1*** Settings ***
2Documentation    Test Redfish user account.
3
4Resource         ../../lib/resource.robot
5Resource         ../../lib/bmc_redfish_resource.robot
6Resource         ../../lib/openbmc_ffdc.robot
7Resource         ../../lib/bmc_redfish_utils.robot
8
9Library          SSHLibrary
10
11Test Setup       Redfish.Login
12Test Teardown    Test Teardown Execution
13
14*** Variables ***
15
16${account_lockout_duration}   ${30}
17${account_lockout_threshold}  ${3}
18
19${ssh_status}                 ${True}
20
21** Test Cases **
22
23Verify AccountService Available
24    [Documentation]  Verify Redfish account service is available.
25    [Tags]  Verify_AccountService_Available
26
27    ${resp} =  Redfish_utils.Get Attribute  /redfish/v1/AccountService  ServiceEnabled
28    Should Be Equal As Strings  ${resp}  ${True}
29
30
31Verify Redfish Admin User Persistence After Reboot
32    [Documentation]  Verify Redfish admin user persistence after reboot.
33    [Tags]  Verify_Redfish_Admin_User_Persistence_After_Reboot
34    [Setup]  Run Keywords  Redfish.Login  AND
35    ...  Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
36    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
37    ...  AND  Test Teardown Execution
38
39    # Reboot BMC.
40    Redfish OBMC Reboot (off)  stack_mode=normal
41
42    # Verify users after reboot.
43    Redfish Verify User  admin_user     TestPwd123  Administrator   ${True}
44
45
46Verify Redfish Operator User Persistence After Reboot
47    [Documentation]  Verify Redfish operator user persistence after reboot.
48    [Tags]  Verify_Redfish_Operator_User_Persistence_After_Reboot
49    [Setup]  Run Keywords  Redfish.Login  AND
50    ...  Redfish Create User  operator_user  TestPwd123  Operator  ${True}
51    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
52    ...  AND  Test Teardown Execution
53
54    # Reboot BMC.
55    Redfish OBMC Reboot (off)  stack_mode=normal
56
57    # Verify users after reboot.
58    Redfish Verify User  operator_user  TestPwd123  Operator        ${True}
59
60
61Verify Redfish Readonly User Persistence After Reboot
62    [Documentation]  Verify Redfish readonly user persistence after reboot.
63    [Tags]  Verify_Redfish_Readonly_User_Persistence_After_Reboot
64    [Setup]  Run Keywords  Redfish.Login  AND
65    ...  Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
66    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
67    ...  AND  Test Teardown Execution
68
69    # Reboot BMC.
70    Redfish OBMC Reboot (off)  stack_mode=normal
71
72    # Verify users after reboot.
73    Redfish Verify User  readonly_user  TestPwd123  ReadOnly        ${True}
74
75
76Redfish Create and Verify Admin User
77    [Documentation]  Create a Redfish user with administrator role and verify.
78    [Tags]  Redfish_Create_and_Verify_Admin_User
79    [Template]  Redfish Create And Verify User
80
81    #username      password    role_id         enabled
82    admin_user     TestPwd123  Administrator   ${True}
83
84
85Redfish Create and Verify Operator User
86    [Documentation]  Create a Redfish user with operator role and verify.
87    [Tags]  Redfish_Create_and_Verify_Operator_User
88    [Template]  Redfish Create And Verify User
89
90    #username      password    role_id         enabled
91    operator_user  TestPwd123  Operator        ${True}
92
93
94Redfish Create and Verify Readonly User
95    [Documentation]  Create a Redfish user with readonly role and verify.
96    [Tags]  Redfish_Create_and_Verify_Readonly_User
97    [Template]  Redfish Create And Verify User
98
99    #username      password    role_id         enabled
100    readonly_user  TestPwd123  ReadOnly        ${True}
101
102
103Verify Redfish Admin User With Wrong Password
104    [Documentation]  Verify Redfish admin user with wrong password.
105    [Tags]  Verify_Redfish_Admin_User_With_Wrong_Password
106    [Template]  Verify Redfish User with Wrong Password
107
108    #username      password    role_id         enabled  wrong_password
109    admin_user     TestPwd123  Administrator   ${True}  alskjhfwurh
110
111
112Verify Redfish Operator User with Wrong Password
113    [Documentation]  Verify Redfish operator user with wrong password.
114    [Tags]  Verify_Redfish_Operator_User_with_Wrong_Password
115    [Template]  Verify Redfish User with Wrong Password
116
117    #username      password    role_id         enabled  wrong_password
118    operator_user  TestPwd123  Operator        ${True}  12j8a8uakjhdaosiruf024
119
120
121Verify Redfish Readonly User With Wrong Password
122    [Documentation]  Verify Redfish readonly user with wrong password.
123    [Tags]  Verify_Redfish_Readonly_User_With_Wrong_Password
124    [Template]  Verify Redfish User with Wrong Password
125
126    #username      password    role_id         enabled  wrong_password
127    readonly_user  TestPwd123  ReadOnly        ${True}  12
128
129
130Verify Login with Deleted Redfish Admin User
131    [Documentation]  Verify login with deleted Redfish admin user.
132    [Tags]  Verify_Login_with_Deleted_Redfish_Admin_User
133    [Template]  Verify Login with Deleted Redfish User
134
135    #username     password    role_id         enabled
136    admin_user     TestPwd123  Administrator   ${True}
137
138
139Verify Login with Deleted Redfish Operator User
140    [Documentation]  Verify login with deleted Redfish operator user.
141    [Tags]  Verify_Login_with_Deleted_Redfish_Operator_User
142    [Template]  Verify Login with Deleted Redfish User
143
144    #username     password    role_id         enabled
145    operator_user  TestPwd123  Operator        ${True}
146
147
148Verify Login with Deleted Redfish Readonly User
149    [Documentation]  Verify login with deleted Redfish readonly user.
150    [Tags]  Verify_Login_with_Deleted_Redfish_Readonly_User
151    [Template]  Verify Login with Deleted Redfish User
152
153    #username     password    role_id         enabled
154    readonly_user  TestPwd123  ReadOnly        ${True}
155
156
157Verify Admin User Creation Without Enabling It
158    [Documentation]  Verify admin user creation without enabling it.
159    [Tags]  Verify_Admin_User_Creation_Without_Enabling_It
160    [Template]  Verify Create User Without Enabling
161
162    #username      password    role_id         enabled
163    admin_user     TestPwd123  Administrator   ${False}
164
165
166Verify Operator User Creation Without Enabling It
167    [Documentation]  Verify operator user creation without enabling it.
168    [Tags]  Verify_Operator_User_Creation_Without_Enabling_It
169    [Template]  Verify Create User Without Enabling
170
171    #username      password    role_id         enabled
172    operator_user  TestPwd123  Operator        ${False}
173
174
175Verify Readonly User Creation Without Enabling It
176    [Documentation]  Verify readonly user creation without enabling it.
177    [Tags]  Verify_Readonly_User_Creation_Without_Enabling_It
178    [Template]  Verify Create User Without Enabling
179
180    #username      password    role_id         enabled
181    readonly_user  TestPwd123  ReadOnly        ${False}
182
183
184Verify User Creation With Invalid Role Id
185    [Documentation]  Verify user creation with invalid role ID.
186    [Tags]  Verify_User_Creation_With_Invalid_Role_Id
187
188    # Make sure the user account in question does not already exist.
189    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
190    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
191
192    # Create specified user.
193    ${payload}=  Create Dictionary
194    ...  UserName=test_user  Password=TestPwd123  RoleId=wrongroleid  Enabled=${True}
195    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
196    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
197
198Verify Error Upon Creating Same Users With Different Privileges
199    [Documentation]  Verify error upon creating same users with different privileges.
200    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges
201
202    Redfish Create User  test_user  TestPwd123  Administrator  ${True}
203
204    # Create specified user.
205    ${payload}=  Create Dictionary
206    ...  UserName=test_user  Password=TestPwd123  RoleId=ReadOnly  Enabled=${True}
207    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
208    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
209
210    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
211
212
213Verify Modifying User Attributes
214    [Documentation]  Verify modifying user attributes.
215    [Tags]  Verify_Modifying_User_Attributes
216
217    # Create Redfish users.
218    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
219    Redfish Create User  readonly_user  TestPwd123  ReadOnly        ${True}
220
221    # Make sure the new user account does not already exist.
222    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
223    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
224
225    # Update admin_user username using Redfish.
226    ${payload}=  Create Dictionary  UserName=newadmin_user
227    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body=&{payload}
228
229    # Update readonly_user role using Redfish.
230    ${payload}=  Create Dictionary  RoleId=Administrator
231    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body=&{payload}
232
233    # Verify users after updating
234    Redfish Verify User  newadmin_user  TestPwd123     Administrator   ${True}
235    Redfish Verify User  readonly_user  TestPwd123     Administrator   ${True}
236
237    # Delete created users.
238    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
239    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
240
241
242Verify Modifying Operator User Attributes
243    [Documentation]  Verify modifying operator user attributes.
244    [Tags]  Verify_Modifying_Operator_User_Attributes
245    [Setup]  Run Keywords  Redfish.Login  AND
246    ...  Redfish Create User  operator_user  TestPwd123  Operator  ${True}
247    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
248    ...  AND  Test Teardown Execution
249
250    # Update operator_user password using Redfish.
251    ${payload}=  Create Dictionary  Password=NewTestPwd123
252    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body=&{payload}
253
254    # Verify users after updating
255    Redfish Verify User  operator_user  NewTestPwd123  Operator        ${True}
256
257
258Verify User Account Locked
259    [Documentation]  Verify user account locked upon trying with invalid password.
260    [Tags]  Verify_User_Account_Locked
261
262    Redfish Create User  admin_user  TestPwd123  Administrator   ${True}
263
264    ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
265    ...  AccountLockoutDuration=${account_lockout_duration}
266    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
267
268    Redfish.Logout
269
270    # Make ${account_lockout_threshold} failed login attempts.
271    Repeat Keyword  ${account_lockout_threshold} times
272    ...  Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  admin_user  abc123
273
274    # Verify that legitimate login fails due to lockout.
275    Run Keyword And Expect Error  InvalidCredentialsError*
276    ...  Redfish.Login  admin_user  TestPwd123
277
278    # Wait for lockout duration to expire and then verify that login works.
279    Sleep  ${account_lockout_duration}s
280    Redfish.Login  admin_user  TestPwd123
281
282    Redfish.Logout
283
284    Redfish.Login
285
286    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
287
288
289Verify User Account Unlock
290    [Documentation]  Verify manually unlocking the account before lockout time
291    [Tags]  Verify_User_Account_Unlock
292    [Teardown]  Run Keywords  Redfish.Logout
293    ...  AND  Redfish.Login
294    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
295    ...  AND  SSHLibrary.Close All Connections
296
297    Redfish Create User  test_user  TestPwd123  Administrator  ${True}
298
299    ${payload}=  Create Dictionary
300    ...  AccountLockoutThreshold=${account_lockout_threshold}
301    ...  AccountLockoutDuration=${account_lockout_duration}
302    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
303
304    Redfish.Logout
305
306    # Make ${account_lockout_threshold} failed login attempts.
307    Repeat Keyword  ${account_lockout_threshold} times
308    ...  Run Keyword And Expect Error  InvalidCredentialsError*
309    ...  Redfish.Login  test_user  abc123
310
311    # Ensure SSH Login with locked account gets failed
312    SSHLibrary.Open Connection  ${OPENBMC_HOST}
313    Run Keyword And Expect Error  Authentication failed*
314    ...  SSHLibrary.Login  test_user  TestPwd123
315
316    # Verify that legitimate login fails due to lockout.
317    Run Keyword And Expect Error  InvalidCredentialsError*
318    ...  Redfish.Login  test_user  TestPwd123
319
320    ${payload}=  Create Dictionary  Locked=${FALSE}
321
322    # Manually unlock the account before lockout threshold expires
323    Redfish.Login
324    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}test_user  body=${payload}
325    Redfish.Logout
326
327    # Try redfish login with the recently unlocked account
328    Redfish.Login  test_user  TestPwd123
329
330    # Try SSH login with the unlocked account
331    SSHLibrary.Open Connection  ${OPENBMC_HOST}
332    SSHLibrary.Login  test_user  TestPwd123
333
334
335Verify Admin User Privilege
336    [Documentation]  Verify admin user privilege.
337    [Tags]  Verify_Admin_User_Privilege
338
339    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
340    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
341
342    Redfish.Logout
343
344    Redfish.Login  admin_user  TestPwd123
345
346    # Change password of 'readonly' user with admin user.
347    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body={'Password': 'NewTestPwd123'}
348
349    # Verify modified user.
350    Redfish Verify User  readonly_user  NewTestPwd123  ReadOnly  ${True}
351
352    # Note: Delete user would work here because a root login is
353    # performed as part of "Redfish Verify User" keyword's teardown.
354    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
355    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
356
357
358Verify Operator User Role Change Using Admin Privilege User
359    [Documentation]  Verify operator user role change using admin privilege user
360    [Tags]  Verify_Operator_User_Role_Change_Using_Admin_Privilege_User
361
362    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
363    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
364
365    Redfish.Logout
366
367    # Change role ID of operator user with admin user.
368    # Login with admin user.
369    Redfish.Login  admin_user  TestPwd123
370
371    # Modify Role ID of Operator user.
372    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body={'RoleId': 'Administrator'}
373
374    # Verify modified user.
375    Redfish Verify User  operator_user  TestPwd123  Administrator  ${True}
376
377    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
378    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
379
380
381Verify Operator User Privilege
382    [Documentation]  Verify operator user privilege.
383    [Tags]  Verify_Operator_User_Privilege
384
385    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
386    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
387
388    Redfish.Logout
389    # Login with operator user.
390    Redfish.Login  operator_user  TestPwd123
391
392    # Verify BMC reset.
393    Run Keyword And Expect Error  ValueError*  Redfish BMC Reset Operation
394
395    # Attempt to change password of admin user with operator user.
396    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body={'Password': 'NewTestPwd123'}
397    ...  valid_status_codes=[${HTTP_FORBIDDEN}]
398
399    Redfish.Logout
400
401    Redfish.Login
402
403    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
404    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
405
406
407Verify ReadOnly User Privilege
408    [Documentation]  Verify ReadOnly user privilege.
409    [Tags]  Verify_ReadOnly_User_Privilege
410
411    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
412    Redfish.Logout
413
414    # Login with read_only user.
415    Redfish.Login  readonly_user  TestPwd123
416
417    # Read system level data.
418    ${system_model}=  Redfish_Utils.Get Attribute
419    ...  ${SYSTEM_BASE_URI}  Model
420
421    Redfish.Logout
422    Redfish.Login
423    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}readonly_user
424
425
426Verify Minimum Password Length For Redfish User
427    [Documentation]  Verify minimum password length for new and existing user.
428    [Tags]  Verify_Minimum_Password_Length_For_Redfish_User
429
430    ${user_name}=  Set Variable  testUser
431
432    # Make sure the user account in question does not already exist.
433    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}
434    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
435
436    # Try to create a user with invalid length password.
437    ${payload}=  Create Dictionary
438    ...  UserName=${user_name}  Password=UserPwd  RoleId=Administrator  Enabled=${True}
439    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
440    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
441
442    # Create specified user with valid length password.
443    Set To Dictionary  ${payload}  Password  UserPwd1
444    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
445    ...  valid_status_codes=[${HTTP_CREATED}]
446
447    # Try to change to an invalid password.
448    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd'}
449    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
450
451    # Change to a valid password.
452    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd1'}
453
454    # Verify login.
455    Redfish.Logout
456    Redfish.Login  ${user_name}  UserPwd1
457    Redfish.Logout
458    Redfish.Login
459    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}
460
461
462Verify Standard User Roles Defined By Redfish
463    [Documentation]  Verify standard user roles defined by Redfish.
464    [Tags]  Verify_Standard_User_Roles_Defined_By_Redfish
465
466    ${member_list}=  Redfish_Utils.Get Member List
467    ...  /redfish/v1/AccountService/Roles
468
469    @{roles}=  Create List
470    ...  /redfish/v1/AccountService/Roles/Administrator
471    ...  /redfish/v1/AccountService/Roles/Operator
472    ...  /redfish/v1/AccountService/Roles/ReadOnly
473
474    List Should Contain Sub List  ${member_list}  ${roles}
475
476    # The standard roles are:
477
478    # | Role name | Assigned privileges |
479    # | Administrator | Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf |
480    # | Operator | Login, ConfigureComponents, ConfigureSelf |
481    # | ReadOnly | Login, ConfigureSelf |
482
483    @{admin}=  Create List  Login  ConfigureManager  ConfigureUsers  ConfigureComponents  ConfigureSelf
484    @{operator}=  Create List  Login  ConfigureComponents  ConfigureSelf
485    @{readOnly}=  Create List  Login  ConfigureSelf
486
487    ${roles_dict}=  create dictionary  admin_privileges=${admin}  operator_privileges=${operator}
488    ...  readOnly_privileges=${readOnly}
489
490    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/Administrator
491    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${roles_dict['admin_privileges']}
492
493    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/Operator
494    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${roles_dict['operator_privileges']}
495
496    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/ReadOnly
497    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${roles_dict['readOnly_privileges']}
498
499
500Verify Error While Deleting Root User
501    [Documentation]  Verify error while deleting root user.
502    [Tags]  Verify_Error_While_Deleting_Root_User
503
504    Redfish.Delete  /redfish/v1/AccountService/Accounts/root  valid_status_codes=[${HTTP_FORBIDDEN}]
505
506
507Verify SSH Login Access With Admin User
508    [Documentation]  Verify that admin user have SSH login access.
509    ...              By default, admin should have access but there could be
510    ...              case where admin user shell access is restricted by design
511    ...              in the community sphere..
512    [Tags]  Verify_SSH_Login_Access_With_Admin_User
513
514    # Create an admin User.
515    Redfish Create User  new_admin  TestPwd1  Administrator  ${True}
516
517    # Attempt SSH login with admin user.
518    SSHLibrary.Open Connection  ${OPENBMC_HOST}
519    ${status}=  Run Keyword And Return Status  SSHLibrary.Login  new_admin  TestPwd1
520
521    # By default ssh_status is True, user can change the status via CLI
522    # -v ssh_status:False
523    Should Be Equal As Strings  "${status}"  "${ssh_status}"
524
525    Redfish.Login
526    Redfish.Delete  /redfish/v1/AccountService/Accounts/new_admin
527
528
529Verify Configure BasicAuth Enable And Disable
530    [Documentation]  Verify configure basicauth enable and disable
531    [Tags]  Verify_Configure_BasicAuth_Enable_And_Disable
532    [Template]  Template For Configure Auth Methods
533
534    # auth_method
535    BasicAuth
536    XToken
537
538*** Keywords ***
539
540Test Teardown Execution
541    [Documentation]  Do the post test teardown.
542
543    Run Keyword And Ignore Error  Redfish.Logout
544    FFDC On Test Case Fail
545
546
547Redfish Create User
548    [Documentation]  Redfish create user.
549    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${login_check}=${True}
550
551    # Description of argument(s):
552    # username            The username to be created.
553    # password            The password to be assigned.
554    # role_id             The role ID of the user to be created
555    #                     (e.g. "Administrator", "Operator", etc.).
556    # enabled             Indicates whether the username being created
557    #                     should be enabled (${True}, ${False}).
558    # login_check         Checks user login for created user.
559    #                     (e.g. ${True}, ${False}).
560
561    # Make sure the user account in question does not already exist.
562    Redfish.Delete  /redfish/v1/AccountService/Accounts/${userName}
563    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
564
565    # Create specified user.
566    ${payload}=  Create Dictionary
567    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${enabled}
568    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
569    ...  valid_status_codes=[${HTTP_CREATED}]
570
571    # Resetting faillock count as a workaround for issue
572    # openbmc/phosphor-user-manager#4
573    ${cmd}=  Catenate  test -f /usr/sbin/faillock && /usr/sbin/faillock --user USER --reset
574    ...  || /usr/sbin/pam_tally2 -u ${username} --reset
575    Bmc Execute Command  ${cmd}
576
577    # Verify login with created user.
578    ${status}=  Run Keyword If  '${login_check}' == '${True}'
579    ...  Verify Redfish User Login  ${username}  ${password}
580    Run Keyword If  '${login_check}' == '${True}'  Should Be Equal  ${status}  ${enabled}
581
582    # Validate Role ID of created user.
583    ${role_config}=  Redfish_Utils.Get Attribute
584    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
585    Should Be Equal  ${role_id}  ${role_config}
586
587
588Redfish Verify User
589    [Documentation]  Redfish user verification.
590    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
591
592    # Description of argument(s):
593    # username            The username to be created.
594    # password            The password to be assigned.
595    # role_id             The role ID of the user to be created
596    #                     (e.g. "Administrator", "Operator", etc.).
597    # enabled             Indicates whether the username being created
598    #                     should be enabled (${True}, ${False}).
599
600    ${status}=  Verify Redfish User Login  ${username}  ${password}
601    # Doing a check of the returned status.
602    Should Be Equal  ${status}  ${enabled}
603
604    # Validate Role Id of user.
605    ${role_config}=  Redfish_Utils.Get Attribute
606    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
607    Should Be Equal  ${role_id}  ${role_config}
608
609
610Verify Redfish User Login
611    [Documentation]  Verify Redfish login with given user id.
612    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout  AND  Redfish.Login
613    [Arguments]   ${username}  ${password}
614
615    # Description of argument(s):
616    # username            Login username.
617    # password            Login password.
618
619    # Logout from current Redfish session.
620    # We don't really care if the current session is flushed out since we are going to login
621    # with new credential in next.
622    Run Keyword And Ignore Error  Redfish.Logout
623
624    ${status}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}
625    [Return]  ${status}
626
627
628Redfish Create And Verify User
629    [Documentation]  Redfish create and verify user.
630    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
631
632    # Description of argument(s):
633    # username            The username to be created.
634    # password            The password to be assigned.
635    # role_id             The role ID of the user to be created
636    #                     (e.g. "Administrator", "Operator", etc.).
637    # enabled             Indicates whether the username being created
638    #                     should be enabled (${True}, ${False}).
639
640    # Example:
641    #{
642    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
643    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
644    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
645    #"Description": "User Account",
646    #"Enabled": true,
647    #"Id": "test1",
648    #"Links": {
649    #  "Role": {
650    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
651    #  }
652    #},
653
654    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
655
656    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}
657
658    # Delete Specified User
659    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
660
661Verify Redfish User with Wrong Password
662    [Documentation]  Verify Redfish User with Wrong Password.
663    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}
664
665    # Description of argument(s):
666    # username            The username to be created.
667    # password            The password to be assigned.
668    # role_id             The role ID of the user to be created
669    #                     (e.g. "Administrator", "Operator", etc.).
670    # enabled             Indicates whether the username being created
671    #                     should be enabled (${True}, ${False}).
672    # wrong_password      Any invalid password.
673
674    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
675
676    Redfish.Logout
677
678    # Attempt to login with created user with invalid password.
679    Run Keyword And Expect Error  InvalidCredentialsError*
680    ...  Redfish.Login  ${username}  ${wrong_password}
681
682    Redfish.Login
683
684    # Delete newly created user.
685    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
686
687
688Verify Login with Deleted Redfish User
689    [Documentation]  Verify Login with Deleted Redfish User.
690    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
691
692    # Description of argument(s):
693    # username            The username to be created.
694    # password            The password to be assigned.
695    # role_id             The role ID of the user to be created
696    #                     (e.g. "Administrator", "Operator", etc.).
697    # enabled             Indicates whether the username being created
698    #                     should be enabled (${True}, ${False}).
699
700    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
701
702    # Delete newly created user.
703    Redfish.Delete  /redfish/v1/AccountService/Accounts/${userName}
704
705    Redfish.Logout
706
707    # Attempt to login with deleted user account.
708    Run Keyword And Expect Error  InvalidCredentialsError*
709    ...  Redfish.Login  ${username}  ${password}
710
711    Redfish.Login
712
713
714Verify Create User Without Enabling
715    [Documentation]  Verify Create User Without Enabling.
716    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
717
718    # Description of argument(s):
719    # username            The username to be created.
720    # password            The password to be assigned.
721    # role_id             The role ID of the user to be created
722    #                     (e.g. "Administrator", "Operator", etc.).
723    # enabled             Indicates whether the username being created
724    #                     should be enabled (${True}, ${False}).
725
726    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}  ${False}
727
728    Redfish.Logout
729
730    # Login with created user.
731    Run Keyword And Expect Error  InvalidCredentialsError*
732    ...  Redfish.Login  ${username}  ${password}
733
734    Redfish.Login
735
736    # Delete newly created user.
737    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
738
739Template For Configure Auth Methods
740    [Documentation]  Template to configure auth methods.
741    [Arguments]  ${auth_method}
742    [Teardown]  Configure AuthMethods  ${auth_method}=${initial_value}
743
744    # Description of Argument(s):
745    # authmethods   The authmethod setting which needs to be
746    #               set in account service URI.
747    # valid values  BasicAuth, XToken.
748
749    Get AuthMethods Default Values  ${auth_method}
750
751    # Patch basicauth to TRUE
752    Configure AuthMethods  ${auth_method}=${TRUE}
753
754    Run Keyword IF  "${auth_method}" == "XToken"
755    ...    Check XToken Works Fine  ${HTTP_OK}
756    ...  ELSE
757    ...    Check BasicAuth Works Fine  ${HTTP_OK}
758
759    # Patch basicauth to FALSE
760    Configure AuthMethods  ${auth_method}=${FALSE}
761
762    Run Keyword IF  "${auth_method}" == "BasicAuth"
763    ...    Check BasicAuth Works Fine  ${HTTP_UNAUTHORIZED}
764    ...  ELSE
765    ...    Check XToken Works Fine  ${HTTP_UNAUTHORIZED}
766
767Configure AuthMethods
768    [Documentation]  Enable/disable authmethod types.
769    [Arguments]  &{authmethods}
770
771    # Description of argument(s):
772    # authmethods            The authmethod setting which needs to be
773    #                        set in account service URI.
774    # Usage Example          Configure AuthMethods  XToken=${TRUE}  BasicAuth=${TRUE}
775    #                        This will set the value of "XToken" and "BasicAuth"
776    #                        property in accountservice uri to TRUE.
777
778    ${openbmc}=  Create Dictionary  AuthMethods=${authmethods}
779    ${oem}=  Create Dictionary  OpenBMC=${openbmc}
780    ${payload}=  Create Dictionary  Oem=${oem}
781
782    # Setting authmethod properties using Redfish session based auth
783    ${status}=  Run Keyword And Return Status
784    ...  Redfish.Patch  ${REDFISH_BASE_URI}AccountService
785    ...  body=${payload}  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]
786
787    # Setting authmethod properties using basic auth incase the former fails
788    IF  ${status}==${FALSE}
789        # Payload dictionary pre-process to match json formatting
790        ${payload}=  Convert To String  ${payload}
791        ${payload}=  Replace String  ${payload}  '  "
792        ${payload}=  Replace String  ${payload}  False  false
793        ${payload}=  Replace String  ${payload}  True  true
794
795        # Curl Command Framing for PATCH authmethod
796        ${cmd}=  Catenate  curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
797        ...  -X PATCH '${AUTH_URI}${REDFISH_ACCOUNTS_SERVICE_URI}'
798        ...  -H 'content-type:application/json' -H 'If-Match:*'
799        ...  -d '${payload}'
800        ${rc}  ${out}=  Run And Return Rc And Output  ${cmd}
801
802        #  Check the response of curl command is 200 or 204
803        ${check_no_content}=
804        ...  Run Keyword and Return Status  Should Contain  ${out}  204
805        ${check_ok}=
806        ...  Run Keyword and Return Status  Should Contain  ${out}  200
807        Pass Execution If  ${check_no_content}==${TRUE}
808        ...  OR  ${check_ok}==${TRUE}
809    END
810
811
812Get AuthMethods Default Values
813    [Documentation]  Get enabled/disabled status of all authmethods
814    ...  from Redfish account service URI
815    [Arguments]  ${authmethod}
816
817    # Description of argument(s):
818    # authmethod            The authmethod property whose value needs to be
819    #                       retrieved from account service URI.
820    # Usage Example         Get AuthMethods Default Values  BasicAuth
821    #                       returns >> ${TRUE}
822    # Example:
823    # {
824    #     "@odata.id": "/redfish/v1/AccountService",
825    #     (...)
826    #     "Oem": {
827    #         "OpenBMC": {
828    #             "AuthMethods": {
829    #                 "BasicAuth": true,
830    #                 "Cookie": true,
831    #                 "SessionToken": true,
832    #                 "TLS": true,
833    #                 "XToken": true
834    #             }
835    #         }
836    #     }
837    # }
838
839    ${resp}=  Redfish.Get Attribute  ${REDFISH_ACCOUNTS_SERVICE_URI}  Oem
840    ${authmethods}=  Set Variable  ${resp['OpenBMC']['AuthMethods']}
841    ${initial_value}=  Get From Dictionary  ${authmethods}  ${authmethod}
842    Set Test Variable  ${initial_value}
843
844Check XToken Works Fine
845    [Documentation]  Verify Xtoken works fine.
846    [Arguments]  ${status_code}
847
848    # Description of Argument(s):
849    # status_code : 200, 401.
850
851    # Verify xtoken auth works for xtoken
852    Redfish.Get  ${REDFISH_ACCOUNTS_SERVICE_URI}
853    ...  valid_status_codes=[${status_code}]
854
855Check BasicAuth Works Fine
856    [Documentation]  Verify Basic Auth works fine.
857    [Arguments]  ${status_code}
858
859    # Description of Argument(s):
860    # status_code : 200, 401.
861
862    # Verify basic auth works based on basic auth.
863    ${cmd}=  Catenate  curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
864    ...  ${AUTH_URI}/redfish/v1/AccountService
865    ${rc}  ${out}=  Run And Return Rc And Output  ${cmd}
866
867    #  Check the response of curl command is 200/401
868    Should Contain  ${out}  ${status_code}
869