xref: /openbmc/openbmc-test-automation/redfish/account_service/test_user_account.robot (revision 59fed68eeb67f0ab2ff107c29de4c9789ef6e3b9) 
1*** Settings ***
2Documentation    Test suite for verifying Redfish admin, readonly operation user accounts.
3
4Resource         ../../lib/resource.robot
5Resource         ../../lib/bmc_redfish_resource.robot
6Resource         ../../lib/openbmc_ffdc.robot
7Resource         ../../lib/bmc_redfish_utils.robot
8
9Library          SSHLibrary
10
11Test Setup       Redfish.Login
12Test Teardown    Test Teardown Execution
13
14Test Tags        User_Account
15
16*** Variables ***
17
18${account_lockout_duration}   ${30}
19${account_lockout_threshold}  ${3}
20${ssh_status}                 ${True}
21
22*** Test Cases ***
23
24Verify AccountService Available
25    [Documentation]  Verify Redfish account service is available.
26    [Tags]  Verify_AccountService_Available
27
28    ${resp} =  Redfish_utils.Get Attribute  /redfish/v1/AccountService  ServiceEnabled
29    Should Be Equal As Strings  ${resp}  ${True}
30
31
32Verify Redfish Admin User Persistence After Reboot
33    [Documentation]  Verify Redfish admin user persistence after reboot.
34    [Tags]  Verify_Redfish_Admin_User_Persistence_After_Reboot
35    [Setup]  Run Keywords  Redfish.Login  AND
36    ...  Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
37    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
38    ...  AND  Test Teardown Execution
39
40    # Reboot BMC.
41    Redfish OBMC Reboot (off)  stack_mode=normal
42
43    # Verify users after reboot.
44    Redfish Verify User  admin_user     TestPwd123  Administrator   ${True}
45
46
47Verify Redfish Operator User Persistence After Reboot
48    [Documentation]  Verify Redfish operator user persistence after reboot.
49    [Tags]  Verify_Redfish_Operator_User_Persistence_After_Reboot
50    [Setup]  Run Keywords  Redfish.Login  AND
51    ...  Redfish Create User  operator_user  TestPwd123  Operator  ${True}
52    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
53    ...  AND  Test Teardown Execution
54
55    # Reboot BMC.
56    Redfish OBMC Reboot (off)  stack_mode=normal
57
58    # Verify users after reboot.
59    Redfish Verify User  operator_user  TestPwd123  Operator        ${True}
60
61
62Verify Redfish Readonly User Persistence After Reboot
63    [Documentation]  Verify Redfish readonly user persistence after reboot.
64    [Tags]  Verify_Redfish_Readonly_User_Persistence_After_Reboot
65    [Setup]  Run Keywords  Redfish.Login  AND
66    ...  Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
67    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
68    ...  AND  Test Teardown Execution
69
70    # Reboot BMC.
71    Redfish OBMC Reboot (off)  stack_mode=normal
72
73    # Verify users after reboot.
74    Redfish Verify User  readonly_user  TestPwd123  ReadOnly        ${True}
75
76Redfish Create and Verify Admin User
77    [Documentation]  Create a Redfish user with administrator role and verify.
78    [Tags]  Redfish_Create_and_Verify_Admin_User
79    [Template]  Redfish Create And Verify User
80
81    #username      password    role_id         enabled
82    admin_user     TestPwd123  Administrator   ${True}
83
84
85Redfish Create and Verify Operator User
86    [Documentation]  Create a Redfish user with operator role and verify.
87    [Tags]  Redfish_Create_and_Verify_Operator_User
88    [Template]  Redfish Create And Verify User
89
90    #username      password    role_id         enabled
91    operator_user  TestPwd123  Operator        ${True}
92
93
94Redfish Create and Verify Readonly User
95    [Documentation]  Create a Redfish user with readonly role and verify.
96    [Tags]  Redfish_Create_and_Verify_Readonly_User
97    [Template]  Redfish Create And Verify User
98
99    #username      password    role_id         enabled
100    readonly_user  TestPwd123  ReadOnly        ${True}
101
102
103Verify Redfish Admin User Login With Wrong Password
104    [Documentation]  Verify Redfish create admin user with valid password and make sure
105    ...  admin user failed to login with wrong password.
106    [Tags]  Verify_Redfish_Admin_User_Login_With_Wrong_Password
107    [Template]  Verify Redfish User Login With Wrong Password
108
109    #username      password    role_id         enabled  wrong_password
110    admin_user     TestPwd123  Administrator   ${True}  alskjhfwurh
111
112
113Verify Redfish Operator User Login With Wrong Password
114    [Documentation]  Verify Redfish create operator user with valid password and make sure
115    ...  operator user failed to login with wrong password.
116    [Tags]  Verify_Redfish_Operator_User_Login_With_Wrong_Password
117    [Template]  Verify Redfish User Login With Wrong Password
118
119    #username      password    role_id         enabled  wrong_password
120    operator_user  TestPwd123  Operator        ${True}  12j8a8uakjhdaosiruf024
121
122
123Verify Redfish Readonly User Login With Wrong Password
124    [Documentation]  Verify Redfish create readonly user with valid password and make sure
125    ...  readonly user failed to login with wrong password.
126    [Tags]  Verify_Redfish_Readonly_User_Login_With_Wrong_Password
127    [Template]  Verify Redfish User Login With Wrong Password
128
129    #username      password    role_id         enabled  wrong_password
130    readonly_user  TestPwd123  ReadOnly        ${True}  12
131
132
133Verify Login with Deleted Redfish Admin User
134    [Documentation]  Verify login with deleted Redfish admin user.
135    [Tags]  Verify_Login_with_Deleted_Redfish_Admin_User
136    [Template]  Verify Login with Deleted Redfish User
137
138    #username     password    role_id         enabled
139    admin_user     TestPwd123  Administrator   ${True}
140
141
142Verify Login with Deleted Redfish Operator User
143    [Documentation]  Verify login with deleted Redfish operator user.
144    [Tags]  Verify_Login_with_Deleted_Redfish_Operator_User
145    [Template]  Verify Login with Deleted Redfish User
146
147    #username     password    role_id         enabled
148    operator_user  TestPwd123  Operator        ${True}
149
150
151Verify Login with Deleted Redfish Readonly User
152    [Documentation]  Verify login with deleted Redfish readonly user.
153    [Tags]  Verify_Login_with_Deleted_Redfish_Readonly_User
154    [Template]  Verify Login with Deleted Redfish User
155
156    #username     password    role_id         enabled
157    readonly_user  TestPwd123  ReadOnly        ${True}
158
159
160Verify Admin User Creation Without Enabling It
161    [Documentation]  Verify admin user creation without enabling it.
162    [Tags]  Verify_Admin_User_Creation_Without_Enabling_It
163    [Template]  Verify Create User Without Enabling
164
165    #username      password    role_id         enabled
166    admin_user     TestPwd123  Administrator   ${False}
167
168
169Verify Operator User Creation Without Enabling It
170    [Documentation]  Verify operator user creation without enabling it.
171    [Tags]  Verify_Operator_User_Creation_Without_Enabling_It
172    [Template]  Verify Create User Without Enabling
173
174    #username      password    role_id         enabled
175    operator_user  TestPwd123  Operator        ${False}
176
177
178Verify Readonly User Creation Without Enabling It
179    [Documentation]  Verify readonly user creation without enabling it.
180    [Tags]  Verify_Readonly_User_Creation_Without_Enabling_It
181    [Template]  Verify Create User Without Enabling
182
183    #username      password    role_id         enabled
184    readonly_user  TestPwd123  ReadOnly        ${False}
185
186
187Verify User Creation With Invalid Role Id
188    [Documentation]  Verify user creation with invalid role ID.
189    [Tags]  Verify_User_Creation_With_Invalid_Role_Id
190
191    # Make sure the user account in question does not already exist.
192    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
193    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
194
195    # Create specified user.
196    ${payload}=  Create Dictionary
197    ...  UserName=test_user  Password=TestPwd123  RoleId=wrongroleid  Enabled=${True}
198    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
199    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
200
201Verify Error Upon Creating Same Users With Different Privileges
202    [Documentation]  Verify error upon creating same users with different privileges.
203    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges
204
205    Redfish Create User  test_user  TestPwd123  Administrator  ${True}
206
207    # Create specified user.
208    ${payload}=  Create Dictionary
209    ...  UserName=test_user  Password=TestPwd123  RoleId=ReadOnly  Enabled=${True}
210    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
211    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
212
213    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
214
215
216Verify Modifying User Attributes
217    [Documentation]  Verify modifying user attributes.
218    [Tags]  Verify_Modifying_User_Attributes
219
220    # Create Redfish users.
221    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
222    Redfish Create User  readonly_user  TestPwd123  ReadOnly        ${True}
223
224    # Make sure the new user account does not already exist.
225    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
226    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
227
228    # Update admin_user username using Redfish.
229    ${payload}=  Create Dictionary  UserName=newadmin_user
230    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body=&{payload}
231    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]
232
233    # Update readonly_user role using Redfish.
234    ${payload}=  Create Dictionary  RoleId=Administrator
235    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body=&{payload}
236    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]
237
238    # Verify users after updating
239    Redfish Verify User  newadmin_user  TestPwd123     Administrator   ${True}
240    Redfish Verify User  readonly_user  TestPwd123     Administrator   ${True}
241
242    # Delete created users.
243    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
244    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
245
246
247Verify Modifying Operator User Attributes
248    [Documentation]  Verify modifying operator user attributes.
249    [Tags]  Verify_Modifying_Operator_User_Attributes
250    [Setup]  Run Keywords  Redfish.Login  AND
251    ...  Redfish Create User  operator_user  TestPwd123  Operator  ${True}
252    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
253    ...  AND  Test Teardown Execution
254
255    # Update operator_user password using Redfish.
256    ${payload}=  Create Dictionary  Password=NewTestPwd123
257    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body=&{payload}
258
259    # Verify users after updating
260    Redfish Verify User  operator_user  NewTestPwd123  Operator        ${True}
261
262
263Verify User Account Locked
264    [Documentation]  Verify user account locked upon trying with invalid password.
265    [Tags]  Verify_User_Account_Locked
266
267    Redfish Create User  admin_user  TestPwd123  Administrator   ${True}
268
269    ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
270    ...  AccountLockoutDuration=${account_lockout_duration}
271    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
272    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]
273
274    Redfish.Logout
275
276    # Make ${account_lockout_threshold} failed login attempts.
277    Repeat Keyword  ${account_lockout_threshold} times
278    ...  Run Keyword And Expect Error  *InvalidCredentialsError*  Redfish.Login  admin_user  abcd1234
279
280    # Verify that legitimate login fails due to lockout.
281    Run Keyword And Expect Error  *InvalidCredentialsError*
282    ...  Redfish.Login  admin_user  TestPwd123
283
284    # Wait for lockout duration to expire and adding 5 sec delay to the account lock timeout
285    # ... then verify that login works.
286    ${total_wait_duartion}=  Evaluate  ${account_lockout_duration} + 5
287    Sleep  ${total_wait_duartion}s
288
289    Redfish.Login  admin_user  TestPwd123
290
291    Redfish.Logout
292
293    Redfish.Login
294
295    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
296
297
298Verify User Account Unlock
299    [Documentation]  Verify manually unlocking the account before lockout time
300    [Tags]  Verify_User_Account_Unlock
301    [Teardown]  Run Keywords  Redfish.Logout
302    ...  AND  Redfish.Login
303    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
304    ...  AND  SSHLibrary.Close All Connections
305
306    Redfish Create User  test_user  TestPwd123  Administrator  ${True}
307
308    ${payload}=  Create Dictionary
309    ...  AccountLockoutThreshold=${account_lockout_threshold}
310    ...  AccountLockoutDuration=${account_lockout_duration}
311    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
312
313    Redfish.Logout
314
315    # Make ${account_lockout_threshold} failed login attempts.
316    Repeat Keyword  ${account_lockout_threshold} times
317    ...  Run Keyword And Expect Error  InvalidCredentialsError*
318    ...  Redfish.Login  test_user  abc123
319
320    # Ensure SSH Login with locked account gets failed
321    SSHLibrary.Open Connection  ${OPENBMC_HOST}
322    Run Keyword And Expect Error  Authentication failed*
323    ...  SSHLibrary.Login  test_user  TestPwd123
324
325    # Verify that legitimate login fails due to lockout.
326    Run Keyword And Expect Error  InvalidCredentialsError*
327    ...  Redfish.Login  test_user  TestPwd123
328
329    ${payload}=  Create Dictionary  Locked=${FALSE}
330
331    # Manually unlock the account before lockout threshold expires
332    Redfish.Login
333    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}test_user  body=${payload}
334    Redfish.Logout
335
336    # Try redfish login with the recently unlocked account
337    Redfish.Login  test_user  TestPwd123
338
339    # Try SSH login with the unlocked account
340    SSHLibrary.Open Connection  ${OPENBMC_HOST}
341    SSHLibrary.Login  test_user  TestPwd123
342
343
344Verify Admin User Privilege
345    [Documentation]  Verify admin user privilege.
346    [Tags]  Verify_Admin_User_Privilege
347
348    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
349    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
350
351    Redfish.Logout
352
353    Redfish.Login  admin_user  TestPwd123
354
355    # Change password of 'readonly' user with admin user.
356    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body={'Password': 'NewTestPwd123'}
357
358    # Verify modified user.
359    Redfish Verify User  readonly_user  NewTestPwd123  ReadOnly  ${True}
360
361    # Note: Delete user would work here because a root login is
362    # performed as part of "Redfish Verify User" keyword's teardown.
363    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
364    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
365
366
367Verify Operator User Role Change Using Admin Privilege User
368    [Documentation]  Verify operator user role change using admin privilege user
369    [Tags]  Verify_Operator_User_Role_Change_Using_Admin_Privilege_User
370
371    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
372    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
373
374    Redfish.Logout
375
376    # Change role ID of operator user with admin user.
377    # Login with admin user.
378    Redfish.Login  admin_user  TestPwd123
379
380    # Modify Role ID of Operator user.
381    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body={'RoleId': 'Administrator'}
382
383    # Verify modified user.
384    Redfish Verify User  operator_user  TestPwd123  Administrator  ${True}
385
386    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
387    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
388
389
390Verify Operator User Privilege
391    [Documentation]  Verify operator user privilege.
392    [Tags]  Verify_Operator_User_Privilege
393
394    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
395    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
396
397    Redfish.Logout
398    # Login with operator user.
399    Redfish.Login  operator_user  TestPwd123
400
401    # Verify BMC reset.
402    Run Keyword And Expect Error  ValueError*  Redfish BMC Reset Operation
403
404    # Attempt to change password of admin user with operator user.
405    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body={'Password': 'NewTestPwd123'}
406    ...  valid_status_codes=[${HTTP_FORBIDDEN}]
407
408    Redfish.Logout
409
410    Redfish.Login
411
412    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
413    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
414
415
416Verify ReadOnly User Privilege
417    [Documentation]  Verify ReadOnly user privilege.
418    [Tags]  Verify_ReadOnly_User_Privilege
419
420    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
421    Redfish.Logout
422
423    # Login with read_only user.
424    Redfish.Login  readonly_user  TestPwd123
425
426    # Read system level data.
427    ${system_model}=  Redfish_Utils.Get Attribute
428    ...  ${SYSTEM_BASE_URI}  Model
429
430    Redfish.Logout
431    Redfish.Login
432    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}readonly_user
433
434
435Verify Minimum Password Length For Redfish Admin And Readonly User
436    [Documentation]  Verify minimum password length for new and existing admin or
437    ...  readonly user.
438    [Template]  Verify Minimum Password Length For Redfish User
439
440    #username        role_id
441    admin_user       Administrator
442    readonly_user    ReadOnly
443
444
445Verify Standard User Roles Defined By Redfish
446    [Documentation]  Verify standard user roles defined by Redfish.
447    [Tags]  Verify_Standard_User_Roles_Defined_By_Redfish
448
449    ${member_list}=  Redfish_Utils.Get Member List
450    ...  /redfish/v1/AccountService/Roles
451
452    @{roles}=  Create List
453    ...  /redfish/v1/AccountService/Roles/Administrator
454    ...  /redfish/v1/AccountService/Roles/Operator
455    ...  /redfish/v1/AccountService/Roles/ReadOnly
456
457    List Should Contain Sub List  ${member_list}  ${roles}
458
459    # The standard roles are:
460
461    # | Role name | Assigned privileges |
462    # | Administrator | Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf |
463    # | Operator | Login, ConfigureComponents, ConfigureSelf |
464    # | ReadOnly | Login, ConfigureSelf |
465
466    @{admin}=  Create List  Login  ConfigureManager  ConfigureUsers  ConfigureComponents  ConfigureSelf
467    @{operator}=  Create List  Login  ConfigureComponents  ConfigureSelf
468    @{readOnly}=  Create List  Login  ConfigureSelf
469
470    ${roles_dict}=  create dictionary  admin_privileges=${admin}  operator_privileges=${operator}
471    ...  readOnly_privileges=${readOnly}
472
473    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/Administrator
474    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${roles_dict['admin_privileges']}
475
476    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/Operator
477    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${roles_dict['operator_privileges']}
478
479    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/ReadOnly
480    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${roles_dict['readOnly_privileges']}
481
482
483Verify Error While Deleting Root User
484    [Documentation]  Verify error while deleting root user.
485    [Tags]  Verify_Error_While_Deleting_Root_User
486
487    Redfish.Delete  /redfish/v1/AccountService/Accounts/root  valid_status_codes=[${HTTP_FORBIDDEN}]
488
489
490Verify SSH Login Access With Admin User
491    [Documentation]  Verify that admin user have SSH login access.
492    ...              By default, admin should have access but there could be
493    ...              case where admin user shell access is restricted by design
494    ...              in the community sphere..
495    [Tags]  Verify_SSH_Login_Access_With_Admin_User
496
497    # Create an admin User.
498    Redfish Create User  new_admin  TestPwd1  Administrator  ${True}
499
500    # Attempt SSH login with admin user.
501    SSHLibrary.Open Connection  ${OPENBMC_HOST}
502    ${status}=  Run Keyword And Return Status  SSHLibrary.Login  new_admin  TestPwd1
503
504    # By default ssh_status is True, user can change the status via CLI
505    # -v ssh_status:False
506    Should Be Equal As Strings  "${status}"  "${ssh_status}"
507
508    Redfish.Login
509    Redfish.Delete  /redfish/v1/AccountService/Accounts/new_admin
510
511
512Verify Configure BasicAuth Enable And Disable
513    [Documentation]  Verify configure basicauth enable and disable
514    [Tags]  Verify_Configure_BasicAuth_Enable_And_Disable
515    [Template]  Template For Configure Auth Methods
516
517    # auth_method
518    BasicAuth
519    XToken
520
521
522Redfish Create and Verify Admin User With Invalid Password Format
523    [Documentation]  Create a admin user with invalid password format and verify.
524    [Template]  Create User With Unsupported Password Format And Verify
525    [Tags]  Redfish_Create_and_Verify_Admin_User_With_Invalid_Password_Format
526
527    #username       role_id        password
528    admin_user      Administrator  snellens
529    admin_user      Administrator  10000001
530    admin_user      Administrator  12345678
531    admin_user      Administrator  abcdefgh
532    admin_user      Administrator  abf12345
533    admin_user      Administrator  helloworld
534    admin_user      Administrator  HELLOWORLD
535    admin_user      Administrator  &$%**!*@
536    admin_user      Administrator  Dictation
537
538
539Redfish Create and Verify Readonly User With Invalid Password Format
540    [Documentation]  Create a readonly user with invalid password format and verify.
541    [Template]  Create User With Unsupported Password Format And Verify
542    [Tags]  Redfish_Create_and_Verify_Readonly_User_With_Invalid_Password_Format
543
544    #username       role_id        password
545    readonly_user   ReadOnly       snellens
546    readonly_user   ReadOnly       10000001
547    readonly_user   ReadOnly       12345678
548    readonly_user   ReadOnly       abcdefgh
549    readonly_user   ReadOnly       abf12345
550    readonly_user   ReadOnly       helloworld
551    readonly_user   ReadOnly       HELLOWORLD
552    readonly_user   ReadOnly       &$%**!*@
553    readonly_user   ReadOnly       Dictation
554
555
556Verify Admin And Readonly User Password Is Not Same As Username
557    [Documentation]  Verify that admin and readonly user creation is failed if
558    ...  password is same as username.
559    [Template]  Create User With Unsupported Password Format And Verify
560    [Tags]      Verify_Admin_And_Readonly_User_Password_Is_Not_Same_As_Username
561
562    #username        role_id             password
563    AdminUser1       Administrator       AdminUser1
564    ReadOnlyUser1    ReadOnly            ReadOnlyUser1
565
566Verify AccountService Unsupported Methods
567    [Documentation]  Verify Unsupported methods of AccountService
568    [Tags]  Verify_AccountService_Unsupported_Methods
569
570    # Put operation on Account Services
571    Redfish.Put  /redfish/v1/AccountService
572    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
573
574    # Post operation on Account Services
575    Redfish.Post  /redfish/v1/AccountService
576    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
577
578    # Delete operation on Account Services
579    Redfish.Delete  /redfish/v1/AccountService
580    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
581
582Verify AccountService Roles Unsupported Methods
583    [Documentation]  Verify Unsupported methods of AccountService/Roles
584    [Tags]  Verify_AccountService_Roles_Unsupported_Methods
585
586    # Put operation on Account Services Roles
587    Redfish.Put  /redfish/v1/AccountService/Roles
588    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
589
590    # Post operation on Account Services Roles
591    Redfish.Post  /redfish/v1/AccountService/Roles
592    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
593
594    # Delete operation on Account Services Roles
595    Redfish.Delete  /redfish/v1/AccountService/Roles
596    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
597
598    # Patch operation on Account Services Roles
599    Redfish.Patch  /redfish/v1/AccountService/Roles
600    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]
601
602
603*** Keywords ***
604
605Test Teardown Execution
606    [Documentation]  Do the post test teardown.
607
608    Run Keyword And Ignore Error  Redfish.Logout
609    FFDC On Test Case Fail
610
611
612Redfish Create User
613    [Documentation]  Redfish create user.
614    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${login_check}=${True}
615
616    # Description of argument(s):
617    # username            The username to be created.
618    # password            The password to be assigned.
619    # role_id             The role ID of the user to be created
620    #                     (e.g. "Administrator", "Operator", etc.).
621    # enabled             Indicates whether the username being created
622    #                     should be enabled (${True}, ${False}).
623    # login_check         Checks user login for created user.
624    #                     (e.g. ${True}, ${False}).
625
626    # Make sure the user account in question does not already exist.
627    Redfish.Delete  /redfish/v1/AccountService/Accounts/${userName}
628    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
629
630    # Create specified user.
631    ${payload}=  Create Dictionary
632    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${enabled}
633    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
634    ...  valid_status_codes=[${HTTP_CREATED}]
635
636    # Resetting faillock count as a workaround for issue
637    # openbmc/phosphor-user-manager#4
638    ${cmd}=  Catenate  /usr/sbin/faillock --user ${username} --reset
639
640    Bmc Execute Command  ${cmd}
641
642    # Verify login with created user.
643    IF  '${login_check}' == '${True}'
644        ${status}=  Run Keyword And Return Status
645        ...  Verify Redfish User Login  ${username}  ${password}
646    ELSE
647        ${status}=  Set Variable  ${False}
648    END
649
650    IF  '${login_check}' == '${True}'  Should Be Equal  ${status}  ${enabled}
651
652    # Validate Role ID of created user.
653    ${role_config}=  Redfish_Utils.Get Attribute
654    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
655    Should Be Equal  ${role_id}  ${role_config}
656
657
658Redfish Verify User
659    [Documentation]  Redfish user verification.
660    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
661
662    # Description of argument(s):
663    # username            The username to be created.
664    # password            The password to be assigned.
665    # role_id             The role ID of the user to be created
666    #                     (e.g. "Administrator", "Operator", etc.).
667    # enabled             Indicates whether the username being created
668    #                     should be enabled (${True}, ${False}).
669
670    ${status}=  Verify Redfish User Login  ${username}  ${password}
671    # Doing a check of the returned status.
672    Should Be Equal  ${status}  ${enabled}
673
674    # Validate Role Id of user.
675    ${role_config}=  Redfish_Utils.Get Attribute
676    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
677    Should Be Equal  ${role_id}  ${role_config}
678
679
680Verify Redfish User Login
681    [Documentation]  Verify Redfish login with given user id.
682    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout  AND  Redfish.Login
683    [Arguments]   ${username}  ${password}
684
685    # Description of argument(s):
686    # username            Login username.
687    # password            Login password.
688
689    # Logout from current Redfish session.
690    # We don't really care if the current session is flushed out since we are going to login
691    # with new credential in next.
692    Run Keyword And Ignore Error  Redfish.Logout
693
694    ${status}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}
695    RETURN  ${status}
696
697
698Redfish Create And Verify User
699    [Documentation]  Redfish create and verify user.
700    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
701
702    # Description of argument(s):
703    # username            The username to be created.
704    # password            The password to be assigned.
705    # role_id             The role ID of the user to be created
706    #                     (e.g. "Administrator", "Operator", etc.).
707    # enabled             Indicates whether the username being created
708    #                     should be enabled (${True}, ${False}).
709
710    # Example:
711    #{
712    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
713    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
714    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
715    #"Description": "User Account",
716    #"Enabled": true,
717    #"Id": "test1",
718    #"Links": {
719    #  "Role": {
720    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
721    #  }
722    #},
723
724    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
725
726    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}
727
728    # Delete Specified User
729    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
730
731Verify Redfish User Login With Wrong Password
732    [Documentation]  Verify Redfish User failed to login with wrong password.
733    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}
734
735    # Description of argument(s):
736    # username            The username to be created.
737    # password            The password to be assigned.
738    # role_id             The role ID of the user to be created
739    #                     (e.g. "Administrator", "Operator", etc.).
740    # enabled             Indicates whether the username being created
741    #                     should be enabled (${True}, ${False}).
742    # wrong_password      Any invalid password.
743
744    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
745
746    Redfish.Logout
747
748    # Attempt to login with created user with invalid password.
749    Run Keyword And Expect Error  InvalidCredentialsError*
750    ...  Redfish.Login  ${username}  ${wrong_password}
751
752    Redfish.Login
753
754    # Delete newly created user.
755    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
756
757
758Verify Login with Deleted Redfish User
759    [Documentation]  Verify Login with Deleted Redfish User.
760    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
761
762    # Description of argument(s):
763    # username            The username to be created.
764    # password            The password to be assigned.
765    # role_id             The role ID of the user to be created
766    #                     (e.g. "Administrator", "Operator", etc.).
767    # enabled             Indicates whether the username being created
768    #                     should be enabled (${True}, ${False}).
769
770    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
771
772    # Delete newly created user.
773    Redfish.Delete  /redfish/v1/AccountService/Accounts/${userName}
774
775    Redfish.Logout
776
777    # Attempt to login with deleted user account.
778    Run Keyword And Expect Error  InvalidCredentialsError*
779    ...  Redfish.Login  ${username}  ${password}
780
781    Redfish.Login
782
783
784Verify Create User Without Enabling
785    [Documentation]  Verify Create User Without Enabling.
786    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
787
788    # Description of argument(s):
789    # username            The username to be created.
790    # password            The password to be assigned.
791    # role_id             The role ID of the user to be created
792    #                     (e.g. "Administrator", "Operator", etc.).
793    # enabled             Indicates whether the username being created
794    #                     should be enabled (${True}, ${False}).
795
796    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}  ${False}
797
798    Redfish.Logout
799
800    # Login with created user.
801    Run Keyword And Expect Error  InvalidCredentialsError*
802    ...  Redfish.Login  ${username}  ${password}
803
804    Redfish.Login
805
806    # Delete newly created user.
807    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
808
809Template For Configure Auth Methods
810    [Documentation]  Template to configure auth methods.
811    [Arguments]  ${auth_method}
812    [Teardown]  Configure AuthMethods  ${auth_method}=${initial_value}
813
814    # Description of Argument(s):
815    # authmethods   The authmethod setting which needs to be
816    #               set in account service URI.
817    # valid values  BasicAuth, XToken.
818
819    Get AuthMethods Default Values  ${auth_method}
820
821    # Patch basicauth to TRUE
822    Configure AuthMethods  ${auth_method}=${TRUE}
823
824    IF  "${auth_method}" == "XToken"
825        Check XToken Works Fine  ${HTTP_OK}
826    ELSE
827        Check BasicAuth Works Fine  ${HTTP_OK}
828    END
829
830    # Patch basicauth to FALSE
831    Configure AuthMethods  ${auth_method}=${FALSE}
832
833    IF  "${auth_method}" == "BasicAuth"
834        Check BasicAuth Works Fine  ${HTTP_UNAUTHORIZED}
835    ELSE
836        Check XToken Works Fine  ${HTTP_UNAUTHORIZED}
837    END
838
839Configure AuthMethods
840    [Documentation]  Enable/disable authmethod types.
841    [Arguments]  &{authmethods}
842
843    # Description of argument(s):
844    # authmethods            The authmethod setting which needs to be
845    #                        set in account service URI.
846    # Usage Example          Configure AuthMethods  XToken=${TRUE}  BasicAuth=${TRUE}
847    #                        This will set the value of "XToken" and "BasicAuth"
848    #                        property in accountservice uri to TRUE.
849
850    ${openbmc}=  Create Dictionary  AuthMethods=${authmethods}
851    ${oem}=  Create Dictionary  OpenBMC=${openbmc}
852    ${payload}=  Create Dictionary  Oem=${oem}
853
854    # Setting authmethod properties using Redfish session based auth
855    ${status}=  Run Keyword And Return Status
856    ...  Redfish.Patch  ${REDFISH_BASE_URI}AccountService
857    ...  body=${payload}  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
858
859    # Setting authmethod properties using basic auth in case the former fails
860    IF  ${status}==${FALSE}
861        # Payload dictionary pre-process to match json formatting
862        ${payload}=  Convert To String  ${payload}
863        ${payload}=  Replace String  ${payload}  '  "
864        ${payload}=  Replace String  ${payload}  False  false
865        ${payload}=  Replace String  ${payload}  True  true
866
867        # Curl Command Framing for PATCH authmethod
868        ${cmd}=  Catenate  curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
869        ...  -X PATCH '${AUTH_URI}${REDFISH_ACCOUNTS_SERVICE_URI}'
870        ...  -H 'content-type:application/json' -H 'If-Match:*'
871        ...  -d '${payload}'
872        ${rc}  ${out}=  Run And Return Rc And Output  ${cmd}
873
874        #  Check the response of curl command is 200 or 204
875        ${check_no_content}=
876        ...  Run Keyword and Return Status  Should Contain  ${out}  204
877        ${check_ok}=
878        ...  Run Keyword and Return Status  Should Contain  ${out}  200
879        Pass Execution If  ${check_no_content}==${TRUE}
880        ...  OR  ${check_ok}==${TRUE}
881    END
882
883
884Get AuthMethods Default Values
885    [Documentation]  Get enabled/disabled status of all authmethods
886    ...  from Redfish account service URI
887    [Arguments]  ${authmethod}
888
889    # Description of argument(s):
890    # authmethod            The authmethod property whose value needs to be
891    #                       retrieved from account service URI.
892    # Usage Example         Get AuthMethods Default Values  BasicAuth
893    #                       returns >> ${TRUE}
894    # Example:
895    # {
896    #     "@odata.id": "/redfish/v1/AccountService",
897    #     (...)
898    #     "Oem": {
899    #         "OpenBMC": {
900    #             "AuthMethods": {
901    #                 "BasicAuth": true,
902    #                 "Cookie": true,
903    #                 "SessionToken": true,
904    #                 "TLS": true,
905    #                 "XToken": true
906    #             }
907    #         }
908    #     }
909    # }
910
911    ${resp}=  Redfish.Get Attribute  ${REDFISH_ACCOUNTS_SERVICE_URI}  Oem
912    ${authmethods}=  Set Variable  ${resp['OpenBMC']['AuthMethods']}
913    ${initial_value}=  Get From Dictionary  ${authmethods}  ${authmethod}
914    Set Test Variable  ${initial_value}
915
916Check XToken Works Fine
917    [Documentation]  Verify Xtoken works fine.
918    [Arguments]  ${status_code}
919
920    # Description of Argument(s):
921    # status_code : 200, 401.
922
923    # Verify xtoken auth works for xtoken
924    Redfish.Get  ${REDFISH_ACCOUNTS_SERVICE_URI}
925    ...  valid_status_codes=[${status_code}]
926
927Check BasicAuth Works Fine
928    [Documentation]  Verify Basic Auth works fine.
929    [Arguments]  ${status_code}
930
931    # Description of Argument(s):
932    # status_code : 200, 401.
933
934    # Verify basic auth works based on basic auth.
935    ${cmd}=  Catenate  curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
936    ...  ${AUTH_URI}/redfish/v1/AccountService
937    ${rc}  ${out}=  Run And Return Rc And Output  ${cmd}
938
939    #  Check the response of curl command is 200/401
940    Should Contain  ${out}  ${status_code}
941
942
943Create User With Unsupported Password Format And Verify
944   [Documentation]  Create admin or readonly user with unsupported password format
945   ...  and verify.
946   [Arguments]   ${username}  ${role_id}  ${password}
947
948   # Description of argument(s):
949   # username            The username to be created.
950   # role_id             The role ID of the user to be created
951   #                     (e.g. "Administrator", "ReadOnly").
952   # password            The password to be assigned.
953   #                     Unsupported password format are sequential characters,
954   #                     sequential digits, palindrome digits, palindrome characters,
955   #                     only uppercase letters, only lowercase letters, only digits,
956   #                     only characters, not a dictionary word, username and password
957   #                     should not be same.
958
959   # Make sure the user account in question does not already exist.
960    Redfish.Delete  /redfish/v1/AccountService/Accounts/${userName}
961    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
962
963   # Create specified user with invalid password format.
964   ${payload}=  Create Dictionary
965   ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${True}
966   Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
967   ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
968
969
970Verify Minimum Password Length For Redfish User
971    [Documentation]  Verify minimum password length for new and existing admin or
972    ...  readonly user.
973    [Arguments]  ${user_name}  ${role_id}
974
975    # Description of argument(s):
976    # user_name           The username to be created.
977    # role_id             The role ID of the user to be created.
978
979    # Make sure the user account in question does not already exist.
980    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}
981    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
982
983    # Try to create a user with invalid length password.
984    ${payload}=  Create Dictionary
985    ...  UserName=${user_name}  Password=UserPwd  RoleId=${role_id}  Enabled=${True}
986    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
987    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
988
989    # Create specified user with valid length password.
990    Set To Dictionary  ${payload}  Password  UserPwd1
991    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
992    ...  valid_status_codes=[${HTTP_CREATED}]
993
994    # Try to change to an invalid password.
995    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd'}
996    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
997
998    # Change to a valid password.
999    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd1'}
1000
1001    # Verify login.
1002    Redfish.Logout
1003    Redfish.Login  ${user_name}  UserPwd1
1004    Redfish.Logout
1005    Redfish.Login
1006    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}
1007