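*** Settings ***
Documentation    Test suite for verifying Redfish admin, readonly operation user accounts.

Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/bmc_redfish_utils.robot

Library          SSHLibrary

Test Setup       Redfish.Login
Test Teardown    Test Teardown Execution

*** Variables ***

# Lockout settings patched into the AccountService by the lockout tests.
# Duration is used as seconds by the Sleep in "Verify User Account Locked".
${account_lockout_duration}     ${30}
${account_lockout_threshold}    ${3}
# Expected outcome of the admin SSH login test; override with -v ssh_status:False.
${ssh_status}                   ${True}

*** Test Cases ***

Verify AccountService Available
    [Documentation]    Verify Redfish account service is available.
    [Tags]    Verify_AccountService_Available

    ${resp}=    Redfish_utils.Get Attribute    /redfish/v1/AccountService    ServiceEnabled
    Should Be Equal As Strings    ${resp}    ${True}


Verify Redfish Admin User Persistence After Reboot
    [Documentation]    Verify Redfish admin user persistence after reboot.
    [Tags]    Verify_Redfish_Admin_User_Persistence_After_Reboot
    [Setup]    Run Keywords    Redfish.Login    AND
    ...    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    [Teardown]    Run Keywords    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    ...    AND    Test Teardown Execution

    # Reboot BMC.
    Redfish OBMC Reboot (off)    stack_mode=normal

    # Verify users after reboot.
    Redfish Verify User    admin_user    TestPwd123    Administrator    ${True}


Verify Redfish Operator User Persistence After Reboot
    [Documentation]    Verify Redfish operator user persistence after reboot.
    [Tags]    Verify_Redfish_Operator_User_Persistence_After_Reboot
    [Setup]    Run Keywords    Redfish.Login    AND
    ...    Redfish Create User    operator_user    TestPwd123    Operator    ${True}
    [Teardown]    Run Keywords    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user
    ...    AND    Test Teardown Execution

    # Reboot BMC.
    Redfish OBMC Reboot (off)    stack_mode=normal

    # Verify users after reboot.
    Redfish Verify User    operator_user    TestPwd123    Operator    ${True}


Verify Redfish Readonly User Persistence After Reboot
    [Documentation]    Verify Redfish readonly user persistence after reboot.
    [Tags]    Verify_Redfish_Readonly_User_Persistence_After_Reboot
    [Setup]    Run Keywords    Redfish.Login    AND
    ...    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}
    [Teardown]    Run Keywords    Redfish.Delete    /redfish/v1/AccountService/Accounts/readonly_user
    ...    AND    Test Teardown Execution

    # Reboot BMC.
    Redfish OBMC Reboot (off)    stack_mode=normal

    # Verify users after reboot.
    Redfish Verify User    readonly_user    TestPwd123    ReadOnly    ${True}


Redfish Create and Verify Admin User
    [Documentation]    Create a Redfish user with administrator role and verify.
    [Tags]    Redfish_Create_and_Verify_Admin_User
    [Template]    Redfish Create And Verify User

    #username      password      role_id          enabled
    admin_user     TestPwd123    Administrator    ${True}


Redfish Create and Verify Operator User
    [Documentation]    Create a Redfish user with operator role and verify.
    [Tags]    Redfish_Create_and_Verify_Operator_User
    [Template]    Redfish Create And Verify User

    #username        password      role_id     enabled
    operator_user    TestPwd123    Operator    ${True}


Redfish Create and Verify Readonly User
    [Documentation]    Create a Redfish user with readonly role and verify.
    [Tags]    Redfish_Create_and_Verify_Readonly_User
    [Template]    Redfish Create And Verify User

    #username        password      role_id     enabled
    readonly_user    TestPwd123    ReadOnly    ${True}


Verify Redfish Admin User Login With Wrong Password
    [Documentation]    Verify Redfish create admin user with valid password and make sure
    ...    admin user failed to login with wrong password.
    [Tags]    Verify_Redfish_Admin_User_Login_With_Wrong_Password
    [Template]    Verify Redfish User Login With Wrong Password

    #username     password      role_id          enabled    wrong_password
    admin_user    TestPwd123    Administrator    ${True}    alskjhfwurh


Verify Redfish Operator User Login With Wrong Password
    [Documentation]    Verify Redfish create operator user with valid password and make sure
    ...    operator user failed to login with wrong password.
    [Tags]    Verify_Redfish_Operator_User_Login_With_Wrong_Password
    [Template]    Verify Redfish User Login With Wrong Password

    #username        password      role_id     enabled    wrong_password
    operator_user    TestPwd123    Operator    ${True}    12j8a8uakjhdaosiruf024


Verify Redfish Readonly User Login With Wrong Password
    [Documentation]    Verify Redfish create readonly user with valid password and make sure
    ...    readonly user failed to login with wrong password.
    [Tags]    Verify_Redfish_Readonly_User_Login_With_Wrong_Password
    [Template]    Verify Redfish User Login With Wrong Password

    #username        password      role_id     enabled    wrong_password
    readonly_user    TestPwd123    ReadOnly    ${True}    12


Verify Login with Deleted Redfish Admin User
    [Documentation]    Verify login with deleted Redfish admin user.
    [Tags]    Verify_Login_with_Deleted_Redfish_Admin_User
    [Template]    Verify Login with Deleted Redfish User

    #username     password      role_id          enabled
    admin_user    TestPwd123    Administrator    ${True}


Verify Login with Deleted Redfish Operator User
    [Documentation]    Verify login with deleted Redfish operator user.
    [Tags]    Verify_Login_with_Deleted_Redfish_Operator_User
    [Template]    Verify Login with Deleted Redfish User

    #username        password      role_id     enabled
    operator_user    TestPwd123    Operator    ${True}


Verify Login with Deleted Redfish Readonly User
    [Documentation]    Verify login with deleted Redfish readonly user.
    [Tags]    Verify_Login_with_Deleted_Redfish_Readonly_User
    [Template]    Verify Login with Deleted Redfish User

    #username        password      role_id     enabled
    readonly_user    TestPwd123    ReadOnly    ${True}


Verify Admin User Creation Without Enabling It
    [Documentation]    Verify admin user creation without enabling it.
    [Tags]    Verify_Admin_User_Creation_Without_Enabling_It
    [Template]    Verify Create User Without Enabling

    #username     password      role_id          enabled
    admin_user    TestPwd123    Administrator    ${False}


Verify Operator User Creation Without Enabling It
    [Documentation]    Verify operator user creation without enabling it.
    [Tags]    Verify_Operator_User_Creation_Without_Enabling_It
    [Template]    Verify Create User Without Enabling

    #username        password      role_id     enabled
    operator_user    TestPwd123    Operator    ${False}


Verify Readonly User Creation Without Enabling It
    [Documentation]    Verify readonly user creation without enabling it.
    [Tags]    Verify_Readonly_User_Creation_Without_Enabling_It
    [Template]    Verify Create User Without Enabling

    #username        password      role_id     enabled
    readonly_user    TestPwd123    ReadOnly    ${False}


Verify User Creation With Invalid Role Id
    [Documentation]    Verify user creation with invalid role ID.
    [Tags]    Verify_User_Creation_With_Invalid_Role_Id

    # Make sure the user account in question does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/test_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # The service must reject a role ID it does not define.
    ${payload}=    Create Dictionary
    ...    UserName=test_user    Password=TestPwd123    RoleId=wrongroleid    Enabled=${True}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]


Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]    Verify error upon creating same users with different privileges.
    [Tags]    Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    Redfish Create User    test_user    TestPwd123    Administrator    ${True}

    # A second POST with the same user name but another role must be rejected.
    ${payload}=    Create Dictionary
    ...    UserName=test_user    Password=TestPwd123    RoleId=ReadOnly    Enabled=${True}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]

    Redfish.Delete    /redfish/v1/AccountService/Accounts/test_user


Verify Modifying User Attributes
    [Documentation]    Verify modifying user attributes.
    [Tags]    Verify_Modifying_User_Attributes

    # Create Redfish users.
    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}

    # Make sure the new user account does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/newadmin_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Update admin_user username using Redfish.
    ${payload}=    Create Dictionary    UserName=newadmin_user
    Redfish.Patch    /redfish/v1/AccountService/Accounts/admin_user    body=&{payload}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Update readonly_user role using Redfish.
    ${payload}=    Create Dictionary    RoleId=Administrator
    Redfish.Patch    /redfish/v1/AccountService/Accounts/readonly_user    body=&{payload}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Verify users after updating.
    Redfish Verify User    newadmin_user    TestPwd123    Administrator    ${True}
    Redfish Verify User    readonly_user    TestPwd123    Administrator    ${True}

    # Delete created users.
    # NOTE(review): these deletes run only if every step above passed; on a
    # failure the Administrator accounts created here remain on the BMC.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/newadmin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/readonly_user


Verify Modifying Operator User Attributes
    [Documentation]    Verify modifying operator user attributes.
    [Tags]    Verify_Modifying_Operator_User_Attributes
    [Setup]    Run Keywords    Redfish.Login    AND
    ...    Redfish Create User    operator_user    TestPwd123    Operator    ${True}
    [Teardown]    Run Keywords    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user
    ...    AND    Test Teardown Execution

    # Update operator_user password using Redfish.
    ${payload}=    Create Dictionary    Password=NewTestPwd123
    Redfish.Patch    /redfish/v1/AccountService/Accounts/operator_user    body=&{payload}

    # Verify users after updating.
    Redfish Verify User    operator_user    NewTestPwd123    Operator    ${True}


Verify User Account Locked
    [Documentation]    Verify user account locked upon trying with invalid password.
    [Tags]    Verify_User_Account_Locked

    # NOTE(review): this test has no [Teardown] of its own. If a step fails,
    # admin_user is not deleted, and the lockout threshold/duration patched
    # below are never restored to their previous values in any case.
    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}

    ${payload}=    Create Dictionary    AccountLockoutThreshold=${account_lockout_threshold}
    ...    AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch    ${REDFISH_ACCOUNTS_SERVICE_URI}    body=${payload}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword    ${account_lockout_threshold} times
    ...    Run Keyword And Expect Error    *InvalidCredentialsError*    Redfish.Login    admin_user    abcd1234

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error    *InvalidCredentialsError*
    ...    Redfish.Login    admin_user    TestPwd123

    # Wait for the lockout duration plus a 5 second margin,
    # then verify that login works again.
    ${total_wait_duration}=    Evaluate    ${account_lockout_duration} + 5
    Sleep    ${total_wait_duration}s

    Redfish.Login    admin_user    TestPwd123

    Redfish.Logout

    Redfish.Login

    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user


Verify User Account Unlock
    [Documentation]    Verify manually unlocking the account before lockout time
    [Tags]    Verify_User_Account_Unlock
    [Teardown]    Run Keywords    Redfish.Logout
    ...    AND    Redfish.Login
    ...    AND    Redfish.Delete    /redfish/v1/AccountService/Accounts/test_user
    ...    AND    SSHLibrary.Close All Connections

    Redfish Create User    test_user    TestPwd123    Administrator    ${True}

    ${payload}=    Create Dictionary
    ...    AccountLockoutThreshold=${account_lockout_threshold}
    ...    AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch    ${REDFISH_ACCOUNTS_SERVICE_URI}    body=${payload}

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword    ${account_lockout_threshold} times
    ...    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    test_user    abc123

    # The lock must also apply to SSH, even with the correct password.
    SSHLibrary.Open Connection    ${OPENBMC_HOST}
    Run Keyword And Expect Error    Authentication failed*
    ...    SSHLibrary.Login    test_user    TestPwd123

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    test_user    TestPwd123

    ${payload}=    Create Dictionary    Locked=${FALSE}

    # Manually unlock the account before the lockout duration expires.
    Redfish.Login
    Redfish.Patch    ${REDFISH_ACCOUNTS_URI}test_user    body=${payload}
    Redfish.Logout

    # Try redfish login with the recently unlocked account.
    Redfish.Login    test_user    TestPwd123

    # Try SSH login with the unlocked account.
    SSHLibrary.Open Connection    ${OPENBMC_HOST}
    SSHLibrary.Login    test_user    TestPwd123


Verify Admin User Privilege
    [Documentation]    Verify admin user privilege.
    [Tags]    Verify_Admin_User_Privilege

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}

    Redfish.Logout

    Redfish.Login    admin_user    TestPwd123

    # Change password of 'readonly' user with admin user.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/readonly_user    body={'Password': 'NewTestPwd123'}

    # Verify modified user.
    Redfish Verify User    readonly_user    NewTestPwd123    ReadOnly    ${True}

    # Note: Delete user would work here because a root login is
    # performed as part of "Redfish Verify User" keyword's teardown.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/readonly_user


Verify Operator User Role Change Using Admin Privilege User
    [Documentation]    Verify operator user role change using admin privilege user
    [Tags]    Verify_Operator_User_Role_Change_Using_Admin_Privilege_User

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    operator_user    TestPwd123    Operator    ${True}

    Redfish.Logout

    # Change role ID of operator user with admin user.
    # Login with admin user.
    Redfish.Login    admin_user    TestPwd123

    # Modify Role ID of Operator user.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/operator_user    body={'RoleId': 'Administrator'}

    # Verify modified user.
    Redfish Verify User    operator_user    TestPwd123    Administrator    ${True}

    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user


Verify Operator User Privilege
    [Documentation]    Verify operator user privilege.
    [Tags]    Verify_Operator_User_Privilege

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    operator_user    TestPwd123    Operator    ${True}

    Redfish.Logout
    # Login with operator user.
    Redfish.Login    operator_user    TestPwd123

    # An operator must not be able to reset the BMC.
    Run Keyword And Expect Error    ValueError*    Redfish BMC Reset Operation

    # An operator must not be able to change another account's password.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/admin_user    body={'Password': 'NewTestPwd123'}
    ...    valid_status_codes=[${HTTP_FORBIDDEN}]

    Redfish.Logout

    Redfish.Login

    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user


Verify ReadOnly User Privilege
    [Documentation]    Verify ReadOnly user privilege.
    [Tags]    Verify_ReadOnly_User_Privilege

    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}
    Redfish.Logout

    # Login with read_only user.
    Redfish.Login    readonly_user    TestPwd123

    # Read system level data.
    # NOTE(review): only read access is checked; this test makes no write
    # attempt as the ReadOnly user, so a missing write restriction would
    # not be caught here.
    ${system_model}=    Redfish_Utils.Get Attribute
    ...    ${SYSTEM_BASE_URI}    Model

    Redfish.Logout
    Redfish.Login
    Redfish.Delete    ${REDFISH_ACCOUNTS_URI}readonly_user


Verify Minimum Password Length For Redfish Admin And Readonly User
    [Documentation]    Verify minimum password length for new and existing admin or
    ...    readonly user.
    [Tags]    Verify_Minimum_Password_Length_For_Redfish_Admin_And_Readonly_User
    [Template]    Verify Minimum Password Length For Redfish User

    #username        role_id
    admin_user       Administrator
    readonly_user    ReadOnly


Verify Standard User Roles Defined By Redfish
    [Documentation]    Verify standard user roles defined by Redfish.
    [Tags]    Verify_Standard_User_Roles_Defined_By_Redfish

    ${member_list}=    Redfish_Utils.Get Member List
    ...    /redfish/v1/AccountService/Roles

    @{roles}=    Create List
    ...    /redfish/v1/AccountService/Roles/Administrator
    ...    /redfish/v1/AccountService/Roles/Operator
    ...    /redfish/v1/AccountService/Roles/ReadOnly

    List Should Contain Sub List    ${member_list}    ${roles}

    # The standard roles are:

    # | Role name     | Assigned privileges                                                          |
    # | Administrator | Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf |
    # | Operator      | Login, ConfigureComponents, ConfigureSelf                                    |
    # | ReadOnly      | Login, ConfigureSelf                                                         |

    @{admin}=    Create List    Login    ConfigureManager    ConfigureUsers    ConfigureComponents    ConfigureSelf
    @{operator}=    Create List    Login    ConfigureComponents    ConfigureSelf
    @{readOnly}=    Create List    Login    ConfigureSelf

    ${roles_dict}=    Create Dictionary    admin_privileges=${admin}    operator_privileges=${operator}
    ...    readOnly_privileges=${readOnly}

    # NOTE(review): "List Should Contain Sub List" is a lower bound. A role
    # that reports privileges beyond the expected set still passes these checks.
    ${resp}=    Redfish.Get    /redfish/v1/AccountService/Roles/Administrator
    List Should Contain Sub List    ${resp.dict['AssignedPrivileges']}    ${roles_dict['admin_privileges']}

    ${resp}=    Redfish.Get    /redfish/v1/AccountService/Roles/Operator
    List Should Contain Sub List    ${resp.dict['AssignedPrivileges']}    ${roles_dict['operator_privileges']}

    ${resp}=    Redfish.Get    /redfish/v1/AccountService/Roles/ReadOnly
    List Should Contain Sub List    ${resp.dict['AssignedPrivileges']}    ${roles_dict['readOnly_privileges']}


Verify Error While Deleting Root User
    [Documentation]    Verify error while deleting root user.
    [Tags]    Verify_Error_While_Deleting_Root_User

    Redfish.Delete    /redfish/v1/AccountService/Accounts/root    valid_status_codes=[${HTTP_FORBIDDEN}]


Verify SSH Login Access With Admin User
    [Documentation]    Verify that admin user have SSH login access.
    ...    By default, admin should have access but there could be
    ...    case where admin user shell access is restricted by design
    ...    in the community sphere..
    [Tags]    Verify_SSH_Login_Access_With_Admin_User

    # Create an admin User.
    Redfish Create User    new_admin    TestPwd1    Administrator    ${True}

    # Attempt SSH login with admin user.
    SSHLibrary.Open Connection    ${OPENBMC_HOST}
    ${status}=    Run Keyword And Return Status    SSHLibrary.Login    new_admin    TestPwd1

    # By default ssh_status is True, user can change the status via CLI
    # -v ssh_status:False
    Should Be Equal As Strings    "${status}"    "${ssh_status}"

    Redfish.Login
    Redfish.Delete    /redfish/v1/AccountService/Accounts/new_admin


Verify Configure BasicAuth Enable And Disable
    [Documentation]    Verify configure basicauth enable and disable
    [Tags]    Verify_Configure_BasicAuth_Enable_And_Disable
    [Template]    Template For Configure Auth Methods

    # auth_method
    BasicAuth
    XToken


Redfish Create and Verify Admin User With Invalid Password Format
    [Documentation]    Create a admin user with invalid password format and verify.
    [Template]    Create User With Unsupported Password Format And Verify
    [Tags]    Redfish_Create_and_Verify_Admin_User_With_Invalid_Password_Format

    #username     role_id          password
    admin_user    Administrator    snellens
    admin_user    Administrator    10000001
    admin_user    Administrator    12345678
    admin_user    Administrator    abcdefgh
    admin_user    Administrator    abf12345
    admin_user    Administrator    helloworld
    admin_user    Administrator    HELLOWORLD
    admin_user    Administrator    &$%**!*@
    admin_user    Administrator    Dictation


Redfish Create and Verify Readonly User With Invalid Password Format
    [Documentation]    Create a readonly user with invalid password format and verify.
    [Template]    Create User With Unsupported Password Format And Verify
    [Tags]    Redfish_Create_and_Verify_Readonly_User_With_Invalid_Password_Format

    #username        role_id     password
    readonly_user    ReadOnly    snellens
    readonly_user    ReadOnly    10000001
    readonly_user    ReadOnly    12345678
    readonly_user    ReadOnly    abcdefgh
    readonly_user    ReadOnly    abf12345
    readonly_user    ReadOnly    helloworld
    readonly_user    ReadOnly    HELLOWORLD
    readonly_user    ReadOnly    &$%**!*@
    readonly_user    ReadOnly    Dictation


Verify Admin And Readonly User Password Is Not Same As Username
    [Documentation]    Verify that admin and readonly user creation is failed if
    ...    password is same as username.
    [Template]    Create User With Unsupported Password Format And Verify
    [Tags]    Verify_Admin_And_Readonly_User_Password_Is_Not_Same_As_Username

    #username        role_id          password
    AdminUser1       Administrator    AdminUser1
    ReadOnlyUser1    ReadOnly         ReadOnlyUser1


*** Keywords ***

Test Teardown Execution
    [Documentation]    Do the post test teardown.

    # Logout is best effort: the test may already have logged out.
    Run Keyword And Ignore Error    Redfish.Logout
    FFDC On Test Case Fail


Redfish Create User
    [Documentation]    Redfish create user.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}    ${login_check}=${True}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # login_check         Checks user login for created user.
    #                     (e.g. ${True}, ${False}).

    # Make sure the user account in question does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user.
    ${payload}=    Create Dictionary
    ...    UserName=${username}    Password=${password}    RoleId=${role_id}    Enabled=${enabled}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_CREATED}]

    # Resetting faillock count as a workaround for issue
    # openbmc/phosphor-user-manager#4
    # NOTE(review): ${username} is placed unquoted into a command line run on
    # the BMC; every caller in this file passes a fixed literal name. Keep it
    # that way, or quote the value, if names ever come from outside the suite.
    ${cmd}=    Catenate    /usr/sbin/faillock --user ${username} --reset

    Bmc Execute Command    ${cmd}

    # Verify login with created user: the login result must match ${enabled}.
    IF    '${login_check}' == '${True}'
        ${status}=    Run Keyword And Return Status
        ...    Verify Redfish User Login    ${username}    ${password}
        Should Be Equal    ${status}    ${enabled}
    ELSE
        ${status}=    Set Variable    ${False}
    END

    # Validate Role ID of created user.
    ${role_config}=    Redfish_Utils.Get Attribute
    ...    /redfish/v1/AccountService/Accounts/${username}    RoleId
    Should Be Equal    ${role_id}    ${role_config}


Redfish Verify User
    [Documentation]    Redfish user verification.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be verified.
    # password            The password expected to work for that user.
    # role_id             The role ID the user is expected to have
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Expected login outcome for the user
    #                     (${True}, ${False}).

    ${status}=    Verify Redfish User Login    ${username}    ${password}
    # Doing a check of the returned status.
    Should Be Equal    ${status}    ${enabled}

    # Validate Role Id of user.
    ${role_config}=    Redfish_Utils.Get Attribute
    ...    /redfish/v1/AccountService/Accounts/${username}    RoleId
    Should Be Equal    ${role_id}    ${role_config}


Verify Redfish User Login
    [Documentation]    Verify Redfish login with given user id.
    [Teardown]    Run Keywords    Run Keyword And Ignore Error    Redfish.Logout    AND    Redfish.Login
    [Arguments]    ${username}    ${password}

    # Description of argument(s):
    # username            Login username.
    # password            Login password.
    #
    # Returns the login status (${True} on success, ${False} otherwise).
    # The teardown logs back in with the default Redfish.Login credentials.

    # Logout from current Redfish session.
    # We don't really care if the current session is flushed out since we are going to login
    # with new credential in next.
    Run Keyword And Ignore Error    Redfish.Logout

    ${status}=    Run Keyword And Return Status    Redfish.Login    ${username}    ${password}
    RETURN    ${status}


Redfish Create And Verify User
    [Documentation]    Redfish create and verify user.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Example:
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},

    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}

    Redfish Verify User    ${username}    ${password}    ${role_id}    ${enabled}

    # Delete Specified User
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}


Verify Redfish User Login With Wrong Password
    [Documentation]    Verify Redfish User failed to login with wrong password.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}    ${wrong_password}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # wrong_password      Any invalid password.

    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}

    Redfish.Logout

    # Attempt to login with created user with invalid password.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    ${username}    ${wrong_password}

    Redfish.Login

    # Delete newly created user.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}


Verify Login with Deleted Redfish User
    [Documentation]    Verify Login with Deleted Redfish User.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}

    # Delete newly created user.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}

    Redfish.Logout

    # Attempt to login with deleted user account.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    ${username}    ${password}

    Redfish.Login


Verify Create User Without Enabling
    [Documentation]    Verify Create User Without Enabling.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # login_check is ${False}: the login attempt is made explicitly below.
    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}    ${False}

    Redfish.Logout

    # Login with the created user must be refused.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    ${username}    ${password}

    Redfish.Login

    # Delete newly created user.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}


Template For Configure Auth Methods
    [Documentation]    Template to configure auth methods.
    [Arguments]    ${auth_method}
    [Teardown]    Configure AuthMethods    ${auth_method}=${initial_value}

    # Description of Argument(s):
    # auth_method         The authmethod setting which needs to be
    #                     set in account service URI.
    # valid values        BasicAuth, XToken.

    # Records the current setting in ${initial_value} for the teardown.
    Get AuthMethods Default Values    ${auth_method}

    # Patch the auth method to TRUE and expect access to succeed.
    Configure AuthMethods    ${auth_method}=${TRUE}

    IF    "${auth_method}" == "XToken"
        Check XToken Works Fine    ${HTTP_OK}
    ELSE
        Check BasicAuth Works Fine    ${HTTP_OK}
    END

    # Patch the auth method to FALSE and expect access to be refused.
    Configure AuthMethods    ${auth_method}=${FALSE}

    IF    "${auth_method}" == "BasicAuth"
        Check BasicAuth Works Fine    ${HTTP_UNAUTHORIZED}
    ELSE
        Check XToken Works Fine    ${HTTP_UNAUTHORIZED}
    END


Configure AuthMethods
    [Documentation]    Enable/disable authmethod types.
    [Arguments]    &{authmethods}

    # Description of argument(s):
    # authmethods         The authmethod setting which needs to be
    #                     set in account service URI.
    # Usage Example       Configure AuthMethods  XToken=${TRUE}  BasicAuth=${TRUE}
    #                     This will set the value of "XToken" and "BasicAuth"
    #                     property in accountservice uri to TRUE.

    ${openbmc}=    Create Dictionary    AuthMethods=${authmethods}
    ${oem}=    Create Dictionary    OpenBMC=${openbmc}
    ${payload}=    Create Dictionary    Oem=${oem}

    # Setting authmethod properties using Redfish session based auth.
    ${status}=    Run Keyword And Return Status
    ...    Redfish.Patch    ${REDFISH_BASE_URI}AccountService
    ...    body=${payload}    valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]

    # Setting authmethod properties using basic auth in case the former fails.
    IF    not ${status}
        # Payload dictionary pre-process to match json formatting.
        ${payload}=    Convert To String    ${payload}
        ${payload}=    Replace String    ${payload}    '    "
        ${payload}=    Replace String    ${payload}    False    false
        ${payload}=    Replace String    ${payload}    True    true

        # Curl Command Framing for PATCH authmethod.
        # NOTE(review): -k turns off TLS certificate verification, and
        # -u user:password puts the BMC password on the command line, so it
        # is visible in the local process list and in the Robot log where
        # ${cmd} is recorded. Treat logs from this suite as sensitive.
        ${cmd}=    Catenate    curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
        ...    -X PATCH '${AUTH_URI}${REDFISH_ACCOUNTS_SERVICE_URI}'
        ...    -H 'content-type:application/json' -H 'If-Match:*'
        ...    -d '${payload}'
        ${rc}    ${out}=    Run And Return Rc And Output    ${cmd}

        # Check the response of curl command is 200 or 204.
        # NOTE(review): these are substring matches on the whole curl output,
        # so "200"/"204" appearing in a header or body would also match.
        ${check_no_content}=
        ...    Run Keyword And Return Status    Should Contain    ${out}    204
        ${check_ok}=
        ...    Run Keyword And Return Status    Should Contain    ${out}    200

        # Fail when neither status was seen. The earlier "Pass Execution If"
        # evaluated only the first comparison (the "OR ..." cells were taken
        # as message and tag), ended the calling test as PASS when it was
        # true, and did nothing at all when the PATCH had failed.
        Should Be True    ${check_no_content} or ${check_ok}
        ...    msg=AuthMethods PATCH using basic auth did not return 200 or 204.
    END


Get AuthMethods Default Values
    [Documentation]    Get enabled/disabled status of all authmethods
    ...    from Redfish account service URI
    [Arguments]    ${authmethod}

    # Description of argument(s):
    # authmethod          The authmethod property whose value needs to be
    #                     retrieved from account service URI.
    # Usage Example       Get AuthMethods Default Values  BasicAuth
    #                     sets test variable ${initial_value} >> ${TRUE}
    # Example:
    # {
    #     "@odata.id": "/redfish/v1/AccountService",
    #     (...)
    #     "Oem": {
    #         "OpenBMC": {
    #             "AuthMethods": {
    #                 "BasicAuth": true,
    #                 "Cookie": true,
    #                 "SessionToken": true,
    #                 "TLS": true,
    #                 "XToken": true
    #             }
    #         }
    #     }
    # }

    ${resp}=    Redfish.Get Attribute    ${REDFISH_ACCOUNTS_SERVICE_URI}    Oem
    ${authmethods}=    Set Variable    ${resp['OpenBMC']['AuthMethods']}
    ${initial_value}=    Get From Dictionary    ${authmethods}    ${authmethod}
    # Published at test scope so the calling template's teardown can restore it.
    Set Test Variable    ${initial_value}


Check XToken Works Fine
    [Documentation]    Verify Xtoken works fine.
    [Arguments]    ${status_code}

    # Description of Argument(s):
    # status_code : 200, 401.

    # Verify xtoken auth works for xtoken.
    Redfish.Get    ${REDFISH_ACCOUNTS_SERVICE_URI}
    ...    valid_status_codes=[${status_code}]


Check BasicAuth Works Fine
    [Documentation]    Verify Basic Auth works fine.
    [Arguments]    ${status_code}

    # Description of Argument(s):
    # status_code : 200, 401.

    # Verify basic auth works based on basic auth.
    # NOTE(review): as in "Configure AuthMethods", -k skips certificate
    # verification and the password is passed on the curl command line.
    ${cmd}=    Catenate    curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
    ...    ${AUTH_URI}/redfish/v1/AccountService
    ${rc}    ${out}=    Run And Return Rc And Output    ${cmd}

    # Check the response of curl command is 200/401.
    # NOTE(review): substring match on the whole output, not on the status line.
    Should Contain    ${out}    ${status_code}


Create User With Unsupported Password Format And Verify
    [Documentation]    Create admin or readonly user with unsupported password format
    ...    and verify.
    [Arguments]    ${username}    ${role_id}    ${password}

    # Description of argument(s):
    # username            The username to be created.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "ReadOnly").
    # password            The password to be assigned.
    #                     Unsupported password format are sequential characters,
    #                     sequential digits, palindrome digits, palindrome characters,
    #                     only uppercase letters, only lowercase letters, only digits,
    #                     only characters, not a dictionary word, username and password
    #                     should not be same.

    # Make sure the user account in question does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user with invalid password format.
    # NOTE(review): if the service wrongly accepts the password, the POST
    # check fails and the newly created account is left on the BMC until
    # the next run deletes it.
    ${payload}=    Create Dictionary
    ...    UserName=${username}    Password=${password}    RoleId=${role_id}    Enabled=${True}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]


Verify Minimum Password Length For Redfish User
    [Documentation]    Verify minimum password length for new and existing admin or
    ...    readonly user.
    [Arguments]    ${user_name}    ${role_id}

    # Description of argument(s):
    # user_name           The username to be created.
    # role_id             The role ID of the user to be created.

    # Make sure the user account in question does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${user_name}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Try to create a user with invalid length password.
    ${payload}=    Create Dictionary
    ...    UserName=${user_name}    Password=UserPwd    RoleId=${role_id}    Enabled=${True}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Create specified user with valid length password.
    Set To Dictionary    ${payload}    Password    UserPwd1
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_CREATED}]

    # Try to change to an invalid password.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/${user_name}    body={'Password': 'UserPwd'}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Change to a valid password.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/${user_name}    body={'Password': 'UserPwd1'}

    # Verify login.
    Redfish.Logout
    Redfish.Login    ${user_name}    UserPwd1
    Redfish.Logout
    Redfish.Login
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${user_name}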