1*** Settings ***
2Documentation    Test Redfish user account.
3
4Resource         ../../lib/resource.robot
5Resource         ../../lib/bmc_redfish_resource.robot
6Resource         ../../lib/openbmc_ffdc.robot
7
8Test Setup       Test Setup Execution
9Test Teardown    Test Teardown Execution
10
11*** Variables ***
12
# Lockout policy that "Verify User Account Locked" writes to the account service.
# The duration is in seconds: that test sleeps for "${account_lockout_duration}s".
${account_lockout_duration}   ${30}
# Number of failed logins that test makes before it expects the account to be locked.
${account_lockout_threshold}  ${3}
15
16
17** Test Cases **
18
Verify AccountService Available
    [Documentation]  Check that the Redfish account service reports itself as enabled.
    [Tags]  Verify_AccountService_Available

    # ServiceEnabled is read from the account service resource and compared,
    # as a string, with the boolean true value.
    ${service_enabled}=  Redfish_utils.Get Attribute
    ...  /redfish/v1/AccountService  ServiceEnabled
    Should Be Equal As Strings  ${service_enabled}  ${True}
25
Verify Redfish User Persistence After Reboot
    [Documentation]  Create one account per role, reboot the BMC and check that
    ...  every account still logs in with the same password and role.
    [Tags]  Verify_Redfish_User_Persistence_After_Reboot

    # One enabled account for each role under test.
    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
    Redfish Create User  user_user  TestPwd123  User  ${True}
    Redfish Create User  callback_user  TestPwd123  Callback  ${True}

    # Reboot, then open a fresh session before touching the accounts again.
    # NOTE(review): presumably the pre-reboot session does not survive - confirm.
    Redfish OBMC Reboot (off)  stack_mode=normal
    Redfish.Login

    # Login, enabled state and role must be unchanged for every account.
    Redfish Verify User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Verify User  operator_user  TestPwd123  Operator  ${True}
    Redfish Verify User  user_user  TestPwd123  User  ${True}
    Redfish Verify User  callback_user  TestPwd123  Callback  ${True}

    # Clean up. These deletes are skipped when an earlier step fails, so the
    # accounts stay on the BMC in that case.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}admin_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}operator_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}user_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}callback_user
51
Redfish Create and Verify Users
    [Documentation]  Create, verify and delete one Redfish account for each role.
    [Tags]  Redfish_Create_and_Verify_Users
    [Template]  Redfish Create And Verify User

    # Each row below is one call of the template keyword.
    # username  password  role_id  enabled
    admin_user  TestPwd123  Administrator  ${True}
    operator_user  TestPwd123  Operator  ${True}
    user_user  TestPwd123  User  ${True}
    callback_user  TestPwd123  Callback  ${True}
62
Verify Redfish User with Wrong Password
    [Documentation]  Check that each role's account is refused when the wrong
    ...  password is supplied.
    [Tags]  Verify_Redfish_User_with_Wrong_Password
    [Template]  Verify Redfish User with Wrong Password

    # Each row is one call of the template keyword and makes one failed login
    # for that account. The wrong passwords vary in length and character set.
    # username  password  role_id  enabled  wrong_password
    admin_user  TestPwd123  Administrator  ${True}  alskjhfwurh
    operator_user  TestPwd123  Operator  ${True}  12j8a8uakjhdaosiruf024
    user_user  TestPwd123  User  ${True}  12
    callback_user  TestPwd123  Callback  ${True}  !#@D#RF#@!D
73
Verify Login with Deleted Redfish Users
    [Documentation]  Check that an account can log in before it is deleted and
    ...  is refused afterwards, for each role.
    [Tags]  Verify_Login_with_Deleted_Redfish_Users
    [Template]  Verify Login with Deleted Redfish User

    # Each row below is one call of the template keyword.
    # username  password  role_id  enabled
    admin_user  TestPwd123  Administrator  ${True}
    operator_user  TestPwd123  Operator  ${True}
    user_user  TestPwd123  User  ${True}
    callback_user  TestPwd123  Callback  ${True}
84
Verify User Creation Without Enabling It
    [Documentation]  Create an account for each role with Enabled set to false
    ...  and check that it cannot log in.
    [Tags]  Verify_User_Creation_Without_Enabling_It
    [Template]  Verify Create User Without Enabling

    # Each row below is one call of the template keyword.
    # username  password  role_id  enabled
    admin_user  TestPwd123  Administrator  ${False}
    operator_user  TestPwd123  Operator  ${False}
    user_user  TestPwd123  User  ${False}
    callback_user  TestPwd123  Callback  ${False}
95
96
Verify User Creation With Invalid Role Id
    [Documentation]  Check that the account service rejects a new account whose
    ...  RoleId is not a known role.
    [Tags]  Verify_User_Creation_With_Invalid_Role_Id

    # Start clean: the delete either succeeds or finds no such account.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}test_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # The POST must be refused with a bad-request status.
    # NOTE(review): only the status code is checked; nothing here confirms
    # that no test_user account exists afterwards.
    ${bad_role_account}=  Create Dictionary  UserName=test_user  Password=TestPwd123
    ...  RoleId=wrongroleid  Enabled=${True}
    Redfish.Post  ${REDFISH_ACCOUNTS_URI}  body=&{bad_role_account}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
110
Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]  Check that creating an account whose user name already
    ...  exists is rejected, even when a different role is requested.
    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    # First account: test_user as Administrator. Redfish Create User leaves the
    # session logged in as this account because it is enabled.
    Redfish Create User  test_user  TestPwd123  Administrator  ${True}

    # Second POST reuses the user name with the Operator role and must be
    # refused with a bad-request status.
    # NOTE(review): the role of the existing account is not re-read afterwards.
    ${duplicate_account}=  Create Dictionary  UserName=test_user  Password=TestPwd123
    ...  RoleId=Operator  Enabled=${True}
    Redfish.Post  ${REDFISH_ACCOUNTS_URI}  body=&{duplicate_account}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Clean up the account created first.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}test_user
124
Verify Modifying User Attributes
    [Documentation]  Change the user name, password, role and enabled state of
    ...  four accounts (one attribute each) and check the result.
    [Tags]  Verify_Modifying_User_Attributes

    # One enabled account for each role.
    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
    Redfish Create User  user_user  TestPwd123  User  ${True}
    Redfish Create User  callback_user  TestPwd123  Callback  ${True}

    # Replace the session left by the last Redfish Create User call before
    # sending the PATCH requests.
    Redfish.Login

    # The rename target must not exist yet.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}newadmin_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # admin_user: new user name.
    ${rename}=  Create Dictionary  UserName=newadmin_user
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}admin_user  body=&{rename}

    # operator_user: new password.
    ${new_password}=  Create Dictionary  Password=NewTestPwd123
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}operator_user  body=&{new_password}

    # user_user: role raised from User to Operator.
    ${new_role}=  Create Dictionary  RoleId=Operator
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}user_user  body=&{new_role}

    # callback_user: account disabled.
    ${disable}=  Create Dictionary  Enabled=${False}
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}callback_user  body=&{disable}

    # Each account must show exactly the one change made to it. For
    # callback_user the expected login result is a failure.
    Redfish Verify User  newadmin_user  TestPwd123  Administrator  ${True}
    Redfish Verify User  operator_user  NewTestPwd123  Operator  ${True}
    Redfish Verify User  user_user  TestPwd123  Operator  ${True}
    Redfish Verify User  callback_user  TestPwd123  Callback  ${False}

    # Clean up; admin_user now exists under its new name.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}newadmin_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}operator_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}user_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}callback_user
168
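Verify User Account Locked
    [Documentation]  Check that an account is locked after the configured number
    ...  of failed logins and can log in again once the lockout duration is over.
    [Tags]  Verify_User_Account_Locked

    Redfish Create User  admin_user  TestPwd123  Administrator   ${True}

    Redfish.Logout

    Redfish.Login

    # Remember the lockout policy currently configured so that it can be put
    # back at the end; otherwise the values written below stay on the BMC and
    # apply to every later login.
    ${original_threshold}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_SERVICE_URI}  AccountLockoutThreshold
    ${original_duration}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_SERVICE_URI}  AccountLockoutDuration

    # Apply the lockout policy used by this test.
    ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
    ...  AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword  ${account_lockout_threshold} times
    ...  Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  admin_user  abc123

    # The correct password must now be refused as well. The lockout is seen
    # as the same error that a wrong password gives.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  admin_user  TestPwd123

    # Wait for lockout duration to expire and then verify that login works.
    Sleep  ${account_lockout_duration}s
    Redfish.Login  admin_user  TestPwd123

    Redfish.Logout

    Redfish.Login

    # Put the original lockout policy back. This step is reached only when
    # everything above passed.
    # NOTE(review): a failure earlier in the test still leaves the test policy
    # and admin_user in place; moving this cleanup into a teardown would cover that.
    ${restore}=  Create Dictionary  AccountLockoutThreshold=${original_threshold}
    ...  AccountLockoutDuration=${original_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${restore}

    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}admin_user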
200
Verify Admin User Privilege
    [Documentation]  Check that an Administrator account can change another
    ...  account's role and another account's password.
    [Tags]  Verify_Admin_User_Privilege

    # Accounts used by the test: the acting administrator and two targets.
    Redfish Create User  admin_user     TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator       ${True}
    Redfish Create User  user_user      TestPwd123  User           ${True}

    # Everything up to the final cleanup is done as admin_user.
    Redfish.Login  admin_user  TestPwd123

    # Raise operator_user to Administrator and confirm the new role.
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}operator_user  body={'RoleId': 'Administrator'}
    Redfish Verify User  operator_user  TestPwd123  Administrator  ${True}

    # Set a new password for user_user and confirm that it logs in with it.
    # Redfish Verify User ends by logging in without explicit credentials, so
    # this PATCH is sent in that session and not as admin_user.
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}user_user  body={'Password': 'NewTestPwd123'}
    Redfish Verify User  user_user  NewTestPwd123  User  ${True}

    # Clean up from the session opened without explicit credentials.
    Redfish.Login

    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}admin_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}operator_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}user_user
230
Verify Operator User Privilege
    [Documentation]  Check that an Operator account can run a host power
    ...  operation but cannot change an administrator's password.
    [Tags]  Verify_operator_User_Privilege

    Redfish Create User  admin_user     TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator       ${True}

    # Act as operator_user from here on.
    Redfish.Login  operator_user  TestPwd123

    # Allowed action: a host power operation.
    # NOTE(review): the original comment called this "power on"; the keyword
    # name suggests a reboot starting from the off state - confirm. Also
    # confirm that the keyword keeps the operator_user session, since the
    # next step relies on it.
    Redfish OBMC Reboot (off)  stack_mode=normal

    # Denied action: changing the password of admin_user.
    # NOTE(review): the test accepts only HTTP_UNAUTHORIZED. Redfish services
    # usually answer an authenticated request that lacks privilege with
    # 403 Forbidden - confirm which status this BMC returns.
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}admin_user  body={'Password': 'NewTestPwd123'}
    ...  valid_status_codes=[${HTTP_UNAUTHORIZED}]

    # Clean up from the session opened without explicit credentials.
    Redfish.Login

    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}admin_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}operator_user
252
253
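Verify 'User' User Privilege
    [Documentation]  Check that an account with the User role can read system
    ...  level data.
    [Tags]  Verify_User_User_Privilege

    Redfish Create User  user_user  TestPwd123  User  ${True}

    # Log in explicitly as the account under test, as the admin and operator
    # privilege tests do, instead of relying on the session that
    # Redfish Create User happens to leave open.
    Redfish.Login  user_user  TestPwd123

    # Read system level data. The value is not compared with anything; the
    # step only has to complete.
    # NOTE(review): whether a refused read fails the test depends on how
    # Get Attribute handles an error response - confirm. No denied action is
    # exercised for this role.
    ${system_model}=  Redfish_Utils.Get Attribute
    ...  ${SYSTEM_BASE_URI}  Model

    # Clean up from the session opened without explicit credentials.
    Redfish.Login

    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}user_user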
267
268
269*** Keywords ***
270
Test Setup Execution
    [Documentation]  Per-test setup: open a Redfish session.

    # Redfish.Login is called without explicit credentials.
    Redfish.Login
275
276
Test Teardown Execution
    [Documentation]  Per-test teardown: collect failure data, then close the
    ...  Redfish session.

    # Failure data is gathered first, while the session is still open.
    FFDC On Test Case Fail
    Redfish.Logout
282
Redfish Create User
    [Documentation]  Create a Redfish account, check whether it can log in and
    ...  check its role.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The user name of the account to create.
    # password            The password to assign to the account.
    # role_id             The role ID of the account
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Whether the account is created enabled
    #                     (${True}, ${False}).
    #
    # Session on return: the new account when it is enabled, otherwise the
    # session opened by Redfish.Login without explicit credentials.

    Redfish.Login

    # Remove any account left over under the same name; "not found" is fine.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create the account and require a "created" status.
    ${new_account}=  Create Dictionary  UserName=${username}  Password=${password}
    ...  RoleId=${role_id}  Enabled=${enabled}
    Redfish.Post  ${REDFISH_ACCOUNTS_URI}  body=&{new_account}
    ...  valid_status_codes=[${HTTP_CREATED}]

    Redfish.Logout

    # A disabled account must be refused; an enabled one must log in.
    Run Keyword If  ${enabled} == ${False}  Run Keyword And Expect Error
    ...  InvalidCredentialsError*  Redfish.Login  ${username}  ${password}
    ...  ELSE  Redfish.Login  ${username}  ${password}

    # After the refused login a session is still needed for the role check.
    Run Keyword If  ${enabled} == ${False}  Redfish.Login

    # The role stored for the account must be the one requested.
    ${stored_role}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_URI}${username}  RoleId
    Should Be Equal  ${role_id}  ${stored_role}
323
324
Redfish Verify User
    [Documentation]  Check that an existing account logs in (or is refused) as
    ...  expected and has the expected role.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The user name of the account to verify.
    # password            The password the account is expected to have.
    # role_id             The role ID the account is expected to have
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Whether login is expected to succeed
    #                     (${True}, ${False}).
    #
    # Session on return: the one opened by Redfish.Login without explicit
    # credentials.

    # The login outcome must match the expected enabled state.
    ${login_ok}=  Run Keyword And Return Status
    ...  Redfish.Login  ${username}  ${password}
    Should Be Equal  ${login_ok}  ${enabled}

    # The role is read from a separate session, because the account under
    # test may be disabled.
    Redfish.Login

    ${stored_role}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_URI}${username}  RoleId
    Should Be Equal  ${role_id}  ${stored_role}
350
351
Redfish Create And Verify User
    [Documentation]  Create a Redfish account, verify it and delete it again.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The user name of the account to create.
    # password            The password to assign to the account.
    # role_id             The role ID of the account
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Whether the account is created enabled
    #                     (${True}, ${False}).

    # Example of an account resource (excerpt):
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}

    # Remove the account again. Redfish Verify User leaves a session opened
    # without explicit credentials, which is the one used here.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}
384
Verify Redfish User with Wrong Password
    [Documentation]  Create an account and check that a login with a wrong
    ...  password is refused.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}

    # Description of argument(s):
    # username            The user name of the account to create.
    # password            The password to assign to the account.
    # role_id             The role ID of the account
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Whether the account is created enabled
    #                     (${True}, ${False}).
    # wrong_password      Any password other than the one assigned.

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # The wrong password must produce an invalid-credentials error.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${wrong_password}

    # Open a session again for the cleanup.
    Redfish.Login

    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}
408
409
Verify Login with Deleted Redfish User
    [Documentation]  Create an account, confirm it can log in, delete it and
    ...  check that its credentials are refused afterwards.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The user name of the account to create.
    # password            The password to assign to the account.
    # role_id             The role ID of the account
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Whether the account is created enabled
    #                     (${True}, ${False}).

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # Before deletion the login must succeed.
    ${login_ok}=  Run Keyword And Return Status
    ...  Redfish.Login  ${username}  ${password}
    Should Be Equal  ${login_ok}  ${True}

    # Delete the account from a session opened without explicit credentials.
    Redfish.Login
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}

    # The deleted account's credentials must no longer be accepted.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    # Leave a valid session open for whatever runs next.
    Redfish.Login
438
Verify Create User Without Enabling
    [Documentation]  Create an account that is not enabled and check that it
    ...  cannot log in.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The user name of the account to create.
    # password            The password to assign to the account.
    # role_id             The role ID of the account
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Whether the account is created enabled. The login
    #                     below is always expected to fail, so callers pass
    #                     ${False}.

    Redfish.Login

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish.Logout

    # With no session open, the disabled account must be refused.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    # Open a session again for the cleanup.
    Redfish.Login

    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}
465