1*** Settings ***
2Documentation    Test Redfish LDAP user configuration.
3
4Library          ../../lib/gen_robot_valid.py
5Resource         ../../lib/resource.robot
6Resource         ../../lib/bmc_redfish_resource.robot
7Resource         ../../lib/openbmc_ffdc.robot
8Library          ../../lib/gen_robot_valid.py
9Resource         ../../lib/bmc_network_utils.robot
10Resource         ../../lib/bmc_ldap_utils.robot
11
# Validate the LDAP parameters, log in and create the LDAP configuration once.
Suite Setup      Suite Setup Execution
# Put the role mapping back first, then drop the Redfish session.
Suite Teardown   Run Keywords  Restore LDAP Privilege
...              AND  Redfish.Logout
# Default per-test teardown; a test-level [Teardown] replaces it.
Test Teardown    FFDC On Test Case Fail

Force Tags       LDAP_Test
17
*** Variables ***
# Privilege written back to the role mapping by 'Restore LDAP Privilege'.
${old_ldap_privilege}   Administrator
# Snapshot of AccountService read by 'Restore AccountLockout Attributes';
# empty means "nothing to restore".
&{old_account_service}  &{EMPTY}
&{old_ldap_config}      &{EMPTY}
# Value sent in the HostName patch used as an authorization probe.
${hostname}             ${EMPTY}
# Address handed to 'Delete IP Address' by the IP configuration keyword.
${test_ip}              10.6.6.6
${test_mask}            255.255.255.0
25
26** Test Cases **
27
Verify LDAP Configuration Created
    [Documentation]  Create the LDAP configuration and verify that an LDAP user
    ...  can log in with it.
    [Tags]  Verify_LDAP_Configuration_Created

    Create LDAP Configuration
    # Reading the entry back fails the test when the configuration is missing.
    Get LDAP Configuration  ${LDAP_TYPE}
    Sleep  10s
    # Positive check: the LDAP credentials must be accepted.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Drop the LDAP session and go back to the suite's default login.
    Redfish.Logout
    Redfish.Login
39
40
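Verify LDAP Service Disable
    [Documentation]  Disable the LDAP service and verify that an LDAP user is
    ...  refused at login.
    [Tags]  Verify_LDAP_Service_Disable
    # Re-enable LDAP from the teardown so that a failed assertion cannot leave
    # the service disabled, or an LDAP session active, for the tests that
    # follow.  A test-level teardown replaces the suite's Test Teardown, so the
    # FFDC keyword is listed here explicitly.
    [Teardown]  Run Keywords  FFDC On Test Case Fail
    ...  AND  Redfish.Logout
    ...  AND  Redfish.Login
    ...  AND  Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...       body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
    ...  AND  Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...       body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    ...  AND  Redfish.Logout
    ...  AND  Redfish.Login

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
    Sleep  15s
    # NOTE(review): any login failure yields False here, not only a rejected
    # credential; the status alone does not say why the login failed.
    ${resp}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${resp}  ${False}
    ...  msg=LDAP user was able to login even though the LDAP service was disabled.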
60
61
Verify LDAP Login With ServiceEnabled
    [Documentation]  Enable the configured LDAP service and verify that an LDAP
    ...  user can log in.
    [Tags]  Verify_LDAP_Login_With_ServiceEnabled

    # Switch off the other directory type before enabling the one under test.
    Disable Other LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    # The LDAP login must now succeed.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Return to the suite's default session.
    Redfish.Logout
    Redfish.Login
75
76
Verify LDAP Login With Correct AuthenticationType
    [Documentation]  Set AuthenticationType to UsernameAndPassword and verify
    ...  that an LDAP user can log in.
    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
    Sleep  15s
    # The LDAP login must succeed with the supported authentication type.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Return to the suite's default session.
    Redfish.Logout
    Redfish.Login
88
89
Verify LDAP Config Update With Incorrect AuthenticationType
    [Documentation]  Verify that a patch with AuthenticationType KerberosKeytab
    ...  is rejected.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_AuthenticationType

    ${rejected_body}=  Catenate  {'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}

    # Only HTTP 400 is accepted; any other status fails the test.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${rejected_body}
    ...  valid_status_codes=[400]
98
99
Verify LDAP Login With Correct LDAP URL
    [Documentation]  Configure the working LDAP server URI and verify that the
    ...  LDAP login succeeds.
    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL

    # ${TRUE} is also the keyword's default expectation; spelled out here.
    Config LDAP URL  ${LDAP_SERVER_URI}  ${TRUE}
105
106
Verify LDAP Config Update With Incorrect LDAP URL
    [Documentation]  Point the BMC at a wrong LDAP server URI and verify that
    ...  the LDAP login fails.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
    # Put the working server URI back whether or not the test passed.
    [Teardown]  Run Keywords  Restore LDAP URL
    ...  AND  FFDC On Test Case Fail

    # ${FALSE}: the login attempted by the keyword is expected to fail.
    Config LDAP URL  ldap://1.2.3.4/  ${FALSE}
114
Verify LDAP Configuration Exist
    [Documentation]  Verify that AccountService exposes a non-empty entry for
    ...  the configured LDAP type.
    [Tags]  Verify_LDAP_Configuration_Exist

    # default=${EMPTY} is what comes back when the attribute is absent.
    ${ldap_section}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService  ${LDAP_TYPE}
    ...  default=${EMPTY}
    Should Not Be Empty  ${ldap_section}  msg=LDAP configuration is not defined.
122
123
Verify LDAP User Login
    [Documentation]  Verify that the LDAP user can log in to the BMC.
    [Tags]  Verify_LDAP_User_Login

    # The test fails if the LDAP credentials are not accepted.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Return to the suite's default session.
    Redfish.Logout
    Redfish.Login
131
132
Verify LDAP Service Available
    [Documentation]  Verify that the LDAP configuration contains LDAPService.
    [Tags]  Verify_LDAP_Service_Available

    # The returned configuration is assigned to a list variable and searched
    # for the LDAPService entry.
    @{ldap_entries}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Contain  ${ldap_entries}  LDAPService  msg=LDAPService is not available.
140
141
Verify LDAP Login Works After BMC Reboot
    [Documentation]  Reboot the BMC and verify that the LDAP login still works.
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot

    Redfish OBMC Reboot (off)
    # The LDAP configuration must still be in effect after the reboot.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Return to the suite's default session.
    Redfish.Logout
    Redfish.Login
150
151
Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Documentation]  Verify that an LDAP user with administrator privilege can
    ...  reboot the BMC.
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot

    # NOTE(review): the role comes from ${GROUP_PRIVILEGE}; the test name
    # assumes it is Administrator - confirm against the run parameters.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}  ${GROUP_PRIVILEGE}
    ...  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Reboot while the LDAP user's session is the active one.
    Redfish OBMC Reboot (off)
    # The LDAP login must work again once the BMC is back.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Return to the suite's default session.
    Redfish.Logout
    Redfish.Login
165
166
Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Verify that an LDAP user mapped to the Operator role can
    ...  power the host off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    # Undo the Operator mapping made below.
    [Teardown]  Restore LDAP Privilege

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}  Operator
    ...  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Only HTTP 200 is accepted for the ForceOff request.
    Redfish.Post  ${REDFISH_POWER_URI}  body={'ResetType': 'ForceOff'}
    ...  valid_status_codes=[200]
    # Return to the suite's default session.
    Redfish.Logout
    Redfish.Login
182
183
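Verify AccountLockout Attributes Set To Zero By LDAP User
    [Documentation]  Verify that attribute AccountLockoutDuration and
    ...  AccountLockoutThreshold are set to 0 by LDAP user.
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero_By_LDAP_User
    # Go back to the suite's default session first, then put the lockout
    # policy back.  Per the Redfish schema a threshold of 0 means accounts are
    # never locked, so the BMC must not be left in that state.
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
    ...  AND  Restore AccountLockout Attributes
    ...  AND  FFDC On Test Case Fail

    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    Rprint Vars  old_account_service
    # A value assigned in the test body is local to the test.  Publish it at
    # test scope so that the teardown keyword restores from this snapshot
    # instead of seeing the empty suite-level default.
    Set Test Variable  ${old_account_service}

    # Map the LDAP group to Administrator so the LDAP user may change the
    # account policy.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Administrator  ${GROUP_NAME}

    # Clear existing Redfish sessions.
    Redfish.Logout

    # Login using LDAP user.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # Set Account Lockout attributes using LDAP user.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]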
210
211
Verify LDAP User With Read Privilege Able To Check Inventory
    [Documentation]  Verify that an LDAP user with a read-only role can read
    ...  the firmware inventory.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Template]  Set Read Privilege And Check Firmware Inventory
    # Collect failure data, then undo the role change made by the template.
    [Teardown]  Run Keywords  FFDC On Test Case Fail
    ...  AND  Restore LDAP Privilege

    # read_privilege
    ReadOnly
220
221
Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Documentation]  Verify that an LDAP user with a read-only role is refused
    ...  when requesting host power on.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Template]  Set Read Privilege And Check Poweron
    # Collect failure data, then undo the role change made by the template.
    [Teardown]  Run Keywords  FFDC On Test Case Fail
    ...  AND  Restore LDAP Privilege

    # read_privilege
    ReadOnly
230
231
Update LDAP Group Name And Verify Operations
    [Documentation]  For each group name / role pair, update the role mapping
    ...  and verify the outcome of a host name change by the LDAP user.
    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
    [Teardown]  Restore LDAP Privilege
    [Template]  Update LDAP Config And Verify Set Host Name

    # group_name             group_privilege  valid_status_codes

    # Valid group: Administrator and Operator are expected to succeed.
    ${GROUP_NAME}            Administrator    [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    ${GROUP_NAME}            Operator         [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    # Valid group, non-writing roles.  For NoAccess the template keyword
    # checks that the login itself is refused.
    ${GROUP_NAME}            ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    ${GROUP_NAME}            NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    # Group name that is not the configured one: no role may grant access.
    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
248
249
Verify LDAP BaseDN Update And LDAP Login
    [Documentation]  Write the base DN into the LDAP configuration and verify
    ...  that the LDAP login works afterwards.
    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login

    # Catenate joins the pieces with single spaces into one request body.
    ${base_dn_body}=  Catenate  {'${LDAP_TYPE}':
    ...  { 'LDAPService': {'SearchSettings':
    ...  {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${base_dn_body}
    Sleep  15s
    Redfish Verify LDAP Login
261
262
Verify LDAP BindDN Update And LDAP Login
    [Documentation]  Write the bind DN into the LDAP configuration and verify
    ...  that the LDAP login works afterwards.
    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login

    # Catenate joins the pieces with single spaces into one request body.
    ${bind_dn_body}=  Catenate  {'${LDAP_TYPE}':
    ...  { 'Authentication': {'AuthenticationType':'UsernameAndPassword',
    ...  'Username': '${LDAP_BIND_DN}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${bind_dn_body}
    Sleep  15s
    Redfish Verify LDAP Login
274
275
Verify LDAP BindDN Password Update And LDAP Login
    [Documentation]  Write the bind DN password into the LDAP configuration and
    ...  verify that the LDAP login works afterwards.
    [Tags]  Verify_LDAP_BindDN_Password_Update_And_LDAP_Login

    # NOTE(review): the bind password is expanded into this variable, and
    # Robot Framework records assigned values in the log - confirm that the
    # generated logs are handled as sensitive.
    ${bind_password_body}=  Catenate  {'${LDAP_TYPE}':
    ...  { 'Authentication': {'AuthenticationType':'UsernameAndPassword',
    ...  'Password': '${LDAP_BIND_DN_PASSWORD}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${bind_password_body}
    Sleep  15s
    Redfish Verify LDAP Login
288
289
Verify LDAP Type Update And LDAP Login
    [Documentation]  Disable the other directory type, enable the configured
    ...  one and verify that the LDAP login works.
    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login

    Disable Other LDAP
    # Enable the type selected by ${LDAP_TYPE}.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    Redfish Verify LDAP Login
300
301
Verify LDAP Authorization With Null Privilege
    [Documentation]  Verify that an LDAP user mapped to an empty privilege is
    ...  not authorized to change the host name.
    [Tags]  Verify_LDAP_Authorization_With_Null_Privilege
    [Teardown]  Restore LDAP Privilege

    # group_name, group_privilege (empty), accepted status codes.
    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}  ${EMPTY}  [${HTTP_FORBIDDEN}]
310
311
Verify LDAP Authorization With Invalid Privilege
    [Documentation]  Verify that an LDAP user mapped to an unknown privilege
    ...  name is not authorized to change the host name.
    [Tags]  Verify_LDAP_Authorization_With_Invalid_Privilege
    [Teardown]  Restore LDAP Privilege

    # group_name, group_privilege (not a real role), accepted status codes.
    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}  Invalid_Privilege
    ...  [${HTTP_FORBIDDEN}]
320
321
Verify LDAP Login With Invalid Data
    [Documentation]  Verify that a valid LDAP user cannot log in when the LDAP
    ...  configuration holds invalid data.
    [Tags]  Verify_LDAP_Login_With_Invalid_Data
    # Recreate the working configuration after collecting failure data.
    [Teardown]  Run Keywords  FFDC On Test Case Fail
    ...  AND  Create LDAP Configuration

    # All four values are literal placeholders, not the suite's parameters.
    Create LDAP Configuration  ${LDAP_TYPE}
    ...  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN
    ...  LDAP_BIND_DN_PASSWORD
    ...  Invalid_LDAP_BASE_DN
    Sleep  15s
    # ${False}: the login is expected to be refused.
    Redfish Verify LDAP Login  ${False}
334
335
Verify LDAP Config Creation Without BASE_DN
    [Documentation]  Verify that the LDAP login fails when the configuration is
    ...  created with an empty BASE_DN.
    [Tags]  Verify_LDAP_Config_Creation_Without_BASE_DN
    # Recreate the working configuration after collecting failure data.
    [Teardown]  Run Keywords  FFDC On Test Case Fail
    ...  AND  Create LDAP Configuration

    # NOTE(review): the server URI and bind DN are invalid placeholders as
    # well, so the empty BASE_DN is not the only reason the login can fail.
    Create LDAP Configuration  ${LDAP_TYPE}
    ...  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN
    ...  LDAP_BIND_DN_PASSWORD
    ...  ${EMPTY}
    Sleep  15s
    # ${False}: the login is expected to be refused.
    Redfish Verify LDAP Login  ${False}
347
348
Verify LDAP Authentication Without Password
    [Documentation]  Verify that the LDAP user cannot authenticate when the
    ...  LDAP user password is not supplied.
    [Tags]  Verify_LDAP_Authentication_Without_Password
    # Return to the suite's default session.
    [Teardown]  Run Keywords  Redfish.Logout
    ...  AND  Redfish.Login

    # NOTE(review): only the user name is passed; which password Redfish.Login
    # falls back to is not visible here - confirm that this exercises a
    # missing password rather than a default one.
    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    # The login attempt must have failed.
    Valid Value  status  [${False}]
357
358
Verify LDAP Login With Invalid BASE_DN
    [Documentation]  Verify that a valid LDAP user cannot log in when only the
    ...  BASE_DN is invalid.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN
    # Recreate the working configuration after collecting failure data.
    [Teardown]  Run Keywords  FFDC On Test Case Fail
    ...  AND  Create LDAP Configuration

    # Everything but the last argument (base DN) is the valid suite value.
    Create LDAP Configuration  ${LDAP_TYPE}
    ...  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}
    ...  ${LDAP_BIND_DN_PASSWORD}
    ...  Invalid_LDAP_BASE_DN
    Sleep  15s
    # ${False}: the login is expected to be refused.
    Redfish Verify LDAP Login  ${False}
370
371
Verify LDAP Login With Invalid BIND_DN_PASSWORD
    [Documentation]  Verify that a valid LDAP user cannot log in when only the
    ...  BIND_DN password is invalid.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD
    # Recreate the working configuration after collecting failure data.
    [Teardown]  Run Keywords  FFDC On Test Case Fail
    ...  AND  Create LDAP Configuration

    # Only the bind password is replaced by a literal placeholder.
    Create LDAP Configuration  ${LDAP_TYPE}
    ...  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}
    ...  INVALID_LDAP_BIND_DN_PASSWORD
    ...  ${LDAP_BASE_DN}
    Sleep  15s
    # ${False}: the login is expected to be refused.
    Redfish Verify LDAP Login  ${False}
383
384
Verify LDAP Login With Invalid BASE_DN And Invalid BIND_DN
    [Documentation]  Verify that a valid LDAP user cannot log in when both the
    ...  BASE_DN and the BIND_DN are invalid.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN
    # Recreate the working configuration after collecting failure data.
    [Teardown]  Run Keywords  FFDC On Test Case Fail
    ...  AND  Create LDAP Configuration

    # Bind DN and base DN are literal placeholders; the rest is valid.
    Create LDAP Configuration  ${LDAP_TYPE}
    ...  ${LDAP_SERVER_URI}
    ...  INVALID_LDAP_BIND_DN
    ...  ${LDAP_BIND_DN_PASSWORD}
    ...  INVALID_LDAP_BASE_DN
    Sleep  15s
    # ${False}: the login is expected to be refused.
    Redfish Verify LDAP Login  ${False}
396
397
Verify Group Name And Group Privilege Able To Modify
    [Documentation]  Verify that the role mapping of an LDAP group can be
    ...  changed from one privilege to another.
    [Tags]  Verify_Group_Name_And_Group_Privilege_Able_To_Modify
    # Start from an Operator mapping so that the update below is a change.
    [Setup]  Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Operator  ${GROUP_NAME}

    # The test passes when this second update is accepted.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}  Administrator
    ...  ${GROUP_NAME}
407
408
Verify LDAP Login With Invalid BIND_DN
    [Documentation]  Verify that a valid LDAP user cannot log in when only the
    ...  BIND_DN is invalid.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN
    # Recreate the working configuration after collecting failure data.
    [Teardown]  Run Keywords  FFDC On Test Case Fail
    ...  AND  Create LDAP Configuration

    # Only the bind DN is replaced by a literal placeholder.
    Create LDAP Configuration  ${LDAP_TYPE}
    ...  ${LDAP_SERVER_URI}
    ...  Invalid_LDAP_BIND_DN
    ...  ${LDAP_BIND_DN_PASSWORD}
    ...  ${LDAP_BASE_DN}
    Sleep  15s
    # ${False}: the login is expected to be refused.
    Redfish Verify LDAP Login  ${False}
420
421
Verify LDAP Authentication With Invalid LDAP User
    [Documentation]  Verify that authentication fails for a user name that
    ...  does not exist on the LDAP server.
    [Tags]  Verify_LDAP_Authentication_With_Invalid_LDAP_User
    # Return to the suite's default session.
    [Teardown]  Run Keywords  Redfish.Logout
    ...  AND  Redfish.Login

    # A placeholder user name is combined with the real LDAP user password.
    ${status}=  Run Keyword And Return Status
    ...  Redfish.Login  INVALID_LDAP_USER  ${LDAP_USER_PASSWORD}
    # The login attempt must have failed.
    Valid Value  status  [${False}]
431
432
Update LDAP User Roles And Verify Host Poweroff Operation
    [Documentation]  For each role, map the LDAP group to it and verify the
    ...  status returned to a host power off request.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation
    [Template]  Update LDAP User Role And Host Poweroff
    [Teardown]  Restore LDAP Privilege

    # ldap_type   group_privilege  group_name     valid_status_codes

    # NoAccess and ReadOnly must be refused.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Operator and Administrator must be allowed.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
452
453
Update LDAP User Roles And Verify Host Poweron Operation
    [Documentation]  For each role, map the LDAP group to it and verify the
    ...  status returned to a host power on request.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation
    [Template]  Update LDAP User Role And Host Poweron
    [Teardown]  Restore LDAP Privilege

    # ldap_type   group_privilege  group_name     valid_status_codes

    # NoAccess and ReadOnly must be refused.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Operator and Administrator must be allowed.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
473
474
Configure IP Address Via Different User Roles And Verify
    [Documentation]  For each role, map the LDAP group to it and verify the
    ...  status returned when the LDAP user configures an IP address.
    [Tags]  Configure_IP_Address_Via_Different_User_Roles_And_Verify
    [Template]  Update LDAP User Role And Configure IP Address
    [Teardown]  Restore LDAP Privilege

    # ldap_type   group_privilege  group_name     valid_status_code

    # Administrator is the only role expected to succeed.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}

    # ReadOnly is expected to be forbidden.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # NoAccess is expected to be forbidden.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Operator is expected to be forbidden as well.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
492
493
Delete IP Address Via Different User Roles And Verify
    [Documentation]  For each role, map the LDAP group to it and verify the
    ...  status returned when the LDAP user deletes an IP address.
    [Tags]  Delete_IP_Address_Via_Different_User_Roles_And_Verify
    [Template]  Update LDAP User Role And Delete IP Address
    # Undo the role change, then collect failure data.
    [Teardown]  Run Keywords  Restore LDAP Privilege
    ...  AND  FFDC On Test Case Fail

    # ldap_type   group_privilege  group_name     valid_status_code

    # Administrator is the only role expected to succeed.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}

    # ReadOnly is expected to be forbidden.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # NoAccess is expected to be forbidden.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Operator is expected to be forbidden as well.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
511
512
Read Network Configuration Via Different User Roles And Verify
    [Documentation]  For each role, map the LDAP group to it and verify the
    ...  status returned when the LDAP user reads the network configuration.
    [Tags]  Read_Network_Configuration_Via_Different_User_Roles_And_Verify
    [Template]  Update LDAP User Role And Read Network Configuration
    [Teardown]  Restore LDAP Privilege

    # ldap_type   group_privilege  group_name     valid_status_code

    # Reading is expected to succeed for every role except NoAccess.
    ${LDAP_TYPE}  Administrator  ${GROUP_NAME}  ${HTTP_OK}
    ${LDAP_TYPE}  ReadOnly       ${GROUP_NAME}  ${HTTP_OK}
    ${LDAP_TYPE}  NoAccess       ${GROUP_NAME}  ${HTTP_FORBIDDEN}
    ${LDAP_TYPE}  Operator       ${GROUP_NAME}  ${HTTP_OK}
526
527
528*** Keywords ***
529
Redfish Verify LDAP Login
    [Documentation]  Attempt an LDAP user login and compare the outcome with
    ...  the expected one.
    [Arguments]  ${valid_status}=${True}

    # Description of argument(s):
    # valid_status  Whether the LDAP login is expected to succeed
    #               ("True" or "False").

    # Repo coding rules place Redfish.Login in Suite Setup and Redfish.Logout
    # in Suite Teardown.  This keyword deviates from that, so it ends by
    # re-establishing the original logged-in state.

    ${status}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${valid_status}]
    # Return to the suite's default session.
    Redfish.Logout
    Redfish.Login
547
548
Update LDAP Config And Verify Set Host Name
    [Documentation]  Map the LDAP group to a role, then check authorization by
    ...  letting the LDAP user try to change the host name.
    [Arguments]  ${group_name}  ${group_privilege}=Administrator
    ...  ${valid_status_codes}=[${HTTP_OK}]
    # For NoAccess the LDAP login is expected to fail, so the teardown only
    # logs in; otherwise the LDAP session is dropped before logging in again.
    [Teardown]  Run Keyword If  '${group_privilege}'=='NoAccess'  Redfish.Login
    ...  ELSE  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # group_name          The remote group name written to the role mapping.
    # group_privilege     The local role written to the role mapping (callers
    #                     in this file pass "Administrator", "Operator",
    #                     "ReadOnly", "NoAccess", an empty value and an
    #                     invalid name).
    # valid_status_codes  Status code(s) accepted from the HostName patch
    #                     (e.g. "200").  See prolog of rest_request method in
    #                     redfish_plut.py for details.

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}  ${group_privilege}
    ...  ${group_name}

    # NoAccess: verify the refused login and return without sending the patch.
    Run Keyword If  '${group_privilege}'=='NoAccess'
    ...  Run Keyword And Return  Verify Redfish Login for LDAP Userrole NoAccess

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The status of this patch, issued as the LDAP user, is the authorization
    # verdict checked against ${valid_status_codes}.
    Redfish.Patch  ${REDFISH_NW_ETH0_URI}  body={'HostName': '${hostname}'}
    ...  valid_status_codes=${valid_status_codes}
575
Verify Redfish Login for LDAP Userrole NoAccess
    [Documentation]  Verify that an LDAP user mapped to the NoAccess role
    ...  cannot log in through Redfish.

    ${status}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The login attempt must have failed.
    Valid Value  status  [${False}]
581
Disable Other LDAP
    [Documentation]  Disable the directory type that is not selected by
    ...  LDAP_TYPE.

    # LDAP selected -> disable ActiveDirectory; anything else -> disable LDAP.
    ${other_ldap_type}=  Set Variable If  '${LDAP_TYPE}' == 'LDAP'
    ...  ActiveDirectory  LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${other_ldap_type}': {'ServiceEnabled': ${False}}}
    Sleep  15s
590
591
Config LDAP URL
    [Documentation]  Set the LDAP server URI and check the outcome of an LDAP
    ...  user login against the expected status.
    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}  ${expected_status}=${TRUE}

    # Description of argument(s):
    # ldap_server_uri  LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").
    # expected_status  Whether the LDAP login attempted after the update is
    #                  expected to succeed.

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}}
    Sleep  15s
    # Try the LDAP login with the new URI in place.
    ${status}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${expected_status}]

    # Return to the suite's default session.
    Redfish.Logout
    Redfish.Login
608
609
Restore LDAP URL
    [Documentation]  Write the suite's LDAP server URI back into the LDAP
    ...  configuration.

    # ${LDAP_SERVER_URI} is the working server address.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
    Sleep  15s
617
618
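Restore AccountLockout Attributes
    [Documentation]  Restore AccountLockoutDuration and AccountLockoutThreshold
    ...  from the values saved in old_account_service.

    # Nothing was saved, so there is nothing to put back.
    Return From Keyword If  &{old_account_service} == &{EMPTY}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    # The saved threshold goes to AccountLockoutThreshold.  Writing it to
    # AccountLockoutDuration would leave the threshold at the value set by the
    # test (0) and overwrite the duration restored just above.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]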
627
628
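Suite Setup Execution
    [Documentation]  Validate the LDAP parameters, log in and prepare the LDAP
    ...  configuration used by the suite.

    # Fail early when a required parameter is missing or, for LDAP_TYPE, not
    # one of the two supported values.
    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Valid Value  LDAP_USER
    Valid Value  LDAP_USER_PASSWORD
    Valid Value  GROUP_PRIVILEGE
    Valid Value  GROUP_NAME
    Valid Value  LDAP_SERVER_URI
    Valid Value  LDAP_BIND_DN_PASSWORD
    Valid Value  LDAP_BIND_DN
    Valid Value  LDAP_BASE_DN

    Redfish.Login
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    # NOTE(review): nothing assigns old_ldap_privilege before this line, so
    # the value republished is the one from the Variables section - confirm
    # whether the current privilege was meant to be read first.
    Set Suite Variable  ${old_ldap_privilege}
    Disable Other LDAP
    Create LDAP Configuration
    ${hostname}=  Redfish.Get Attribute  ${REDFISH_NW_PROTOCOL_URI}  HostName
    # The assignment above is local to this keyword.  Publish it at suite
    # scope so that the HostName patch used as an authorization probe sends the
    # BMC's real host name instead of the empty default.
    Set Suite Variable  ${hostname}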
649
650
Set Read Privilege And Check Firmware Inventory
    [Documentation]  Map the LDAP group to a read role and verify that the
    ...  LDAP user can read the firmware inventory.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The role to map the LDAP group to (the caller in this
    #                 file passes "ReadOnly").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}  ${read_privilege}
    ...  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Read the inventory collection as the LDAP user.
    ${inventory}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
    # At least one member, and the reported count matches the member list.
    Should Be True  ${inventory.dict["Members@odata.count"]} >= ${1}
    Length Should Be  ${inventory.dict["Members"]}  ${inventory.dict["Members@odata.count"]}
    # Return to the suite's default session.
    Redfish.Logout
    Redfish.Login
668
669
Set Read Privilege And Check Poweron
    [Documentation]  Map the LDAP group to a read role and verify that a host
    ...  power on request from the LDAP user is refused.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The role to map the LDAP group to (the caller in this
    #                 file passes "ReadOnly").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}  ${read_privilege}
    ...  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Only 401 or 403 is accepted; a successful power on fails the check.
    Redfish.Post  ${REDFISH_POWER_URI}  body={'ResetType': 'On'}
    ...  valid_status_codes=[401, 403]
    # Return to the suite's default session.
    Redfish.Logout
    Redfish.Login
684
685
Get LDAP Configuration
    [Documentation]  Return the AccountService entry for the given LDAP type.
    [Arguments]   ${ldap_type}

    # Description of argument(s):
    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").

    # Read all AccountService properties and pick the entry keyed by the type.
    ${account_service}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    [Return]  ${account_service["${ldap_type}"]}
695
696
Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  Replace the RemoteRoleMapping of the given LDAP type with
    ...  a single local role / remote group pair.
    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege  The local role (e.g. "Administrator", "Operator",
    #                  "ReadOnly" or "NoAccess").
    # group_name       The remote group name.

    # Build {<ldap_type>: {RemoteRoleMapping: [{LocalRole, RemoteGroup}]}}.
    ${role_mapping_entry}=  Create Dictionary
    ...  LocalRole=${group_privilege}  RemoteGroup=${group_name}
    ${role_mappings}=  Create List  ${role_mapping_entry}
    ${type_settings}=  Create Dictionary  RemoteRoleMapping=${role_mappings}
    ${request_body}=  Create Dictionary  ${ldap_type}=${type_settings}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{request_body}
    # Give the LDAP daemon time to restart after the update.
    Sleep  15s
713
714
Get LDAP Privilege
    [Documentation]  Return the LocalRole of the first RemoteRoleMapping entry,
    ...  or an empty list when there is no mapping.

    ${ldap_settings}=  Get LDAP Configuration  ${LDAP_TYPE}
    ${mapping_count}=  Get Length  ${ldap_settings["RemoteRoleMapping"]}
    # No role mapping configured.
    Return From Keyword If  ${mapping_count} == ${0}  @{EMPTY}

    [Return]  ${ldap_settings["RemoteRoleMapping"][0]["LocalRole"]}
723
724
Restore LDAP Privilege
    [Documentation]  Write old_ldap_privilege back into the role mapping of the
    ...  LDAP group.

    # Log back in with the default credentials before restoring.
    Redfish.Login
    # Nothing to restore when no privilege was recorded.
    Return From Keyword If
    ...  '${old_ldap_privilege}' == '${EMPTY}' or '${old_ldap_privilege}' == '[]'
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}  ${old_ldap_privilege}
    ...  ${GROUP_NAME}

    # Additional wait on top of the one inside the update keyword.
    Sleep  18s
735
Verify Host Power Status
    [Documentation]  Read the chassis power state and, when it differs from the
    ...  expected one, power the host on or off.
    [Arguments]  ${expected_power_status}

    # Description of argument(s):
    # expected_power_status  The power state wanted by the caller (callers in
    #                        this file pass "On" or "Off").

    ${current_state}=  Redfish.Get Attribute  /redfish/v1/Chassis/${CHASSIS_ID}  PowerState
    # Already in the wanted state.
    Return From Keyword If  '${current_state}' == '${expected_power_status}'

    # Toggle: an Off host is powered on, anything else is powered off.
    Run Keyword If  '${current_state}' == 'Off'  Redfish Power On
    ...  ELSE  Redfish Power Off
745
Update LDAP User Role And Host Poweroff
    [Documentation]  Map the LDAP group to a role and verify the status of a
    ...  host power off request issued by the LDAP user.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
    # Return to the suite's default session.
    [Teardown]  Run Keywords  Redfish.Logout
    ...  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The local role ("Administrator", "Operator",
    #                    "ReadOnly" or "NoAccess").
    # group_name         The remote group name.
    # valid_status_code  The only status code accepted from the request.

    # The host has to be on for a power off request to be meaningful.
    Verify Host Power Status  On

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}  ${group_privilege}
    ...  ${group_name}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Post  ${REDFISH_POWER_URI}  body={'ResetType': 'ForceOff'}
    ...  valid_status_codes=[${valid_status_code}]
767
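Update LDAP User Role And Host Poweron
    [Documentation]  Set the LDAP group's role, then request a host power on as
    ...  the LDAP user and check the response status.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    # Make sure the host is off before the power-on request is made.
    Verify Host Power Status  Off

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    # Close the current session before switching users, as the other
    # role-check keywords in this file do, so the earlier session is ended
    # explicitly rather than left behind when the LDAP user logs in.
    Redfish.Logout

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # The status code is the privilege check: the caller states what the role
    # under test is expected to get back for this request.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}   valid_status_codes=[${valid_status_code}]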
789
790
Update LDAP User Role And Configure IP Address
    [Documentation]  Set the LDAP group's role, then try to add the test IP
    ...  address as the LDAP user and check the response status.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group
    ...  ${ldap_type}  ${group_privilege}  ${group_name}

    # Switch from the current session to the LDAP user.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    ${test_gateway}=  Get BMC Default Gateway

    # NoAccess goes through the dedicated keyword; every other role uses the
    # common one. Both receive the same arguments.
    ${add_keyword}=  Set Variable If  '${group_privilege}' == 'NoAccess'
    ...  Add IP Address With NoAccess User  Add IP Address
    Run Keyword  ${add_keyword}  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}
815
816
Update LDAP User Role And Delete IP Address
    [Documentation]  Add the test IP address, set the LDAP group's role, then
    ...  try to delete the address as the LDAP user and check the response
    ...  status.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    # The address has to exist before the LDAP user can be asked to delete it,
    # so it is added in the session that is current on entry.
    ${test_gateway}=  Get BMC Default Gateway
    Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}

    Update LDAP Configuration with LDAP User Role And Group
    ...  ${ldap_type}  ${group_privilege}  ${group_name}

    # Switch from the current session to the LDAP user.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # NoAccess goes through the dedicated keyword; every other role uses the
    # common one. Both receive the same arguments.
    ${delete_keyword}=  Set Variable If  '${group_privilege}' == 'NoAccess'
    ...  Delete IP Address With NoAccess User  Delete IP Address
    Run Keyword  ${delete_keyword}  ${test_ip}  ${valid_status_code}
844
845
Update LDAP User Role And Read Network Configuration
    [Documentation]  Set the LDAP group's role, then read the network
    ...  configuration as the LDAP user and check the response status.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group
    ...  ${ldap_type}  ${group_privilege}  ${group_name}

    # Switch from the current session to the LDAP user.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # The GET's status code is the check for the role under test.
    Redfish.Get  ${REDFISH_NW_ETH0_URI}
    ...  valid_status_codes=[${valid_status_code}]
864
865
Add IP Address With NoAccess User
    [Documentation]  Build an IPv4 static-address PATCH as the local user, then
    ...  send it as the LDAP user and check the response status.
    [Arguments]  ${ip}  ${subnet_mask}  ${gateway}
    ...  ${valid_status_codes}=${HTTP_OK}

    # Description of argument(s):
    # ip                  IP address to be added (e.g. "10.7.7.7").
    # subnet_mask         Subnet mask for the IP to be added
    #                     (e.g. "255.255.0.0").
    # gateway             Gateway for the IP to be added (e.g. "10.7.7.1").
    # valid_status_codes  Expected return code from patch operation
    #                     (e.g. "200").  See prolog of rest_request
    #                     method in redfish_plus.py for details.

    # Switch from the LDAP user to the local user to gather the request data.
    Redfish.Logout
    Redfish.Login

    ${placeholder}=  Create Dictionary
    ${new_entry}=  Create Dictionary  Address=${ip}
    ...  SubnetMask=${subnet_mask}  Gateway=${gateway}

    # One empty placeholder per existing network configuration entry.
    ${static_addresses}=  Create List
    ${current_configs}=  Get Network Configuration
    ${config_count}=  Get Length  ${current_configs}
    Repeat Keyword  ${config_count}  Append To List  ${static_addresses}  ${placeholder}

    # The default expectation is widened to accept both OK and No Content.
    # NOTE(review): with that default a successful PATCH satisfies this
    # keyword, so a caller checking a NoAccess role has to pass the rejection
    # status it expects.
    ${valid_status_codes}=  Set Variable If  '${valid_status_codes}' == '${HTTP_OK}'
    ...  ${HTTP_OK},${HTTP_NO_CONTENT}  ${valid_status_codes}

    # The new address goes last; no check is made for whether it already
    # exists on the BMC.
    Append To List  ${static_addresses}  ${new_entry}
    ${data}=  Create Dictionary  IPv4StaticAddresses=${static_addresses}

    ${active_channel_config}=  Get Active Channel Config
    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}

    # Switch back to the LDAP user; the PATCH below is the request under test.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
    ...  valid_status_codes=[${valid_status_codes}]
917
918
Delete IP Address With NoAccess User
    [Documentation]  Build an IPv4 static-address delete PATCH as the local
    ...  user, then send it as the LDAP user and check the response status.
    [Arguments]  ${ip}  ${valid_status_codes}=${HTTP_OK}

    # Description of argument(s):
    # ip                  IP address to be deleted (e.g. "10.7.7.7").
    # valid_status_codes  Expected return code from patch operation
    #                     (e.g. "200").  See prolog of rest_request
    #                     method in redfish_plus.py for details.

    # Switch from the LDAP user to the local user to gather the request data.
    Redfish.Logout
    Redfish.Login

    ${placeholder}=  Create Dictionary
    ${static_addresses}=  Create List

    # null marks the entry to delete; every other entry gets an empty
    # placeholder.
    @{current_configs}=  Get Network Configuration
    FOR  ${config}  IN  @{current_configs}
      ${entry}=  Set Variable If  '${config['Address']}' == '${ip}'
      ...  ${null}  ${placeholder}
      Append To List  ${static_addresses}  ${entry}
    END

    # NOTE(review): when the address is absent, the keyword passes here while
    # the local user's session is still active and before the LDAP user's
    # PATCH is sent, so the role check is not exercised in that case.
    ${ip_found}=  Run Keyword And Return Status  List Should Contain Value
    ...  ${static_addresses}  ${null}  msg=${ip} does not exist on BMC
    Pass Execution If  not ${ip_found}  ${ip} does not exist on BMC

    # From here on the address is known to be present on the BMC.
    ${data}=  Create Dictionary  IPv4StaticAddresses=${static_addresses}

    ${active_channel_config}=  Get Active Channel Config
    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}

    # Switch back to the LDAP user; the PATCH below is the request under test.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
    ...  valid_status_codes=[${valid_status_codes}]

    # The network restart takes around 15-18s once the PATCH has been
    # processed, so wait and then confirm the BMC answers ping again.
    Sleep  ${NETWORK_TIMEOUT}s
    Wait For Host To Ping  ${OPENBMC_HOST}  ${NETWORK_TIMEOUT}
967