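*** Settings ***
Documentation    Test Redfish user account.
...              Covers account creation, role assignment, lockout, privilege
...              separation, password length policy and SSH access for
...              Redfish-created accounts on the BMC.

Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/bmc_redfish_utils.robot

Library          SSHLibrary

Test Setup       Redfish.Login
Test Teardown    Test Teardown Execution

*** Variables ***

# Lockout policy applied by "Verify User Account Locked": duration in
# seconds, threshold in consecutive failed logins.
${account_lockout_duration}   ${30}
${account_lockout_threshold}  ${3}

*** Test Cases ***

Verify AccountService Available
    [Documentation]  Verify Redfish account service is available.
    [Tags]  Verify_AccountService_Available

    ${resp} =  Redfish_utils.Get Attribute  /redfish/v1/AccountService  ServiceEnabled
    Should Be Equal As Strings  ${resp}  ${True}

Verify Redfish User Persistence After Reboot
    [Documentation]  Verify Redfish user persistence after reboot.
    [Tags]  Verify_Redfish_User_Persistence_After_Reboot

    # Create Redfish users.
    Redfish Create User  admin_user     TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator       ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly       ${True}

    # Reboot BMC.
    Redfish OBMC Reboot (off)  stack_mode=normal

    # Verify users after reboot.
    Redfish Verify User  admin_user     TestPwd123  Administrator  ${True}
    Redfish Verify User  operator_user  TestPwd123  Operator       ${True}
    Redfish Verify User  readonly_user  TestPwd123  ReadOnly       ${True}

    # Delete created users.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user

Redfish Create and Verify Users
    [Documentation]  Create Redfish users with various roles.
    [Tags]  Redfish_Create_and_Verify_Users
    [Template]  Redfish Create And Verify User

    #username      password    role_id        enabled
    admin_user     TestPwd123  Administrator  ${True}
    operator_user  TestPwd123  Operator       ${True}
    readonly_user  TestPwd123  ReadOnly       ${True}

Verify Redfish User with Wrong Password
    [Documentation]  Verify Redfish User with Wrong Password.
    [Tags]  Verify_Redfish_User_with_Wrong_Password
    [Template]  Verify Redfish User with Wrong Password

    #username      password    role_id        enabled  wrong_password
    admin_user     TestPwd123  Administrator  ${True}  alskjhfwurh
    operator_user  TestPwd123  Operator       ${True}  12j8a8uakjhdaosiruf024
    readonly_user  TestPwd123  ReadOnly       ${True}  12

Verify Login with Deleted Redfish Users
    [Documentation]  Verify login with deleted Redfish Users.
    [Tags]  Verify_Login_with_Deleted_Redfish_Users
    [Template]  Verify Login with Deleted Redfish User

    #username      password    role_id        enabled
    admin_user     TestPwd123  Administrator  ${True}
    operator_user  TestPwd123  Operator       ${True}
    readonly_user  TestPwd123  ReadOnly       ${True}

Verify User Creation Without Enabling It
    [Documentation]  Verify User Creation Without Enabling it.
    [Tags]  Verify_User_Creation_Without_Enabling_It
    [Template]  Verify Create User Without Enabling

    #username      password    role_id        enabled
    admin_user     TestPwd123  Administrator  ${False}
    operator_user  TestPwd123  Operator       ${False}
    readonly_user  TestPwd123  ReadOnly       ${False}

Verify User Creation With Invalid Role Id
    [Documentation]  Verify user creation with invalid role ID.
    [Tags]  Verify_User_Creation_With_Invalid_Role_Id

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user; an unknown RoleId must be rejected.
    ${payload}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=wrongroleid  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]  Verify error upon creating same users with different privileges.
    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    Redfish Create User  test_user  TestPwd123  Administrator  ${True}

    # Re-create the same user name with a different role; this must be rejected.
    ${payload}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=Operator  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user

Verify Modifying User Attributes
    [Documentation]  Verify modifying user attributes.
    [Tags]  Verify_Modifying_User_Attributes

    # Create Redfish users.
    Redfish Create User  admin_user     TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator       ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly       ${True}

    # Make sure the new user account does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Update admin_user username using Redfish.
    ${payload}=  Create Dictionary  UserName=newadmin_user
    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body=&{payload}

    # Update operator_user password using Redfish.
    ${payload}=  Create Dictionary  Password=NewTestPwd123
    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body=&{payload}

    # Update readonly_user role using Redfish.
    ${payload}=  Create Dictionary  RoleId=Operator
    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body=&{payload}

    # Verify users after updating.
    Redfish Verify User  newadmin_user  TestPwd123     Administrator  ${True}
    Redfish Verify User  operator_user  NewTestPwd123  Operator       ${True}
    Redfish Verify User  readonly_user  TestPwd123     Operator       ${True}

    # Delete created users.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user

Verify User Account Locked
    [Documentation]  Verify user account locked upon trying with invalid password.
    [Tags]  Verify_User_Account_Locked

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}

    # NOTE: the lockout policy written here is not restored by this test; the
    # AccountService keeps these values after the test ends.
    ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
    ...  AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword  ${account_lockout_threshold} times
    ...  Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  admin_user  abc123

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  admin_user  TestPwd123

    # Wait for lockout duration to expire and then verify that login works.
    Sleep  ${account_lockout_duration}s
    Redfish.Login  admin_user  TestPwd123

    Redfish.Logout

    Redfish.Login

    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user

Verify Admin User Privilege
    [Documentation]  Verify admin user privilege.
    [Tags]  Verify_Admin_User_Privilege

    Redfish Create User  admin_user     TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator       ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly       ${True}

    Redfish.Logout

    # Change role ID of operator user with admin user.
    # Login with admin user.
    Redfish.Login  admin_user  TestPwd123

    # Modify Role ID of Operator user.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body={'RoleId': 'Administrator'}

    # Verify modified user.
    Redfish Verify User  operator_user  TestPwd123  Administrator  ${True}

    Redfish.Logout
    Redfish.Login  admin_user  TestPwd123

    # Change password of the read-only user with admin user.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body={'Password': 'NewTestPwd123'}

    # Verify modified user.
    Redfish Verify User  readonly_user  NewTestPwd123  ReadOnly  ${True}

    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user

Verify Operator User Privilege
    [Documentation]  Verify operator user privilege.
    [Tags]  Verify_operator_User_Privilege

    Redfish Create User  admin_user     TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator       ${True}

    Redfish.Logout
    # Login with operator user.
    Redfish.Login  operator_user  TestPwd123

    # An operator must not be able to reset the BMC.
    Run Keyword And Expect Error  ValueError*  Redfish BMC Reset Operation

    # An operator must not be able to change the admin user's password.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body={'Password': 'NewTestPwd123'}
    ...  valid_status_codes=[${HTTP_FORBIDDEN}]

    Redfish.Logout

    Redfish.Login

    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user


Verify ReadOnly User Privilege
    [Documentation]  Verify ReadOnly user privilege.
    [Tags]  Verify_ReadOnly_User_Privilege

    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
    Redfish.Logout

    # Login with read_only user.
    Redfish.Login  readonly_user  TestPwd123

    # Read system level data.
    ${system_model}=  Redfish_Utils.Get Attribute
    ...  ${SYSTEM_BASE_URI}  Model

    Redfish.Logout
    Redfish.Login
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}readonly_user


Verify Minimum Password Length For Redfish User
    [Documentation]  Verify minimum password length for new and existing user.
    [Tags]  Verify_Minimum_Password_Length_For_Redfish_User

    ${user_name}=  Set Variable  testUser

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Try to create a user with invalid length password (7 characters).
    ${payload}=  Create Dictionary
    ...  UserName=${user_name}  Password=UserPwd  RoleId=Administrator  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Create specified user with valid length password (8 characters).
    Set To Dictionary  ${payload}  Password  UserPwd1
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_CREATED}]

    # Try to change to an invalid password.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd'}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Change to a valid password.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd1'}

    # Verify login.
    Redfish.Logout
    Redfish.Login  ${user_name}  UserPwd1
    Redfish.Logout
    Redfish.Login
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}


Verify Standard User Roles Defined By Redfish
    [Documentation]  Verify standard user roles defined by Redfish.
    [Tags]  Verify_Standard_User_Roles_Defined_By_Redfish

    ${member_list}=  Redfish_Utils.Get Member List
    ...  /redfish/v1/AccountService/Roles

    @{roles}=  Create List
    ...  /redfish/v1/AccountService/Roles/Administrator
    ...  /redfish/v1/AccountService/Roles/Operator
    ...  /redfish/v1/AccountService/Roles/ReadOnly

    List Should Contain Sub List  ${member_list}  ${roles}

    # The standard roles are:

    # | Role name | Assigned privileges |
    # | Administrator | Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf |
    # | Operator | Login, ConfigureComponents, ConfigureSelf |
    # | ReadOnly | Login, ConfigureSelf |

    # NOTE: the checks below are sub-list checks, so they confirm each role has
    # at least the listed privileges; they do not detect extra privileges.
    @{admin}=  Create List  Login  ConfigureManager  ConfigureUsers  ConfigureComponents  ConfigureSelf
    @{operator}=  Create List  Login  ConfigureComponents  ConfigureSelf
    @{readOnly}=  Create List  Login  ConfigureSelf

    ${roles_dict}=  create dictionary  admin_privileges=${admin}  operator_privileges=${operator}
    ...  readOnly_privileges=${readOnly}

    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/Administrator
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${roles_dict['admin_privileges']}

    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/Operator
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${roles_dict['operator_privileges']}

    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/ReadOnly
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${roles_dict['readOnly_privileges']}


Verify Error While Deleting Root User
    [Documentation]  Verify error while deleting root user.
    [Tags]  Verify_Error_While_Deleting_Root_User

    Redfish.Delete  /redfish/v1/AccountService/Accounts/root  valid_status_codes=[${HTTP_FORBIDDEN}]


Verify SSH Login Access With Admin User
    [Documentation]  Verify that admin user does not have SSH login access.
    [Tags]  Verify_SSH_Login_Access_With_Admin_User
    # A test-level teardown replaces the suite "Test Teardown", so the suite
    # teardown keyword is called explicitly after the account is removed.
    # Without this the Administrator account created below stays on the BMC.
    [Teardown]  Run Keywords
    ...  Redfish.Delete  /redfish/v1/AccountService/Accounts/new_admin
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
    ...  AND  Test Teardown Execution

    # Create an admin User.
    Redfish Create User  new_admin  TestPwd1  Administrator  ${True}

    # Attempt SSH login with admin user.
    SSHLibrary.Open Connection  ${OPENBMC_HOST}
    ${status}=  Run Keyword And Return Status  SSHLibrary.Login  new_admin  TestPwd1
    # Close the connection opened above before asserting, so it is released
    # whether or not the check passes.
    SSHLibrary.Close Connection
    Should Be Equal  ${status}  ${False}


*** Keywords ***

Test Teardown Execution
    [Documentation]  Do the post test teardown.

    Run Keyword And Ignore Error  Redfish.Logout
    FFDC On Test Case Fail


Redfish Create User
    [Documentation]  Redfish create user.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${login_check}=${True}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # login_check         Checks user login for created user.
    #                     (e.g. ${True}, ${False}).

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user.
    ${payload}=  Create Dictionary
    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${enabled}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_CREATED}]

    # Resetting faillock count as a workaround for issue
    # openbmc/phosphor-user-manager#4
    # The reset must name the account just created; a literal placeholder here
    # would leave that account's failure counter untouched.
    ${cmd}=  Catenate  /usr/sbin/faillock --user ${username} --reset
    Bmc Execute Command  ${cmd}

    # Verify login with created user; the login result must match ${enabled}.
    ${status}=  Run Keyword If  '${login_check}' == '${True}'
    ...  Verify Redfish User Login  ${username}  ${password}
    Run Keyword If  '${login_check}' == '${True}'  Should Be Equal  ${status}  ${enabled}

    # Validate Role ID of created user.
    ${role_config}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${role_config}


Redfish Verify User
    [Documentation]  Redfish user verification.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be verified.
    # password            The password expected to log the user in.
    # role_id             The role ID the user is expected to have
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             The expected login result for the user
    #                     (${True}, ${False}).

    ${status}=  Verify Redfish User Login  ${username}  ${password}
    # Doing a check of the returned status.
    Should Be Equal  ${status}  ${enabled}

    # Validate Role Id of user.
    ${role_config}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${role_config}


Verify Redfish User Login
    [Documentation]  Verify Redfish login with given user id.
    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout  AND  Redfish.Login
    [Arguments]   ${username}  ${password}

    # Description of argument(s):
    # username            Login username.
    # password            Login password.

    # Logout from current Redfish session.
    # We don't really care if the current session is flushed out since we are going to login
    # with new credential in next.
    Run Keyword And Ignore Error  Redfish.Logout

    # The keyword teardown logs out again and logs back in with the default
    # credentials, so callers continue with the default session.
    ${status}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}
    [Return]  ${status}


Redfish Create And Verify User
    [Documentation]  Redfish create and verify user.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Example (truncated):
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}

    # Delete Specified User
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

Verify Redfish User with Wrong Password
    [Documentation]  Verify Redfish User with Wrong Password.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # wrong_password      Any invalid password.

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish.Logout

    # Attempt to login with created user with invalid password.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${wrong_password}

    Redfish.Login

    # Delete newly created user.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}


Verify Login with Deleted Redfish User
    [Documentation]  Verify Login with Deleted Redfish User.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # Delete newly created user.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

    Redfish.Logout

    # Attempt to login with deleted user account.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    Redfish.Login


Verify Create User Without Enabling
    [Documentation]  Verify Create User Without Enabling.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # login_check is ${False} here: the login attempt is made explicitly below.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}  ${False}

    Redfish.Logout

    # Login with created user; a disabled account must be refused.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    Redfish.Login

    # Delete newly created user.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}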