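*** Settings ***
Documentation    Test Redfish user account.

Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/bmc_redfish_utils.robot

Library          SSHLibrary

Test Setup       Redfish.Login
Test Teardown    Test Teardown Execution

# NOTE(review): every test below creates accounts with fixed, well-known
# passwords and deletes them inline at the end of the test body.  A test that
# fails part-way therefore leaves such an account (possibly an Administrator)
# on the BMC until the next run re-creates it.  Run this suite only against
# lab systems, or move the deletes into a teardown.

*** Variables ***

# Lockout policy written to the AccountService by "Verify User Account Locked".
${account_lockout_duration}     ${30}
${account_lockout_threshold}    ${3}

*** Test Cases ***

Verify AccountService Available
    [Documentation]    Verify Redfish account service is available.
    [Tags]    Verify_AccountService_Available

    ${resp} =    Redfish_utils.Get Attribute    /redfish/v1/AccountService    ServiceEnabled
    Should Be Equal As Strings    ${resp}    ${True}

Verify Redfish User Persistence After Reboot
    [Documentation]    Verify Redfish user persistence after reboot.
    [Tags]    Verify_Redfish_User_Persistence_After_Reboot

    # Create Redfish users.
    Redfish Create User    admin_user       TestPwd123    Administrator    ${True}
    Redfish Create User    operator_user    TestPwd123    Operator         ${True}
    Redfish Create User    readonly_user    TestPwd123    ReadOnly         ${True}

    # Reboot BMC.
    Redfish OBMC Reboot (off)    stack_mode=normal

    # Verify users after reboot.
    Redfish Verify User    admin_user       TestPwd123    Administrator    ${True}
    Redfish Verify User    operator_user    TestPwd123    Operator         ${True}
    Redfish Verify User    readonly_user    TestPwd123    ReadOnly         ${True}

    # Delete created users.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/readonly_user

Redfish Create and Verify Users
    [Documentation]    Create Redfish users with various roles.
    [Tags]    Redfish_Create_and_Verify_Users
    [Template]    Redfish Create And Verify User

    #username        password      role_id          enabled
    admin_user       TestPwd123    Administrator    ${True}
    operator_user    TestPwd123    Operator         ${True}
    readonly_user    TestPwd123    ReadOnly         ${True}

Verify Redfish User with Wrong Password
    [Documentation]    Verify Redfish User with Wrong Password.
    [Tags]    Verify_Redfish_User_with_Wrong_Password
    [Template]    Verify Redfish User with Wrong Password

    #username        password      role_id          enabled    wrong_password
    admin_user       TestPwd123    Administrator    ${True}    alskjhfwurh
    operator_user    TestPwd123    Operator         ${True}    12j8a8uakjhdaosiruf024
    readonly_user    TestPwd123    ReadOnly         ${True}    12

Verify Login with Deleted Redfish Users
    [Documentation]    Verify login with deleted Redfish Users.
    [Tags]    Verify_Login_with_Deleted_Redfish_Users
    [Template]    Verify Login with Deleted Redfish User

    #username        password      role_id          enabled
    admin_user       TestPwd123    Administrator    ${True}
    operator_user    TestPwd123    Operator         ${True}
    readonly_user    TestPwd123    ReadOnly         ${True}

Verify User Creation Without Enabling It
    [Documentation]    Verify User Creation Without Enabling it.
    [Tags]    Verify_User_Creation_Without_Enabling_It
    [Template]    Verify Create User Without Enabling

    #username        password      role_id          enabled
    admin_user       TestPwd123    Administrator    ${False}
    operator_user    TestPwd123    Operator         ${False}
    readonly_user    TestPwd123    ReadOnly         ${False}

Verify User Creation With Invalid Role Id
    [Documentation]    Verify user creation with invalid role ID.
    [Tags]    Verify_User_Creation_With_Invalid_Role_Id

    # Make sure the user account in question does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/test_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user; an unknown RoleId must be rejected.
    ${payload}=    Create Dictionary
    ...    UserName=test_user    Password=TestPwd123    RoleId=wrongroleid    Enabled=${True}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]

Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]    Verify error upon creating same users with different privileges.
    [Tags]    Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    Redfish Create User    test_user    TestPwd123    Administrator    ${True}

    # Re-create the same user name with another role; this must be rejected.
    ${payload}=    Create Dictionary
    ...    UserName=test_user    Password=TestPwd123    RoleId=Operator    Enabled=${True}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]

    Redfish.Delete    /redfish/v1/AccountService/Accounts/test_user

Verify Modifying User Attributes
    [Documentation]    Verify modifying user attributes.
    [Tags]    Verify_Modifying_User_Attributes

    # Create Redfish users.
    Redfish Create User    admin_user       TestPwd123    Administrator    ${True}
    Redfish Create User    operator_user    TestPwd123    Operator         ${True}
    Redfish Create User    readonly_user    TestPwd123    ReadOnly         ${True}

    # Make sure the new user account does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/newadmin_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Update admin_user username using Redfish.
    ${payload}=    Create Dictionary    UserName=newadmin_user
    Redfish.Patch    /redfish/v1/AccountService/Accounts/admin_user    body=&{payload}

    # Update operator_user password using Redfish.
    ${payload}=    Create Dictionary    Password=NewTestPwd123
    Redfish.Patch    /redfish/v1/AccountService/Accounts/operator_user    body=&{payload}

    # Update readonly_user role using Redfish.
    ${payload}=    Create Dictionary    RoleId=Operator
    Redfish.Patch    /redfish/v1/AccountService/Accounts/readonly_user    body=&{payload}

    # Verify users after updating.
    Redfish Verify User    newadmin_user    TestPwd123       Administrator    ${True}
    Redfish Verify User    operator_user    NewTestPwd123    Operator         ${True}
    Redfish Verify User    readonly_user    TestPwd123       Operator         ${True}

    # Delete created users.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/newadmin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/readonly_user

Verify User Account Locked
    [Documentation]    Verify user account locked upon trying with invalid password.
    [Tags]    Verify_User_Account_Locked

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}

    # NOTE(review): the lockout policy written here is never restored, so the
    # BMC keeps this threshold/duration after the test - confirm that is the
    # intended end state.
    ${payload}=    Create Dictionary    AccountLockoutThreshold=${account_lockout_threshold}
    ...    AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch    ${REDFISH_ACCOUNTS_SERVICE_URI}    body=${payload}

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword    ${account_lockout_threshold} times
    ...    Run Keyword And Expect Error    InvalidCredentialsError*    Redfish.Login    admin_user    abc123

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    admin_user    TestPwd123

    # Wait for lockout duration to expire and then verify that login works.
    Sleep    ${account_lockout_duration}s
    Redfish.Login    admin_user    TestPwd123

    Redfish.Logout

    # Back to the default session before removing the test account.
    Redfish.Login

    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user

Verify Admin User Privilege
    [Documentation]    Verify admin user privilege.
    [Tags]    Verify_Admin_User_Privilege

    Redfish Create User    admin_user       TestPwd123    Administrator    ${True}
    Redfish Create User    operator_user    TestPwd123    Operator         ${True}
    Redfish Create User    readonly_user    TestPwd123    ReadOnly         ${True}

    Redfish.Logout

    # Change role ID of operator user with admin user.
    # Login with admin user.
    Redfish.Login    admin_user    TestPwd123

    # Modify Role ID of Operator user.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/operator_user    body={'RoleId': 'Administrator'}

    # Verify modified user.
    Redfish Verify User    operator_user    TestPwd123    Administrator    ${True}

    Redfish.Logout
    Redfish.Login    admin_user    TestPwd123

    # Change password of readonly_user with admin user.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/readonly_user    body={'Password': 'NewTestPwd123'}

    # Verify modified user.
    Redfish Verify User    readonly_user    NewTestPwd123    ReadOnly    ${True}

    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/readonly_user

Verify Operator User Privilege
    [Documentation]    Verify operator user privilege.
    [Tags]    Verify_Operator_User_Privilege

    Redfish Create User    admin_user       TestPwd123    Administrator    ${True}
    Redfish Create User    operator_user    TestPwd123    Operator         ${True}

    Redfish.Logout
    # Login with operator user.
    Redfish.Login    operator_user    TestPwd123

    # Verify BMC reset is refused for the operator.
    Run Keyword And Expect Error    ValueError*    Redfish BMC Reset Operation

    # Attempt to change password of admin user with operator user.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/admin_user    body={'Password': 'NewTestPwd123'}
    ...    valid_status_codes=[${HTTP_FORBIDDEN}]

    Redfish.Logout

    Redfish.Login

    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user


Verify ReadOnly User Privilege
    [Documentation]    Verify ReadOnly user privilege.
    [Tags]    Verify_ReadOnly_User_Privilege

    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}
    Redfish.Logout

    # Login with read_only user.
    Redfish.Login    readonly_user    TestPwd123

    # Read system level data.
    # NOTE(review): this only proves that a read succeeds.  Unlike the operator
    # test, nothing here checks that a modifying request from the ReadOnly
    # session is refused; consider adding a negative check.
    ${system_model}=    Redfish_Utils.Get Attribute
    ...    ${SYSTEM_BASE_URI}    Model

    Redfish.Logout
    Redfish.Login
    Redfish.Delete    ${REDFISH_ACCOUNTS_URI}readonly_user


Verify Minimum Password Length For Redfish User
    [Documentation]    Verify minimum password length for new and existing user.
    [Tags]    Verify_Minimum_Password_Length_For_Redfish_User

    ${user_name}=    Set Variable    testUser

    # Make sure the user account in question does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${user_name}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Try to create a user with invalid length password.
    ${payload}=    Create Dictionary
    ...    UserName=${user_name}    Password=UserPwd    RoleId=Administrator    Enabled=${True}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Create specified user with valid length password.
    Set To Dictionary    ${payload}    Password    UserPwd1
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_CREATED}]

    # Try to change to an invalid password.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/${user_name}    body={'Password': 'UserPwd'}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Change to a valid password.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/${user_name}    body={'Password': 'UserPwd1'}

    # Verify login.
    Redfish.Logout
    Redfish.Login    ${user_name}    UserPwd1
    Redfish.Logout
    Redfish.Login
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${user_name}


Verify Standard User Roles Defined By Redfish
    [Documentation]    Verify standard user roles defined by Redfish.
    [Tags]    Verify_Standard_User_Roles_Defined_By_Redfish

    ${member_list}=    Redfish_Utils.Get Member List
    ...    /redfish/v1/AccountService/Roles

    @{roles}=    Create List
    ...    /redfish/v1/AccountService/Roles/Administrator
    ...    /redfish/v1/AccountService/Roles/Operator
    ...    /redfish/v1/AccountService/Roles/ReadOnly

    List Should Contain Sub List    ${member_list}    ${roles}

    # The standard roles are:

    # | Role name | Assigned privileges |
    # | Administrator | Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf |
    # | Operator | Login, ConfigureComponents, ConfigureSelf |
    # | ReadOnly | Login, ConfigureSelf |

    @{admin}=    Create List    Login    ConfigureManager    ConfigureUsers    ConfigureComponents    ConfigureSelf
    @{operator}=    Create List    Login    ConfigureComponents    ConfigureSelf
    @{readOnly}=    Create List    Login    ConfigureSelf

    ${roles_dict}=    Create Dictionary    admin_privileges=${admin}    operator_privileges=${operator}
    ...    readOnly_privileges=${readOnly}

    # The checks below are "contains" checks: they pass when a role reports
    # additional privileges beyond the expected list.
    ${resp}=    Redfish.Get    /redfish/v1/AccountService/Roles/Administrator
    List Should Contain Sub List    ${resp.dict['AssignedPrivileges']}    ${roles_dict['admin_privileges']}

    ${resp}=    Redfish.Get    /redfish/v1/AccountService/Roles/Operator
    List Should Contain Sub List    ${resp.dict['AssignedPrivileges']}    ${roles_dict['operator_privileges']}

    ${resp}=    Redfish.Get    /redfish/v1/AccountService/Roles/ReadOnly
    List Should Contain Sub List    ${resp.dict['AssignedPrivileges']}    ${roles_dict['readOnly_privileges']}


Verify Error While Deleting Root User
    [Documentation]    Verify error while deleting root user.
    [Tags]    Verify_Error_While_Deleting_Root_User

    Redfish.Delete    /redfish/v1/AccountService/Accounts/root    valid_status_codes=[${HTTP_FORBIDDEN}]


Verify SSH Login Access With Admin User
    [Documentation]    Verify that admin user does not have SSH login access.
    [Tags]    Verify_SSH_Login_Access_With_Admin_User

    # Create an admin User.
    Redfish Create User    new_admin    TestPwd1    Administrator    ${True}

    # Attempt SSH login with admin user.
    SSHLibrary.Open Connection    ${OPENBMC_HOST}
    ${status}=    Run Keyword And Return Status    SSHLibrary.Login    new_admin    TestPwd1

    # Clean up before asserting, so that neither outcome leaves an open SSH
    # connection or an Administrator account with a known password on the BMC.
    SSHLibrary.Close Connection
    Redfish.Delete    /redfish/v1/AccountService/Accounts/new_admin

    Should Be Equal    ${status}    ${False}


*** Keywords ***

Test Teardown Execution
    [Documentation]    Do the post test teardown.

    # Logout is best-effort: the test may already have ended the session.
    Run Keyword And Ignore Error    Redfish.Logout
    FFDC On Test Case Fail


Redfish Create User
    [Documentation]    Redfish create user.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}    ${login_check}=${True}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # login_check         Checks user login for created user.
    #                     (e.g. ${True}, ${False}).

    # Make sure the user account in question does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user.
    ${payload}=    Create Dictionary
    ...    UserName=${username}    Password=${password}    RoleId=${role_id}    Enabled=${enabled}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_CREATED}]

    # Resetting faillock count as a workaround for issue
    # openbmc/phosphor-user-manager#4
    # The reset must name the account that was just created; the faillock
    # branch previously passed the literal "USER", so the counter of the new
    # account was never cleared on systems that ship faillock.
    # ${username} is placed into a shell command line unquoted, so callers
    # must only pass plain account names.
    ${cmd}=    Catenate    test -f /usr/sbin/faillock && /usr/sbin/faillock --user ${username} --reset
    ...    || /usr/sbin/pam_tally2 -u ${username} --reset
    Bmc Execute Command    ${cmd}

    # Verify login with created user.
    ${status}=    Run Keyword If    '${login_check}' == '${True}'
    ...    Verify Redfish User Login    ${username}    ${password}
    Run Keyword If    '${login_check}' == '${True}'    Should Be Equal    ${status}    ${enabled}

    # Validate Role ID of created user.
    ${role_config}=    Redfish_Utils.Get Attribute
    ...    /redfish/v1/AccountService/Accounts/${username}    RoleId
    Should Be Equal    ${role_id}    ${role_config}


Redfish Verify User
    [Documentation]    Redfish user verification.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be verified.
    # password            The password expected to work for that user.
    # role_id             The role ID the user is expected to have
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             The expected login result for the user
    #                     (${True}, ${False}).

    ${status}=    Verify Redfish User Login    ${username}    ${password}
    # Doing a check of the returned status.
    Should Be Equal    ${status}    ${enabled}

    # Validate Role Id of user.
    ${role_config}=    Redfish_Utils.Get Attribute
    ...    /redfish/v1/AccountService/Accounts/${username}    RoleId
    Should Be Equal    ${role_id}    ${role_config}


Verify Redfish User Login
    [Documentation]    Verify Redfish login with given user id.
    [Arguments]    ${username}    ${password}
    # Whatever the login result, end up back in the default session.
    [Teardown]    Run Keywords    Run Keyword And Ignore Error    Redfish.Logout    AND    Redfish.Login

    # Description of argument(s):
    # username            Login username.
    # password            Login password.

    # Logout from current Redfish session.
    # We don't really care if the current session is flushed out since we are going to login
    # with new credential in next.
    Run Keyword And Ignore Error    Redfish.Logout

    ${status}=    Run Keyword And Return Status    Redfish.Login    ${username}    ${password}
    [Return]    ${status}


Redfish Create And Verify User
    [Documentation]    Redfish create and verify user.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Example:
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},

    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}

    Redfish Verify User    ${username}    ${password}    ${role_id}    ${enabled}

    # Delete Specified User
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}

Verify Redfish User with Wrong Password
    [Documentation]    Verify Redfish User with Wrong Password.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}    ${wrong_password}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # wrong_password      Any invalid password.

    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}

    Redfish.Logout

    # Attempt to login with created user with invalid password.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    ${username}    ${wrong_password}

    Redfish.Login

    # Delete newly created user.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}


Verify Login with Deleted Redfish User
    [Documentation]    Verify Login with Deleted Redfish User.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}

    # Delete newly created user.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}

    Redfish.Logout

    # Attempt to login with deleted user account.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    ${username}    ${password}

    Redfish.Login


Verify Create User Without Enabling
    [Documentation]    Verify Create User Without Enabling.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # login_check is ${False}: the login attempt is made explicitly below.
    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}    ${False}

    Redfish.Logout

    # Login with created user; a disabled account must be refused.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    ${username}    ${password}

    Redfish.Login

    # Delete newly created user.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}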