xref: /openbmc/openbmc-test-automation/redfish/account_service/test_user_account.robot (revision 2067a770fe31056ce24dcc630b99b03c77efa2b8) 
1*** Settings ***
2Documentation    Test suite for verifying Redfish admin, readonly operation user accounts.
3
4Resource         ../../lib/resource.robot
5Resource         ../../lib/bmc_redfish_resource.robot
6Resource         ../../lib/openbmc_ffdc.robot
7Resource         ../../lib/bmc_redfish_utils.robot
8
9Library          SSHLibrary
10
11Test Setup       Redfish.Login
12Test Teardown    Test Teardown Execution
13
14Test Tags        User_Account
15
16*** Variables ***
17
18${account_lockout_duration}   ${30}
19${account_lockout_threshold}  ${3}
20${ssh_status}                 ${True}
21
22*** Test Cases ***
23
24Verify AccountService Available
25    [Documentation]  Verify Redfish account service is available.
26    [Tags]  Verify_AccountService_Available
27
28    ${resp} =  Redfish_utils.Get Attribute  /redfish/v1/AccountService  ServiceEnabled
29    Should Be Equal As Strings  ${resp}  ${True}
30
31
32Verify Redfish Admin User Persistence After Reboot
33    [Documentation]  Verify Redfish admin user persistence after reboot.
34    [Tags]  Verify_Redfish_Admin_User_Persistence_After_Reboot
35    [Setup]  Run Keywords  Redfish.Login  AND
36    ...  Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
37    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
38    ...  AND  Test Teardown Execution
39
40    # Reboot BMC.
41    Redfish OBMC Reboot (off)  stack_mode=normal
42
43    # Verify users after reboot.
44    Redfish Verify User  admin_user     TestPwd123  Administrator   ${True}
45
46
47Verify Redfish Operator User Persistence After Reboot
48    [Documentation]  Verify Redfish operator user persistence after reboot.
49    [Tags]  Verify_Redfish_Operator_User_Persistence_After_Reboot
50    [Setup]  Run Keywords  Redfish.Login  AND
51    ...  Redfish Create User  operator_user  TestPwd123  Operator  ${True}
52    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
53    ...  AND  Test Teardown Execution
54
55    # Reboot BMC.
56    Redfish OBMC Reboot (off)  stack_mode=normal
57
58    # Verify users after reboot.
59    Redfish Verify User  operator_user  TestPwd123  Operator        ${True}
60
61
62Verify Redfish Readonly User Persistence After Reboot
63    [Documentation]  Verify Redfish readonly user persistence after reboot.
64    [Tags]  Verify_Redfish_Readonly_User_Persistence_After_Reboot
65    [Setup]  Run Keywords  Redfish.Login  AND
66    ...  Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
67    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
68    ...  AND  Test Teardown Execution
69
70    # Reboot BMC.
71    Redfish OBMC Reboot (off)  stack_mode=normal
72
73    # Verify users after reboot.
74    Redfish Verify User  readonly_user  TestPwd123  ReadOnly        ${True}
75
76Redfish Create and Verify Admin User
77    [Documentation]  Create a Redfish user with administrator role and verify.
78    [Tags]  Redfish_Create_and_Verify_Admin_User
79    [Template]  Redfish Create And Verify User
80
81    #username      password    role_id         enabled
82    admin_user     TestPwd123  Administrator   ${True}
83
84
85Redfish Create and Verify Operator User
86    [Documentation]  Create a Redfish user with operator role and verify.
87    [Tags]  Redfish_Create_and_Verify_Operator_User
88    [Template]  Redfish Create And Verify User
89
90    #username      password    role_id         enabled
91    operator_user  TestPwd123  Operator        ${True}
92
93
94Redfish Create and Verify Readonly User
95    [Documentation]  Create a Redfish user with readonly role and verify.
96    [Tags]  Redfish_Create_and_Verify_Readonly_User
97    [Template]  Redfish Create And Verify User
98
99    #username      password    role_id         enabled
100    readonly_user  TestPwd123  ReadOnly        ${True}
101
102
103Verify Redfish Admin User Login With Wrong Password
104    [Documentation]  Verify Redfish create admin user with valid password and make sure
105    ...  admin user failed to login with wrong password.
106    [Tags]  Verify_Redfish_Admin_User_Login_With_Wrong_Password
107    [Template]  Verify Redfish User Login With Wrong Password
108
109    #username      password    role_id         enabled  wrong_password
110    admin_user     TestPwd123  Administrator   ${True}  alskjhfwurh
111
112
113Verify Redfish Operator User Login With Wrong Password
114    [Documentation]  Verify Redfish create operator user with valid password and make sure
115    ...  operator user failed to login with wrong password.
116    [Tags]  Verify_Redfish_Operator_User_Login_With_Wrong_Password
117    [Template]  Verify Redfish User Login With Wrong Password
118
119    #username      password    role_id         enabled  wrong_password
120    operator_user  TestPwd123  Operator        ${True}  12j8a8uakjhdaosiruf024
121
122
123Verify Redfish Readonly User Login With Wrong Password
124    [Documentation]  Verify Redfish create readonly user with valid password and make sure
125    ...  readonly user failed to login with wrong password.
126    [Tags]  Verify_Redfish_Readonly_User_Login_With_Wrong_Password
127    [Template]  Verify Redfish User Login With Wrong Password
128
129    #username      password    role_id         enabled  wrong_password
130    readonly_user  TestPwd123  ReadOnly        ${True}  12
131
132
133Verify Login with Deleted Redfish Admin User
134    [Documentation]  Verify login with deleted Redfish admin user.
135    [Tags]  Verify_Login_with_Deleted_Redfish_Admin_User
136    [Template]  Verify Login with Deleted Redfish User
137
138    #username     password    role_id         enabled
139    admin_user     TestPwd123  Administrator   ${True}
140
141
142Verify Login with Deleted Redfish Operator User
143    [Documentation]  Verify login with deleted Redfish operator user.
144    [Tags]  Verify_Login_with_Deleted_Redfish_Operator_User
145    [Template]  Verify Login with Deleted Redfish User
146
147    #username     password    role_id         enabled
148    operator_user  TestPwd123  Operator        ${True}
149
150
151Verify Login with Deleted Redfish Readonly User
152    [Documentation]  Verify login with deleted Redfish readonly user.
153    [Tags]  Verify_Login_with_Deleted_Redfish_Readonly_User
154    [Template]  Verify Login with Deleted Redfish User
155
156    #username     password    role_id         enabled
157    readonly_user  TestPwd123  ReadOnly        ${True}
158
159
160Verify Admin User Creation Without Enabling It
161    [Documentation]  Verify admin user creation without enabling it.
162    [Tags]  Verify_Admin_User_Creation_Without_Enabling_It
163    [Template]  Verify Create User Without Enabling
164
165    #username      password    role_id         enabled
166    admin_user     TestPwd123  Administrator   ${False}
167
168
169Verify Operator User Creation Without Enabling It
170    [Documentation]  Verify operator user creation without enabling it.
171    [Tags]  Verify_Operator_User_Creation_Without_Enabling_It
172    [Template]  Verify Create User Without Enabling
173
174    #username      password    role_id         enabled
175    operator_user  TestPwd123  Operator        ${False}
176
177
178Verify Readonly User Creation Without Enabling It
179    [Documentation]  Verify readonly user creation without enabling it.
180    [Tags]  Verify_Readonly_User_Creation_Without_Enabling_It
181    [Template]  Verify Create User Without Enabling
182
183    #username      password    role_id         enabled
184    readonly_user  TestPwd123  ReadOnly        ${False}
185
186
187Verify User Creation With Invalid Role Id
188    [Documentation]  Verify user creation with invalid role ID.
189    [Tags]  Verify_User_Creation_With_Invalid_Role_Id
190
191    # Make sure the user account in question does not already exist.
192    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
193    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
194
195    # Create specified user.
196    ${payload}=  Create Dictionary
197    ...  UserName=test_user  Password=TestPwd123  RoleId=wrongroleid  Enabled=${True}
198    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
199    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
200
201Verify Error Upon Creating Same Users With Different Privileges
202    [Documentation]  Verify error upon creating same users with different privileges.
203    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges
204
205    Redfish Create User  test_user  TestPwd123  Administrator  ${True}
206
207    # Create specified user.
208    ${payload}=  Create Dictionary
209    ...  UserName=test_user  Password=TestPwd123  RoleId=ReadOnly  Enabled=${True}
210    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
211    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
212
213    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
214
215
216Verify Modifying User Attributes
217    [Documentation]  Verify modifying user attributes.
218    [Tags]  Verify_Modifying_User_Attributes
219
220    # Create Redfish users.
221    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
222    Redfish Create User  readonly_user  TestPwd123  ReadOnly        ${True}
223
224    # Make sure the new user account does not already exist.
225    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
226    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
227
228    # Update admin_user username using Redfish.
229    ${payload}=  Create Dictionary  UserName=newadmin_user
230    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body=&{payload}
231    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]
232
233    # Update readonly_user role using Redfish.
234    ${payload}=  Create Dictionary  RoleId=Administrator
235    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body=&{payload}
236    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]
237
238    # Verify users after updating
239    Redfish Verify User  newadmin_user  TestPwd123     Administrator   ${True}
240    Redfish Verify User  readonly_user  TestPwd123     Administrator   ${True}
241
242    # Delete created users.
243    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
244    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
245
246
247Verify Modifying Operator User Attributes
248    [Documentation]  Verify modifying operator user attributes.
249    [Tags]  Verify_Modifying_Operator_User_Attributes
250    [Setup]  Run Keywords  Redfish.Login  AND
251    ...  Redfish Create User  operator_user  TestPwd123  Operator  ${True}
252    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
253    ...  AND  Test Teardown Execution
254
255    # Update operator_user password using Redfish.
256    ${payload}=  Create Dictionary  Password=NewTestPwd123
257    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body=&{payload}
258    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]
259
260    # Verify users after updating
261    Redfish Verify User  operator_user  NewTestPwd123  Operator        ${True}
262
263
264Verify User Account Locked
265    [Documentation]  Verify user account locked upon trying with invalid password.
266    [Tags]  Verify_User_Account_Locked
267
268    Redfish Create User  admin_user  TestPwd123  Administrator   ${True}
269
270    ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
271    ...  AccountLockoutDuration=${account_lockout_duration}
272    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
273    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]
274
275    Redfish.Logout
276
277    # Make ${account_lockout_threshold} failed login attempts.
278    Repeat Keyword  ${account_lockout_threshold} times
279    ...  Run Keyword And Expect Error  *InvalidCredentialsError*  Redfish.Login  admin_user  abcd1234
280
281    # Verify that legitimate login fails due to lockout.
282    Run Keyword And Expect Error  *InvalidCredentialsError*
283    ...  Redfish.Login  admin_user  TestPwd123
284
285    # Wait for lockout duration to expire and adding 5 sec delay to the account lock timeout
286    # ... then verify that login works.
287    ${total_wait_duartion}=  Evaluate  ${account_lockout_duration} + 5
288    Sleep  ${total_wait_duartion}s
289
290    Redfish.Login  admin_user  TestPwd123
291
292    Redfish.Logout
293
294    Redfish.Login
295
296    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
297
298
299Verify User Account Unlock
300    [Documentation]  Verify manually unlocking the account before lockout time
301    [Tags]  Verify_User_Account_Unlock
302    [Teardown]  Run Keywords  SSHLibrary.Close All Connections
303    ...  AND  Redfish.Logout
304    ...  AND  Redfish.Login
305    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
306
307    Redfish Create User  test_user  TestPwd123  Administrator  ${True}
308
309    ${payload}=  Create Dictionary
310    ...  AccountLockoutThreshold=${account_lockout_threshold}
311    ...  AccountLockoutDuration=${account_lockout_duration}
312    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
313    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
314
315    Redfish.Logout
316
317    # Make ${account_lockout_threshold} failed login attempts.
318    Repeat Keyword  ${account_lockout_threshold} times
319    ...  Run Keyword And Expect Error  InvalidCredentialsError*
320    ...  Redfish.Login  test_user  abc123
321
322    # Ensure SSH Login with locked account gets failed
323    SSHLibrary.Open Connection  ${OPENBMC_HOST}
324    Run Keyword And Expect Error  Authentication failed*
325    ...  SSHLibrary.Login  test_user  TestPwd123
326
327    # Verify that legitimate login fails due to lockout.
328    Run Keyword And Expect Error  InvalidCredentialsError*
329    ...  Redfish.Login  test_user  TestPwd123
330
331    ${payload}=  Create Dictionary  Locked=${FALSE}
332
333    # Manually unlock the account before lockout threshold expires
334    Redfish.Login
335    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}test_user  body=${payload}
336    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]
337    Redfish.Logout
338
339    # Try redfish login with the recently unlocked account
340    Redfish.Login  test_user  TestPwd123
341
342    # Try SSH login with the unlocked account
343    SSHLibrary.Open Connection  ${OPENBMC_HOST}
344    SSHLibrary.Login  test_user  TestPwd123
345
346
347Verify Admin User Privilege
348    [Documentation]  Verify admin user privilege.
349    [Tags]  Verify_Admin_User_Privilege
350
351    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
352    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
353
354    Redfish.Logout
355
356    Redfish.Login  admin_user  TestPwd123
357
358    # Change password of 'readonly' user with admin user.
359    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body={'Password': 'NewTestPwd123'}
360    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]
361
362    # Verify modified user.
363    Redfish Verify User  readonly_user  NewTestPwd123  ReadOnly  ${True}
364
365    # Note: Delete user would work here because a root login is
366    # performed as part of "Redfish Verify User" keyword's teardown.
367    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
368    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
369
370
371Verify Operator User Role Change Using Admin Privilege User
372    [Documentation]  Verify operator user role change using admin privilege user
373    [Tags]  Verify_Operator_User_Role_Change_Using_Admin_Privilege_User
374
375    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
376    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
377
378    Redfish.Logout
379
380    # Change role ID of operator user with admin user.
381    # Login with admin user.
382    Redfish.Login  admin_user  TestPwd123
383
384    # Modify Role ID of Operator user.
385    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body={'RoleId': 'Administrator'}
386    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
387
388    # Verify modified user.
389    Redfish Verify User  operator_user  TestPwd123  Administrator  ${True}
390
391    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
392    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
393
394
395Verify Operator User Privilege
396    [Documentation]  Verify operator user privilege.
397    [Tags]  Verify_Operator_User_Privilege
398
399    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
400    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
401
402    Redfish.Logout
403    # Login with operator user.
404    Redfish.Login  operator_user  TestPwd123
405
406    # Verify BMC reset.
407    Run Keyword And Expect Error  ValueError*  Redfish BMC Reset Operation
408
409    # Attempt to change password of admin user with operator user.
410    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body={'Password': 'NewTestPwd123'}
411    ...  valid_status_codes=[${HTTP_FORBIDDEN}]
412
413    Redfish.Logout
414
415    Redfish.Login
416
417    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
418    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
419
420
421Verify ReadOnly User Privilege
422    [Documentation]  Verify ReadOnly user privilege.
423    [Tags]  Verify_ReadOnly_User_Privilege
424
425    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
426    Redfish.Logout
427
428    # Login with read_only user.
429    Redfish.Login  readonly_user  TestPwd123
430
431    # Read system level data.
432    ${system_model}=  Redfish_Utils.Get Attribute
433    ...  ${SYSTEM_BASE_URI}  Model
434
435    Redfish.Logout
436    Redfish.Login
437    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}readonly_user
438
439
440Verify Minimum Password Length For Redfish Admin And Readonly User
441    [Documentation]  Verify minimum password length for new and existing admin or
442    ...  readonly user.
443    [Template]  Verify Minimum Password Length For Redfish User
444
445    #username        role_id
446    admin_user       Administrator
447    readonly_user    ReadOnly
448
449
450Verify Standard User Roles Defined By Redfish
451    [Documentation]  Verify standard user roles defined by Redfish.
452    [Tags]  Verify_Standard_User_Roles_Defined_By_Redfish
453
454    ${member_list}=  Redfish_Utils.Get Member List
455    ...  /redfish/v1/AccountService/Roles
456
457    @{roles}=  Create List
458    ...  /redfish/v1/AccountService/Roles/Administrator
459    ...  /redfish/v1/AccountService/Roles/Operator
460    ...  /redfish/v1/AccountService/Roles/ReadOnly
461
462    List Should Contain Sub List  ${member_list}  ${roles}
463
464    # The standard roles are:
465
466    # | Role name | Assigned privileges |
467    # | Administrator | Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf |
468    # | Operator | Login, ConfigureComponents, ConfigureSelf |
469    # | ReadOnly | Login, ConfigureSelf |
470
471    @{admin}=  Create List  Login  ConfigureManager  ConfigureUsers  ConfigureComponents  ConfigureSelf
472    @{operator}=  Create List  Login  ConfigureComponents  ConfigureSelf
473    @{readOnly}=  Create List  Login  ConfigureSelf
474
475    ${roles_dict}=  create dictionary  admin_privileges=${admin}  operator_privileges=${operator}
476    ...  readOnly_privileges=${readOnly}
477
478    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/Administrator
479    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${roles_dict['admin_privileges']}
480
481    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/Operator
482    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${roles_dict['operator_privileges']}
483
484    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/ReadOnly
485    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${roles_dict['readOnly_privileges']}
486
487
488Verify Error While Deleting Root User
489    [Documentation]  Verify error while deleting root user.
490    [Tags]  Verify_Error_While_Deleting_Root_User
491
492    Redfish.Delete  /redfish/v1/AccountService/Accounts/root  valid_status_codes=[${HTTP_FORBIDDEN}]
493
494
495Verify SSH Login Access With Admin User
496    [Documentation]  Verify that admin user have SSH login access.
497    ...              By default, admin should have access but there could be
498    ...              case where admin user shell access is restricted by design
499    ...              in the community sphere..
500    [Tags]  Verify_SSH_Login_Access_With_Admin_User
501
502    #Create an admin user and verify SSH login.
503    Create Admin User And Verify SSH Login
504
505    Redfish.Login
506    Redfish.Delete  /redfish/v1/AccountService/Accounts/new_admin
507
508Verify SSH Login Is Revoked For Deleted User
509    [Documentation]  Verify SSH login access is revoked for deleted User.
510    [Tags]    Verify_SSH_Login_Is_Revoked_For_Deleted_User
511
512    #Create an admin user and verify SSH login.
513    Create Admin User And Verify SSH Login
514
515    #Login with root user.
516    Redfish.Login
517
518    # Delete the admin user.
519    Redfish.Delete  /redfish/v1/AccountService/Accounts/new_admin
520    ...  valid_status_codes=[${HTTP_OK}]
521
522    # Attempt SSH login with Deleted user.
523    SSHLibrary.Open Connection  ${OPENBMC_HOST}
524    Run Keyword And Expect Error  Authentication failed*
525    ...  SSHLibrary.Login  new_admin  TestPwd1
526
527Verify Configure BasicAuth Enable And Disable
528    [Documentation]  Verify configure basicauth enable and disable
529    [Tags]  Verify_Configure_BasicAuth_Enable_And_Disable
530    [Template]  Template For Configure Auth Methods
531
532    # auth_method
533    BasicAuth
534    XToken
535
536
537Redfish Create and Verify Admin User With Invalid Password Format
538    [Documentation]  Create a admin user with invalid password format and verify.
539    [Template]  Create User With Unsupported Password Format And Verify
540    [Tags]  Redfish_Create_and_Verify_Admin_User_With_Invalid_Password_Format
541
542    #username       role_id        password
543    admin_user      Administrator  snellens
544    admin_user      Administrator  10000001
545    admin_user      Administrator  12345678
546    admin_user      Administrator  abcdefgh
547    admin_user      Administrator  abf12345
548    admin_user      Administrator  helloworld
549    admin_user      Administrator  HELLOWORLD
550    admin_user      Administrator  &$%**!*@
551    admin_user      Administrator  Dictation
552
553
554Redfish Create and Verify Readonly User With Invalid Password Format
555    [Documentation]  Create a readonly user with invalid password format and verify.
556    [Template]  Create User With Unsupported Password Format And Verify
557    [Tags]  Redfish_Create_and_Verify_Readonly_User_With_Invalid_Password_Format
558
559    #username       role_id        password
560    readonly_user   ReadOnly       snellens
561    readonly_user   ReadOnly       10000001
562    readonly_user   ReadOnly       12345678
563    readonly_user   ReadOnly       abcdefgh
564    readonly_user   ReadOnly       abf12345
565    readonly_user   ReadOnly       helloworld
566    readonly_user   ReadOnly       HELLOWORLD
567    readonly_user   ReadOnly       &$%**!*@
568    readonly_user   ReadOnly       Dictation
569
570
571Verify Admin And Readonly User Password Is Not Same As Username
572    [Documentation]  Verify that admin and readonly user creation is failed if
573    ...  password is same as username.
574    [Template]  Create User With Unsupported Password Format And Verify
575    [Tags]      Verify_Admin_And_Readonly_User_Password_Is_Not_Same_As_Username
576
577    #username        role_id             password
578    AdminUser1       Administrator       AdminUser1
579    ReadOnlyUser1    ReadOnly            ReadOnlyUser1
580
581Verify AccountService Unsupported Methods
582    [Documentation]  Verify Unsupported methods of AccountService
583    [Tags]  Verify_AccountService_Unsupported_Methods
584
585    # Put operation on Account Services
586    Redfish.Put  /redfish/v1/AccountService
587    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
588
589    # Post operation on Account Services
590    Redfish.Post  /redfish/v1/AccountService
591    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
592
593    # Delete operation on Account Services
594    Redfish.Delete  /redfish/v1/AccountService
595    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
596
597Verify AccountService Roles Unsupported Methods
598    [Documentation]  Verify Unsupported methods of AccountService/Roles
599    [Tags]  Verify_AccountService_Roles_Unsupported_Methods
600
601    # Put operation on Account Services Roles
602    Redfish.Put  /redfish/v1/AccountService/Roles
603    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
604
605    # Post operation on Account Services Roles
606    Redfish.Post  /redfish/v1/AccountService/Roles
607    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
608
609    # Delete operation on Account Services Roles
610    Redfish.Delete  /redfish/v1/AccountService/Roles
611    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
612
613    # Patch operation on Account Services Roles
614    Redfish.Patch  /redfish/v1/AccountService/Roles
615    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
616
617Verify AccountService Roles Instance With Unsupported Methods
618    [Documentation]  Verify Instance Roles for AccountService and Unsupported Methods
619    [Tags]    Verify_AccountService_Roles_Instance_With_Unsupported_Methods
620
621    # GET Administrator Role Instance
622    Redfish.Get    /redfish/v1/AccountService/Roles/Administrator
623    ...    valid_status_codes=[${HTTP_OK}]
624
625    # GET Operator Role Instance
626    Redfish.Get    /redfish/v1/AccountService/Roles/Operator
627    ...    valid_status_codes=[${HTTP_OK}]
628
629    # GET ReadOnly RoleInstance
630    Redfish.Get    /redfish/v1/AccountService/Roles/ReadOnly
631    ...    valid_status_codes=[${HTTP_OK}]
632
633    # Post operation on Account Service Roles Instance
634    Redfish.Post    /redfish/v1/AccountService/Roles/Administrator
635    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
636
637    # Put operation on Account Service Roles Instance
638    Redfish.Put    /redfish/v1/AccountService/Roles/Administrator
639    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
640
641    # Patch operation on Account Service Roles Instance
642    Redfish.Patch    /redfish/v1/AccountService/Roles/Administrator
643    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
644
645    #Delete operation on Account Service Roles Instance
646    Redfish.Delete    /redfish/v1/AccountService/Roles/Administrator
647    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
648
649Verify Account Lockout With Invalid Configuration
650    [Documentation]  Verify Account Lockout configuration with invalid values.
651    [Tags]  Verify_Account_Lockout_With_Invalid_Configuration
652
653    @{invalid_values_list}=  Create List  -1  abc  3.5  ${EMPTY}
654
655    FOR  ${invalid_value}  IN  @{invalid_values_list}
656        ${payload}=  Create Dictionary  AccountLockoutThreshold=${invalid_value}
657        Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
658        ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
659
660        ${payload}=  Create Dictionary  AccountLockoutDuration=${invalid_value}
661        Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
662        ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
663
664        ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
665        ...  AccountLockoutDuration=${invalid_value}
666        Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
667        ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
668
669        ${payload}=  Create Dictionary  AccountLockoutThreshold=${invalid_value}
670        ...  AccountLockoutDuration=${account_lockout_duration}
671        Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
672        ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
673    END
674
675*** Keywords ***
676
677Test Teardown Execution
678    [Documentation]  Do the post test teardown.
679
680    Run Keyword And Ignore Error  Redfish.Logout
681    FFDC On Test Case Fail
682
683
684Redfish Create User
685    [Documentation]  Redfish create user.
686    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${login_check}=${True}
687
688    # Description of argument(s):
689    # username            The username to be created.
690    # password            The password to be assigned.
691    # role_id             The role ID of the user to be created
692    #                     (e.g. "Administrator", "Operator", etc.).
693    # enabled             Indicates whether the username being created
694    #                     should be enabled (${True}, ${False}).
695    # login_check         Checks user login for created user.
696    #                     (e.g. ${True}, ${False}).
697
698    # Make sure the user account in question does not already exist.
699    Redfish.Delete  /redfish/v1/AccountService/Accounts/${userName}
700    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
701
702    # Create specified user.
703    ${payload}=  Create Dictionary
704    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${enabled}
705    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
706    ...  valid_status_codes=[${HTTP_CREATED}]
707
708    # Resetting faillock count as a workaround for issue
709    # openbmc/phosphor-user-manager#4
710    ${cmd}=  Catenate  /usr/sbin/faillock --user ${username} --reset
711
712    Bmc Execute Command  ${cmd}
713
714    # Verify login with created user.
715    IF  '${login_check}' == '${True}'
716        ${status}=  Run Keyword And Return Status
717        ...  Verify Redfish User Login  ${username}  ${password}
718    ELSE
719        ${status}=  Set Variable  ${False}
720    END
721
722    IF  '${login_check}' == '${True}'  Should Be Equal  ${status}  ${enabled}
723
724    # Validate Role ID of created user.
725    ${role_config}=  Redfish_Utils.Get Attribute
726    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
727    Should Be Equal  ${role_id}  ${role_config}
728
729
730Redfish Verify User
731    [Documentation]  Redfish user verification.
732    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
733
734    # Description of argument(s):
735    # username            The username to be created.
736    # password            The password to be assigned.
737    # role_id             The role ID of the user to be created
738    #                     (e.g. "Administrator", "Operator", etc.).
739    # enabled             Indicates whether the username being created
740    #                     should be enabled (${True}, ${False}).
741
742    ${status}=  Verify Redfish User Login  ${username}  ${password}
743    # Doing a check of the returned status.
744    Should Be Equal  ${status}  ${enabled}
745
746    # Validate Role Id of user.
747    ${role_config}=  Redfish_Utils.Get Attribute
748    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
749    Should Be Equal  ${role_id}  ${role_config}
750
751
752Verify Redfish User Login
753    [Documentation]  Verify Redfish login with given user id.
754    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout  AND  Redfish.Login
755    [Arguments]   ${username}  ${password}
756
757    # Description of argument(s):
758    # username            Login username.
759    # password            Login password.
760
761    # Logout from current Redfish session.
762    # We don't really care if the current session is flushed out since we are going to login
763    # with new credential in next.
764    Run Keyword And Ignore Error  Redfish.Logout
765
766    ${status}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}
767    RETURN  ${status}
768
769
770Redfish Create And Verify User
771    [Documentation]  Redfish create and verify user.
772    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
773
774    # Description of argument(s):
775    # username            The username to be created.
776    # password            The password to be assigned.
777    # role_id             The role ID of the user to be created
778    #                     (e.g. "Administrator", "Operator", etc.).
779    # enabled             Indicates whether the username being created
780    #                     should be enabled (${True}, ${False}).
781
782    # Example:
783    #{
784    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
785    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
786    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
787    #"Description": "User Account",
788    #"Enabled": true,
789    #"Id": "test1",
790    #"Links": {
791    #  "Role": {
792    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
793    #  }
794    #},
795
796    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
797
798    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}
799
800    # Delete Specified User
801    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
802
803Verify Redfish User Login With Wrong Password
804    [Documentation]  Verify Redfish User failed to login with wrong password.
805    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}
806
807    # Description of argument(s):
808    # username            The username to be created.
809    # password            The password to be assigned.
810    # role_id             The role ID of the user to be created
811    #                     (e.g. "Administrator", "Operator", etc.).
812    # enabled             Indicates whether the username being created
813    #                     should be enabled (${True}, ${False}).
814    # wrong_password      Any invalid password.
815
816    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
817
818    Redfish.Logout
819
820    # Attempt to login with created user with invalid password.
821    Run Keyword And Expect Error  InvalidCredentialsError*
822    ...  Redfish.Login  ${username}  ${wrong_password}
823
824    Redfish.Login
825
826    # Delete newly created user.
827    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
828
829
830Verify Login with Deleted Redfish User
831    [Documentation]  Verify Login with Deleted Redfish User.
832    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
833
834    # Description of argument(s):
835    # username            The username to be created.
836    # password            The password to be assigned.
837    # role_id             The role ID of the user to be created
838    #                     (e.g. "Administrator", "Operator", etc.).
839    # enabled             Indicates whether the username being created
840    #                     should be enabled (${True}, ${False}).
841
842    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
843
844    # Delete newly created user.
845    Redfish.Delete  /redfish/v1/AccountService/Accounts/${userName}
846
847    Redfish.Logout
848
849    # Attempt to login with deleted user account.
850    Run Keyword And Expect Error  InvalidCredentialsError*
851    ...  Redfish.Login  ${username}  ${password}
852
853    Redfish.Login
854
855
856Verify Create User Without Enabling
857    [Documentation]  Verify Create User Without Enabling.
858    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
859
860    # Description of argument(s):
861    # username            The username to be created.
862    # password            The password to be assigned.
863    # role_id             The role ID of the user to be created
864    #                     (e.g. "Administrator", "Operator", etc.).
865    # enabled             Indicates whether the username being created
866    #                     should be enabled (${True}, ${False}).
867
868    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}  ${False}
869
870    Redfish.Logout
871
872    # Login with created user.
873    Run Keyword And Expect Error  InvalidCredentialsError*
874    ...  Redfish.Login  ${username}  ${password}
875
876    Redfish.Login
877
878    # Delete newly created user.
879    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
880
881Template For Configure Auth Methods
882    [Documentation]  Template to configure auth methods.
883    [Arguments]  ${auth_method}
884    [Teardown]  Configure AuthMethods  ${auth_method}=${initial_value}
885
886    # Description of Argument(s):
887    # authmethods   The authmethod setting which needs to be
888    #               set in account service URI.
889    # valid values  BasicAuth, XToken.
890
891    Get AuthMethods Default Values  ${auth_method}
892
893    # Patch basicauth to TRUE
894    Configure AuthMethods  ${auth_method}=${TRUE}
895
896    IF  "${auth_method}" == "XToken"
897        Check XToken Works Fine  ${HTTP_OK}
898    ELSE
899        Check BasicAuth Works Fine  ${HTTP_OK}
900    END
901
902    # Patch basicauth to FALSE
903    Configure AuthMethods  ${auth_method}=${FALSE}
904
905    IF  "${auth_method}" == "BasicAuth"
906        Check BasicAuth Works Fine  ${HTTP_UNAUTHORIZED}
907    ELSE
908        Check XToken Works Fine  ${HTTP_UNAUTHORIZED}
909    END
910
911Configure AuthMethods
912    [Documentation]  Enable/disable authmethod types.
913    [Arguments]  &{authmethods}
914
915    # Description of argument(s):
916    # authmethods            The authmethod setting which needs to be
917    #                        set in account service URI.
918    # Usage Example          Configure AuthMethods  XToken=${TRUE}  BasicAuth=${TRUE}
919    #                        This will set the value of "XToken" and "BasicAuth"
920    #                        property in accountservice uri to TRUE.
921
922    ${openbmc}=  Create Dictionary  AuthMethods=${authmethods}
923    ${oem}=  Create Dictionary  OpenBMC=${openbmc}
924    ${payload}=  Create Dictionary  Oem=${oem}
925
926    # Setting authmethod properties using Redfish session based auth
927    ${status}=  Run Keyword And Return Status
928    ...  Redfish.Patch  ${REDFISH_BASE_URI}AccountService
929    ...  body=${payload}  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
930
931    # Setting authmethod properties using basic auth in case the former fails
932    IF  ${status}==${FALSE}
933        # Payload dictionary pre-process to match json formatting
934        ${payload}=  Convert To String  ${payload}
935        ${payload}=  Replace String  ${payload}  '  "
936        ${payload}=  Replace String  ${payload}  False  false
937        ${payload}=  Replace String  ${payload}  True  true
938
939        # Curl Command Framing for PATCH authmethod
940        ${cmd}=  Catenate  curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
941        ...  -X PATCH '${AUTH_URI}${REDFISH_ACCOUNTS_SERVICE_URI}'
942        ...  -H 'content-type:application/json' -H 'If-Match:*'
943        ...  -d '${payload}'
944        ${rc}  ${out}=  Run And Return Rc And Output  ${cmd}
945
946        #  Check the response of curl command is 200 or 204
947        ${check_no_content}=
948        ...  Run Keyword and Return Status  Should Contain  ${out}  204
949        ${check_ok}=
950        ...  Run Keyword and Return Status  Should Contain  ${out}  200
951        Pass Execution If  ${check_no_content}==${TRUE}
952        ...  OR  ${check_ok}==${TRUE}
953    END
954
955
956Get AuthMethods Default Values
957    [Documentation]  Get enabled/disabled status of all authmethods
958    ...  from Redfish account service URI
959    [Arguments]  ${authmethod}
960
961    # Description of argument(s):
962    # authmethod            The authmethod property whose value needs to be
963    #                       retrieved from account service URI.
964    # Usage Example         Get AuthMethods Default Values  BasicAuth
965    #                       returns >> ${TRUE}
966    # Example:
967    # {
968    #     "@odata.id": "/redfish/v1/AccountService",
969    #     (...)
970    #     "Oem": {
971    #         "OpenBMC": {
972    #             "AuthMethods": {
973    #                 "BasicAuth": true,
974    #                 "Cookie": true,
975    #                 "SessionToken": true,
976    #                 "TLS": true,
977    #                 "XToken": true
978    #             }
979    #         }
980    #     }
981    # }
982
983    ${resp}=  Redfish.Get Attribute  ${REDFISH_ACCOUNTS_SERVICE_URI}  Oem
984    ${authmethods}=  Set Variable  ${resp['OpenBMC']['AuthMethods']}
985    ${initial_value}=  Get From Dictionary  ${authmethods}  ${authmethod}
986    Set Test Variable  ${initial_value}
987
988Check XToken Works Fine
989    [Documentation]  Verify Xtoken works fine.
990    [Arguments]  ${status_code}
991
992    # Description of Argument(s):
993    # status_code : 200, 401.
994
995    # Verify xtoken auth works for xtoken
996    Redfish.Get  ${REDFISH_ACCOUNTS_SERVICE_URI}
997    ...  valid_status_codes=[${status_code}]
998
999Check BasicAuth Works Fine
1000    [Documentation]  Verify Basic Auth works fine.
1001    [Arguments]  ${status_code}
1002
1003    # Description of Argument(s):
1004    # status_code : 200, 401.
1005
1006    # Verify basic auth works based on basic auth.
1007    ${cmd}=  Catenate  curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
1008    ...  ${AUTH_URI}/redfish/v1/AccountService
1009    ${rc}  ${out}=  Run And Return Rc And Output  ${cmd}
1010
1011    #  Check the response of curl command is 200/401
1012    Should Contain  ${out}  ${status_code}
1013
1014
1015Create User With Unsupported Password Format And Verify
1016   [Documentation]  Create admin or readonly user with unsupported password format
1017   ...  and verify.
1018   [Arguments]   ${username}  ${role_id}  ${password}
1019
1020   # Description of argument(s):
1021   # username            The username to be created.
1022   # role_id             The role ID of the user to be created
1023   #                     (e.g. "Administrator", "ReadOnly").
1024   # password            The password to be assigned.
1025   #                     Unsupported password format are sequential characters,
1026   #                     sequential digits, palindrome digits, palindrome characters,
1027   #                     only uppercase letters, only lowercase letters, only digits,
1028   #                     only characters, not a dictionary word, username and password
1029   #                     should not be same.
1030
1031   # Make sure the user account in question does not already exist.
1032    Redfish.Delete  /redfish/v1/AccountService/Accounts/${userName}
1033    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
1034
1035   # Create specified user with invalid password format.
1036   ${payload}=  Create Dictionary
1037   ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${True}
1038   Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
1039   ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
1040
1041
1042Verify Minimum Password Length For Redfish User
1043    [Documentation]  Verify minimum password length for new and existing admin or
1044    ...  readonly user.
1045    [Arguments]  ${user_name}  ${role_id}
1046
1047    # Description of argument(s):
1048    # user_name           The username to be created.
1049    # role_id             The role ID of the user to be created.
1050
1051    # Make sure the user account in question does not already exist.
1052    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}
1053    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
1054
1055    # Try to create a user with invalid length password.
1056    ${payload}=  Create Dictionary
1057    ...  UserName=${user_name}  Password=UserPwd  RoleId=${role_id}  Enabled=${True}
1058    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
1059    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
1060
1061    # Create specified user with valid length password.
1062    Set To Dictionary  ${payload}  Password  UserPwd1
1063    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
1064    ...  valid_status_codes=[${HTTP_CREATED}]
1065
1066    # Try to change to an invalid password.
1067    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd'}
1068    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
1069
1070    # Change to a valid password.
1071    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd1'}
1072    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]
1073
1074    # Verify login.
1075    Redfish.Logout
1076    Redfish.Login  ${user_name}  UserPwd1
1077    Redfish.Logout
1078    Redfish.Login
1079    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}
1080
1081Create Admin User And Verify SSH Login
1082    [Documentation]  Create admin user and verify SSH login & logout.
1083
1084    # Create an admin User.
1085    Redfish Create User  new_admin  TestPwd1  Administrator  ${True}
1086
1087    # Attempt SSH login with admin user.
1088    SSHLibrary.Open Connection  ${OPENBMC_HOST}
1089    ${status}=  Run Keyword And Return Status  SSHLibrary.Login  new_admin  TestPwd1
1090
1091    # By default ssh_status is True, user can change the status via CLI
1092    # -v ssh_status:False
1093    Should Be Equal As Strings  "${status}"  "${ssh_status}"
1094
1095    # Close SSH connection for admin user.
1096    SSHLibrary.Close Connection
1097