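*** Settings ***
Documentation    Test Redfish user account.

Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot

Test Setup       Test Setup Execution
Test Teardown    Test Teardown Execution

*** Variables ***

# Lockout policy written to the AccountService by "Verify User Account Locked".
# That test sleeps ${account_lockout_duration} seconds before retrying the login.
${account_lockout_duration}   ${30}
${account_lockout_threshold}  ${3}

*** Test Cases ***

Verify AccountService Available
    [Documentation]  Verify Redfish account service is available.
    [Tags]  Verify_AccountService_Available

    ${resp} =  Redfish_utils.Get Attribute  /redfish/v1/AccountService  ServiceEnabled
    Should Be Equal As Strings  ${resp}  ${True}

Verify Redfish User Persistence After Reboot
    [Documentation]  Verify Redfish user persistence after reboot.
    [Tags]  Verify_Redfish_User_Persistence_After_Reboot

    # Create Redfish users.
    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly        ${True}

    # Reboot BMC, then open a fresh session as the default user.
    Redfish OBMC Reboot (off)  stack_mode=normal
    Redfish.Login

    # Verify users after reboot.
    Redfish Verify User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Verify User  operator_user  TestPwd123  Operator        ${True}
    Redfish Verify User  readonly_user  TestPwd123  ReadOnly        ${True}

    # Delete created users.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user

Redfish Create and Verify Users
    [Documentation]  Create Redfish users with various roles.
    [Tags]  Redfish_Create_and_Verify_Users
    [Template]  Redfish Create And Verify User

    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${True}
    operator_user  TestPwd123  Operator        ${True}
    readonly_user  TestPwd123  ReadOnly        ${True}

Verify Redfish User with Wrong Password
    [Documentation]  Verify Redfish User with Wrong Password.
    [Tags]  Verify_Redfish_User_with_Wrong_Password
    [Template]  Verify Redfish User with Wrong Password

    #username      password    role_id         enabled  wrong_password
    admin_user     TestPwd123  Administrator   ${True}  alskjhfwurh
    operator_user  TestPwd123  Operator        ${True}  12j8a8uakjhdaosiruf024
    readonly_user  TestPwd123  ReadOnly        ${True}  12

Verify Login with Deleted Redfish Users
    [Documentation]  Verify login with deleted Redfish Users.
    [Tags]  Verify_Login_with_Deleted_Redfish_Users
    [Template]  Verify Login with Deleted Redfish User

    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${True}
    operator_user  TestPwd123  Operator        ${True}
    readonly_user  TestPwd123  ReadOnly        ${True}

Verify User Creation Without Enabling It
    [Documentation]  Verify User Creation Without Enabling it.
    [Tags]  Verify_User_Creation_Without_Enabling_It
    [Template]  Verify Create User Without Enabling

    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${False}
    operator_user  TestPwd123  Operator        ${False}
    readonly_user  TestPwd123  ReadOnly        ${False}

Verify User Creation With Invalid Role Id
    [Documentation]  Verify user creation with invalid role ID.
    [Tags]  Verify_User_Creation_With_Invalid_Role_Id

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Try to create the user with a role ID that does not exist; the request
    # must be rejected.
    ${payload}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=wrongroleid  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]  Verify error upon creating same users with different privileges.
    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    Redfish Create User  test_user  TestPwd123  Administrator  ${True}

    # Try to create the same user name again with a different role; the
    # request must be rejected.
    ${payload}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=Operator  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user

Verify Modifying User Attributes
    [Documentation]  Verify modifying user attributes.
    [Tags]  Verify_Modifying_User_Attributes

    # Create Redfish users.
    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly        ${True}

    # Redfish Create User leaves the session logged in as the user it just
    # created, so switch back to the default user before modifying accounts.
    Redfish.Login

    # Make sure the new user account does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Update admin_user username using Redfish.
    ${payload}=  Create Dictionary  UserName=newadmin_user
    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body=&{payload}

    # Update operator_user password using Redfish.
    ${payload}=  Create Dictionary  Password=NewTestPwd123
    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body=&{payload}

    # Update readonly_user role using Redfish.
    ${payload}=  Create Dictionary  RoleId=Operator
    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body=&{payload}

    # Verify users after updating.
    Redfish Verify User  newadmin_user  TestPwd123     Administrator   ${True}
    Redfish Verify User  operator_user  NewTestPwd123  Operator        ${True}
    Redfish Verify User  readonly_user  TestPwd123     Operator        ${True}

    # Delete created users.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user

Verify User Account Locked
    [Documentation]  Verify user account locked upon trying with invalid password.
    [Tags]  Verify_User_Account_Locked

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}

    Redfish.Logout

    Redfish.Login

    # NOTE(review): the AccountLockoutThreshold / AccountLockoutDuration values
    # written here are not restored at the end of the test, so the BMC keeps
    # this lockout policy for whatever runs next - confirm that is intended.
    ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
    ...  AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword  ${account_lockout_threshold} times
    ...  Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  admin_user  abc123

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  admin_user  TestPwd123

    # Wait for lockout duration to expire and then verify that login works.
    Sleep  ${account_lockout_duration}s
    Redfish.Login  admin_user  TestPwd123

    Redfish.Logout

    Redfish.Login

    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user

Verify Admin User Privilege
    [Documentation]  Verify admin user privilege.
    [Tags]  Verify_Admin_User_Privilege

    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly        ${True}

    # Change role ID of operator user with admin user.
    # Login with admin user.
    Redfish.Login  admin_user  TestPwd123

    # Modify Role ID of Operator user.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body={'RoleId': 'Administrator'}

    # Verify modified user.
    # Redfish Verify User finishes with Redfish.Login, so from here on the
    # session belongs to the default user rather than admin_user.
    Redfish Verify User  operator_user  TestPwd123  Administrator  ${True}

    # Change password of readonly_user.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body={'Password': 'NewTestPwd123'}

    # Verify modified user.
    Redfish Verify User  readonly_user  NewTestPwd123  ReadOnly  ${True}

    Redfish.Login

    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user

Verify Operator User Privilege
    [Documentation]  Verify operator user privilege.
    [Tags]  Verify_operator_User_Privilege

    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}

    # Login with operator user.
    Redfish.Login  operator_user  TestPwd123

    # Verify BMC reset.
    Redfish OBMC Reboot (off)  stack_mode=normal

    # NOTE(review): nothing logs back in as operator_user after the reboot,
    # whereas "Verify Redfish User Persistence After Reboot" calls
    # Redfish.Login after the same reboot keyword. If the operator session
    # does not survive the reboot, the 401 expected below would be caused by a
    # missing session and not by the Operator role being refused - confirm,
    # and consider re-authenticating as operator_user before the PATCH. A
    # request refused for insufficient privilege is normally reported as 403.

    # Attempt to change password of admin user with operator user.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body={'Password': 'NewTestPwd123'}
    ...  valid_status_codes=[${HTTP_UNAUTHORIZED}]

    Redfish.Login

    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user


Verify ReadOnly User Privilege
    [Documentation]  Verify ReadOnly user privilege.
    [Tags]  Verify_ReadOnly_User_Privilege

    # Redfish Create User leaves the session logged in as readonly_user.
    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}

    # Read system level data.
    # NOTE(review): only a read is exercised and the value is not checked; no
    # write is attempted, so this test does not show that a ReadOnly account
    # is refused modifications.
    ${system_model}=  Redfish_Utils.Get Attribute
    ...  ${SYSTEM_BASE_URI}  Model

    Redfish.Login

    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}readonly_user


Verify Minimum Password Length For Redfish User
    [Documentation]  Verify minimum password length for new and existing user.
    [Tags]  Verify_Minimum_Password_Length_For_Redfish_User

    ${user_name}=  Set Variable  testUser

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Try to create a user with invalid length password.
    ${payload}=  Create Dictionary
    ...  UserName=${user_name}  Password=UserPwd  RoleId=Administrator  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Create specified user with valid length password.
    Set To Dictionary  ${payload}  Password  UserPwd1
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_CREATED}]

    # Try to change to an invalid password.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd'}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Change to a valid password.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd1'}

    # Verify login.
    Redfish.Logout
    Redfish.Login  ${user_name}  UserPwd1
    Redfish.Logout
    Redfish.Login
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}


*** Keywords ***

Test Setup Execution
    [Documentation]  Do test case setup tasks.

    Redfish.Login


Test Teardown Execution
    [Documentation]  Do the post test teardown: collect FFDC on failure, remove
    ...  any account this suite may have left behind, and log out.

    FFDC On Test Case Fail
    Run Keyword And Ignore Error  Redfish.Logout

    # The test cases delete their accounts only as their final steps, so a
    # test that fails part-way would otherwise leave Administrator/Operator
    # accounts with the fixed passwords from this file on the BMC. Remove
    # every user name the suite uses; each step is best effort so that one
    # failure does not stop the remaining cleanup.
    Run Keyword And Ignore Error  Redfish.Login
    Run Keyword And Ignore Error  Delete Test Account If Present  admin_user
    Run Keyword And Ignore Error  Delete Test Account If Present  newadmin_user
    Run Keyword And Ignore Error  Delete Test Account If Present  operator_user
    Run Keyword And Ignore Error  Delete Test Account If Present  readonly_user
    Run Keyword And Ignore Error  Delete Test Account If Present  test_user
    Run Keyword And Ignore Error  Delete Test Account If Present  testUser
    Run Keyword And Ignore Error  Redfish.Logout


Delete Test Account If Present
    [Documentation]  Delete the given account, accepting that it may not exist.
    [Arguments]  ${username}

    # Description of argument(s):
    # username            The user name of the account to be deleted.

    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]


Redfish Create User
    [Documentation]  Create a Redfish user, check that it can (or cannot) log
    ...  in according to 'enabled', and check its role ID.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    #
    # On return the Redfish session is logged in as the new user when
    # 'enabled' is ${True}, and as the default user otherwise.

    Redfish.Login

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user.
    ${payload}=  Create Dictionary
    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${enabled}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_CREATED}]

    # Resetting pam tally count as a workaround for issue
    # openbmc/phosphor-user-manager#4
    ${cmd}=  Catenate  /usr/sbin/pam_tally2 -u ${username} --reset
    Bmc Execute Command  ${cmd}

    Redfish.Logout

    # Login with created user: a disabled account must be refused.
    Run Keyword If  ${enabled} == ${False}
    ...    Run Keyword And Expect Error  InvalidCredentialsError*
    ...    Redfish.Login  ${username}  ${password}
    ...  ELSE
    ...    Redfish.Login  ${username}  ${password}

    # A disabled user has no session, so fall back to the default user for
    # the role check below.
    Run Keyword If  ${enabled} == ${False}
    ...  Redfish.Login

    # Validate Role ID of created user.
    ${role_config}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${role_config}


Redfish Verify User
    [Documentation]  Redfish user verification.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be verified.
    # password            The password the user is expected to have.
    # role_id             The role ID the user is expected to have
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the user is expected to be
    #                     enabled (${True}, ${False}).

    # Trying to do a login with created user.
    ${status}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}

    # The login must succeed exactly when the user is expected to be enabled.
    Should Be Equal  ${status}  ${enabled}

    # Continue as the default user (the verified user could be disabled).
    Redfish.Login

    # Validate Role Id of user.
    ${role_config}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${role_config}


Redfish Create And Verify User
    [Documentation]  Redfish create and verify user.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Example:
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}

    # Delete Specified User
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

Verify Redfish User with Wrong Password
    [Documentation]  Verify Redfish User with Wrong Password.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # wrong_password      Any invalid password.

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # Attempt to login with created user with invalid password.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${wrong_password}

    Redfish.Login

    # Delete newly created user.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}


Verify Login with Deleted Redfish User
    [Documentation]  Verify Login with Deleted Redfish User.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
    ${status}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}

    # Doing a check of the returned status.
    Should Be Equal  ${status}  ${True}

    Redfish.Login

    # Delete newly created user.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

    # Attempt to login with deleted user account.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    Redfish.Login

Verify Create User Without Enabling
    [Documentation]  Verify Create User Without Enabling.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    Redfish.Login

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish.Logout

    # Login with created user: the account is not enabled, so this must fail.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    Redfish.Login

    # Delete newly created user.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}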