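*** Settings ***
Documentation       Test suite for verifying Redfish admin, readonly operation user accounts.

# NOTE(review): every account this suite creates uses a fixed password that is
# visible in this file (for example TestPwd123), including Administrator
# accounts. Several test cases delete their accounts as the last step of the
# test body instead of in [Teardown], so a failure part-way through leaves the
# account on the BMC until a later run recreates it. Run the suite only against
# lab systems and confirm the accounts are gone after a failed run.

Resource            ../../lib/resource.robot
Resource            ../../lib/bmc_redfish_resource.robot
Resource            ../../lib/openbmc_ffdc.robot
Resource            ../../lib/bmc_redfish_utils.robot

Library             SSHLibrary

Test Setup          Redfish.Login
Test Teardown       Test Teardown Execution

Test Tags           User_Account

*** Variables ***

# Lockout policy applied by the account lock/unlock tests (duration in seconds).
${account_lockout_duration}     ${30}
${account_lockout_threshold}    ${3}
# Expected result of an admin SSH login; override with -v ssh_status:False.
${ssh_status}                   ${True}

*** Test Cases ***

Verify AccountService Available
    [Documentation]    Verify Redfish account service is available.
    [Tags]    Verify_AccountService_Available

    ${resp} =    Redfish_utils.Get Attribute    /redfish/v1/AccountService    ServiceEnabled
    Should Be Equal As Strings    ${resp}    ${True}


Verify Redfish Admin User Persistence After Reboot
    [Documentation]    Verify Redfish admin user persistence after reboot.
    [Tags]    Verify_Redfish_Admin_User_Persistence_After_Reboot
    [Setup]    Run Keywords    Redfish.Login    AND
    ...    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    [Teardown]    Run Keywords    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    ...    AND    Test Teardown Execution

    # Reboot BMC.
    Redfish OBMC Reboot (off)    stack_mode=normal

    # Verify users after reboot.
    Redfish Verify User    admin_user    TestPwd123    Administrator    ${True}


Verify Redfish Operator User Persistence After Reboot
    [Documentation]    Verify Redfish operator user persistence after reboot.
    [Tags]    Verify_Redfish_Operator_User_Persistence_After_Reboot
    [Setup]    Run Keywords    Redfish.Login    AND
    ...    Redfish Create User    operator_user    TestPwd123    Operator    ${True}
    [Teardown]    Run Keywords    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user
    ...    AND    Test Teardown Execution

    # Reboot BMC.
    Redfish OBMC Reboot (off)    stack_mode=normal

    # Verify users after reboot.
    Redfish Verify User    operator_user    TestPwd123    Operator    ${True}


Verify Redfish Readonly User Persistence After Reboot
    [Documentation]    Verify Redfish readonly user persistence after reboot.
    [Tags]    Verify_Redfish_Readonly_User_Persistence_After_Reboot
    [Setup]    Run Keywords    Redfish.Login    AND
    ...    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}
    [Teardown]    Run Keywords    Redfish.Delete    /redfish/v1/AccountService/Accounts/readonly_user
    ...    AND    Test Teardown Execution

    # Reboot BMC.
    Redfish OBMC Reboot (off)    stack_mode=normal

    # Verify users after reboot.
    Redfish Verify User    readonly_user    TestPwd123    ReadOnly    ${True}


Redfish Create and Verify Admin User
    [Documentation]    Create a Redfish user with administrator role and verify.
    [Tags]    Redfish_Create_and_Verify_Admin_User
    [Template]    Redfish Create And Verify User

    #username      password      role_id         enabled
    admin_user     TestPwd123    Administrator   ${True}


Redfish Create and Verify Operator User
    [Documentation]    Create a Redfish user with operator role and verify.
    [Tags]    Redfish_Create_and_Verify_Operator_User
    [Template]    Redfish Create And Verify User

    #username        password      role_id    enabled
    operator_user    TestPwd123    Operator   ${True}


Redfish Create and Verify Readonly User
    [Documentation]    Create a Redfish user with readonly role and verify.
    [Tags]    Redfish_Create_and_Verify_Readonly_User
    [Template]    Redfish Create And Verify User

    #username        password      role_id    enabled
    readonly_user    TestPwd123    ReadOnly   ${True}


Verify Redfish Admin User Login With Wrong Password
    [Documentation]    Verify Redfish create admin user with valid password and make sure
    ...    admin user failed to login with wrong password.
    [Tags]    Verify_Redfish_Admin_User_Login_With_Wrong_Password
    [Template]    Verify Redfish User Login With Wrong Password

    #username      password      role_id          enabled    wrong_password
    admin_user     TestPwd123    Administrator    ${True}    alskjhfwurh


Verify Redfish Operator User Login With Wrong Password
    [Documentation]    Verify Redfish create operator user with valid password and make sure
    ...    operator user failed to login with wrong password.
    [Tags]    Verify_Redfish_Operator_User_Login_With_Wrong_Password
    [Template]    Verify Redfish User Login With Wrong Password

    #username        password      role_id     enabled    wrong_password
    operator_user    TestPwd123    Operator    ${True}    12j8a8uakjhdaosiruf024


Verify Redfish Readonly User Login With Wrong Password
    [Documentation]    Verify Redfish create readonly user with valid password and make sure
    ...    readonly user failed to login with wrong password.
    [Tags]    Verify_Redfish_Readonly_User_Login_With_Wrong_Password
    [Template]    Verify Redfish User Login With Wrong Password

    #username        password      role_id     enabled    wrong_password
    readonly_user    TestPwd123    ReadOnly    ${True}    12


Verify Login with Deleted Redfish Admin User
    [Documentation]    Verify login with deleted Redfish admin user.
    [Tags]    Verify_Login_with_Deleted_Redfish_Admin_User
    [Template]    Verify Login with Deleted Redfish User

    #username     password      role_id          enabled
    admin_user    TestPwd123    Administrator    ${True}


Verify Login with Deleted Redfish Operator User
    [Documentation]    Verify login with deleted Redfish operator user.
    [Tags]    Verify_Login_with_Deleted_Redfish_Operator_User
    [Template]    Verify Login with Deleted Redfish User

    #username        password      role_id     enabled
    operator_user    TestPwd123    Operator    ${True}


Verify Login with Deleted Redfish Readonly User
    [Documentation]    Verify login with deleted Redfish readonly user.
    [Tags]    Verify_Login_with_Deleted_Redfish_Readonly_User
    [Template]    Verify Login with Deleted Redfish User

    #username        password      role_id     enabled
    readonly_user    TestPwd123    ReadOnly    ${True}


Verify Admin User Creation Without Enabling It
    [Documentation]    Verify admin user creation without enabling it.
    [Tags]    Verify_Admin_User_Creation_Without_Enabling_It
    [Template]    Verify Create User Without Enabling

    #username     password      role_id          enabled
    admin_user    TestPwd123    Administrator    ${False}


Verify Operator User Creation Without Enabling It
    [Documentation]    Verify operator user creation without enabling it.
    [Tags]    Verify_Operator_User_Creation_Without_Enabling_It
    [Template]    Verify Create User Without Enabling

    #username        password      role_id     enabled
    operator_user    TestPwd123    Operator    ${False}


Verify Readonly User Creation Without Enabling It
    [Documentation]    Verify readonly user creation without enabling it.
    [Tags]    Verify_Readonly_User_Creation_Without_Enabling_It
    [Template]    Verify Create User Without Enabling

    #username        password      role_id     enabled
    readonly_user    TestPwd123    ReadOnly    ${False}


Verify User Creation With Invalid Role Id
    [Documentation]    Verify user creation with invalid role ID.
    [Tags]    Verify_User_Creation_With_Invalid_Role_Id

    # Make sure the user account in question does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/test_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Creating a user with an unknown RoleId must be rejected with 400.
    ${payload}=    Create Dictionary
    ...    UserName=test_user    Password=TestPwd123    RoleId=wrongroleid    Enabled=${True}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]


Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]    Verify error upon creating same users with different privileges.
    [Tags]    Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    Redfish Create User    test_user    TestPwd123    Administrator    ${True}

    # A second create with the same username but another role must be rejected with 400.
    ${payload}=    Create Dictionary
    ...    UserName=test_user    Password=TestPwd123    RoleId=ReadOnly    Enabled=${True}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]

    Redfish.Delete    /redfish/v1/AccountService/Accounts/test_user


Verify Modifying User Attributes
    [Documentation]    Verify modifying user attributes.
    [Tags]    Verify_Modifying_User_Attributes

    # Create Redfish users.
    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}

    # Make sure the new user account does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/newadmin_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Update admin_user username using Redfish.
    ${payload}=    Create Dictionary    UserName=newadmin_user
    Redfish.Patch    /redfish/v1/AccountService/Accounts/admin_user    body=&{payload}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Update readonly_user role using Redfish.
    ${payload}=    Create Dictionary    RoleId=Administrator
    Redfish.Patch    /redfish/v1/AccountService/Accounts/readonly_user    body=&{payload}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Verify users after updating.
    Redfish Verify User    newadmin_user    TestPwd123    Administrator    ${True}
    Redfish Verify User    readonly_user    TestPwd123    Administrator    ${True}

    # Delete created users.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/newadmin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/readonly_user


Verify Modifying Operator User Attributes
    [Documentation]    Verify modifying operator user attributes.
    [Tags]    Verify_Modifying_Operator_User_Attributes
    [Setup]    Run Keywords    Redfish.Login    AND
    ...    Redfish Create User    operator_user    TestPwd123    Operator    ${True}
    [Teardown]    Run Keywords    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user
    ...    AND    Test Teardown Execution

    # Update operator_user password using Redfish.
    ${payload}=    Create Dictionary    Password=NewTestPwd123
    Redfish.Patch    /redfish/v1/AccountService/Accounts/operator_user    body=&{payload}

    # Verify users after updating.
    Redfish Verify User    operator_user    NewTestPwd123    Operator    ${True}


Verify User Account Locked
    [Documentation]    Verify user account locked upon trying with invalid password.
    [Tags]    Verify_User_Account_Locked

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}

    # NOTE(review): the lockout threshold and duration written here are not
    # restored to their previous values when the test ends.
    ${payload}=    Create Dictionary    AccountLockoutThreshold=${account_lockout_threshold}
    ...    AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch    ${REDFISH_ACCOUNTS_SERVICE_URI}    body=${payload}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword    ${account_lockout_threshold} times
    ...    Run Keyword And Expect Error    *InvalidCredentialsError*    Redfish.Login    admin_user    abcd1234

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error    *InvalidCredentialsError*
    ...    Redfish.Login    admin_user    TestPwd123

    # Wait for the lockout duration plus a 5 second margin,
    # then verify that login works.
    ${total_wait_duration}=    Evaluate    ${account_lockout_duration} + 5
    Sleep    ${total_wait_duration}s

    Redfish.Login    admin_user    TestPwd123

    Redfish.Logout

    Redfish.Login

    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user


Verify User Account Unlock
    [Documentation]    Verify manually unlocking the account before lockout time
    [Tags]    Verify_User_Account_Unlock
    [Teardown]    Run Keywords    Redfish.Logout
    ...    AND    Redfish.Login
    ...    AND    Redfish.Delete    /redfish/v1/AccountService/Accounts/test_user
    ...    AND    SSHLibrary.Close All Connections

    Redfish Create User    test_user    TestPwd123    Administrator    ${True}

    # NOTE(review): the lockout threshold and duration written here are not
    # restored to their previous values when the test ends.
    ${payload}=    Create Dictionary
    ...    AccountLockoutThreshold=${account_lockout_threshold}
    ...    AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch    ${REDFISH_ACCOUNTS_SERVICE_URI}    body=${payload}

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword    ${account_lockout_threshold} times
    ...    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    test_user    abc123

    # A locked account must also be refused over SSH, even with the right password.
    SSHLibrary.Open Connection    ${OPENBMC_HOST}
    Run Keyword And Expect Error    Authentication failed*
    ...    SSHLibrary.Login    test_user    TestPwd123

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    test_user    TestPwd123

    ${payload}=    Create Dictionary    Locked=${FALSE}

    # Manually unlock the account before the lockout duration expires.
    Redfish.Login
    Redfish.Patch    ${REDFISH_ACCOUNTS_URI}test_user    body=${payload}
    Redfish.Logout

    # Try redfish login with the recently unlocked account.
    Redfish.Login    test_user    TestPwd123

    # Try SSH login with the unlocked account.
    SSHLibrary.Open Connection    ${OPENBMC_HOST}
    SSHLibrary.Login    test_user    TestPwd123


Verify Admin User Privilege
    [Documentation]    Verify admin user privilege.
    [Tags]    Verify_Admin_User_Privilege

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}

    Redfish.Logout

    Redfish.Login    admin_user    TestPwd123

    # Change password of 'readonly' user with admin user.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/readonly_user    body={'Password': 'NewTestPwd123'}

    # Verify modified user.
    Redfish Verify User    readonly_user    NewTestPwd123    ReadOnly    ${True}

    # Note: Delete user would work here because a root login is
    # performed as part of "Redfish Verify User" keyword's teardown.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/readonly_user


Verify Operator User Role Change Using Admin Privilege User
    [Documentation]    Verify operator user role change using admin privilege user
    [Tags]    Verify_Operator_User_Role_Change_Using_Admin_Privilege_User

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    operator_user    TestPwd123    Operator    ${True}

    Redfish.Logout

    # Change role ID of operator user with admin user.
    # Login with admin user.
    Redfish.Login    admin_user    TestPwd123

    # Modify Role ID of Operator user.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/operator_user    body={'RoleId': 'Administrator'}

    # Verify modified user.
    Redfish Verify User    operator_user    TestPwd123    Administrator    ${True}

    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user


Verify Operator User Privilege
    [Documentation]    Verify operator user privilege.
    [Tags]    Verify_Operator_User_Privilege

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    operator_user    TestPwd123    Operator    ${True}

    Redfish.Logout
    # Login with operator user.
    Redfish.Login    operator_user    TestPwd123

    # A BMC reset requested by the operator user is expected to raise an error.
    Run Keyword And Expect Error    ValueError*    Redfish BMC Reset Operation

    # An operator must not be able to change the admin user's password (403).
    Redfish.Patch    /redfish/v1/AccountService/Accounts/admin_user    body={'Password': 'NewTestPwd123'}
    ...    valid_status_codes=[${HTTP_FORBIDDEN}]

    Redfish.Logout

    Redfish.Login

    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user


Verify ReadOnly User Privilege
    [Documentation]    Verify ReadOnly user privilege.
    [Tags]    Verify_ReadOnly_User_Privilege

    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}
    Redfish.Logout

    # Login with read_only user.
    Redfish.Login    readonly_user    TestPwd123

    # Read system level data.
    # NOTE(review): this only shows that a read succeeds; nothing in this test
    # checks that a write by the ReadOnly user is refused.
    ${system_model}=    Redfish_Utils.Get Attribute
    ...    ${SYSTEM_BASE_URI}    Model

    Redfish.Logout
    Redfish.Login
    Redfish.Delete    ${REDFISH_ACCOUNTS_URI}readonly_user


Verify Minimum Password Length For Redfish Admin And Readonly User
    [Documentation]    Verify minimum password length for new and existing admin or
    ...    readonly user.
    [Tags]    Verify_Minimum_Password_Length_For_Redfish_Admin_And_Readonly_User
    [Template]    Verify Minimum Password Length For Redfish User

    #username        role_id
    admin_user       Administrator
    readonly_user    ReadOnly


Verify Standard User Roles Defined By Redfish
    [Documentation]    Verify standard user roles defined by Redfish.
    [Tags]    Verify_Standard_User_Roles_Defined_By_Redfish

    ${member_list}=    Redfish_Utils.Get Member List
    ...    /redfish/v1/AccountService/Roles

    @{roles}=    Create List
    ...    /redfish/v1/AccountService/Roles/Administrator
    ...    /redfish/v1/AccountService/Roles/Operator
    ...    /redfish/v1/AccountService/Roles/ReadOnly

    List Should Contain Sub List    ${member_list}    ${roles}

    # The standard roles are:

    # | Role name | Assigned privileges |
    # | Administrator | Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf |
    # | Operator | Login, ConfigureComponents, ConfigureSelf |
    # | ReadOnly | Login, ConfigureSelf |

    @{admin}=    Create List    Login    ConfigureManager    ConfigureUsers    ConfigureComponents    ConfigureSelf
    @{operator}=    Create List    Login    ConfigureComponents    ConfigureSelf
    @{readOnly}=    Create List    Login    ConfigureSelf

    ${roles_dict}=    create dictionary    admin_privileges=${admin}    operator_privileges=${operator}
    ...    readOnly_privileges=${readOnly}

    # NOTE(review): these are sub-list checks, so a role that carries extra
    # privileges beyond the expected set still passes.
    ${resp}=    redfish.Get    /redfish/v1/AccountService/Roles/Administrator
    List Should Contain Sub List    ${resp.dict['AssignedPrivileges']}    ${roles_dict['admin_privileges']}

    ${resp}=    redfish.Get    /redfish/v1/AccountService/Roles/Operator
    List Should Contain Sub List    ${resp.dict['AssignedPrivileges']}    ${roles_dict['operator_privileges']}

    ${resp}=    redfish.Get    /redfish/v1/AccountService/Roles/ReadOnly
    List Should Contain Sub List    ${resp.dict['AssignedPrivileges']}    ${roles_dict['readOnly_privileges']}


Verify Error While Deleting Root User
    [Documentation]    Verify error while deleting root user.
    [Tags]    Verify_Error_While_Deleting_Root_User

    Redfish.Delete    /redfish/v1/AccountService/Accounts/root    valid_status_codes=[${HTTP_FORBIDDEN}]


Verify SSH Login Access With Admin User
    [Documentation]    Verify that admin user has SSH login access.
    ...    By default, admin should have access but there could be
    ...    case where admin user shell access is restricted by design
    ...    in the community sphere.
    [Tags]    Verify_SSH_Login_Access_With_Admin_User

    # Create an admin User.
    Redfish Create User    new_admin    TestPwd1    Administrator    ${True}

    # Attempt SSH login with admin user.
    SSHLibrary.Open Connection    ${OPENBMC_HOST}
    ${status}=    Run Keyword And Return Status    SSHLibrary.Login    new_admin    TestPwd1

    # By default ssh_status is True, user can change the status via CLI
    # -v ssh_status:False
    Should Be Equal As Strings    "${status}"    "${ssh_status}"

    Redfish.Login
    Redfish.Delete    /redfish/v1/AccountService/Accounts/new_admin


Verify Configure BasicAuth Enable And Disable
    [Documentation]    Verify configure basicauth enable and disable
    [Tags]    Verify_Configure_BasicAuth_Enable_And_Disable
    [Template]    Template For Configure Auth Methods

    # auth_method
    BasicAuth
    XToken


Redfish Create and Verify Admin User With Invalid Password Format
    [Documentation]    Create a admin user with invalid password format and verify.
    [Tags]    Redfish_Create_and_Verify_Admin_User_With_Invalid_Password_Format
    [Template]    Create User With Unsupported Password Format And Verify

    #username     role_id          password
    admin_user    Administrator    snellens
    admin_user    Administrator    10000001
    admin_user    Administrator    12345678
    admin_user    Administrator    abcdefgh
    admin_user    Administrator    abf12345
    admin_user    Administrator    helloworld
    admin_user    Administrator    HELLOWORLD
    admin_user    Administrator    &$%**!*@
    admin_user    Administrator    Dictation


Redfish Create and Verify Readonly User With Invalid Password Format
    [Documentation]    Create a readonly user with invalid password format and verify.
    [Tags]    Redfish_Create_and_Verify_Readonly_User_With_Invalid_Password_Format
    [Template]    Create User With Unsupported Password Format And Verify

    #username        role_id     password
    readonly_user    ReadOnly    snellens
    readonly_user    ReadOnly    10000001
    readonly_user    ReadOnly    12345678
    readonly_user    ReadOnly    abcdefgh
    readonly_user    ReadOnly    abf12345
    readonly_user    ReadOnly    helloworld
    readonly_user    ReadOnly    HELLOWORLD
    readonly_user    ReadOnly    &$%**!*@
    readonly_user    ReadOnly    Dictation


Verify Admin And Readonly User Password Is Not Same As Username
    [Documentation]    Verify that admin and readonly user creation is failed if
    ...    password is same as username.
    [Tags]    Verify_Admin_And_Readonly_User_Password_Is_Not_Same_As_Username
    [Template]    Create User With Unsupported Password Format And Verify

    #username        role_id          password
    AdminUser1       Administrator    AdminUser1
    ReadOnlyUser1    ReadOnly         ReadOnlyUser1


*** Keywords ***

Test Teardown Execution
    [Documentation]    Do the post test teardown.

    # Logout errors are ignored so that FFDC collection still runs.
    Run Keyword And Ignore Error    Redfish.Logout
    FFDC On Test Case Fail


Redfish Create User
    [Documentation]    Redfish create user.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}    ${login_check}=${True}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # login_check         Checks user login for created user.
    #                     (e.g. ${True}, ${False}).

    # Make sure the user account in question does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${userName}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user.
    ${payload}=    Create Dictionary
    ...    UserName=${username}    Password=${password}    RoleId=${role_id}    Enabled=${enabled}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_CREATED}]

    # Resetting faillock count as a workaround for issue
    # openbmc/phosphor-user-manager#4
    ${cmd}=    Catenate    /usr/sbin/faillock --user ${username} --reset

    Bmc Execute Command    ${cmd}

    # Verify login with created user.
    IF    '${login_check}' == '${True}'
        ${status}=    Run Keyword And Return Status
        ...    Verify Redfish User Login    ${username}    ${password}
    ELSE
        ${status}=    Set Variable    ${False}
    END

    # The login result must match the Enabled flag the account was created with.
    IF    '${login_check}' == '${True}'    Should Be Equal    ${status}    ${enabled}

    # Validate Role ID of created user.
    ${role_config}=    Redfish_Utils.Get Attribute
    ...    /redfish/v1/AccountService/Accounts/${username}    RoleId
    Should Be Equal    ${role_id}    ${role_config}


Redfish Verify User
    [Documentation]    Redfish user verification.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to verify.
    # password            The password expected to work for that user.
    # role_id             The role ID the user is expected to have
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Expected login result for the user
    #                     (${True}, ${False}).

    ${status}=    Verify Redfish User Login    ${username}    ${password}
    # Doing a check of the returned status.
    Should Be Equal    ${status}    ${enabled}

    # Validate Role Id of user.
    ${role_config}=    Redfish_Utils.Get Attribute
    ...    /redfish/v1/AccountService/Accounts/${username}    RoleId
    Should Be Equal    ${role_id}    ${role_config}


Verify Redfish User Login
    [Documentation]    Verify Redfish login with given user id.
    [Arguments]    ${username}    ${password}
    # The teardown drops the test user's session and logs in again with the
    # default Redfish.Login credentials.
    [Teardown]    Run Keywords    Run Keyword And Ignore Error    Redfish.Logout    AND    Redfish.Login

    # Description of argument(s):
    # username            Login username.
    # password            Login password.

    # Logout from current Redfish session.
    # We don't really care if the current session is flushed out since we are going to login
    # with new credential in next.
    Run Keyword And Ignore Error    Redfish.Logout

    ${status}=    Run Keyword And Return Status    Redfish.Login    ${username}    ${password}
    RETURN    ${status}


Redfish Create And Verify User
    [Documentation]    Redfish create and verify user.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Example:
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},

    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}

    Redfish Verify User    ${username}    ${password}    ${role_id}    ${enabled}

    # Delete Specified User
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}


Verify Redfish User Login With Wrong Password
    [Documentation]    Verify Redfish User failed to login with wrong password.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}    ${wrong_password}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # wrong_password      Any invalid password.

    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}

    Redfish.Logout

    # Attempt to login with created user with invalid password.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    ${username}    ${wrong_password}

    Redfish.Login

    # Delete newly created user.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}


Verify Login with Deleted Redfish User
    [Documentation]    Verify Login with Deleted Redfish User.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}

    # Delete newly created user.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${userName}

    Redfish.Logout

    # Attempt to login with deleted user account.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    ${username}    ${password}

    Redfish.Login


Verify Create User Without Enabling
    [Documentation]    Verify Create User Without Enabling.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # login_check is ${False}: the login attempt is made explicitly below.
    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}    ${False}

    Redfish.Logout

    # Login with the created user is expected to be refused.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    ${username}    ${password}

    Redfish.Login

    # Delete newly created user.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}


Template For Configure Auth Methods
    [Documentation]    Template to configure auth methods.
    [Arguments]    ${auth_method}
    # ${initial_value} is set as a test variable by "Get AuthMethods Default Values".
    [Teardown]    Configure AuthMethods    ${auth_method}=${initial_value}

    # Description of Argument(s):
    # auth_method         The authmethod setting which needs to be
    #                     set in account service URI.
    # valid values        BasicAuth, XToken.

    Get AuthMethods Default Values    ${auth_method}

    # Enable the auth method under test.
    Configure AuthMethods    ${auth_method}=${TRUE}

    IF    "${auth_method}" == "XToken"
        Check XToken Works Fine    ${HTTP_OK}
    ELSE
        Check BasicAuth Works Fine    ${HTTP_OK}
    END

    # Disable the auth method under test; requests using it must now get 401.
    Configure AuthMethods    ${auth_method}=${FALSE}

    IF    "${auth_method}" == "BasicAuth"
        Check BasicAuth Works Fine    ${HTTP_UNAUTHORIZED}
    ELSE
        Check XToken Works Fine    ${HTTP_UNAUTHORIZED}
    END


Configure AuthMethods
    [Documentation]    Enable/disable authmethod types.
    [Arguments]    &{authmethods}

    # Description of argument(s):
    # authmethods            The authmethod setting which needs to be
    #                        set in account service URI.
    # Usage Example          Configure AuthMethods    XToken=${TRUE}    BasicAuth=${TRUE}
    #                        This will set the value of "XToken" and "BasicAuth"
    #                        property in accountservice uri to TRUE.

    ${openbmc}=    Create Dictionary    AuthMethods=${authmethods}
    ${oem}=    Create Dictionary    OpenBMC=${openbmc}
    ${payload}=    Create Dictionary    Oem=${oem}

    # Setting authmethod properties using Redfish session based auth
    ${status}=    Run Keyword And Return Status
    ...    Redfish.Patch    ${REDFISH_BASE_URI}AccountService
    ...    body=${payload}    valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]

    # Setting authmethod properties using basic auth in case the former fails
    IF    ${status}==${FALSE}
        # Payload dictionary pre-process to match json formatting
        ${payload}=    Convert To String    ${payload}
        ${payload}=    Replace String    ${payload}    '    "
        ${payload}=    Replace String    ${payload}    False    false
        ${payload}=    Replace String    ${payload}    True    true

        # Curl Command Framing for PATCH authmethod
        # NOTE(review): -k skips TLS certificate verification, and -u places the
        # BMC credentials unquoted on the command line, where they are visible
        # in the process list and are likely recorded in the Robot log.
        ${cmd}=    Catenate    curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
        ...    -X PATCH '${AUTH_URI}${REDFISH_ACCOUNTS_SERVICE_URI}'
        ...    -H 'content-type:application/json' -H 'If-Match:*'
        ...    -d '${payload}'
        ${rc}    ${out}=    Run And Return Rc And Output    ${cmd}

        # Require 200 or 204 on the HTTP status line itself. The previous
        # "Pass Execution If" took only the 204 check as its condition (the
        # continuation cells became message/tags), matched the digits anywhere
        # in the output, and never failed, so an auth method that could not be
        # set or restored went unnoticed.
        Should Match Regexp    ${out}    (?m)^HTTP/[0-9.]+ (200|204)[^0-9]
        ...    msg=AuthMethods PATCH over basic auth did not return 200 or 204.
    END


Get AuthMethods Default Values
    [Documentation]    Get enabled/disabled status of all authmethods
    ...    from Redfish account service URI
    [Arguments]    ${authmethod}

    # Description of argument(s):
    # authmethod            The authmethod property whose value needs to be
    #                       retrieved from account service URI.
    # Usage Example         Get AuthMethods Default Values    BasicAuth
    #                       Stores the value (e.g. ${TRUE}) in the test
    #                       variable ${initial_value}.
    # Example:
    # {
    #     "@odata.id": "/redfish/v1/AccountService",
    #     (...)
    #     "Oem": {
    #         "OpenBMC": {
    #             "AuthMethods": {
    #                 "BasicAuth": true,
    #                 "Cookie": true,
    #                 "SessionToken": true,
    #                 "TLS": true,
    #                 "XToken": true
    #             }
    #         }
    #     }
    # }

    ${resp}=    Redfish.Get Attribute    ${REDFISH_ACCOUNTS_SERVICE_URI}    Oem
    ${authmethods}=    Set Variable    ${resp['OpenBMC']['AuthMethods']}
    ${initial_value}=    Get From Dictionary    ${authmethods}    ${authmethod}
    Set Test Variable    ${initial_value}


Check XToken Works Fine
    [Documentation]    Verify Xtoken works fine.
    [Arguments]    ${status_code}

    # Description of Argument(s):
    # status_code : 200, 401.

    # Verify xtoken auth works for xtoken
    Redfish.Get    ${REDFISH_ACCOUNTS_SERVICE_URI}
    ...    valid_status_codes=[${status_code}]


Check BasicAuth Works Fine
    [Documentation]    Verify Basic Auth works fine.
    [Arguments]    ${status_code}

    # Description of Argument(s):
    # status_code : 200, 401.

    # Verify basic auth works based on basic auth.
    # NOTE(review): -k skips TLS certificate verification, and -u places the
    # BMC credentials unquoted on the command line, where they are visible in
    # the process list and are likely recorded in the Robot log.
    ${cmd}=    Catenate    curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
    ...    ${AUTH_URI}/redfish/v1/AccountService
    ${rc}    ${out}=    Run And Return Rc And Output    ${cmd}

    # Match the expected code on the HTTP status line only; a plain substring
    # check would also pass when the digits appear in a header or the body.
    Should Match Regexp    ${out}    (?m)^HTTP/[0-9.]+ ${status_code}[^0-9]
    ...    msg=Basic auth request did not return HTTP ${status_code}.


Create User With Unsupported Password Format And Verify
    [Documentation]    Create admin or readonly user with unsupported password format
    ...    and verify.
    [Arguments]    ${username}    ${role_id}    ${password}

    # Description of argument(s):
    # username            The username to be created.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "ReadOnly").
    # password            The password to be assigned.
    #                     Unsupported password format are sequential characters,
    #                     sequential digits, palindrome digits, palindrome characters,
    #                     only uppercase letters, only lowercase letters, only digits,
    #                     only characters, not a dictionary word, username and password
    #                     should not be same.

    # Make sure the user account in question does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${userName}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Creating the user with an invalid password format must be rejected with 400.
    ${payload}=    Create Dictionary
    ...    UserName=${username}    Password=${password}    RoleId=${role_id}    Enabled=${True}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]


Verify Minimum Password Length For Redfish User
    [Documentation]    Verify minimum password length for new and existing admin or
    ...    readonly user.
    [Arguments]    ${user_name}    ${role_id}

    # Description of argument(s):
    # user_name           The username to be created.
    # role_id             The role ID of the user to be created.

    # Make sure the user account in question does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${user_name}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Try to create a user with invalid length password.
    ${payload}=    Create Dictionary
    ...    UserName=${user_name}    Password=UserPwd    RoleId=${role_id}    Enabled=${True}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Create specified user with valid length password.
    Set To Dictionary    ${payload}    Password    UserPwd1
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_CREATED}]

    # Try to change to an invalid password.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/${user_name}    body={'Password': 'UserPwd'}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Change to a valid password.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/${user_name}    body={'Password': 'UserPwd1'}

    # Verify login.
    Redfish.Logout
    Redfish.Login    ${user_name}    UserPwd1
    Redfish.Logout
    Redfish.Login
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${user_name}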