xref: /openbmc/openbmc-test-automation/redfish/account_service/test_user_account.robot (revision bd8ec926808c9886f128de826943e5d19c12f971)
1*** Settings ***
2Documentation    Test Redfish user account.
3
4Resource         ../../lib/resource.robot
5Resource         ../../lib/bmc_redfish_resource.robot
6Resource         ../../lib/openbmc_ffdc.robot
7Resource         ../../lib/bmc_redfish_utils.robot
8
9Library          SSHLibrary
10
# Every test starts from a fresh Redfish session (Redfish.Login called with no
# arguments) and ends by logging out and collecting FFDC on failure.
Test Setup       Redfish.Login
Test Teardown    Test Teardown Execution
13
14*** Variables ***
15
# Lockout policy applied by "Verify User Account Locked".
# The duration is used as a number of seconds (the test sleeps for "<duration>s").
${account_lockout_duration}   ${30}
# Number of consecutive failed logins the test makes before expecting a lockout.
${account_lockout_threshold}  ${3}
18
19** Test Cases **
20
Verify AccountService Available
    [Documentation]  Verify Redfish account service is available.
    [Tags]  Verify_AccountService_Available

    # The AccountService resource must report ServiceEnabled as true.
    ${service_enabled} =  Redfish_utils.Get Attribute
    ...  /redfish/v1/AccountService  ServiceEnabled
    Should Be Equal As Strings  ${service_enabled}  ${True}
27
Verify Redfish User Persistence After Reboot
    [Documentation]  Verify Redfish user persistence after reboot.
    [Tags]  Verify_Redfish_User_Persistence_After_Reboot

    # One account per standard role, all enabled.
    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly        ${True}

    # Restart the BMC so the accounts have to survive a reboot.
    Redfish OBMC Reboot (off)  stack_mode=normal

    # Each account must still log in with the same password and carry the same role.
    Redfish Verify User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Verify User  operator_user  TestPwd123  Operator        ${True}
    Redfish Verify User  readonly_user  TestPwd123  ReadOnly        ${True}

    # Clean up the test accounts.
    # NOTE(review): this cleanup is skipped when an earlier step fails, leaving
    # accounts with a known password on the BMC until the next run recreates them.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
49
Redfish Create and Verify Users
    [Documentation]  Create Redfish users with various roles.
    [Tags]  Redfish_Create_and_Verify_Users
    [Template]  Redfish Create And Verify User

    # One template run per row: create the account, verify login and role, delete it.
    # username      password    role_id         enabled
    admin_user      TestPwd123  Administrator   ${True}
    operator_user   TestPwd123  Operator        ${True}
    readonly_user   TestPwd123  ReadOnly        ${True}
59
Verify Redfish User with Wrong Password
    [Documentation]  Verify Redfish User with Wrong Password.
    [Tags]  Verify_Redfish_User_with_Wrong_Password
    [Template]  Verify Redfish User with Wrong Password

    # Each row creates the account and then expects a login with wrong_password
    # to be rejected. The wrong passwords differ in length (11, 22 and 2 characters).
    # username      password    role_id         enabled  wrong_password
    admin_user      TestPwd123  Administrator   ${True}  alskjhfwurh
    operator_user   TestPwd123  Operator        ${True}  12j8a8uakjhdaosiruf024
    readonly_user   TestPwd123  ReadOnly        ${True}  12
69
Verify Login with Deleted Redfish Users
    [Documentation]  Verify login with deleted Redfish Users.
    [Tags]  Verify_Login_with_Deleted_Redfish_Users
    [Template]  Verify Login with Deleted Redfish User

    # Each row creates the account, deletes it, and expects its old credentials
    # to be refused afterwards.
    # username      password    role_id         enabled
    admin_user      TestPwd123  Administrator   ${True}
    operator_user   TestPwd123  Operator        ${True}
    readonly_user   TestPwd123  ReadOnly        ${True}
79
Verify User Creation Without Enabling It
    [Documentation]  Verify User Creation Without Enabling it.
    [Tags]  Verify_User_Creation_Without_Enabling_It
    [Template]  Verify Create User Without Enabling

    # Each row creates a disabled account (enabled = ${False}) and expects its
    # login to be refused even though the password is correct.
    # username      password    role_id         enabled
    admin_user      TestPwd123  Administrator   ${False}
    operator_user   TestPwd123  Operator        ${False}
    readonly_user   TestPwd123  ReadOnly        ${False}
89
Verify User Creation With Invalid Role Id
    [Documentation]  Verify user creation with invalid role ID.
    [Tags]  Verify_User_Creation_With_Invalid_Role_Id

    # Start from a clean slate: remove test_user if a previous run left it behind
    # (a 404 simply means there was nothing to remove).
    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # A RoleId that names no existing role must be rejected with HTTP 400,
    # so no account is created and nothing needs deleting afterwards.
    ${payload}=  Create Dictionary
    ...  UserName=test_user
    ...  Password=TestPwd123
    ...  RoleId=wrongroleid
    ...  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
103
Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]  Verify error upon creating same users with different privileges.
    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    # First creation succeeds: test_user exists as an Administrator.
    Redfish Create User  test_user  TestPwd123  Administrator  ${True}

    # Posting the same UserName again with a different role must be refused with
    # HTTP 400 rather than overwriting the existing account's role.
    ${payload}=  Create Dictionary
    ...  UserName=test_user
    ...  Password=TestPwd123
    ...  RoleId=Operator
    ...  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Remove the account created at the top of the test.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
117
Verify Modifying User Attributes
    [Documentation]  Verify modifying user attributes.
    [Tags]  Verify_Modifying_User_Attributes

    # One account per standard role; each gets a different attribute changed below.
    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly        ${True}

    # The rename target must be free before admin_user is renamed to it.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # admin_user: change the user name.
    ${rename_payload}=  Create Dictionary  UserName=newadmin_user
    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body=&{rename_payload}

    # operator_user: change the password.
    ${password_payload}=  Create Dictionary  Password=NewTestPwd123
    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body=&{password_payload}

    # readonly_user: change the role to Operator.
    ${role_payload}=  Create Dictionary  RoleId=Operator
    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body=&{role_payload}

    # Each account must log in and report its role with the updated attribute,
    # while the attributes that were not patched stay as created.
    Redfish Verify User  newadmin_user  TestPwd123     Administrator   ${True}
    Redfish Verify User  operator_user  NewTestPwd123  Operator        ${True}
    Redfish Verify User  readonly_user  TestPwd123     Operator        ${True}

    # Clean up; the admin account now lives under its new name.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
152
Verify User Account Locked
    [Documentation]  Verify user account locked upon trying with invalid password.
    [Tags]  Verify_User_Account_Locked

    Redfish Create User  admin_user  TestPwd123  Administrator   ${True}

    # Apply the lockout policy under test to the account service.
    # NOTE(review): the previous AccountLockoutThreshold/AccountLockoutDuration
    # values are not saved or restored, so the BMC keeps this policy after the
    # test. Confirm that is intended for the lab systems this suite runs on.
    ${lockout_policy}=  Create Dictionary
    ...  AccountLockoutThreshold=${account_lockout_threshold}
    ...  AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${lockout_policy}

    Redfish.Logout

    # Reach the threshold: ${account_lockout_threshold} logins with a bad password,
    # each of which must be rejected.
    Repeat Keyword  ${account_lockout_threshold} times
    ...  Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  admin_user  abc123

    # The account is now locked, so even the correct password must be refused.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  admin_user  TestPwd123

    # Once the lockout duration has elapsed the correct password works again.
    Sleep  ${account_lockout_duration}s
    Redfish.Login  admin_user  TestPwd123

    Redfish.Logout

    # Back to the default session to remove the test account.
    Redfish.Login

    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
182
Verify Admin User Privilege
    [Documentation]  Verify admin user privilege.
    [Tags]  Verify_Admin_User_Privilege

    Redfish Create User  admin_user     TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator       ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly       ${True}

    Redfish.Logout

    # Act as the newly created Administrator account from here on.
    Redfish.Login  admin_user  TestPwd123

    # An Administrator may change another account's role.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body={'RoleId': 'Administrator'}

    # operator_user must now log in as an Administrator.
    Redfish Verify User  operator_user  TestPwd123  Administrator  ${True}

    # "Redfish Verify User" switches sessions while checking the login, so log
    # in as admin_user again before the next change.
    Redfish.Logout
    Redfish.Login  admin_user  TestPwd123

    # An Administrator may change another account's password.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body={'Password': 'NewTestPwd123'}

    # readonly_user must log in with the new password and keep its ReadOnly role.
    Redfish Verify User  readonly_user  NewTestPwd123  ReadOnly  ${True}

    # Clean up the test accounts.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
215
Verify Operator User Privilege
    [Documentation]  Verify operator user privilege.
    [Tags]  Verify_Operator_User_Privilege

    Redfish Create User  admin_user     TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator       ${True}

    Redfish.Logout

    # Act as the Operator account for the two negative checks below.
    Redfish.Login  operator_user  TestPwd123

    # Negative check 1: a BMC reset requested by an Operator is expected to fail
    # (the reset keyword must raise a ValueError).
    Run Keyword And Expect Error  ValueError*  Redfish BMC Reset Operation

    # Negative check 2: an Operator must not be able to set an Administrator's
    # password; the request has to come back as HTTP 403.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user
    ...  body={'Password': 'NewTestPwd123'}
    ...  valid_status_codes=[${HTTP_FORBIDDEN}]

    Redfish.Logout

    # Back to the default session to remove the test accounts.
    Redfish.Login

    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
240
241
Verify ReadOnly User Privilege
    [Documentation]  Verify ReadOnly user privilege.
    [Tags]  Verify_ReadOnly_User_Privilege

    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
    Redfish.Logout

    # Act as the ReadOnly account.
    Redfish.Login  readonly_user  TestPwd123

    # Reading system-level data must succeed; the value itself is not inspected.
    # NOTE(review): this test only proves read access. It makes no request that
    # a ReadOnly account should be denied, so excess write privilege would go
    # unnoticed here.
    ${model}=  Redfish_Utils.Get Attribute  ${SYSTEM_BASE_URI}  Model

    # Back to the default session to remove the test account.
    Redfish.Logout
    Redfish.Login
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}readonly_user
259
260
Verify Minimum Password Length For Redfish User
    [Documentation]  Verify minimum password length for new and existing user.
    [Tags]  Verify_Minimum_Password_Length_For_Redfish_User

    ${user_name}=  Set Variable  testUser

    # Start clean: remove the account if an earlier run left it behind.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # New account, 7-character password ("UserPwd"): must be rejected with HTTP 400.
    ${payload}=  Create Dictionary
    ...  UserName=${user_name}
    ...  Password=UserPwd
    ...  RoleId=Administrator
    ...  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Same request with an 8-character password ("UserPwd1"): must be created.
    Set To Dictionary  ${payload}  Password  UserPwd1
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_CREATED}]

    # Existing account, change to the 7-character password: must be rejected.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}
    ...  body={'Password': 'UserPwd'}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Existing account, change to the 8-character password: must be accepted.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}
    ...  body={'Password': 'UserPwd1'}

    # The accepted password must actually work for login.
    Redfish.Logout
    Redfish.Login  ${user_name}  UserPwd1

    # Back to the default session to remove the test account.
    Redfish.Logout
    Redfish.Login
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}
295
296
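Verify Standard User Roles Defined By Redfish
    [Documentation]  Verify standard user roles defined by Redfish.
    [Tags]  Verify_Standard_User_Roles_Defined_By_Redfish

    ${member_list}=  Redfish_Utils.Get Member List
    ...  /redfish/v1/AccountService/Roles

    # The three standard roles must be present; other roles may exist alongside
    # them, so this is a "contains" check only.
    @{roles}=  Create List
    ...  /redfish/v1/AccountService/Roles/Administrator
    ...  /redfish/v1/AccountService/Roles/Operator
    ...  /redfish/v1/AccountService/Roles/ReadOnly

    List Should Contain Sub List  ${member_list}  ${roles}

    # The standard roles are:

    # | Role name | Assigned privileges |
    # | Administrator | Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf |
    # | Operator | Login, ConfigureComponents, ConfigureSelf |
    # | ReadOnly | Login, ConfigureSelf |

    @{admin}=  Create List  Login  ConfigureManager  ConfigureUsers  ConfigureComponents  ConfigureSelf
    @{operator}=  Create List  Login  ConfigureComponents  ConfigureSelf
    @{readOnly}=  Create List  Login  ConfigureSelf

    # Each role is compared in both directions. The first check catches a missing
    # privilege; the second catches an extra one. Without the second check a role
    # that had gained privileges beyond the table above (for example ReadOnly
    # carrying ConfigureUsers) would still pass.
    ${resp}=  Redfish.Get  /redfish/v1/AccountService/Roles/Administrator
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${admin}
    List Should Contain Sub List  ${admin}  ${resp.dict['AssignedPrivileges']}

    ${resp}=  Redfish.Get  /redfish/v1/AccountService/Roles/Operator
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${operator}
    List Should Contain Sub List  ${operator}  ${resp.dict['AssignedPrivileges']}

    ${resp}=  Redfish.Get  /redfish/v1/AccountService/Roles/ReadOnly
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${readOnly}
    List Should Contain Sub List  ${readOnly}  ${resp.dict['AssignedPrivileges']}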
333
334
Verify Error While Deleting Root User
    [Documentation]  Verify error while deleting root user.
    [Tags]  Verify_Error_While_Deleting_Root_User

    # The root account must not be deletable over Redfish: the DELETE is
    # expected to be refused with HTTP 403.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/root
    ...  valid_status_codes=[${HTTP_FORBIDDEN}]
340
341
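Verify SSH Login Access With Admin User
    [Documentation]  Verify that admin user does not have SSH login access.
    [Tags]  Verify_SSH_Login_Access_With_Admin_User
    # A test-level teardown replaces the suite's "Test Teardown", so the suite
    # teardown keyword is called explicitly as the last step. Before that, the
    # SSH connection is closed and the test account is removed, so an
    # Administrator account with a known password is not left on the BMC whether
    # the test passes or fails. A 404 on the delete means the account was never
    # created.
    [Teardown]  Run Keywords  SSHLibrary.Close All Connections
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/new_admin
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
    ...  AND  Test Teardown Execution

    # Create an admin User.
    Redfish Create User  new_admin  TestPwd1  Administrator  ${True}

    # Attempt SSH login with admin user; it must not succeed.
    # NOTE(review): any login failure satisfies this check, including an
    # unreachable host, so a network problem can make the test pass without the
    # BMC ever rejecting the credentials. Consider asserting on the
    # authentication error specifically.
    SSHLibrary.Open Connection  ${OPENBMC_HOST}
    ${status}=  Run Keyword And Return Status  SSHLibrary.Login  new_admin  TestPwd1
    Should Be Equal  ${status}  ${False}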
353
354
355*** Keywords ***
356
Test Teardown Execution
    [Documentation]  Do the post test teardown.

    # A test may already have logged out, so a failing logout is ignored.
    Run Keyword And Ignore Error  Redfish.Logout
    # Collect first-failure data when the test case failed.
    FFDC On Test Case Fail
362
363
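Redfish Create User
    [Documentation]  Create a Redfish user, then check its login state and role.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${login_check}=${True}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # login_check         Checks user login for created user.
    #                     (e.g. ${True}, ${False}).

    # Make sure the user account in question does not already exist
    # (a 404 means there was nothing to delete).
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user.
    ${payload}=  Create Dictionary
    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${enabled}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_CREATED}]

    # Resetting faillock count as a workaround for issue
    # openbmc/phosphor-user-manager#4
    # The counter has to be cleared for the account just created. The faillock
    # branch used to pass the literal name "USER", which left the new account's
    # failed-login count untouched on systems that ship faillock.
    # NOTE(review): ${username} is placed unquoted into a shell command run on
    # the BMC. Every caller in this file passes a fixed literal; quote or
    # validate the name before feeding this keyword from external data.
    ${cmd}=  Catenate  test -f /usr/sbin/faillock && /usr/sbin/faillock --user ${username} --reset
    ...  || /usr/sbin/pam_tally2 -u ${username} --reset
    Bmc Execute Command  ${cmd}

    # Verify login with created user: the login must succeed exactly when the
    # account was created enabled. Skipped when login_check is ${False}.
    ${status}=  Run Keyword If  '${login_check}' == '${True}'
    ...  Verify Redfish User Login  ${username}  ${password}
    Run Keyword If  '${login_check}' == '${True}'  Should Be Equal  ${status}  ${enabled}

    # Validate Role ID of created user.
    ${role_config}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${role_config}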
403
404
Redfish Verify User
    [Documentation]  Redfish user verification.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username of the existing account to verify.
    # password            The password the account is expected to accept.
    # role_id             The role ID the account is expected to have
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             The expected login outcome: ${True} if the login
    #                     should succeed, ${False} if it should be refused.

    # The login result must match the expected enabled state.
    ${login_ok}=  Verify Redfish User Login  ${username}  ${password}
    Should Be Equal  ${login_ok}  ${enabled}

    # The account resource must report the expected role.
    ${actual_role}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${actual_role}
425
426
Verify Redfish User Login
    [Documentation]  Verify Redfish login with given user id.
    [Arguments]   ${username}  ${password}
    # Whatever the outcome, drop the session opened here (ignoring a failed
    # logout) and log back in with the default Redfish.Login, so the caller
    # continues in the default session.
    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # username            Login username.
    # password            Login password.

    # Leave the current session first. A failed logout does not matter because
    # a new login with the given credentials follows immediately.
    Run Keyword And Ignore Error  Redfish.Logout

    # Returns ${True} when the login succeeds and ${False} when it fails.
    ${login_ok}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}
    [Return]  ${login_ok}
443
444
Redfish Create And Verify User
    [Documentation]  Redfish create and verify user.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Example of an account resource (excerpt):
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},

    # Create the account, then check its login state and role a second time
    # through the standalone verification keyword.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}

    # Remove the account again so the next template row starts clean.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
477
Verify Redfish User with Wrong Password
    [Documentation]  Verify Redfish User with Wrong Password.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # wrong_password      Any invalid password.

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish.Logout

    # A login for the new account with a password other than the assigned one
    # must be rejected with an invalid-credentials error.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${wrong_password}

    # Back to the default session to remove the test account.
    Redfish.Login

    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
503
504
Verify Login with Deleted Redfish User
    [Documentation]  Verify Login with Deleted Redfish User.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # Delete the account while still in the default session.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

    Redfish.Logout

    # Credentials of a deleted account must no longer be accepted.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    # Restore the default session for the next template row.
    Redfish.Login
529
530
Verify Create User Without Enabling
    [Documentation]  Verify Create User Without Enabling.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Create the account with the login check switched off (last argument);
    # the login is asserted explicitly below instead.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}  ${False}

    Redfish.Logout

    # The login is expected to be refused although the password is correct.
    # The template rows in this file all pass enabled = ${False}.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    # Back to the default session to remove the test account.
    Redfish.Login

    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
555
556