*** Settings ***
Documentation    Redfish user account tests.

# REDFISH_ACCOUNTS_URI, REDFISH_ACCOUNTS_SERVICE_URI, the HTTP_* status codes
# and the Redfish.* / Redfish_Utils.* / FFDC keywords are not defined in this
# file; they are expected to come from the resources below.
Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot

# Every test starts with a Redfish.Login call without arguments and ends with
# failure data collection followed by a logout (see the keywords at the end).
Test Setup       Test Setup Execution
Test Teardown    Test Teardown Execution

*** Variables ***

# Lockout policy written to the AccountService by "Verify User Account Locked".
# Value sent as AccountLockoutDuration; the test also sleeps this many seconds
# before it expects the account to be usable again.
${account_lockout_duration}   ${30}
# Value sent as AccountLockoutThreshold; also the number of failed logins the
# test performs before it expects a valid login to be refused.
${account_lockout_threshold}  ${3}


*** Test Cases ***

Verify AccountService Available
    [Documentation]  Check that the Redfish AccountService reports ServiceEnabled as true.
    [Tags]  Verify_AccountService_Available

    # Read the single ServiceEnabled property and compare its string form with True.
    ${service_enabled} =  Redfish_utils.Get Attribute  /redfish/v1/AccountService  ServiceEnabled
    Should Be Equal As Strings  ${service_enabled}  ${True}

Redfish Create and Verify Users
    [Documentation]  Create one enabled account per role, verify login and role, then delete it.
    [Tags]  Redfish_Create_and_Verify_Users
    [Template]  Redfish Create And Verify User

    # One template invocation per row; all rows use the same fixture password.
    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${True}
    operator_user  TestPwd123  Operator        ${True}
    user_user      TestPwd123  User            ${True}
    callback_user  TestPwd123  Callback        ${True}

Verify Redfish User with Wrong Password
    [Documentation]  For each role, check that login with an incorrect password is refused.
    [Tags]  Verify_Redfish_User_with_Wrong_Password
    [Template]  Verify Redfish User with Wrong Password

    # The wrong passwords differ in shape: letters only, a long mixed string,
    # a two-character string and a punctuation-heavy string.
    #username      password    role_id         enabled  wrong_password
    admin_user     TestPwd123  Administrator   ${True}  alskjhfwurh
    operator_user  TestPwd123  Operator        ${True}  12j8a8uakjhdaosiruf024
    user_user      TestPwd123  User            ${True}  12
    callback_user  TestPwd123  Callback        ${True}  !#@D#RF#@!D

Verify Login with Deleted Redfish Users
    [Documentation]  For each role, check that a deleted account can no longer log in.
    [Tags]  Verify_Login_with_Deleted_Redfish_Users
    [Template]  Verify Login with Deleted Redfish User

    # One template invocation per row.
    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${True}
    operator_user  TestPwd123  Operator        ${True}
    user_user      TestPwd123  User            ${True}
    callback_user  TestPwd123  Callback        ${True}

Verify User Creation Without Enabling It
    [Documentation]  For each role, check that an account created with Enabled=false cannot log in.
    [Tags]  Verify_User_Creation_Without_Enabling_It
    [Template]  Verify Create User Without Enabling

    # Every row passes enabled=${False}; the template expects the login to be refused.
    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${False}
    operator_user  TestPwd123  Operator        ${False}
    user_user      TestPwd123  User            ${False}
    callback_user  TestPwd123  Callback        ${False}

Verify Redfish User Persistence After Reboot
    [Documentation]  Check that accounts, their passwords and their roles survive a BMC reboot.
    [Tags]  Verify_Redfish_User_Persistence_After_Reboot

    # Create one enabled account per role.
    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
    Redfish Create User  user_user      TestPwd123  User            ${True}
    Redfish Create User  callback_user  TestPwd123  Callback        ${True}

    # Reboot the BMC.
    Redfish OBMC Reboot (off)  stack_mode=normal

    # Each account must still log in with its password and report the same role.
    Redfish Verify User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Verify User  operator_user  TestPwd123  Operator        ${True}
    Redfish Verify User  user_user      TestPwd123  User            ${True}
    Redfish Verify User  callback_user  TestPwd123  Callback        ${True}

    # Remove the accounts. This is only reached when every step above passed.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}admin_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}operator_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}user_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}callback_user

Verify User Creation With Invalid Role Id
    [Documentation]  Check that creating an account with an unknown RoleId is rejected.
    [Tags]  Verify_User_Creation_With_Invalid_Role_Id

    # Start clean: remove test_user if it exists; a 404 is accepted as "not there".
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}test_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # The POST carries a RoleId that is not a defined role; only HTTP_BAD_REQUEST is accepted.
    ${request_body}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=wrongroleid  Enabled=${True}
    Redfish.Post  ${REDFISH_ACCOUNTS_URI}  body=&{request_body}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

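Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]  Check that re-creating an existing username with a different role is rejected
    ...  and leaves the original role unchanged, then remove the account.
    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    Redfish Create User  test_user  TestPwd123  Administrator  ${True}

    # A second POST for the same UserName with another role must be rejected.
    ${payload}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=Operator  Enabled=${True}
    Redfish.Post  ${REDFISH_ACCOUNTS_URI}  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Redfish Create User leaves the session logged in as test_user; return to
    # the default session before inspecting and removing that account.
    Redfish.Login

    # The rejected request must not have changed the account's privileges.
    ${role_config}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_URI}test_user  RoleId
    Should Be Equal  Administrator  ${role_config}

    # Delete the account so that an Administrator with a fixed, known password
    # does not remain on the BMC after the test.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}test_user

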
Verify Modifying User Attributes
    [Documentation]  Change username, password, role and enabled state through PATCH
    ...  and check that each change took effect.
    [Tags]  Verify_Modifying_User_Attributes

    # Create one enabled account per role.
    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
    Redfish Create User  user_user      TestPwd123  User            ${True}
    Redfish Create User  callback_user  TestPwd123  Callback        ${True}

    # Redfish Create User leaves the session logged in as the last created
    # account; go back to the default session before modifying accounts.
    Redfish.Login

    # The rename target must not exist yet; a 404 is accepted as "not there".
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}newadmin_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Rename admin_user.
    ${change}=  Create Dictionary  UserName=newadmin_user
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}admin_user  body=&{change}

    # Change the password of operator_user.
    ${change}=  Create Dictionary  Password=NewTestPwd123
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}operator_user  body=&{change}

    # Change the role of user_user to Operator.
    ${change}=  Create Dictionary  RoleId=Operator
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}user_user  body=&{change}

    # Disable callback_user.
    ${change}=  Create Dictionary  Enabled=${False}
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}callback_user  body=&{change}

    # Each account must now show exactly the modified attribute; the last row
    # expects the login of the disabled account to fail.
    Redfish Verify User  newadmin_user  TestPwd123     Administrator   ${True}
    Redfish Verify User  operator_user  NewTestPwd123  Operator        ${True}
    Redfish Verify User  user_user      TestPwd123     Operator        ${True}
    Redfish Verify User  callback_user  TestPwd123     Callback        ${False}

    # Remove the accounts. This is only reached when every step above passed.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}newadmin_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}operator_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}user_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}callback_user

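Verify User Account Locked
    [Documentation]  Check that an account locks after repeated failed logins, unlocks once the
    ...  lockout duration has passed, and remove the account afterwards.
    [Tags]  Verify_User_Account_Locked

    Redfish Create User  admin_user  TestPwd123  Administrator   ${True}

    # Apply the lockout policy under test. The previous AccountService values
    # are not read or restored here, so this policy stays in effect afterwards.
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}
    ...  body={'AccountLockoutThreshold': ${account_lockout_threshold}, 'AccountLockoutDuration': ${account_lockout_duration}}

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword  ${account_lockout_threshold} times
    ...  Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  admin_user  abc123

    # With the threshold reached, even the correct password must be refused.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  admin_user  TestPwd123

    # Wait for lockout duration to expire and then verify that login works.
    Sleep  ${account_lockout_duration}s
    Redfish.Login  admin_user  TestPwd123

    Redfish.Logout

    # Return to the default session and delete the account so that an
    # Administrator with a fixed, known password does not remain on the BMC.
    Redfish.Login
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}admin_user

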
*** Keywords ***

Test Setup Execution
    [Documentation]  Per-test setup: open a Redfish session.

    # Called without arguments, so whatever credentials Redfish.Login defaults to are used.
    Redfish.Login


Test Teardown Execution
    [Documentation]  Per-test teardown: collect failure data, then close the Redfish session.

    # Run the FFDC keyword first, while the session is still open.
    FFDC On Test Case Fail
    Redfish.Logout

Redfish Create User
    [Documentation]  Create a Redfish account, replacing any existing account of the same name,
    ...  then check its login behaviour and its role.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role id of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    #
    # On return the session belongs to the new account when enabled is true,
    # and to the default login otherwise.

    Redfish.Login

    # Remove a stale account with this name; a 404 is accepted as "not there".
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create the account; only HTTP_CREATED is accepted.
    ${new_account}=  Create Dictionary
    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${enabled}
    Redfish.Post  ${REDFISH_ACCOUNTS_URI}  body=&{new_account}
    ...  valid_status_codes=[${HTTP_CREATED}]

    Redfish.Logout

    # A disabled account must be refused at login; an enabled one must get a session.
    Run Keyword If  ${enabled} == False
    ...    Run Keyword And Expect Error  InvalidCredentialsError*
    ...    Redfish.Login  ${username}  ${password}
    ...  ELSE
    ...    Redfish.Login  ${username}  ${password}

    # The refused login leaves no session, so log in again with the defaults
    # before querying the account.
    Run Keyword If  ${enabled} == False
    ...  Redfish.Login

    # The RoleId stored for the account must equal the requested one.
    ${actual_role}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_URI}${username}  RoleId
    Should Be Equal  ${role_id}  ${actual_role}


Redfish Verify User
    [Documentation]  Check that an existing account logs in (or is refused) as expected
    ...  and that it has the expected role.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username of the account to verify.
    # password            The password the account is expected to have.
    # role_id             The role id the account is expected to have
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Whether login is expected to succeed
    #                     (${True}, ${False}).

    # Attempt a login with the account and record whether it succeeded.
    ${login_ok}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}

    # Login must succeed exactly when the account is expected to be enabled.
    Should Be Equal  ${login_ok}  ${enabled}

    # Query the role from the default session rather than the account's own:
    # the account under test may be disabled and then has no session.
    Redfish.Login

    # The RoleId stored for the account must equal the expected one.
    ${actual_role}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_URI}${username}  RoleId
    Should Be Equal  ${role_id}  ${actual_role}


Redfish Create And Verify User
    [Documentation]  Create an account, verify its login and role, then delete it.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role id of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Example of an account resource (excerpt):
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}

    # Redfish Verify User ends on the default session, which performs the delete.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}

Verify Redfish User with Wrong Password
    [Documentation]  Create an account, check that login with a wrong password is refused,
    ...  then delete the account.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role id of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # wrong_password      Any invalid password.

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # The login must fail with an invalid-credentials error.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${wrong_password}

    # Re-establish the default session for cleanup.
    Redfish.Login

    # Delete newly created user.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}


Verify Login with Deleted Redfish User
    [Documentation]  Create an account, confirm it can log in, delete it and confirm that
    ...  the same credentials are then refused.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role id of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
    ${login_ok}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}

    # The account must be able to log in before it is deleted.
    Should Be Equal  ${login_ok}  ${True}

    # Switch to the default session so the account is not deleting itself.
    Redfish.Login

    # Delete newly created user.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}

    # The deleted account's credentials must now be refused.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    # Re-establish the default session after the refused login.
    Redfish.Login

Verify Create User Without Enabling
    [Documentation]  Create an account with the given enabled value (the calling test passes
    ...  false), check that its login is refused, then delete it.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role id of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    Redfish.Login

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish.Logout

    # Login with the new account's credentials must be refused.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    # Re-establish the default session for cleanup.
    Redfish.Login

    # Delete newly created user.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}
