*** Settings ***
Documentation    Test suite for verifying Redfish admin, readonly operation user accounts.

# Project resource files. The Redfish.* and Redfish_Utils.* keywords, the HTTP_* status
# constants and the REDFISH_* / OPENBMC_HOST variables used below are not defined in this
# file, so they presumably come from these imports.
Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/bmc_redfish_utils.robot

# SSHLibrary backs the SSH login checks for locked, unlocked and deleted accounts.
Library          SSHLibrary

# Every test starts with a default Redfish.Login. A test that declares its own [Teardown]
# replaces Test Teardown Execution, so it has to chain that keyword itself if it still
# wants the logout and failure-data collection.
Test Setup       Redfish.Login
Test Teardown    Test Teardown Execution

Test Tags        User_Account

*** Variables ***

# Lockout policy written to the AccountService by the lockout tests. The duration is used
# as a number of seconds (the lockout test sleeps for this value plus 5 with an "s" suffix).
${account_lockout_duration}   ${30}
${account_lockout_threshold}  ${3}
# Not referenced by any test or keyword visible in this part of the file.
${ssh_status}                 ${True}

*** Test Cases ***

Verify AccountService Available
    [Documentation]  Verify Redfish account service is available.
    [Tags]  Verify_AccountService_Available

    # ServiceEnabled must read back as true; the comparison is done on the string form.
    ${resp} =  Redfish_utils.Get Attribute  /redfish/v1/AccountService  ServiceEnabled
    Should Be Equal As Strings  ${resp}  ${True}


Verify Redfish Admin And ReadOnly Users Persistence After Reboot
    [Documentation]  Verify Redfish admin and readonly user persistence after reboot.
    [Tags]  Verify_Redfish_Admin_And_ReadOnly_Users_Persistence_After_Reboot
    # Both accounts are created in [Setup] and deleted in [Teardown], so the known-password
    # test accounts are removed even if a verification step below fails.
    [Setup]  Run Keywords  Redfish.Login  AND
    ...  Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    ...  AND  Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
    ...  AND  Test Teardown Execution

    # Reboot BMC.
    Redfish OBMC Reboot (off)  stack_mode=normal

    # Verify users after reboot: each account must still log in with its original
    # password and report its original RoleId.
    Redfish Verify User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Verify User  readonly_user  TestPwd123  ReadOnly        ${True}


Verify Redfish Operator User Persistence After Reboot
    [Documentation]  Verify Redfish operator user persistence after reboot.
    [Tags]  Verify_Redfish_Operator_User_Persistence_After_Reboot
    # The account is created in [Setup] and deleted in [Teardown], so it is removed
    # even when the verification after the reboot fails.
    [Setup]  Run Keywords  Redfish.Login  AND
    ...  Redfish Create User  operator_user  TestPwd123  Operator  ${True}
    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    ...  AND  Test Teardown Execution

    # Reboot BMC.
    Redfish OBMC Reboot (off)  stack_mode=normal

    # Verify users after reboot: the account must still log in with its original
    # password and report the Operator RoleId.
     Redfish Verify User  operator_user  TestPwd123  Operator        ${True}


Redfish Create and Verify Admin User
    [Documentation]  Create a Redfish user with administrator role and verify.
    [Tags]  Redfish_Create_and_Verify_Admin_User
    # The data row is passed to the template keyword, which creates the account,
    # verifies login and RoleId, and then deletes the account.
    [Template]  Redfish Create And Verify User

    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${True}


Redfish Create and Verify Operator User
    [Documentation]  Create a Redfish user with operator role and verify.
    [Tags]  Redfish_Create_and_Verify_Operator_User
    # The data row is passed to the template keyword, which creates the account,
    # verifies login and RoleId, and then deletes the account.
    [Template]  Redfish Create And Verify User

    #username      password    role_id         enabled
    operator_user  TestPwd123  Operator        ${True}


Redfish Create and Verify Readonly User
    [Documentation]  Create a Redfish user with readonly role and verify.
    [Tags]  Redfish_Create_and_Verify_Readonly_User
    # The data row is passed to the template keyword, which creates the account,
    # verifies login and RoleId, and then deletes the account.
    [Template]  Redfish Create And Verify User

    #username      password    role_id         enabled
    readonly_user  TestPwd123  ReadOnly        ${True}


Verify Redfish Admin User Login With Wrong Password
    [Documentation]  Verify Redfish create admin user with valid password and make sure
    ...  admin user failed to login with wrong password.
    [Tags]  Verify_Redfish_Admin_User_Login_With_Wrong_Password
    # The row supplies the account to create plus the password that must be rejected.
    # The template keyword's body is not shown in this part of the file.
    [Template]  Verify Redfish User Login With Wrong Password

    #username      password    role_id         enabled  wrong_password
    admin_user     TestPwd123  Administrator   ${True}  alskjhfwurh


Verify Redfish Operator User Login With Wrong Password
    [Documentation]  Verify Redfish create operator user with valid password and make sure
    ...  operator user failed to login with wrong password.
    [Tags]  Verify_Redfish_Operator_User_Login_With_Wrong_Password
    # The row supplies the account to create plus the password that must be rejected.
    # The template keyword's body is not shown in this part of the file.
    [Template]  Verify Redfish User Login With Wrong Password

    #username      password    role_id         enabled  wrong_password
    operator_user  TestPwd123  Operator        ${True}  12j8a8uakjhdaosiruf024


Verify Redfish Readonly User Login With Wrong Password
    [Documentation]  Verify Redfish create readonly user with valid password and make sure
    ...  readonly user failed to login with wrong password.
    [Tags]  Verify_Redfish_Readonly_User_Login_With_Wrong_Password
    # The row supplies the account to create plus the password that must be rejected;
    # this variant uses a very short wrong password.
    # The template keyword's body is not shown in this part of the file.
    [Template]  Verify Redfish User Login With Wrong Password

    #username      password    role_id         enabled  wrong_password
    readonly_user  TestPwd123  ReadOnly        ${True}  12


Verify Login with Deleted Redfish Admin User
    [Documentation]  Verify login with deleted Redfish admin user.
    [Tags]  Verify_Login_with_Deleted_Redfish_Admin_User
    # The template keyword is defined outside this part of the file; going by its name it
    # is expected to create the account, delete it and confirm the credentials stop working.
    [Template]  Verify Login with Deleted Redfish User

    #username     password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${True}


Verify Login with Deleted Redfish Operator User
    [Documentation]  Verify login with deleted Redfish operator user.
    [Tags]  Verify_Login_with_Deleted_Redfish_Operator_User
    # The template keyword is defined outside this part of the file; going by its name it
    # is expected to create the account, delete it and confirm the credentials stop working.
    [Template]  Verify Login with Deleted Redfish User

    #username     password    role_id         enabled
    operator_user  TestPwd123  Operator        ${True}


Verify Login with Deleted Redfish Readonly User
    [Documentation]  Verify login with deleted Redfish readonly user.
    [Tags]  Verify_Login_with_Deleted_Redfish_Readonly_User
    # The template keyword is defined outside this part of the file; going by its name it
    # is expected to create the account, delete it and confirm the credentials stop working.
    [Template]  Verify Login with Deleted Redfish User

    #username     password    role_id         enabled
    readonly_user  TestPwd123  ReadOnly        ${True}


Verify Admin User Creation Without Enabling It
    [Documentation]  Verify admin user creation without enabling it.
    [Tags]  Verify_Admin_User_Creation_Without_Enabling_It
    # The row requests an account with Enabled=${False}. The template keyword is defined
    # outside this part of the file; presumably it confirms such an account cannot log in.
    [Template]  Verify Create User Without Enabling

    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${False}


Verify Operator User Creation Without Enabling It
    [Documentation]  Verify operator user creation without enabling it.
    [Tags]  Verify_Operator_User_Creation_Without_Enabling_It
    # The row requests an account with Enabled=${False}. The template keyword is defined
    # outside this part of the file; presumably it confirms such an account cannot log in.
    [Template]  Verify Create User Without Enabling

    #username      password    role_id         enabled
    operator_user  TestPwd123  Operator        ${False}


Verify Readonly User Creation Without Enabling It
    [Documentation]  Verify readonly user creation without enabling it.
    [Tags]  Verify_Readonly_User_Creation_Without_Enabling_It
    # The row requests an account with Enabled=${False}. The template keyword is defined
    # outside this part of the file; presumably it confirms such an account cannot log in.
    [Template]  Verify Create User Without Enabling

    #username      password    role_id         enabled
    readonly_user  TestPwd123  ReadOnly        ${False}


Verify User Creation With Invalid Role Id
    [Documentation]  Verify user creation with invalid role ID.
    [Tags]  Verify_User_Creation_With_Invalid_Role_Id

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user; a RoleId the service does not know must be refused with
    # HTTP_BAD_REQUEST.
    # NOTE(review): if the service wrongly accepts the request, this step fails and nothing
    # deletes test_user afterwards -- consider a [Teardown] that removes the account.
    ${payload}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=wrongroleid  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]  Verify error upon creating same users with different privileges.
    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    # First creation as Administrator must succeed.
    Redfish Create User  test_user  TestPwd123  Administrator  ${True}

    # Create specified user again under a different role; the duplicate user name must be
    # refused with HTTP_BAD_REQUEST.
    # NOTE(review): the RoleId of test_user is not re-read afterwards, so a service that
    # returned an error but still changed the role would go unnoticed.
    ${payload}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=ReadOnly  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # NOTE(review): cleanup runs only when the steps above pass; on failure the
    # Administrator test account stays on the BMC.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user


Verify Modifying User Attributes
    [Documentation]  Verify modifying user attributes.
    [Tags]  Verify_Modifying_User_Attributes

    # Create Redfish users.
    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly        ${True}

    # Make sure the new user account does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Update admin_user username using Redfish.
    ${payload}=  Create Dictionary  UserName=newadmin_user
    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body=&{payload}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Update readonly_user role using Redfish.
    ${payload}=  Create Dictionary  RoleId=Administrator
    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body=&{payload}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Verify users after updating: the renamed account keeps its password and role, and
    # readonly_user now reports the Administrator role.
    # NOTE(review): nothing checks that the old name admin_user can no longer log in.
    Redfish Verify User  newadmin_user  TestPwd123     Administrator   ${True}
    Redfish Verify User  readonly_user  TestPwd123     Administrator   ${True}

    # Delete created users.
    # NOTE(review): these deletes are skipped when an earlier step fails, which can leave
    # Administrator-role accounts with a known password behind; a [Teardown] would not.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user


Verify Modifying Operator User Attributes
    [Documentation]  Verify modifying operator user attributes.
    [Tags]  Verify_Modifying_Operator_User_Attributes
    # The account is created in [Setup] and deleted in [Teardown], so it is removed even
    # when the password change or its verification fails.
    [Setup]  Run Keywords  Redfish.Login  AND
    ...  Redfish Create User  operator_user  TestPwd123  Operator  ${True}
    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    ...  AND  Test Teardown Execution

    # Update operator_user password using Redfish.
    ${payload}=  Create Dictionary  Password=NewTestPwd123
    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body=&{payload}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Verify users after updating: login must work with the new password.
    # NOTE(review): the old password TestPwd123 is never tried again, so this test does
    # not show that the previous credential was invalidated.
    Redfish Verify User  operator_user  NewTestPwd123  Operator        ${True}


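Verify User Account Locked
    [Documentation]  Verify user account locked upon trying with invalid password.
    [Tags]  Verify_User_Account_Locked
    # Cleanup lives in the teardown so the Administrator test account is removed even when
    # a step fails part-way through. A per-test [Teardown] replaces the suite-level one, so
    # Test Teardown Execution is chained explicitly to keep the failure-data collection.
    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout
    ...  AND  Redfish.Login
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    ...       valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
    ...  AND  Test Teardown Execution

    Redfish Create User  admin_user  TestPwd123  Administrator   ${True}

    # Apply the lockout policy under test.
    # NOTE(review): the previous threshold and duration are not saved or restored, so the
    # BMC keeps this policy after the test.
    ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
    ...  AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword  ${account_lockout_threshold} times
    ...  Run Keyword And Expect Error  *InvalidCredentialsError*  Redfish.Login  admin_user  abcd1234

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error  *InvalidCredentialsError*
    ...  Redfish.Login  admin_user  TestPwd123

    # Wait for the lockout duration plus a 5 second margin, then verify that the correct
    # password is accepted again.
    ${total_wait_duration}=  Evaluate  ${account_lockout_duration} + 5
    Sleep  ${total_wait_duration}s

    Redfish.Login  admin_user  TestPwd123

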
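Verify User Account Unlock
    [Documentation]  Verify manually unlocking the account before lockout time
    [Tags]  Verify_User_Account_Unlock
    # A per-test [Teardown] replaces the suite-level one, so Test Teardown Execution is
    # chained at the end to keep failure-data collection, as the other tests with their own
    # teardown do. The logout is tolerant because a failing step can leave no open session.
    [Teardown]  Run Keywords  SSHLibrary.Close All Connections
    ...  AND  Run Keyword And Ignore Error  Redfish.Logout
    ...  AND  Redfish.Login
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
    ...  AND  Test Teardown Execution

    Redfish Create User  test_user  TestPwd123  Administrator  ${True}

    # Apply the lockout policy under test.
    # NOTE(review): the previous threshold and duration are not saved or restored.
    ${payload}=  Create Dictionary
    ...  AccountLockoutThreshold=${account_lockout_threshold}
    ...  AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword  ${account_lockout_threshold} times
    ...  Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  test_user  abc123

    # Ensure SSH login with the locked account fails even with the correct password,
    # i.e. the lock triggered over Redfish also applies to SSH.
    SSHLibrary.Open Connection  ${OPENBMC_HOST}
    Run Keyword And Expect Error  Authentication failed*
    ...  SSHLibrary.Login  test_user  TestPwd123

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  test_user  TestPwd123

    ${payload}=  Create Dictionary  Locked=${FALSE}

    # Manually unlock the account before the lockout duration expires.
    # NOTE(review): the steps from the last failed attempt to the logins below must finish
    # within ${account_lockout_duration} seconds; otherwise the lock lapses on its own and
    # the logins pass without proving that the manual unlock worked.
    Redfish.Login
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}test_user  body=${payload}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]
    Redfish.Logout

    # Try redfish login with the recently unlocked account
    Redfish.Login  test_user  TestPwd123

    # Try SSH login with the unlocked account
    SSHLibrary.Open Connection  ${OPENBMC_HOST}
    SSHLibrary.Login  test_user  TestPwd123

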
Verify Admin User Privilege
    [Documentation]  Verify admin user privilege.
    [Tags]  Verify_Admin_User_Privilege

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}

    Redfish.Logout

    # From here on the requests run in admin_user's session, not the default one.
    Redfish.Login  admin_user  TestPwd123

    # Change password of 'readonly' user with admin user.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body={'Password': 'NewTestPwd123'}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Verify modified user.
    Redfish Verify User  readonly_user  NewTestPwd123  ReadOnly  ${True}

    # Note: Delete user would work here because a root login is
    # performed as part of "Redfish Verify User" keyword's teardown
    # (the teardown of "Verify Redfish User Login", which it calls).
    # NOTE(review): these deletes are skipped when an earlier step fails; a [Teardown]
    # would remove the accounts in that case too.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user


Verify Operator User Role Change Using Admin Privilege User
    [Documentation]  Verify operator user role change using admin privilege user
    [Tags]  Verify_Operator_User_Role_Change_Using_Admin_Privilege_User

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}

    Redfish.Logout

    # Change role ID of operator user with admin user.
    # Login with admin user.
    Redfish.Login  admin_user  TestPwd123

    # Modify Role ID of Operator user.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body={'RoleId': 'Administrator'}
    ...  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]

    # Verify modified user.
    Redfish Verify User  operator_user  TestPwd123  Administrator  ${True}

    # The deletes run in the default session restored by the login keyword's teardown.
    # NOTE(review): they are skipped when an earlier step fails, which can leave two
    # Administrator-role accounts with a known password on the BMC.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user


Verify Operator User Privilege
    [Documentation]  Verify operator user privilege.
    [Tags]  Verify_Operator_User_Privilege

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}

    Redfish.Logout
    # Login with operator user.
    Redfish.Login  operator_user  TestPwd123

    # Verify that the BMC reset attempt made in the operator session fails.
    # NOTE(review): ValueError* is a broad match; confirm the error raised here really
    # reflects a refused request and not an unrelated failure inside the keyword.
    Run Keyword And Expect Error  ValueError*  Redfish BMC Reset Operation

    # Attempt to change password of admin user with operator user; the request must be
    # refused with HTTP_FORBIDDEN.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body={'Password': 'NewTestPwd123'}
    ...  valid_status_codes=[${HTTP_FORBIDDEN}]

    Redfish.Logout

    # Back to the default session for cleanup.
    Redfish.Login

    # NOTE(review): these deletes are skipped when an earlier step fails; a [Teardown]
    # would remove the accounts in that case too.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user


Verify ReadOnly User Privilege
    [Documentation]  Verify ReadOnly user privilege.
    [Tags]  Verify_ReadOnly_User_Privilege

    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
    Redfish.Logout

    # Login with read_only user.
    Redfish.Login  readonly_user  TestPwd123

    # Read system level data. The value is not inspected; the step only has to succeed.
    # NOTE(review): only the positive case (a read is allowed) is covered. No step checks
    # that a modifying request from this session is refused, so an over-privileged
    # ReadOnly role would not be detected by this test.
    ${system_model}=  Redfish_Utils.Get Attribute
    ...  ${SYSTEM_BASE_URI}  Model

    # Back to the default session for cleanup.
    Redfish.Logout
    Redfish.Login
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}readonly_user


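Verify Minimum Password Length For Redfish Admin And Readonly User
    [Documentation]  Verify minimum password length for new and existing admin or
    ...  readonly user.
    # Tag added so this test can be selected by name like every other test in the suite.
    [Tags]  Verify_Minimum_Password_Length_For_Redfish_Admin_And_Readonly_User
    # Each row is passed to the template keyword, whose body is defined outside this part
    # of the file.
    [Template]  Verify Minimum Password Length For Redfish User

    #username        role_id
    admin_user       Administrator
    readonly_user    ReadOnly

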
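Verify Standard User Roles Defined By Redfish
    [Documentation]  Verify standard user roles defined by Redfish.
    [Tags]  Verify_Standard_User_Roles_Defined_By_Redfish

    # The three standard roles must be present in the Roles collection.
    ${member_list}=  Redfish_Utils.Get Member List
    ...  /redfish/v1/AccountService/Roles

    @{roles}=  Create List
    ...  /redfish/v1/AccountService/Roles/Administrator
    ...  /redfish/v1/AccountService/Roles/Operator
    ...  /redfish/v1/AccountService/Roles/ReadOnly

    List Should Contain Sub List  ${member_list}  ${roles}

    # The standard roles are:

    # | Role name | Assigned privileges |
    # | Administrator | Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf |
    # | Operator | Login, ConfigureComponents, ConfigureSelf |
    # | ReadOnly | Login, ConfigureSelf |

    @{admin}=  Create List  Login  ConfigureManager  ConfigureUsers  ConfigureComponents  ConfigureSelf
    @{operator}=  Create List  Login  ConfigureComponents  ConfigureSelf
    @{readOnly}=  Create List  Login  ConfigureSelf

    # Privileges from the table above that the lower roles must NOT hold. The sub-list
    # checks only prove the expected privileges are present; without these negative
    # checks a role that was granted extra privileges would still pass.
    @{operator_denied}=  Create List  ConfigureManager  ConfigureUsers
    @{readOnly_denied}=  Create List  ConfigureManager  ConfigureUsers  ConfigureComponents

    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/Administrator
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${admin}

    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/Operator
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${operator}
    FOR  ${privilege}  IN  @{operator_denied}
        List Should Not Contain Value  ${resp.dict['AssignedPrivileges']}  ${privilege}
    END

    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/ReadOnly
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${readOnly}
    FOR  ${privilege}  IN  @{readOnly_denied}
        List Should Not Contain Value  ${resp.dict['AssignedPrivileges']}  ${privilege}
    END

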
Verify Error While Deleting Root User
    [Documentation]  Verify error while deleting root user.
    [Tags]  Verify_Error_While_Deleting_Root_User

    # The delete of the root account must be refused with HTTP_FORBIDDEN.
    # NOTE(review): this sends a real DELETE; if the service wrongly honours it, the root
    # account is gone from the BMC under test, so run it only against a disposable target.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/root  valid_status_codes=[${HTTP_FORBIDDEN}]


Verify SSH Login Access With Admin User
    [Documentation]  Verify that admin user have SSH login access.
    ...              By default, admin should have access but there could be
    ...              case where admin user shell access is restricted by design
    ...              in the community sphere..
    [Tags]  Verify_SSH_Login_Access_With_Admin_User

    #Create an admin user and verify SSH login.
    # The keyword is defined outside this part of the file; the delete below implies it
    # creates an account named new_admin.
    Create Admin User And Verify SSH Login

    # NOTE(review): cleanup is skipped when the keyword above fails, leaving new_admin
    # on the BMC; a [Teardown] would remove it in that case too.
    Redfish.Login
    Redfish.Delete  /redfish/v1/AccountService/Accounts/new_admin

Verify SSH Login Is Revoked For Deleted User
    [Documentation]  Verify SSH login access is revoked for deleted User.
    [Tags]    Verify_SSH_Login_Is_Revoked_For_Deleted_User

    #Create an admin user and verify SSH login.
    Create Admin User And Verify SSH Login

    #Login with root user.
    Redfish.Login

    # Delete the admin user.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/new_admin
    ...  valid_status_codes=[${HTTP_OK}]

    # Attempt SSH login with Deleted user.
    # NOTE(review): this negative check only proves revocation if TestPwd1 is the password
    # that "Create Admin User And Verify SSH Login" (defined outside this part of the file)
    # gave new_admin; with any other password the login would fail for a live account too.
    # The test does not close the SSH connection it opens here.
    SSHLibrary.Open Connection  ${OPENBMC_HOST}
    Run Keyword And Expect Error  Authentication failed*
    ...  SSHLibrary.Login  new_admin  TestPwd1

Verify Configure BasicAuth Enable And Disable
    [Documentation]  Verify configure basicauth enable and disable
    [Tags]  Verify_Configure_BasicAuth_Enable_And_Disable
    # The name and documentation mention BasicAuth only, but the rows below run the
    # template for XToken as well. The template keyword is defined outside this part of
    # the file.
    [Template]  Template For Configure Auth Methods

    # auth_method
    BasicAuth
    XToken


Redfish Create and Verify Admin User With Invalid Password Format
    [Documentation]  Create a admin user with invalid password format and verify.
    [Template]  Create User With Unsupported Password Format And Verify
    [Tags]  Redfish_Create_and_Verify_Admin_User_With_Invalid_Password_Format

    # Each row is a password the service is expected to refuse for a new account: single
    # character classes (lowercase, uppercase, digits, punctuation), simple sequences and
    # plain words. The template keyword is defined outside this part of the file.
    # NOTE(review): confirm the template removes the account if a weak password is
    # unexpectedly accepted, otherwise an Administrator with that password remains.
    #username       role_id        password
    admin_user      Administrator  snellens
    admin_user      Administrator  10000001
    admin_user      Administrator  12345678
    admin_user      Administrator  abcdefgh
    admin_user      Administrator  abf12345
    admin_user      Administrator  helloworld
    admin_user      Administrator  HELLOWORLD
    admin_user      Administrator  &$%**!*@
    admin_user      Administrator  Dictation


Redfish Create and Verify Readonly User With Invalid Password Format
    [Documentation]  Create a readonly user with invalid password format and verify.
    [Template]  Create User With Unsupported Password Format And Verify
    [Tags]  Redfish_Create_and_Verify_Readonly_User_With_Invalid_Password_Format

    # Same password list as the admin variant, applied to a ReadOnly account. The template
    # keyword is defined outside this part of the file.
    #username       role_id        password
    readonly_user   ReadOnly       snellens
    readonly_user   ReadOnly       10000001
    readonly_user   ReadOnly       12345678
    readonly_user   ReadOnly       abcdefgh
    readonly_user   ReadOnly       abf12345
    readonly_user   ReadOnly       helloworld
    readonly_user   ReadOnly       HELLOWORLD
    readonly_user   ReadOnly       &$%**!*@
    readonly_user   ReadOnly       Dictation


Verify Admin And Readonly User Password Is Not Same As Username
    [Documentation]  Verify that admin and readonly user creation is failed if
    ...  password is same as username.
    [Template]  Create User With Unsupported Password Format And Verify
    [Tags]      Verify_Admin_And_Readonly_User_Password_Is_Not_Same_As_Username

    # In each row the password is identical to the user name, including letter case.
    # NOTE(review): near-matches (different case, user name plus a suffix) are not covered.
    #username        role_id             password
    AdminUser1       Administrator       AdminUser1
    ReadOnlyUser1    ReadOnly            ReadOnlyUser1

Verify AccountService Unsupported Methods
    [Documentation]  Verify Unsupported methods of AccountService
    [Tags]  Verify_AccountService_Unsupported_Methods

    # All three requests are sent in the default session opened by the suite's Test Setup
    # and must be answered with HTTP_METHOD_NOT_ALLOWED.

    # Put operation on Account Services
    Redfish.Put  /redfish/v1/AccountService
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Post operation on Account Services
    Redfish.Post  /redfish/v1/AccountService
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Delete operation on Account Services
    Redfish.Delete  /redfish/v1/AccountService
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

Verify AccountService Roles Unsupported Methods
    [Documentation]  Verify Unsupported methods of AccountService/Roles
    [Tags]  Verify_AccountService_Roles_Unsupported_Methods

    # The Roles collection must refuse every modifying verb with HTTP_METHOD_NOT_ALLOWED,
    # i.e. roles cannot be added, replaced, changed or removed through it.

    # Put operation on Account Services Roles
    Redfish.Put  /redfish/v1/AccountService/Roles
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Post operation on Account Services Roles
    Redfish.Post  /redfish/v1/AccountService/Roles
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Delete operation on Account Services Roles
    Redfish.Delete  /redfish/v1/AccountService/Roles
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Patch operation on Account Services Roles
    Redfish.Patch  /redfish/v1/AccountService/Roles
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

Verify AccountService Roles Instance With Unsupported Methods
    [Documentation]  Verify Instance Roles for AccountService and Unsupported Methods
    [Tags]    Verify_AccountService_Roles_Instance_With_Unsupported_Methods

    # Each standard role instance must be readable.

    # GET Administrator Role Instance
    Redfish.Get    /redfish/v1/AccountService/Roles/Administrator
    ...    valid_status_codes=[${HTTP_OK}]

    # GET Operator Role Instance
    Redfish.Get    /redfish/v1/AccountService/Roles/Operator
    ...    valid_status_codes=[${HTTP_OK}]

    # GET ReadOnly RoleInstance
    Redfish.Get    /redfish/v1/AccountService/Roles/ReadOnly
    ...    valid_status_codes=[${HTTP_OK}]

    # Modifying verbs must be refused with HTTP_METHOD_NOT_ALLOWED.
    # NOTE(review): only the Administrator instance is exercised; the Operator and ReadOnly
    # instances are not checked for modifiability.

    # Post operation on Account Service Roles Instance
    Redfish.Post    /redfish/v1/AccountService/Roles/Administrator
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Put operation on Account Service Roles Instance
    Redfish.Put    /redfish/v1/AccountService/Roles/Administrator
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Patch operation on Account Service Roles Instance
    Redfish.Patch    /redfish/v1/AccountService/Roles/Administrator
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    #Delete operation on Account Service Roles Instance
    Redfish.Delete    /redfish/v1/AccountService/Roles/Administrator
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

Verify Account Lockout With Invalid Configuration
    [Documentation]  Verify Account Lockout configuration with invalid values.
    [Tags]  Verify_Account_Lockout_With_Invalid_Configuration

    # Create List stores these items as strings, so "-1" and "3.5" go into the payload as
    # text rather than as numbers.
    # NOTE(review): the numeric forms ${-1} and ${3.5} are therefore not exercised; confirm
    # whether a negative or fractional JSON number is also rejected.
    @{invalid_values_list}=  Create List  -1  abc  3.5  ${EMPTY}

    # For every invalid value, four PATCH requests must each be refused with
    # HTTP_BAD_REQUEST: the value as threshold alone, as duration alone, and each of the
    # two combined with a valid counterpart.
    # NOTE(review): the stored policy is not re-read afterwards, so a service that
    # returns an error but applies the valid half of a mixed request would go unnoticed.
    FOR  ${invalid_value}  IN  @{invalid_values_list}
        ${payload}=  Create Dictionary  AccountLockoutThreshold=${invalid_value}
        Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
        ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

        ${payload}=  Create Dictionary  AccountLockoutDuration=${invalid_value}
        Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
        ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

        ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
        ...  AccountLockoutDuration=${invalid_value}
        Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
        ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

        ${payload}=  Create Dictionary  AccountLockoutThreshold=${invalid_value}
        ...  AccountLockoutDuration=${account_lockout_duration}
        Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
        ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
    END

*** Keywords ***

Test Teardown Execution
    [Documentation]  Do the post test teardown.

    # A test may already have closed its session, so a failing logout is ignored.
    Run Keyword And Ignore Error  Redfish.Logout
    # Failure-data collection; the keyword is not defined in this file.
    FFDC On Test Case Fail


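Redfish Create User
    [Documentation]  Redfish create user.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${login_check}=${True}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # login_check         Checks user login for created user.
    #                     (e.g. ${True}, ${False}).

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user.
    ${payload}=  Create Dictionary
    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${enabled}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_CREATED}]

    # Resetting faillock count as a workaround for issue
    # openbmc/phosphor-user-manager#4
    # The user name is placed into the command line as-is, so callers should pass only
    # names without whitespace or shell metacharacters.
    ${cmd}=  Catenate  /usr/sbin/faillock --user ${username} --reset

    Bmc Execute Command  ${cmd}

    # Verify login with created user.
    # "Verify Redfish User Login" reports the login outcome through its return value and
    # passes whether or not the login was accepted. Wrapping it in Run Keyword And Return
    # Status, as before, always yielded ${True}, so a rejected login for an enabled account
    # went unnoticed. The returned value is used directly, as "Redfish Verify User" does.
    IF  '${login_check}' == '${True}'
        ${status}=  Verify Redfish User Login  ${username}  ${password}
        Should Be Equal  ${status}  ${enabled}
    END

    # Validate Role ID of created user.
    ${role_config}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${role_config}

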
Redfish Verify User
    [Documentation]  Redfish user verification.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be verified.
    # password            The password the user is expected to log in with.
    # role_id             The role ID the user is expected to have
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             The expected login outcome: ${True} if the login
    #                     should succeed, ${False} if it should be refused.

    # The login keyword returns the outcome instead of failing, and its teardown leaves
    # the default Redfish session active for the steps that follow.
    ${status}=  Verify Redfish User Login  ${username}  ${password}
    # Doing a check of the returned status.
    Should Be Equal  ${status}  ${enabled}

    # Validate Role Id of user.
    ${role_config}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${role_config}


Verify Redfish User Login
    [Documentation]  Verify Redfish login with given user id.
    # Whatever the outcome, the teardown drops the session and logs in again with the
    # default Redfish.Login, so callers continue in the suite's usual session.
    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout  AND  Redfish.Login
    [Arguments]   ${username}  ${password}

    # Description of argument(s):
    # username            Login username.
    # password            Login password.
    #
    # Returns ${True} if the login succeeded and ${False} otherwise. The keyword does not
    # fail on a rejected login, so callers must assert on the returned value.

    # Logout from current Redfish session.
    # We don't really care if the current session is flushed out since we are going to login
    # with new credential in next.
    Run Keyword And Ignore Error  Redfish.Logout

    ${status}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}
    RETURN  ${status}


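Redfish Create And Verify User
    [Documentation]  Redfish create and verify user.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
    # The account is removed in the teardown so that it is also deleted when
    # creation or verification fails; otherwise a failed run would leave a
    # test account with a known password on the BMC.
    [Teardown]  Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Example of the account resource (excerpt):
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},
    #(...)
    #}

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}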
791
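Verify Redfish User Login With Wrong Password
    [Documentation]  Verify Redfish User failed to login with wrong password.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}
    # Session restore and account removal run in the teardown. If the wrong
    # password is unexpectedly accepted, the keyword fails but the run still
    # returns to the default login and the test account is still deleted.
    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout
    ...  AND  Redfish.Login
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # wrong_password      Any invalid password.

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish.Logout

    # A login with the invalid password must be rejected.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${wrong_password}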
817
818
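Verify Login with Deleted Redfish User
    [Documentation]  Verify Login with Deleted Redfish User.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
    # The default session is restored in the teardown, so it is also restored
    # when the deleted account is unexpectedly still able to log in.
    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # Delete newly created user.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

    Redfish.Logout

    # The credentials of the deleted account must no longer be accepted.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}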
843
844
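Verify Create User Without Enabling
    [Documentation]  Verify Create User Without Enabling.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
    # Session restore and account removal run in the teardown. If the account
    # that should not be able to log in does log in, the keyword fails but the
    # run still returns to the default login and the account is still deleted.
    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout
    ...  AND  Redfish.Login
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # NOTE(review): the trailing ${False} is presumably the login_check
    # argument of Redfish Create User, skipping its post-create login check;
    # confirm against that keyword.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}  ${False}

    Redfish.Logout

    # A login with the created user must be rejected.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}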
869
Template For Configure Auth Methods
    [Documentation]  Template to configure auth methods.
    [Arguments]  ${auth_method}
    [Teardown]  Configure AuthMethods  ${auth_method}=${initial_value}

    # Description of argument(s):
    # auth_method   Name of the auth method property to toggle in the
    #               account service URI. Valid values: BasicAuth, XToken.
    #
    # The teardown writes back ${initial_value}, the test variable that
    # Get AuthMethods Default Values records before anything is changed.

    Get AuthMethods Default Values  ${auth_method}

    # Enable the method; requests that use it must be accepted.
    Configure AuthMethods  ${auth_method}=${TRUE}

    IF  "${auth_method}" != "XToken"
        Check BasicAuth Works Fine  ${HTTP_OK}
    ELSE
        Check XToken Works Fine  ${HTTP_OK}
    END

    # Disable the method; requests that use it must now be rejected with 401.
    Configure AuthMethods  ${auth_method}=${FALSE}

    IF  "${auth_method}" != "BasicAuth"
        Check XToken Works Fine  ${HTTP_UNAUTHORIZED}
    ELSE
        Check BasicAuth Works Fine  ${HTTP_UNAUTHORIZED}
    END
899
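Configure AuthMethods
    [Documentation]  Enable/disable authmethod types.
    [Arguments]  &{authmethods}

    # Description of argument(s):
    # authmethods            The authmethod setting which needs to be
    #                        set in account service URI.
    # Usage Example          Configure AuthMethods  XToken=${TRUE}  BasicAuth=${TRUE}
    #                        This will set the value of "XToken" and "BasicAuth"
    #                        property in accountservice uri to TRUE.

    ${openbmc}=  Create Dictionary  AuthMethods=${authmethods}
    ${oem}=  Create Dictionary  OpenBMC=${openbmc}
    ${payload}=  Create Dictionary  Oem=${oem}

    # First attempt: PATCH through the Redfish session.
    ${status}=  Run Keyword And Return Status
    ...  Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=${payload}  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]

    # Fallback: PATCH with basic auth when the session based request failed.
    IF  ${status}==${FALSE}
        # Turn the string form of the dictionary into JSON text.
        ${payload}=  Convert To String  ${payload}
        ${payload}=  Replace String  ${payload}  '  "
        ${payload}=  Replace String  ${payload}  False  false
        ${payload}=  Replace String  ${payload}  True  true

        # NOTE(review): -u puts the BMC credentials on the curl command line,
        # where they show up in the process list and in the Robot log, and -k
        # turns off TLS certificate verification. Keep this to lab systems.
        ${cmd}=  Catenate  curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
        ...  -X PATCH '${AUTH_URI}${REDFISH_ACCOUNTS_SERVICE_URI}'
        ...  -H 'content-type:application/json' -H 'If-Match:*'
        ...  -d '${payload}'
        ${rc}  ${out}=  Run And Return Rc And Output  ${cmd}

        # Require 200 or 204 on the HTTP status line. The earlier form,
        # "Pass Execution If  <cond>  OR  <cond>", evaluated only the first
        # condition ("OR" was taken as the message), ended the whole test as
        # passed on 204 before any verification ran, and let every other
        # response through without failing. A plain substring search could
        # also match "200"/"204" in a header or body.
        Should Match Regexp  ${out}  HTTP/[0-9.]+ (200|204)
        ...  msg=Basic auth PATCH of AuthMethods did not return 200 or 204.
    END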
943
944
Get AuthMethods Default Values
    [Documentation]  Get enabled/disabled status of all authmethods
    ...  from Redfish account service URI
    [Arguments]  ${authmethod}

    # Description of argument(s):
    # authmethod            The authmethod property whose value needs to be
    #                       retrieved from account service URI.
    # Usage Example         Get AuthMethods Default Values  BasicAuth
    #                       stores the current value (e.g. ${TRUE}) in the
    #                       test variable ${initial_value}; nothing is returned.
    # Example of the resource that is read:
    # {
    #     "@odata.id": "/redfish/v1/AccountService",
    #     (...)
    #     "Oem": {
    #         "OpenBMC": {
    #             "AuthMethods": {
    #                 "BasicAuth": true,
    #                 "Cookie": true,
    #                 "SessionToken": true,
    #                 "TLS": true,
    #                 "XToken": true
    #             }
    #         }
    #     }
    # }

    ${oem_section}=  Redfish.Get Attribute  ${REDFISH_ACCOUNTS_SERVICE_URI}  Oem
    ${method_states}=  Set Variable  ${oem_section['OpenBMC']['AuthMethods']}

    # Published as a test variable so the calling template's teardown can
    # write the original setting back.
    ${initial_value}=  Get From Dictionary  ${method_states}  ${authmethod}
    Set Test Variable  ${initial_value}
976
Check XToken Works Fine
    [Documentation]  Verify Xtoken works fine.
    [Arguments]  ${status_code}

    # Description of argument(s):
    # status_code         HTTP status the request must return (200 or 401).

    # The request goes through the Redfish library session (presumably
    # authenticated with the session token; confirm against the library).
    Redfish.Get  ${REDFISH_ACCOUNTS_SERVICE_URI}  valid_status_codes=[${status_code}]
987
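Check BasicAuth Works Fine
    [Documentation]  Verify Basic Auth works fine.
    [Arguments]  ${status_code}

    # Description of argument(s):
    # status_code         HTTP status the request must return (200 or 401).

    # NOTE(review): -u puts the BMC credentials on the curl command line,
    # where they show up in the process list and in the Robot log, and -k
    # turns off TLS certificate verification. Keep this to lab systems.
    ${cmd}=  Catenate  curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
    ...  ${AUTH_URI}/redfish/v1/AccountService
    ${rc}  ${out}=  Run And Return Rc And Output  ${cmd}

    # Match the code on the HTTP status line only. A substring search over
    # the whole output could find "200" or "401" in a header or in the body
    # and report a disabled auth method as rejected (or accepted) wrongly.
    Should Match Regexp  ${out}  HTTP/[0-9.]+ ${status_code}
    ...  msg=Basic auth request did not return HTTP ${status_code}.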
1002
1003
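Create User With Unsupported Password Format And Verify
    [Documentation]  Create admin or readonly user with unsupported password format
    ...  and verify.
    [Arguments]   ${username}  ${role_id}  ${password}
    # If the BMC wrongly accepts the weak password, the POST check below
    # fails and the account would stay behind with that password. The
    # teardown removes it; 404 is accepted for the normal case where no
    # account was created.
    [Teardown]  Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Description of argument(s):
    # username            The username to be created.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "ReadOnly").
    # password            The password to be assigned.
    #                     Unsupported password format are sequential characters,
    #                     sequential digits, palindrome digits, palindrome characters,
    #                     only uppercase letters, only lowercase letters, only digits,
    #                     only characters, not a dictionary word, username and password
    #                     should not be same.

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Creating the user with the invalid password format must be refused.
    ${payload}=  Create Dictionary
    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]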
1029
1030
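Verify Minimum Password Length For Redfish User
    [Documentation]  Verify minimum password length for new and existing admin or
    ...  readonly user.
    [Arguments]  ${user_name}  ${role_id}
    # Session restore and account removal run in the teardown, so a failing
    # step (for example a too-short password being accepted) does not leave
    # the test account on the BMC. 404 is accepted for the case where the
    # account was never created.
    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout
    ...  AND  Redfish.Login
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Description of argument(s):
    # user_name           The username to be created.
    # role_id             The role ID of the user to be created.

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Creating a user with a 7-character password must be refused.
    ${payload}=  Create Dictionary
    ...  UserName=${user_name}  Password=UserPwd  RoleId=${role_id}  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Creating the user with an 8-character password must succeed.
    Set To Dictionary  ${payload}  Password  UserPwd1
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_CREATED}]

    # Changing the existing user to the short password must be refused.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd'}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Change to a valid password.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd1'}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Verify login with the valid password.
    Redfish.Logout
    Redfish.Login  ${user_name}  UserPwd1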
1069
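Create Admin User And Verify SSH Login
    [Documentation]  Create admin user and verify SSH login & logout.

    # Create an admin User.
    Redfish Create User  new_admin  TestPwd1  Administrator  ${True}

    # Attempt SSH login with admin user.
    SSHLibrary.Open Connection  ${OPENBMC_HOST}

    # The connection is closed in FINALLY so that it is also released when
    # the status comparison fails.
    TRY
        ${ssh_login_ok}=  Run Keyword And Return Status  SSHLibrary.Login  new_admin  TestPwd1

        # By default ssh_status is True, user can change the status via CLI
        # -v ssh_status:False
        Should Be Equal As Strings  "${ssh_login_ok}"  "${ssh_status}"
    FINALLY
        # Close SSH connection for admin user.
        SSHLibrary.Close Connection
    END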
1086