1*** Settings ***
2Documentation    Test Redfish user account.
3
4Resource         ../../lib/resource.robot
5Resource         ../../lib/bmc_redfish_resource.robot
6Resource         ../../lib/openbmc_ffdc.robot
7
8Test Setup       Test Setup Execution
9Test Teardown    Test Teardown Execution
10
11*** Variables ***
12
# Lockout window in seconds; the lockout test passes it to Sleep as "${account_lockout_duration}s".
${account_lockout_duration}   ${30}
# Number of failed logins the lockout test makes before expecting the account to be locked.
${account_lockout_threshold}  ${3}
15
16** Test Cases **
17
Verify AccountService Available
    [Documentation]  Check that the Redfish AccountService reports ServiceEnabled as true.
    [Tags]  Verify_AccountService_Available

    # Runs in the session opened by Test Setup Execution.
    ${service_enabled}=  Redfish_utils.Get Attribute  /redfish/v1/AccountService  ServiceEnabled
    Should Be Equal As Strings  ${service_enabled}  ${True}
24
Verify Redfish User Persistence After Reboot
    [Documentation]  Create one account per role, reboot the BMC and check that each
    ...  account still logs in with the same password and still has the same role.
    [Tags]  Verify_Redfish_User_Persistence_After_Reboot

    # NOTE(review): the deletes at the end run only when every earlier step passes. A
    # failure part-way leaves these accounts, including an Administrator with a fixed
    # password, on the BMC - consider moving the cleanup into a teardown.

    # One account for each role under test.
    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly        ${True}
    Redfish Create User  callback_user  TestPwd123  Callback        ${True}

    # Reboot the BMC, then open a fresh session with the default credentials.
    Redfish OBMC Reboot (off)  stack_mode=normal
    Redfish.Login

    # Every account must have survived the reboot with its password and role intact.
    Redfish Verify User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Verify User  operator_user  TestPwd123  Operator        ${True}
    Redfish Verify User  readonly_user  TestPwd123  ReadOnly        ${True}
    Redfish Verify User  callback_user  TestPwd123  Callback        ${True}

    # Remove the accounts created above.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/callback_user
50
Redfish Create and Verify Users
    [Documentation]  Run the create/verify/delete cycle once for each role listed below.
    [Tags]  Redfish_Create_and_Verify_Users
    [Template]  Redfish Create And Verify User

    # Each row is one call of the template keyword.
    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${True}
    operator_user  TestPwd123  Operator        ${True}
    readonly_user  TestPwd123  ReadOnly        ${True}
    callback_user  TestPwd123  Callback        ${True}
61
Verify Redfish User with Wrong Password
    [Documentation]  For each role, create a user and check that a login with a wrong
    ...  password is refused.
    [Tags]  Verify_Redfish_User_with_Wrong_Password
    [Template]  Verify Redfish User with Wrong Password

    # Each row is one call of the template keyword; the last column is the bad password.
    #username      password    role_id         enabled  wrong_password
    admin_user     TestPwd123  Administrator   ${True}  alskjhfwurh
    operator_user  TestPwd123  Operator        ${True}  12j8a8uakjhdaosiruf024
    readonly_user  TestPwd123  ReadOnly        ${True}  12
    callback_user  TestPwd123  Callback        ${True}  !#@D#RF#@!D
72
Verify Login with Deleted Redfish Users
    [Documentation]  For each role, check that an account can no longer log in once it
    ...  has been deleted.
    [Tags]  Verify_Login_with_Deleted_Redfish_Users
    [Template]  Verify Login with Deleted Redfish User

    # Each row is one call of the template keyword.
    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${True}
    operator_user  TestPwd123  Operator        ${True}
    readonly_user  TestPwd123  ReadOnly        ${True}
    callback_user  TestPwd123  Callback        ${True}
83
Verify User Creation Without Enabling It
    [Documentation]  For each role, create the account with Enabled set to false and
    ...  check that it cannot log in.
    [Tags]  Verify_User_Creation_Without_Enabling_It
    [Template]  Verify Create User Without Enabling

    # Each row is one call of the template keyword; every account is created disabled.
    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${False}
    operator_user  TestPwd123  Operator        ${False}
    readonly_user  TestPwd123  ReadOnly        ${False}
    callback_user  TestPwd123  Callback        ${False}
94
95
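Verify User Creation With Invalid Role Id
    [Documentation]  Verify that creating a user with an unknown RoleId is rejected and
    ...  that no account is left behind by the rejected request.
    [Tags]  Verify_User_Creation_With_Invalid_Role_Id
    # A test-level [Teardown] replaces the suite's Test Teardown, so its FFDC and logout
    # steps are repeated here around the cleanup. The delete removes test_user if the
    # BMC created it despite the invalid role; 404 is the normal outcome.
    [Teardown]  Run Keywords  FFDC On Test Case Fail
    ...  AND  Redfish.Login
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
    ...  AND  Redfish.Logout

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Request an account whose RoleId names no existing role; the BMC must refuse it.
    ${payload}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=wrongroleid  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # A rejection status alone does not prove nothing was stored: the account must
    # not exist afterwards either.
    Redfish.Get  /redfish/v1/AccountService/Accounts/test_user
    ...  valid_status_codes=[${HTTP_NOT_FOUND}]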
109
Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]  Check that re-creating an existing user name with a different role
    ...  is rejected.
    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    # First create the account as an Administrator.
    Redfish Create User  test_user  TestPwd123  Administrator  ${True}

    # Ask for the same user name again, this time as Operator; this must be refused.
    # NOTE(review): the test does not re-read RoleId afterwards, so it would not notice
    # a BMC that answers with an error yet changes the existing account's role.
    ${duplicate_account}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=Operator  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{duplicate_account}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Remove the account again (skipped if a step above fails).
    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
123
Verify Modifying User Attributes
    [Documentation]  Change the user name, password, role and enabled state of existing
    ...  accounts (one attribute per account) and check that each change took effect.
    [Tags]  Verify_Modifying_User_Attributes

    # NOTE(review): the deletes at the end run only when every earlier step passes, so a
    # failure leaves the accounts below on the BMC - consider a teardown for cleanup.

    # One account for each role; each one gets a different attribute changed.
    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly        ${True}
    Redfish Create User  callback_user  TestPwd123  Callback        ${True}

    # Continue with the default account's session.
    Redfish.Login

    # The rename target must be free before admin_user is renamed to it.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # admin_user: new user name.
    ${change}=  Create Dictionary  UserName=newadmin_user
    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body=&{change}

    # operator_user: new password.
    ${change}=  Create Dictionary  Password=NewTestPwd123
    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body=&{change}

    # readonly_user: new role.
    ${change}=  Create Dictionary  RoleId=Operator
    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body=&{change}

    # callback_user: disabled.
    ${change}=  Create Dictionary  Enabled=${False}
    Redfish.Patch  /redfish/v1/AccountService/Accounts/callback_user  body=&{change}

    # Each account must now show its changed attribute.
    # NOTE(review): only the new values are checked; nothing here confirms that
    # operator_user's old password or the old admin_user name stopped working.
    Redfish Verify User  newadmin_user  TestPwd123     Administrator   ${True}
    Redfish Verify User  operator_user  NewTestPwd123  Operator        ${True}
    Redfish Verify User  readonly_user  TestPwd123     Operator        ${True}
    Redfish Verify User  callback_user  TestPwd123     Callback        ${False}

    # Remove the accounts created above.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/callback_user
167
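Verify User Account Locked
    [Documentation]  Verify that an account is locked after repeated logins with an
    ...  invalid password and is usable again once the lockout duration has passed.
    [Tags]  Verify_User_Account_Locked
    # A test-level [Teardown] replaces the suite's Test Teardown, so its FFDC and logout
    # steps are repeated here. The teardown puts back the lockout policy that was in
    # place before the test and removes admin_user even when the test fails part-way
    # (404 on the delete is the normal outcome after a passing run).
    [Teardown]  Run Keywords  FFDC On Test Case Fail
    ...  AND  Redfish.Login
    ...  AND  Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${saved_policy}
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
    ...  AND  Redfish.Logout

    # Remember the lockout policy currently configured on the BMC. The test overwrites
    # it below, and a changed policy would otherwise stay in force after the run.
    ${saved_threshold}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_SERVICE_URI}  AccountLockoutThreshold
    ${saved_duration}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_SERVICE_URI}  AccountLockoutDuration
    ${saved_policy}=  Create Dictionary  AccountLockoutThreshold=${saved_threshold}
    ...  AccountLockoutDuration=${saved_duration}

    Redfish Create User  admin_user  TestPwd123  Administrator   ${True}

    # Redfish Create User leaves the new user logged in; switch to the default account.
    Redfish.Logout

    Redfish.Login

    # Apply the lockout policy under test.
    ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
    ...  AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword  ${account_lockout_threshold} times
    ...  Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  admin_user  abc123

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  admin_user  TestPwd123

    # Wait for lockout duration to expire and then verify that login works.
    Sleep  ${account_lockout_duration}s
    Redfish.Login  admin_user  TestPwd123

    Redfish.Logout

    Redfish.Login

    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user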
199
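Verify Admin User Privilege
    [Documentation]  Verify that an Administrator account can change another account's
    ...  role and another account's password.
    [Tags]  Verify_Admin_User_Privilege
    # A test-level [Teardown] replaces the suite's Test Teardown, so its FFDC and logout
    # steps are repeated here. The deletes are a safety net for a run that fails
    # part-way (operator_user is promoted to Administrator during the test); after a
    # passing run the accounts are already gone and 404 is accepted.
    [Teardown]  Run Keywords  FFDC On Test Case Fail
    ...  AND  Redfish.Login
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
    ...  AND  Redfish.Logout

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}

    # Change role ID of operator user with admin user.
    # Login with admin user.
    Redfish.Login  admin_user  TestPwd123

    # Modify Role ID of Operator user.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body={'RoleId': 'Administrator'}

    # Verify modified user.
    Redfish Verify User  operator_user  TestPwd123  Administrator  ${True}

    # Redfish Verify User ends by logging in with the default account, so log in as
    # admin_user again; otherwise the password change below would be made by the
    # default account and would not exercise admin_user's privilege.
    Redfish.Login  admin_user  TestPwd123

    # Change password of readonly_user with admin user.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body={'Password': 'NewTestPwd123'}

    # Verify modified user.
    Redfish Verify User  readonly_user  NewTestPwd123  ReadOnly  ${True}

    Redfish.Login

    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user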
229
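Verify Operator User Privilege
    [Documentation]  Verify that an Operator account cannot change the password of an
    ...  Administrator account.
    [Tags]  Verify_operator_User_Privilege
    # A test-level [Teardown] replaces the suite's Test Teardown, so its FFDC and logout
    # steps are repeated here. The deletes are a safety net for a run that fails
    # part-way; after a passing run the accounts are already gone and 404 is accepted.
    [Teardown]  Run Keywords  FFDC On Test Case Fail
    ...  AND  Redfish.Login
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
    ...  AND  Redfish.Logout

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}

    # Login with operator user.
    Redfish.Login  operator_user  TestPwd123

    # Reboot while the operator session is the current one.
    # NOTE(review): whether the reboot keyword sends its request with this operator
    # session is not visible in this file - confirm against its implementation.
    Redfish OBMC Reboot (off)  stack_mode=normal

    # Log in as the operator again so the request below carries a live operator
    # session. A session that did not survive the reboot could produce the same
    # rejection and hide a missing privilege check.
    Redfish.Login  operator_user  TestPwd123

    # Attempt to change password of admin user with operator user.
    # NOTE(review): the Redfish specification lists 403 for insufficient privilege and
    # 401 for missing or invalid authentication; confirm 401 is what this firmware is
    # meant to return here.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body={'Password': 'NewTestPwd123'}
    ...  valid_status_codes=[${HTTP_UNAUTHORIZED}]

    # The rejection must also have left the admin account untouched: the original
    # password still works. This keyword ends logged in with the default account.
    Redfish Verify User  admin_user  TestPwd123  Administrator  ${True}

    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user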
251
252
Verify ReadOnly User Privilege
    [Documentation]  Check that a ReadOnly account can read system-level data.
    [Tags]  Verify_ReadOnly_User_Privilege

    # Redfish Create User leaves the session logged in as the new, enabled user.
    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}

    # Read the system Model with that session. The value itself is not checked.
    # NOTE(review): only read access is exercised. No step confirms that a write by
    # this ReadOnly account is refused - consider adding that negative check.
    ${model}=  Redfish_Utils.Get Attribute
    ...  ${SYSTEM_BASE_URI}  Model

    # Back to the default account for cleanup.
    Redfish.Login

    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}readonly_user
266
267
Verify Minimum Password Length For Redfish User
    [Documentation]  Check that a 7-character password is rejected and an 8-character
    ...  password is accepted, both when creating a user and when changing a password.
    [Tags]  Verify_Minimum_Password_Length_For_Redfish_User

    # NOTE(review): both lengths are hard-coded. The test does not read the minimum the
    # AccountService advertises (MinPasswordLength), so it only fits a BMC whose
    # minimum is exactly 8.

    ${account}=  Set Variable  testUser

    # Start from a state where the account does not exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${account}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Creation with the too-short password must be refused.
    ${new_account}=  Create Dictionary
    ...  UserName=${account}  Password=UserPwd  RoleId=Administrator  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{new_account}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # The same request with a long-enough password must succeed.
    Set To Dictionary  ${new_account}  Password  UserPwd1
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{new_account}
    ...  valid_status_codes=[${HTTP_CREATED}]

    # Changing the existing account to the too-short password must be refused.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/${account}  body={'Password': 'UserPwd'}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Changing it to a long-enough password must succeed.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/${account}  body={'Password': 'UserPwd1'}

    # The accepted password must work for login; then clean up as the default account.
    Redfish.Logout
    Redfish.Login  ${account}  UserPwd1
    Redfish.Logout
    Redfish.Login
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${account}
302
303
304*** Keywords ***
305
Test Setup Execution
    [Documentation]  Open a Redfish session with the default credentials before each test.

    Redfish.Login
310
311
Test Teardown Execution
    [Documentation]  After each test, run the failure data collection keyword and close
    ...  the Redfish session.

    # The FFDC keyword runs first, before the session is closed.
    FFDC On Test Case Fail
    Redfish.Logout
317
Redfish Create User
    [Documentation]  Create a Redfish account, check that it logs in (or, when disabled,
    ...  that it is refused) and check its RoleId.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Session on return: the new user for an enabled non-Callback account; the default
    # account when the user is disabled or has the Callback role.

    Redfish.Login

    # Remove any account of the same name left over from an earlier run.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create the account and require the "created" status.
    ${new_account}=  Create Dictionary
    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${enabled}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{new_account}
    ...  valid_status_codes=[${HTTP_CREATED}]

    Redfish.Logout

    # A disabled account must be refused at login; an enabled one must get in.
    Run Keyword If  ${enabled} == ${False}
    ...    Run Keyword And Expect Error  InvalidCredentialsError*
    ...    Redfish.Login  ${username}  ${password}
    ...  ELSE
    ...    Redfish.Login  ${username}  ${password}

    # No session is open after a refused login, so use the default account instead.
    Run Keyword If  ${enabled} == ${False}
    ...  Redfish.Login

    # A Callback user's session is swapped for the default account before the read below.
    Run Keyword If  '${role_id}' == 'Callback'
    ...  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # The stored RoleId must match the one requested.
    ${actual_role}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${actual_role}
361
362
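Redfish Verify User
    [Documentation]  Check that an existing user can log in (or, when disabled, is
    ...  refused) and that the account has the expected role.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username of the account to verify.
    # password            The password expected to work for that account.
    # role_id             The role ID the account is expected to have
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the account is expected to be
    #                     enabled (${True}, ${False}).

    # An enabled account must log in. A disabled account must be refused with a
    # credentials error specifically, so that an unrelated login failure (for example
    # the BMC not answering) cannot pass as "account is disabled".
    Run Keyword If  ${enabled} == ${False}
    ...    Run Keyword And Expect Error  InvalidCredentialsError*
    ...    Redfish.Login  ${username}  ${password}
    ...  ELSE
    ...    Redfish.Login  ${username}  ${password}

    # Continue with the default account: the user under test may be disabled, so its
    # own session cannot be relied on for the read below. Callers can count on the
    # default account being logged in when this keyword returns.
    Redfish.Login

    # Validate Role Id of user.
    ${role_config}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${role_config}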
388
389
Redfish Create And Verify User
    [Documentation]  Create a user, verify its login and role, then delete it.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Example of an account resource (excerpt):
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},

    # Create, then verify with the same credentials and role.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}

    # Remove the account again. Redfish Verify User left the default account logged in.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
422
Verify Redfish User with Wrong Password
    [Documentation]  Create a user and check that logging in with a wrong password is
    ...  refused, then delete the user.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # wrong_password      Any invalid password.

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # The login must fail with a credentials error when the password is wrong.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${wrong_password}

    # Back to the default account for cleanup.
    Redfish.Login

    # Remove the account created above.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
446
447
Verify Login with Deleted Redfish User
    [Documentation]  Create a user, confirm it can log in, delete it and check that the
    ...  same credentials are then refused.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
    ${login_ok}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}

    # The account must be able to log in before it is deleted.
    Should Be Equal  ${login_ok}  ${True}

    # Delete the account using the default account's session.
    Redfish.Login

    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

    # The deleted account's credentials must now be refused.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    # Leave the default account logged in.
    Redfish.Login
476
Verify Create User Without Enabling
    [Documentation]  Create a user and check that its login is refused, then delete it.
    ...  Intended to be called with enabled set to ${False}.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    Redfish.Login

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # Close the current session before trying the new account's credentials.
    Redfish.Logout

    # The login is expected to fail with a credentials error.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    # Back to the default account for cleanup.
    Redfish.Login

    # Remove the account created above.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
503