISH_BASE_URI}AccountService 297 ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}} 298 Sleep 15s 299 Redfish Verify LDAP Login 300 301 302Verify LDAP Authorization With Null Privilege 303 [Documentation] Verify the failure of LDAP authorization with empty 304 ... privilege. 305 [Tags] Verify_LDAP_Authorization_With_Null_Privilege 306 [Teardown] Restore LDAP Privilege 307 308 Update LDAP Config And Verify Set Host Name ${GROUP_NAME} ${EMPTY} 309 ... [${HTTP_FORBIDDEN}] 310 311 312Verify LDAP Authorization With Invalid Privilege 313 [Documentation] Verify that LDAP user authorization with wrong privilege 314 ... fails. 315 [Tags] Verify_LDAP_Authorization_With_Invalid_Privilege 316 [Teardown] Restore LDAP Privilege 317 318 Update LDAP Config And Verify Set Host Name ${GROUP_NAME} 319 ... Invalid_Privilege [${HTTP_FORBIDDEN}] 320 321 322Verify LDAP Login With Invalid Data 323 [Documentation] Verify that LDAP login with Invalid LDAP data and 324 ... right LDAP user fails. 325 [Tags] Verify_LDAP_Login_With_Invalid_Data 326 [Teardown] Run Keywords FFDC On Test Case Fail AND 327 ... Create LDAP Configuration 328 329 Create LDAP Configuration ${LDAP_TYPE} Invalid_LDAP_Server_URI 330 ... Invalid_LDAP_BIND_DN LDAP_BIND_DN_PASSWORD 331 ... Invalid_LDAP_BASE_DN 332 Sleep 15s 333 Redfish Verify LDAP Login ${False} 334 335 336Verify LDAP Config Creation Without BASE_DN 337 [Documentation] Verify that LDAP login with LDAP configuration 338 ... created without BASE_DN fails. 339 [Tags] Verify_LDAP_Config_Creation_Without_BASE_DN 340 [Teardown] Run Keywords FFDC On Test Case Fail AND 341 ... Create LDAP Configuration 342 343 Create LDAP Configuration ${LDAP_TYPE} Invalid_LDAP_Server_URI 344 ... Invalid_LDAP_BIND_DN LDAP_BIND_DN_PASSWORD ${EMPTY} 345 Sleep 15s 346 Redfish Verify LDAP Login ${False} 347 348 349Verify LDAP Authentication Without Password 350 [Documentation] Verify that LDAP user authentication without LDAP 351 ... user password fails. 352 [Tags] Verify_LDAP_Authentication_Without_Password 353 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 354 355 ${status}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} 356 Valid Value status [${False}] 357 358 359Verify LDAP Login With Invalid BASE_DN 360 [Documentation] Verify that LDAP login with invalid BASE_DN and 361 ... valid LDAP user fails. 362 [Tags] Verify_LDAP_Login_With_Invalid_BASE_DN 363 [Teardown] Run Keywords FFDC On Test Case Fail AND 364 ... Create LDAP Configuration 365 366 Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} 367 ... ${LDAP_BIND_DN} ${LDAP_BIND_DN_PASSWORD} Invalid_LDAP_BASE_DN 368 Sleep 15s 369 Redfish Verify LDAP Login ${False} 370 371 372Verify LDAP Login With Invalid BIND_DN_PASSWORD 373 [Documentation] Verify that LDAP login with invalid BIND_DN_PASSWORD and 374 ... valid LDAP user fails. 375 [Tags] Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD 376 [Teardown] Run Keywords FFDC On Test Case Fail AND 377 ... Create LDAP Configuration 378 379 Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} 380 ... ${LDAP_BIND_DN} INVALID_LDAP_BIND_DN_PASSWORD ${LDAP_BASE_DN} 381 Sleep 15s 382 Redfish Verify LDAP Login ${False} 383 384 385Verify LDAP Login With Invalid BASE_DN And Invalid BIND_DN 386 [Documentation] Verify that LDAP login with invalid BASE_DN and invalid 387 ... BIND_DN and valid LDAP user fails. 388 [Tags] Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN 389 [Teardown] Run Keywords FFDC On Test Case Fail AND 390 ... Create LDAP Configuration 391 392 Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} 393 ... INVALID_LDAP_BIND_DN ${LDAP_BIND_DN_PASSWORD} INVALID_LDAP_BASE_DN 394 Sleep 15s 395 Redfish Verify LDAP Login ${False} 396 397 398Verify Group Name And Group Privilege Able To Modify 399 [Documentation] Verify that LDAP group name and group privilege able to 400 ... modify. 401 [Tags] Verify_Group_Name_And_Group_Privilege_Able_To_Modify 402 [Setup] Update LDAP Configuration with LDAP User Role And Group 403 ... ${LDAP_TYPE} Operator ${GROUP_NAME} 404 405 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 406 ... Administrator ${GROUP_NAME} 407 408 409Verify LDAP Login With Invalid BIND_DN 410 [Documentation] Verify that LDAP login with invalid BIND_DN and 411 ... valid LDAP user fails. 412 [Tags] Verify_LDAP_Login_With_Invalid_BIND_DN 413 [Teardown] Run Keywords FFDC On Test Case Fail AND 414 ... Create LDAP Configuration 415 416 Create LDAP Configuration ${LDAP_TYPE} ${LDAP_SERVER_URI} 417 ... Invalid_LDAP_BIND_DN ${LDAP_BIND_DN_PASSWORD} ${LDAP_BASE_DN} 418 Sleep 15s 419 Redfish Verify LDAP Login ${False} 420 421 422Verify LDAP Authentication With Invalid LDAP User 423 [Documentation] Verify that LDAP user authentication for user not exist 424 ... in LDAP server and fails. 425 [Tags] Verify_LDAP_Authentication_With_Invalid_LDAP_User 426 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 427 428 ${status}= Run Keyword And Return Status Redfish.Login INVALID_LDAP_USER 429 ... ${LDAP_USER_PASSWORD} 430 Valid Value status [${False}] 431 432 433Update LDAP User Roles And Verify Host Poweroff Operation 434 [Documentation] Update LDAP user roles and verify host poweroff operation. 435 [Tags] Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation 436 [Teardown] Restore LDAP Privilege 437 438 [Template] Update LDAP User Role And Host Poweroff 439 # ldap_type group_privilege group_name valid_status_codes 440 441 # Verify LDAP user with NoAccess privilege not able to do host poweroff. 442 ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} 443 444 # Verify LDAP user with ReadOnly privilege not able to do host poweroff. 445 ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} 446 447 # Verify LDAP user with Operator privilege able to do host poweroff. 448 ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_OK} 449 450 # Verify LDAP user with Administrator privilege able to do host poweroff. 451 ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} 452 453 454Update LDAP User Roles And Verify Host Poweron Operation 455 [Documentation] Update LDAP user roles and verify host poweron operation. 456 [Tags] Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation 457 [Teardown] Restore LDAP Privilege 458 459 [Template] Update LDAP User Role And Host Poweron 460 # ldap_type group_privilege group_name valid_status_codes 461 462 # Verify LDAP user with NoAccess privilege not able to do host poweron. 463 ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} 464 465 # Verify LDAP user with ReadOnly privilege not able to do host poweron. 466 ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} 467 468 # Verify LDAP user with Operator privilege able to do host poweron. 469 ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_OK} 470 471 # Verify LDAP user with Administrator privilege able to do host poweron. 472 ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} 473 474 475Configure IP Address Via Different User Roles And Verify 476 [Documentation] Configure IP address via different user roles and verify. 477 [Tags] Configure_IP_Address_Via_Different_User_Roles_And_Verify 478 [Teardown] Restore LDAP Privilege 479 480 [Template] Update LDAP User Role And Configure IP Address 481 # Verify LDAP user with Administrator privilege is able to configure IP address. 482 ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} 483 484 # Verify LDAP user with ReadOnly privilege is forbidden to configure IP address. 485 ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} 486 487 # Verify LDAP user with NoAccess privilege is forbidden to configure IP address. 488 ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} 489 490 # Verify LDAP user with Operator privilege is able to configure IP address. 491 ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_FORBIDDEN} 492 493 494Delete IP Address Via Different User Roles And Verify 495 [Documentation] Delete IP address via different user roles and verify. 496 [Tags] Delete_IP_Address_Via_Different_User_Roles_And_Verify 497 [Teardown] Run Keywords Restore LDAP Privilege AND FFDC On Test Case Fail 498 499 [Template] Update LDAP User Role And Delete IP Address 500 # Verify LDAP user with Administrator privilege is able to delete IP address. 501 ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} 502 503 # Verify LDAP user with ReadOnly privilege is forbidden to delete IP address. 504 ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_FORBIDDEN} 505 506 # Verify LDAP user with NoAccess privilege is forbidden to delete IP address. 507 ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} 508 509 # Verify LDAP user with Operator privilege is able to delete IP address. 510 ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_FORBIDDEN} 511 512 513Read Network Configuration Via Different User Roles And Verify 514 [Documentation] Read network configuration via different user roles and verify. 515 [Tags] Read_Network_Configuration_Via_Different_User_Roles_And_Verify 516 [Teardown] Restore LDAP Privilege 517 518 [Template] Update LDAP User Role And Read Network Configuration 519 ${LDAP_TYPE} Administrator ${GROUP_NAME} ${HTTP_OK} 520 521 ${LDAP_TYPE} ReadOnly ${GROUP_NAME} ${HTTP_OK} 522 523 ${LDAP_TYPE} NoAccess ${GROUP_NAME} ${HTTP_FORBIDDEN} 524 525 ${LDAP_TYPE} Operator ${GROUP_NAME} ${HTTP_OK} 526 527 528*** Keywords *** 529 530Redfish Verify LDAP Login 531 [Documentation] LDAP user log into BMC. 532 [Arguments] ${valid_status}=${True} 533 534 # Description of argument(s): 535 # valid_status Expected status of LDAP login ("True" or "False"). 536 537 # According to our repo coding rules, Redfish.Login is to be done in Suite 538 # Setup and Redfish.Logout is to be done in Suite Teardown. For any 539 # deviation from this rule (such as in this keyword), the deviant code 540 # must take steps to restore us to our original logged-in state. 541 542 ${status}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} 543 ... ${LDAP_USER_PASSWORD} 544 Valid Value status [${valid_status}] 545 Redfish.Logout 546 Redfish.Login 547 548 549Update LDAP Config And Verify Set Host Name 550 [Documentation] Update LDAP config and verify by attempting to set host name. 551 [Arguments] ${group_name} ${group_privilege}=Administrator 552 ... ${valid_status_codes}=[${HTTP_OK}] 553 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 554 555 # Description of argument(s): 556 # group_name The group name of user. 557 # group_privilege The group privilege ("Administrator", 558 # "Operator", "User" or "Callback"). 559 # valid_status_codes Expected return code(s) from patch 560 # operation (e.g. "200") used to update 561 # HostName. See prolog of rest_request 562 # method in redfish_plut.py for details. 563 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 564 ... ${group_privilege} ${group_name} 565 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 566 # Verify that the LDAP user in ${group_name} with the given privilege is 567 # allowed to change the hostname. 568 Redfish.Patch ${REDFISH_NW_ETH0_URI} body={'HostName': '${hostname}'} 569 ... valid_status_codes=${valid_status_codes} 570 571 572Disable Other LDAP 573 [Documentation] Disable other LDAP configuration. 574 575 # First disable other LDAP. 576 ${inverse_ldap_type}= Set Variable If '${LDAP_TYPE}' == 'LDAP' ActiveDirectory LDAP 577 Redfish.Patch ${REDFISH_BASE_URI}AccountService 578 ... body={'${inverse_ldap_type}': {'ServiceEnabled': ${False}}} 579 Sleep 15s 580 581 582Config LDAP URL 583 [Documentation] Config LDAP URL. 584 [Arguments] ${ldap_server_uri}=${LDAP_SERVER_URI} ${expected_status}=${TRUE} 585 586 # Description of argument(s): 587 # ldap_server_uri LDAP server uri (e.g. "ldap://XX.XX.XX.XX/"). 588 589 Redfish.Patch ${REDFISH_BASE_URI}AccountService 590 ... body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}} 591 Sleep 15s 592 # After update, LDAP login. 593 ${status}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 594 Valid Value status [${expected_status}] 595 596 Redfish.Logout 597 Redfish.Login 598 599 600Restore LDAP URL 601 [Documentation] Restore LDAP URL. 602 603 # Restoring the working LDAP server uri. 604 Redfish.Patch ${REDFISH_BASE_URI}AccountService 605 ... body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}} 606 Sleep 15s 607 608 609Restore AccountLockout Attributes 610 [Documentation] Restore AccountLockout Attributes. 611 612 Return From Keyword If &{old_account_service} == &{EMPTY} 613 Redfish.Patch ${REDFISH_BASE_URI}AccountService 614 ... body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})] 615 Redfish.Patch ${REDFISH_BASE_URI}AccountService 616 ... body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutThreshold']})] 617 618 619Suite Setup Execution 620 [Documentation] Do suite setup tasks. 621 622 Valid Value LDAP_TYPE valid_values=["ActiveDirectory", "LDAP"] 623 Valid Value LDAP_USER 624 Valid Value LDAP_USER_PASSWORD 625 Valid Value GROUP_PRIVILEGE 626 Valid Value GROUP_NAME 627 Valid Value LDAP_SERVER_URI 628 Valid Value LDAP_BIND_DN_PASSWORD 629 Valid Value LDAP_BIND_DN 630 Valid Value LDAP_BASE_DN 631 632 Redfish.Login 633 # Call 'Get LDAP Configuration' to verify that LDAP configuration exists. 634 Get LDAP Configuration ${LDAP_TYPE} 635 ${old_ldap_privilege}= Get LDAP Privilege 636 Set Suite Variable ${old_ldap_privilege} 637 Disable Other LDAP 638 Create LDAP Configuration 639 ${hostname}= Redfish.Get Attribute ${REDFISH_NW_PROTOCOL_URI} HostName 640 641 642Set Read Privilege And Check Firmware Inventory 643 [Documentation] Set read privilege and check firmware inventory. 644 [Arguments] ${read_privilege} 645 646 # Description of argument(s): 647 # read_privilege The read privilege role (e.g. "User" / "Callback"). 648 649 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 650 ... ${read_privilege} ${GROUP_NAME} 651 652 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 653 # Verify that the LDAP user with read privilege is able to read inventory. 654 ${resp}= Redfish.Get /redfish/v1/UpdateService/FirmwareInventory 655 Should Be True ${resp.dict["Members@odata.count"]} >= ${1} 656 Length Should Be ${resp.dict["Members"]} ${resp.dict["Members@odata.count"]} 657 Redfish.Logout 658 Redfish.Login 659 660 661Set Read Privilege And Check Poweron 662 [Documentation] Set read privilege and power on should not be possible. 663 [Arguments] ${read_privilege} 664 665 # Description of argument(s): 666 # read_privilege The read privilege role (e.g. "User" / "Callback"). 667 668 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 669 ... ${read_privilege} ${GROUP_NAME} 670 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 671 Redfish.Post ${REDFISH_POWER_URI} 672 ... body={'ResetType': 'On'} valid_status_codes=[401, 403] 673 Redfish.Logout 674 Redfish.Login 675 676 677Get LDAP Configuration 678 [Documentation] Retrieve LDAP Configuration. 679 [Arguments] ${ldap_type} 680 681 # Description of argument(s): 682 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 683 684 ${ldap_config}= Redfish.Get Properties ${REDFISH_BASE_URI}AccountService 685 [Return] ${ldap_config["${ldap_type}"]} 686 687 688Update LDAP Configuration with LDAP User Role And Group 689 [Documentation] Update LDAP configuration update with LDAP user Role and group. 690 [Arguments] ${ldap_type} ${group_privilege} ${group_name} 691 692 # Description of argument(s): 693 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 694 # group_privilege The group privilege ("Administrator", "Operator", "User" or "Callback"). 695 # group_name The group name of user. 696 697 ${local_role_remote_group}= Create Dictionary LocalRole=${group_privilege} RemoteGroup=${group_name} 698 ${remote_role_mapping}= Create List ${local_role_remote_group} 699 ${ldap_data}= Create Dictionary RemoteRoleMapping=${remote_role_mapping} 700 ${payload}= Create Dictionary ${ldap_type}=${ldap_data} 701 Redfish.Patch ${REDFISH_BASE_URI}AccountService body=&{payload} 702 # Provide adequate time for LDAP daemon to restart after the update. 703 Sleep 15s 704 705 706Get LDAP Privilege 707 [Documentation] Get LDAP privilege and return it. 708 709 ${ldap_config}= Get LDAP Configuration ${LDAP_TYPE} 710 ${num_list_entries}= Get Length ${ldap_config["RemoteRoleMapping"]} 711 Return From Keyword If ${num_list_entries} == ${0} @{EMPTY} 712 713 [Return] ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]} 714 715 716Restore LDAP Privilege 717 [Documentation] Restore the LDAP privilege to its original value. 718 719 Return From Keyword If '${old_ldap_privilege}' == '${EMPTY}' or '${old_ldap_privilege}' == '[]' 720 # Log back in to restore the original privilege. 721 Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} 722 ... ${old_ldap_privilege} ${GROUP_NAME} 723 724 Sleep 18s 725 726 727Update LDAP User Role And Host Poweroff 728 [Documentation] Update LDAP user role and do host poweroff. 729 [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code} 730 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 731 732 # Description of argument(s): 733 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 734 # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). 735 # group_name The group name of user. 736 # valid_status_code The expected valid status code. 737 738 Update LDAP Configuration with LDAP User Role And Group ${ldap_type} 739 ... ${group_privilege} ${group_name} 740 741 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 742 743 Redfish.Post ${REDFISH_POWER_URI} 744 ... body={'ResetType': 'ForceOff'} valid_status_codes=[${valid_status_code}] 745 746 747Update LDAP User Role And Host Poweron 748 [Documentation] Update LDAP user role and do host poweron. 749 [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code} 750 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 751 752 # Description of argument(s): 753 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 754 # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). 755 # group_name The group name of user. 756 # valid_status_code The expected valid status code. 757 758 Update LDAP Configuration with LDAP User Role And Group ${ldap_type} 759 ... ${group_privilege} ${group_name} 760 761 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 762 763 Redfish.Post ${REDFISH_POWER_URI} 764 ... body={'ResetType': 'On'} valid_status_codes=[${valid_status_code}] 765 766 767Update LDAP User Role And Configure IP Address 768 [Documentation] Update LDAP user role and configure IP address. 769 [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code}=${HTTP_OK} 770 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login AND Delete IP Address ${test_ip} 771 772 # Description of argument(s): 773 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 774 # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). 775 # group_name The group name of user. 776 # valid_status_code The expected valid status code. 777 778 Update LDAP Configuration with LDAP User Role And Group ${ldap_type} 779 ... ${group_privilege} ${group_name} 780 781 Redfish.Logout 782 783 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 784 785 ${test_gateway}= Get BMC Default Gateway 786 787 Run Keyword If '${group_privilege}' == 'NoAccess' 788 ... Add IP Address With NoAccess User ${test_ip} ${test_mask} ${test_gateway} ${valid_status_code} 789 ... ELSE 790 ... Add IP Address ${test_ip} ${test_mask} ${test_gateway} ${valid_status_code} 791 792 793Update LDAP User Role And Delete IP Address 794 [Documentation] Update LDAP user role and delete IP address. 795 [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code}=${HTTP_OK} 796 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login AND Delete IP Address ${test_ip} 797 798 # Description of argument(s): 799 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 800 # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). 801 # group_name The group name of user. 802 # valid_status_code The expected valid status code. 803 804 ${test_gateway}= Get BMC Default Gateway 805 806 # Configure IP address before deleting via LDAP user roles. 807 Add IP Address ${test_ip} ${test_mask} ${test_gateway} 808 809 Update LDAP Configuration with LDAP User Role And Group ${ldap_type} 810 ... ${group_privilege} ${group_name} 811 812 Redfish.Logout 813 814 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 815 816 Run Keyword If '${group_privilege}' == 'NoAccess' 817 ... Delete IP Address With NoAccess User ${test_ip} ${valid_status_code} 818 ... ELSE 819 ... Delete IP Address ${test_ip} ${valid_status_code} 820 821 822Update LDAP User Role And Read Network Configuration 823 [Documentation] Update LDAP user role and read network configuration. 824 [Arguments] ${ldap_type} ${group_privilege} ${group_name} ${valid_status_code}=${HTTP_OK} 825 [Teardown] Run Keywords Redfish.Logout AND Redfish.Login 826 827 # Description of argument(s): 828 # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). 829 # group_privilege The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess"). 830 # group_name The group name of user. 831 # valid_status_code The expected valid status code. 832 833 Update LDAP Configuration with LDAP User Role And Group ${ldap_type} 834 ... ${group_privilege} ${group_name} 835 836 Redfish.Logout 837 838 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 839 Redfish.Get ${REDFISH_NW_ETH0_URI} valid_status_codes=[${valid_status_code}] 840 841 842Add IP Address With NoAccess User 843 [Documentation] Add IP Address To BMC. 844 [Arguments] ${ip} ${subnet_mask} ${gateway} 845 ... ${valid_status_codes}=${HTTP_OK} 846 847 # Description of argument(s): 848 # ip IP address to be added (e.g. "10.7.7.7"). 849 # subnet_mask Subnet mask for the IP to be added 850 # (e.g. "255.255.0.0"). 851 # gateway Gateway for the IP to be added (e.g. "10.7.7.1"). 852 # valid_status_codes Expected return code from patch operation 853 # (e.g. "200"). See prolog of rest_request 854 # method in redfish_plus.py for details. 855 856 # Logout from LDAP user. 857 Redfish.Logout 858 859 # Login with local user. 860 Redfish.Login 861 862 ${empty_dict}= Create Dictionary 863 ${ip_data}= Create Dictionary Address=${ip} 864 ... SubnetMask=${subnet_mask} Gateway=${gateway} 865 866 ${patch_list}= Create List 867 ${network_configurations}= Get Network Configuration 868 ${num_entries}= Get Length ${network_configurations} 869 870 FOR ${INDEX} IN RANGE 0 ${num_entries} 871 Append To List ${patch_list} ${empty_dict} 872 END 873 874 ${valid_status_codes}= Run Keyword If '${valid_status_codes}' == '${HTTP_OK}' 875 ... Set Variable ${HTTP_OK},${HTTP_NO_CONTENT} 876 ... ELSE Set Variable ${valid_status_codes} 877 878 # We need not check for existence of IP on BMC while adding. 879 Append To List ${patch_list} ${ip_data} 880 ${data}= Create Dictionary IPv4StaticAddresses=${patch_list} 881 882 ${active_channel_config}= Get Active Channel Config 883 ${ethernet_interface}= Set Variable ${active_channel_config['${CHANNEL_NUMBER}']['name']} 884 885 # Logout from local user. 886 Redfish.Logout 887 888 # Login from LDAP user and check if we can configure IP address. 889 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 890 891 Redfish.patch ${REDFISH_NW_ETH_IFACE}${ethernet_interface} body=&{data} 892 ... valid_status_codes=[${valid_status_codes}] 893 894 895Delete IP Address With NoAccess User 896 [Documentation] Delete IP Address Of BMC. 897 [Arguments] ${ip} ${valid_status_codes}=${HTTP_OK} 898 899 # Description of argument(s): 900 # ip IP address to be deleted (e.g. "10.7.7.7"). 901 # valid_status_codes Expected return code from patch operation 902 # (e.g. "200"). See prolog of rest_request 903 # method in redfish_plus.py for details. 904 905 # Logout from LDAP user. 906 Redfish.Logout 907 908 # Login with local user. 909 Redfish.Login 910 911 ${empty_dict}= Create Dictionary 912 ${patch_list}= Create List 913 914 @{network_configurations}= Get Network Configuration 915 FOR ${network_configuration} IN @{network_configurations} 916 Run Keyword If '${network_configuration['Address']}' == '${ip}' 917 ... Append To List ${patch_list} ${null} 918 ... ELSE Append To List ${patch_list} ${empty_dict} 919 END 920 921 ${ip_found}= Run Keyword And Return Status List Should Contain Value 922 ... ${patch_list} ${null} msg=${ip} does not exist on BMC 923 Pass Execution If ${ip_found} == ${False} ${ip} does not exist on BMC 924 925 # Run patch command only if given IP is found on BMC 926 ${data}= Create Dictionary IPv4StaticAddresses=${patch_list} 927 928 ${active_channel_config}= Get Active Channel Config 929 ${ethernet_interface}= Set Variable ${active_channel_config['${CHANNEL_NUMBER}']['name']} 930 931 # Logout from local user. 932 Redfish.Logout 933 934 # Login from LDAP user and check if we can delete IP address. 935 Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} 936 937 Redfish.patch ${REDFISH_NW_ETH_IFACE}${ethernet_interface} body=&{data} 938 ... valid_status_codes=[${valid_status_codes}] 939 940 # Note: Network restart takes around 15-18s after patch request processing 941 Sleep ${NETWORK_TIMEOUT}s 942 Wait For Host To Ping ${OPENBMC_HOST} ${NETWORK_TIMEOUT} 943