*** Settings ***
Documentation       Redfish AccountService test suite: creation, login, lockout, privilege and
...                 persistence checks for Administrator, Operator and ReadOnly user accounts.

Resource            ../../lib/resource.robot
Resource            ../../lib/bmc_redfish_resource.robot
Resource            ../../lib/openbmc_ffdc.robot
Resource            ../../lib/bmc_redfish_utils.robot

Library             SSHLibrary

# Suite defaults. A test that declares its own [Setup] or [Teardown] replaces
# these, so such a test has to call Redfish.Login / Test Teardown Execution
# itself if it still wants them.
Test Setup          Redfish.Login
Test Teardown       Test Teardown Execution

Test Tags           User_Account


*** Variables ***
# Lockout policy written to the AccountService by the lockout tests.
# "Verify User Account Locked" sleeps for the duration plus 5, in seconds.
${account_lockout_duration}     ${30}
${account_lockout_threshold}    ${3}
${ssh_status}                   ${True}


*** Test Cases ***

Verify AccountService Available
    [Documentation]    Check that the Redfish AccountService reports ServiceEnabled as true.
    [Tags]    Verify_AccountService_Available

    ${service_enabled}=    Redfish_utils.Get Attribute
    ...    /redfish/v1/AccountService    ServiceEnabled
    Should Be Equal As Strings    ${service_enabled}    ${True}


Verify Redfish Admin User Persistence After Reboot
    [Documentation]    Create an Administrator account, reboot the BMC and confirm the
    ...    account still logs in with the same password and role.
    [Tags]    Verify_Redfish_Admin_User_Persistence_After_Reboot
    [Setup]    Run Keywords
    ...    Redfish.Login
    ...    AND    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    # Test-level teardown: remove the account, then run the common teardown.
    [Teardown]    Run Keywords
    ...    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    ...    AND    Test Teardown Execution

    # Reboot the BMC.
    Redfish OBMC Reboot (off)    stack_mode=normal

    # The account must come back unchanged.
    Redfish Verify User    admin_user    TestPwd123    Administrator    ${True}


Verify Redfish Operator User Persistence After Reboot
    [Documentation]    Create an Operator account, reboot the BMC and confirm the
    ...    account still logs in with the same password and role.
    [Tags]    Verify_Redfish_Operator_User_Persistence_After_Reboot
    [Setup]    Run Keywords
    ...    Redfish.Login
    ...    AND    Redfish Create User    operator_user    TestPwd123    Operator    ${True}
    # Test-level teardown: remove the account, then run the common teardown.
    [Teardown]    Run Keywords
    ...    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user
    ...    AND    Test Teardown Execution

    # Reboot the BMC.
    Redfish OBMC Reboot (off)    stack_mode=normal

    # The account must come back unchanged.
    Redfish Verify User    operator_user    TestPwd123    Operator    ${True}


Verify Redfish Readonly User Persistence After Reboot
    [Documentation]    Create a ReadOnly account, reboot the BMC and confirm the
    ...    account still logs in with the same password and role.
    [Tags]    Verify_Redfish_Readonly_User_Persistence_After_Reboot
    [Setup]    Run Keywords
    ...    Redfish.Login
    ...    AND    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}
    # Test-level teardown: remove the account, then run the common teardown.
    [Teardown]    Run Keywords
    ...    Redfish.Delete    /redfish/v1/AccountService/Accounts/readonly_user
    ...    AND    Test Teardown Execution

    # Reboot the BMC.
    Redfish OBMC Reboot (off)    stack_mode=normal

    # The account must come back unchanged.
    Redfish Verify User    readonly_user    TestPwd123    ReadOnly    ${True}

Redfish Create and Verify Admin User
    [Documentation]    Create an Administrator account, verify it, and delete it again.
    [Tags]    Redfish_Create_and_Verify_Admin_User
    [Template]    Redfish Create And Verify User

    # username    password      role_id          enabled
    admin_user    TestPwd123    Administrator    ${True}


Redfish Create and Verify Operator User
    [Documentation]    Create an Operator account, verify it, and delete it again.
    [Tags]    Redfish_Create_and_Verify_Operator_User
    [Template]    Redfish Create And Verify User

    # username       password      role_id     enabled
    operator_user    TestPwd123    Operator    ${True}


Redfish Create and Verify Readonly User
    [Documentation]    Create a ReadOnly account, verify it, and delete it again.
    [Tags]    Redfish_Create_and_Verify_Readonly_User
    [Template]    Redfish Create And Verify User

    # username       password      role_id     enabled
    readonly_user    TestPwd123    ReadOnly    ${True}


Verify Redfish Admin User Login With Wrong Password
    [Documentation]    Create an Administrator account with a valid password and confirm
    ...    that a login attempt with a different password is rejected.
    [Tags]    Verify_Redfish_Admin_User_Login_With_Wrong_Password
    [Template]    Verify Redfish User Login With Wrong Password

    # username    password      role_id          enabled    wrong_password
    admin_user    TestPwd123    Administrator    ${True}    alskjhfwurh


Verify Redfish Operator User Login With Wrong Password
    [Documentation]    Create an Operator account with a valid password and confirm
    ...    that a login attempt with a different password is rejected.
    [Tags]    Verify_Redfish_Operator_User_Login_With_Wrong_Password
    [Template]    Verify Redfish User Login With Wrong Password

    # username       password      role_id     enabled    wrong_password
    operator_user    TestPwd123    Operator    ${True}    12j8a8uakjhdaosiruf024


Verify Redfish Readonly User Login With Wrong Password
    [Documentation]    Create a ReadOnly account with a valid password and confirm
    ...    that a login attempt with a different password is rejected.
    [Tags]    Verify_Redfish_Readonly_User_Login_With_Wrong_Password
    [Template]    Verify Redfish User Login With Wrong Password

    # username       password      role_id     enabled    wrong_password
    readonly_user    TestPwd123    ReadOnly    ${True}    12


Verify Login with Deleted Redfish Admin User
    [Documentation]    Run the deleted-user login template for an Administrator account.
    [Tags]    Verify_Login_with_Deleted_Redfish_Admin_User
    [Template]    Verify Login with Deleted Redfish User

    # username    password      role_id          enabled
    admin_user    TestPwd123    Administrator    ${True}


Verify Login with Deleted Redfish Operator User
    [Documentation]    Run the deleted-user login template for an Operator account.
    [Tags]    Verify_Login_with_Deleted_Redfish_Operator_User
    [Template]    Verify Login with Deleted Redfish User

    # username       password      role_id     enabled
    operator_user    TestPwd123    Operator    ${True}


Verify Login with Deleted Redfish Readonly User
    [Documentation]    Run the deleted-user login template for a ReadOnly account.
    [Tags]    Verify_Login_with_Deleted_Redfish_Readonly_User
    [Template]    Verify Login with Deleted Redfish User

    # username       password      role_id     enabled
    readonly_user    TestPwd123    ReadOnly    ${True}


Verify Admin User Creation Without Enabling It
    [Documentation]    Create an Administrator account with Enabled set to false and
    ...    run the disabled-account template against it.
    [Tags]    Verify_Admin_User_Creation_Without_Enabling_It
    [Template]    Verify Create User Without Enabling

    # username    password      role_id          enabled
    admin_user    TestPwd123    Administrator    ${False}


Verify Operator User Creation Without Enabling It
    [Documentation]    Create an Operator account with Enabled set to false and
    ...    run the disabled-account template against it.
    [Tags]    Verify_Operator_User_Creation_Without_Enabling_It
    [Template]    Verify Create User Without Enabling

    # username       password      role_id     enabled
    operator_user    TestPwd123    Operator    ${False}


Verify Readonly User Creation Without Enabling It
    [Documentation]    Create a ReadOnly account with Enabled set to false and
    ...    run the disabled-account template against it.
    [Tags]    Verify_Readonly_User_Creation_Without_Enabling_It
    [Template]    Verify Create User Without Enabling

    # username       password      role_id     enabled
    readonly_user    TestPwd123    ReadOnly    ${False}


Verify User Creation With Invalid Role Id
    [Documentation]    A POST that names a RoleId the service does not define must be
    ...    rejected with HTTP_BAD_REQUEST.
    [Tags]    Verify_User_Creation_With_Invalid_Role_Id

    # Start clean: the account may or may not be left over from an earlier run.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/test_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Request an account whose RoleId is "wrongroleid".
    ${account}=    Create Dictionary
    ...    UserName=test_user
    ...    Password=TestPwd123
    ...    RoleId=wrongroleid
    ...    Enabled=${True}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{account}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]

Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]    Creating a second account with an existing UserName but another
    ...    role must be rejected with HTTP_BAD_REQUEST.
    [Tags]    Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    # First account: test_user as Administrator.
    Redfish Create User    test_user    TestPwd123    Administrator    ${True}

    # Second request reuses the name with the ReadOnly role.
    ${duplicate}=    Create Dictionary
    ...    UserName=test_user
    ...    Password=TestPwd123
    ...    RoleId=ReadOnly
    ...    Enabled=${True}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{duplicate}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Remove the account created above.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/test_user


Verify Modifying User Attributes
    [Documentation]    Rename one account and change the role of another through PATCH,
    ...    then verify both accounts with their new attributes.
    [Tags]    Verify_Modifying_User_Attributes

    # Accounts to be modified.
    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}

    # The rename target must be free before the PATCH.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/newadmin_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Rename admin_user to newadmin_user.
    ${rename}=    Create Dictionary    UserName=newadmin_user
    Redfish.Patch    /redfish/v1/AccountService/Accounts/admin_user    body=&{rename}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Raise readonly_user to the Administrator role.
    ${new_role}=    Create Dictionary    RoleId=Administrator
    Redfish.Patch    /redfish/v1/AccountService/Accounts/readonly_user    body=&{new_role}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Both accounts must log in and report the Administrator role.
    Redfish Verify User    newadmin_user    TestPwd123    Administrator    ${True}
    Redfish Verify User    readonly_user    TestPwd123    Administrator    ${True}

    # Remove the accounts again.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/newadmin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/readonly_user


Verify Modifying Operator User Attributes
    [Documentation]    Change an Operator account's password through PATCH and verify
    ...    that the account logs in with the new password.
    [Tags]    Verify_Modifying_Operator_User_Attributes
    [Setup]    Run Keywords
    ...    Redfish.Login
    ...    AND    Redfish Create User    operator_user    TestPwd123    Operator    ${True}
    # Test-level teardown: remove the account, then run the common teardown.
    [Teardown]    Run Keywords
    ...    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user
    ...    AND    Test Teardown Execution

    # Set a new password on operator_user.
    ${new_password}=    Create Dictionary    Password=NewTestPwd123
    Redfish.Patch    /redfish/v1/AccountService/Accounts/operator_user    body=&{new_password}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # The account must now log in with the new password and keep its role.
    Redfish Verify User    operator_user    NewTestPwd123    Operator    ${True}


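Verify User Account Locked
    [Documentation]    Lock an account with repeated bad passwords, confirm that the
    ...    correct password is refused while the account is locked, and confirm
    ...    that login works again once the lockout duration has passed.
    [Tags]    Verify_User_Account_Locked
    # Cleanup lives in the teardown so that a failed step cannot leave the
    # Administrator test account on the BMC or the session logged out. The
    # common teardown is chained last because a test-level teardown replaces
    # the suite one.
    [Teardown]    Run Keywords
    ...    Run Keyword And Ignore Error    Redfish.Logout
    ...    AND    Redfish.Login
    ...    AND    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
    ...    AND    Test Teardown Execution

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}

    # Apply the lockout policy under test.
    # NOTE(review): nothing in this test restores the previous threshold and
    # duration, so the policy stays at these values afterwards.
    ${lockout_policy}=    Create Dictionary
    ...    AccountLockoutThreshold=${account_lockout_threshold}
    ...    AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch    ${REDFISH_ACCOUNTS_SERVICE_URI}    body=${lockout_policy}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword    ${account_lockout_threshold} times
    ...    Run Keyword And Expect Error    *InvalidCredentialsError*
    ...    Redfish.Login    admin_user    abcd1234

    # The correct password must now be refused as well.
    Run Keyword And Expect Error    *InvalidCredentialsError*
    ...    Redfish.Login    admin_user    TestPwd123

    # Wait for the lockout duration plus a 5 second margin.
    ${total_wait_duration}=    Evaluate    ${account_lockout_duration} + 5
    Sleep    ${total_wait_duration}s

    # After the lockout has expired the correct password must work again.
    Redfish.Login    admin_user    TestPwd123

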
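Verify User Account Unlock
    [Documentation]    Lock an account with repeated bad passwords, confirm that Redfish
    ...    and SSH both refuse the correct password while it is locked, then
    ...    clear the Locked property and confirm that both logins work again
    ...    before the lockout duration has passed.
    [Tags]    Verify_User_Account_Unlock
    # A test-level teardown replaces the suite teardown, so the common teardown
    # keyword is chained last; without it FFDC On Test Case Fail never runs for
    # this test.
    [Teardown]    Run Keywords
    ...    Redfish.Logout
    ...    AND    Redfish.Login
    ...    AND    Redfish.Delete    /redfish/v1/AccountService/Accounts/test_user
    ...    AND    SSHLibrary.Close All Connections
    ...    AND    Test Teardown Execution

    Redfish Create User    test_user    TestPwd123    Administrator    ${True}

    # Apply the lockout policy under test.
    # NOTE(review): nothing in this test restores the previous threshold and
    # duration, so the policy stays at these values afterwards.
    ${lockout_policy}=    Create Dictionary
    ...    AccountLockoutThreshold=${account_lockout_threshold}
    ...    AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch    ${REDFISH_ACCOUNTS_SERVICE_URI}    body=${lockout_policy}
    ...    valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword    ${account_lockout_threshold} times
    ...    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    test_user    abc123

    # The lock must also apply to SSH: the correct password is refused.
    SSHLibrary.Open Connection    ${OPENBMC_HOST}
    Run Keyword And Expect Error    Authentication failed*
    ...    SSHLibrary.Login    test_user    TestPwd123

    # The correct password is refused over Redfish too.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    test_user    TestPwd123

    # Clear the lock from the default session before the lockout duration expires.
    ${unlock}=    Create Dictionary    Locked=${FALSE}
    Redfish.Login
    Redfish.Patch    ${REDFISH_ACCOUNTS_URI}test_user    body=${unlock}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]
    Redfish.Logout

    # The unlocked account must log in over Redfish ...
    Redfish.Login    test_user    TestPwd123

    # ... and over SSH.
    SSHLibrary.Open Connection    ${OPENBMC_HOST}
    SSHLibrary.Login    test_user    TestPwd123

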
Verify Admin User Privilege
    [Documentation]    Confirm that an Administrator account can change the password of
    ...    another account.
    [Tags]    Verify_Admin_User_Privilege

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}

    # Switch the session to the new Administrator account.
    Redfish.Logout
    Redfish.Login    admin_user    TestPwd123

    # As admin_user, set a new password on readonly_user.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/readonly_user
    ...    body={'Password': 'NewTestPwd123'}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # readonly_user must log in with the new password and keep its role.
    Redfish Verify User    readonly_user    NewTestPwd123    ReadOnly    ${True}

    # The deletes below run in the default session: the login keyword used by
    # "Redfish Verify User" logs back in without arguments in its teardown.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/readonly_user


Verify Operator User Role Change Using Admin Privilege User
    [Documentation]    Confirm that an Administrator account can change the RoleId of an
    ...    Operator account.
    [Tags]    Verify_Operator_User_Role_Change_Using_Admin_Privilege_User

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    operator_user    TestPwd123    Operator    ${True}

    # Switch the session to the new Administrator account.
    Redfish.Logout
    Redfish.Login    admin_user    TestPwd123

    # As admin_user, promote operator_user to Administrator.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/operator_user
    ...    body={'RoleId': 'Administrator'}
    ...    valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]

    # operator_user must still log in and now report the Administrator role.
    Redfish Verify User    operator_user    TestPwd123    Administrator    ${True}

    # Remove both accounts.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user


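Verify Operator User Privilege
    [Documentation]    Confirm that an Operator account can neither reset the BMC nor
    ...    change the password of an Administrator account.
    [Tags]    Verify_Operator_User_Privilege
    # Cleanup lives in the teardown: if one of the denial checks fails, the
    # session is still the Operator's and both test accounts still exist. The
    # common teardown is chained last because a test-level teardown replaces
    # the suite one.
    [Teardown]    Run Keywords
    ...    Run Keyword And Ignore Error    Redfish.Logout
    ...    AND    Redfish.Login
    ...    AND    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
    ...    AND    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
    ...    AND    Test Teardown Execution

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    operator_user    TestPwd123    Operator    ${True}

    # Switch the session to the Operator account.
    Redfish.Logout
    Redfish.Login    operator_user    TestPwd123

    # The BMC reset keyword must fail for the Operator session.
    # NOTE(review): the pattern accepts any ValueError; this file does not show
    # that the error is specifically an authorization refusal - confirm.
    Run Keyword And Expect Error    ValueError*    Redfish BMC Reset Operation

    # Changing the Administrator's password must be answered with HTTP_FORBIDDEN.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/admin_user
    ...    body={'Password': 'NewTestPwd123'}
    ...    valid_status_codes=[${HTTP_FORBIDDEN}]

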
Verify ReadOnly User Privilege
    [Documentation]    Confirm that a ReadOnly account can read system-level data.
    [Tags]    Verify_ReadOnly_User_Privilege

    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}

    # Switch the session to the ReadOnly account.
    Redfish.Logout
    Redfish.Login    readonly_user    TestPwd123

    # Read the Model attribute of the system resource.
    # NOTE(review): the value is not compared with anything, and no write
    # request is attempted, so this test covers read access only.
    ${model}=    Redfish_Utils.Get Attribute    ${SYSTEM_BASE_URI}    Model

    # Back to the default session to remove the account.
    Redfish.Logout
    Redfish.Login
    Redfish.Delete    ${REDFISH_ACCOUNTS_URI}readonly_user


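Verify Minimum Password Length For Redfish Admin And Readonly User
    [Documentation]    Run the minimum-password-length template for a new and an existing
    ...    Administrator account and ReadOnly account.
    # Every other test in this suite carries a tag derived from its name; this
    # one had none, so it could not be selected or excluded on its own.
    [Tags]    Verify_Minimum_Password_Length_For_Redfish_Admin_And_Readonly_User
    [Template]    Verify Minimum Password Length For Redfish User

    # username       role_id
    admin_user       Administrator
    readonly_user    ReadOnly

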
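Verify Standard User Roles Defined By Redfish
    [Documentation]    Confirm that the three standard Redfish roles exist and that each
    ...    one carries exactly the privileges listed in the table below.
    [Tags]    Verify_Standard_User_Roles_Defined_By_Redfish

    ${member_list}=    Redfish_Utils.Get Member List
    ...    /redfish/v1/AccountService/Roles

    # Other roles may exist next to the standard ones, so this is a subset check.
    @{roles}=    Create List
    ...    /redfish/v1/AccountService/Roles/Administrator
    ...    /redfish/v1/AccountService/Roles/Operator
    ...    /redfish/v1/AccountService/Roles/ReadOnly
    List Should Contain Sub List    ${member_list}    ${roles}

    # The standard roles are:

    # | Role name | Assigned privileges |
    # | Administrator | Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf |
    # | Operator | Login, ConfigureComponents, ConfigureSelf |
    # | ReadOnly | Login, ConfigureSelf |

    @{admin}=    Create List
    ...    Login    ConfigureManager    ConfigureUsers    ConfigureComponents    ConfigureSelf
    @{operator}=    Create List    Login    ConfigureComponents    ConfigureSelf
    @{readOnly}=    Create List    Login    ConfigureSelf

    # The privilege lists are compared for equality (order ignored). A subset
    # check would still pass if a role held more than the table allows, for
    # example a ReadOnly role that also lists ConfigureUsers.
    ${resp}=    Redfish.Get    /redfish/v1/AccountService/Roles/Administrator
    Lists Should Be Equal    ${resp.dict['AssignedPrivileges']}    ${admin}
    ...    ignore_order=${True}

    ${resp}=    Redfish.Get    /redfish/v1/AccountService/Roles/Operator
    Lists Should Be Equal    ${resp.dict['AssignedPrivileges']}    ${operator}
    ...    ignore_order=${True}

    ${resp}=    Redfish.Get    /redfish/v1/AccountService/Roles/ReadOnly
    Lists Should Be Equal    ${resp.dict['AssignedPrivileges']}    ${readOnly}
    ...    ignore_order=${True}

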
Verify Error While Deleting Root User
    [Documentation]    A DELETE on the root account must be answered with HTTP_FORBIDDEN.
    [Tags]    Verify_Error_While_Deleting_Root_User

    Redfish.Delete    /redfish/v1/AccountService/Accounts/root
    ...    valid_status_codes=[${HTTP_FORBIDDEN}]


Verify SSH Login Access With Admin User
    [Documentation]    Verify that an admin user has SSH login access.
    ...    By default an admin should have access, but there can be builds
    ...    in the community where admin shell access is restricted by design.
    [Tags]    Verify_SSH_Login_Access_With_Admin_User

    # Create the admin account and log in over SSH with it.
    Create Admin User And Verify SSH Login

    # Remove the account from the default session.
    Redfish.Login
    Redfish.Delete    /redfish/v1/AccountService/Accounts/new_admin

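Verify SSH Login Is Revoked For Deleted User
    [Documentation]    Confirm that an account deleted through Redfish can no longer
    ...    log in over SSH.
    [Tags]    Verify_SSH_Login_Is_Revoked_For_Deleted_User
    # The SSH connection opened below was never closed. Close it here and then
    # run the common teardown, which a test-level teardown would otherwise replace.
    [Teardown]    Run Keywords
    ...    SSHLibrary.Close All Connections
    ...    AND    Test Teardown Execution

    # Create the admin account and log in over SSH with it.
    Create Admin User And Verify SSH Login

    # Delete the account from the default session.
    Redfish.Login
    Redfish.Delete    /redfish/v1/AccountService/Accounts/new_admin
    ...    valid_status_codes=[${HTTP_OK}]

    # SSH authentication for the deleted account must fail.
    # NOTE(review): TestPwd1 is presumably the password assigned by
    # "Create Admin User And Verify SSH Login", which is not defined in this
    # part of the file. If it differs, this check passes for the wrong reason.
    SSHLibrary.Open Connection    ${OPENBMC_HOST}
    Run Keyword And Expect Error    Authentication failed*
    ...    SSHLibrary.Login    new_admin    TestPwd1
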
Verify Configure BasicAuth Enable And Disable
    [Documentation]    Run the auth-method configuration template for BasicAuth and XToken.
    [Tags]    Verify_Configure_BasicAuth_Enable_And_Disable
    [Template]    Template For Configure Auth Methods

    # auth_method
    BasicAuth
    XToken


Redfish Create and Verify Admin User With Invalid Password Format
    [Documentation]    Run the unsupported-password template for an Administrator account
    ...    with each password listed below.
    [Tags]    Redfish_Create_and_Verify_Admin_User_With_Invalid_Password_Format
    [Template]    Create User With Unsupported Password Format And Verify

    # username    role_id          password
    admin_user    Administrator    snellens
    admin_user    Administrator    10000001
    admin_user    Administrator    12345678
    admin_user    Administrator    abcdefgh
    admin_user    Administrator    abf12345
    admin_user    Administrator    helloworld
    admin_user    Administrator    HELLOWORLD
    admin_user    Administrator    &$%**!*@
    admin_user    Administrator    Dictation


Redfish Create and Verify Readonly User With Invalid Password Format
    [Documentation]    Run the unsupported-password template for a ReadOnly account
    ...    with each password listed below.
    [Tags]    Redfish_Create_and_Verify_Readonly_User_With_Invalid_Password_Format
    [Template]    Create User With Unsupported Password Format And Verify

    # username       role_id     password
    readonly_user    ReadOnly    snellens
    readonly_user    ReadOnly    10000001
    readonly_user    ReadOnly    12345678
    readonly_user    ReadOnly    abcdefgh
    readonly_user    ReadOnly    abf12345
    readonly_user    ReadOnly    helloworld
    readonly_user    ReadOnly    HELLOWORLD
    readonly_user    ReadOnly    &$%**!*@
    readonly_user    ReadOnly    Dictation


Verify Admin And Readonly User Password Is Not Same As Username
    [Documentation]    Run the unsupported-password template with a password that is
    ...    identical to the user name, for an Administrator and a ReadOnly account.
    [Tags]    Verify_Admin_And_Readonly_User_Password_Is_Not_Same_As_Username
    [Template]    Create User With Unsupported Password Format And Verify

    # username       role_id          password
    AdminUser1       Administrator    AdminUser1
    ReadOnlyUser1    ReadOnly         ReadOnlyUser1

Verify AccountService Unsupported Methods
    [Documentation]    PUT, POST and DELETE on the AccountService resource must each be
    ...    answered with HTTP_METHOD_NOT_ALLOWED.
    [Tags]    Verify_AccountService_Unsupported_Methods

    # PUT
    Redfish.Put    /redfish/v1/AccountService
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # POST
    Redfish.Post    /redfish/v1/AccountService
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # DELETE
    Redfish.Delete    /redfish/v1/AccountService
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

Verify AccountService Roles Unsupported Methods
    [Documentation]    PUT, POST, DELETE and PATCH on the Roles collection must each be
    ...    answered with HTTP_METHOD_NOT_ALLOWED.
    [Tags]    Verify_AccountService_Roles_Unsupported_Methods

    # PUT
    Redfish.Put    /redfish/v1/AccountService/Roles
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # POST
    Redfish.Post    /redfish/v1/AccountService/Roles
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # DELETE
    Redfish.Delete    /redfish/v1/AccountService/Roles
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # PATCH
    Redfish.Patch    /redfish/v1/AccountService/Roles
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

Verify AccountService Roles Instance With Unsupported Methods
    [Documentation]    Each standard role instance must answer GET with HTTP_OK, and the
    ...    Administrator role instance must answer POST, PUT, PATCH and DELETE
    ...    with HTTP_METHOD_NOT_ALLOWED.
    [Tags]    Verify_AccountService_Roles_Instance_With_Unsupported_Methods

    # GET on the Administrator role.
    Redfish.Get    /redfish/v1/AccountService/Roles/Administrator
    ...    valid_status_codes=[${HTTP_OK}]

    # GET on the Operator role.
    Redfish.Get    /redfish/v1/AccountService/Roles/Operator
    ...    valid_status_codes=[${HTTP_OK}]

    # GET on the ReadOnly role.
    Redfish.Get    /redfish/v1/AccountService/Roles/ReadOnly
    ...    valid_status_codes=[${HTTP_OK}]

    # POST on a role instance.
    Redfish.Post    /redfish/v1/AccountService/Roles/Administrator
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # PUT on a role instance.
    Redfish.Put    /redfish/v1/AccountService/Roles/Administrator
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # PATCH on a role instance.
    Redfish.Patch    /redfish/v1/AccountService/Roles/Administrator
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # DELETE on a role instance.
    Redfish.Delete    /redfish/v1/AccountService/Roles/Administrator
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

*** Keywords ***

Test Teardown Execution
    [Documentation]    Common test teardown: log out of Redfish, tolerating a failed
    ...    logout, then run FFDC On Test Case Fail.

    # The logout result is deliberately ignored.
    Run Keyword And Ignore Error    Redfish.Logout
    FFDC On Test Case Fail


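Redfish Create User
    [Documentation]    Create a Redfish account, reset its faillock counter on the BMC,
    ...    optionally check that a login with it matches the Enabled flag,
    ...    and confirm the RoleId the service reports for it.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}    ${login_check}=${True}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # login_check         Whether to attempt a login with the new account
    #                     (e.g. ${True}, ${False}).

    # Remove any account that already has this name; HTTP_NOT_FOUND is
    # accepted because there may be none.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create the account.
    ${payload}=    Create Dictionary
    ...    UserName=${username}    Password=${password}    RoleId=${role_id}    Enabled=${enabled}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_CREATED}]

    # Reset the faillock count as a workaround for issue
    # openbmc/phosphor-user-manager#4.
    # The user name goes into the command line unquoted, so callers should pass
    # plain account names only.
    ${cmd}=    Catenate    /usr/sbin/faillock --user ${username} --reset
    Bmc Execute Command    ${cmd}

    # Check the login result against the Enabled flag.
    # "Verify Redfish User Login" returns the login status and does not fail on
    # a rejected login, so its return value is used directly. Wrapping it in
    # "Run Keyword And Return Status" only reported that the keyword ran, which
    # made this check pass even when the new credentials were rejected.
    IF    '${login_check}' == '${True}'
        ${status}=    Verify Redfish User Login    ${username}    ${password}
        Should Be Equal    ${status}    ${enabled}
    END

    # The service must report the requested role for the new account.
    ${role_config}=    Redfish_Utils.Get Attribute
    ...    /redfish/v1/AccountService/Accounts/${username}    RoleId
    Should Be Equal    ${role_id}    ${role_config}

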
Redfish Verify User
    [Documentation]    Check that a login with the given credentials succeeds or fails as
    ...    the Enabled flag says, and that the account reports the given RoleId.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username of the account to verify.
    # password            The password to log in with.
    # role_id             The role ID the account is expected to have
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             The expected login result (${True}, ${False}).

    # The login keyword returns the login status instead of failing.
    ${login_ok}=    Verify Redfish User Login    ${username}    ${password}
    Should Be Equal    ${login_ok}    ${enabled}

    # Compare the role reported by the service with the expected one.
    ${actual_role}=    Redfish_Utils.Get Attribute
    ...    /redfish/v1/AccountService/Accounts/${username}    RoleId
    Should Be Equal    ${role_id}    ${actual_role}


Verify Redfish User Login
    [Documentation]    Attempt a Redfish login with the given credentials and return
    ...    whether it succeeded.
    [Arguments]    ${username}    ${password}
    # Whatever the outcome, end with a fresh argument-less Redfish.Login so
    # that the caller continues in the default session.
    [Teardown]    Run Keywords
    ...    Run Keyword And Ignore Error    Redfish.Logout
    ...    AND    Redfish.Login

    # Description of argument(s):
    # username            Login username.
    # password            Login password.

    # Drop the current session first. A failure here does not matter because
    # a login with the new credentials follows immediately.
    Run Keyword And Ignore Error    Redfish.Logout

    ${login_ok}=    Run Keyword And Return Status
    ...    Redfish.Login    ${username}    ${password}
    RETURN    ${login_ok}


Redfish Create And Verify User
    [Documentation]    Create an account, verify its login and role, then delete it.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Example of an account resource (excerpt):
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},

    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}
    Redfish Verify User    ${username}    ${password}    ${role_id}    ${enabled}

    # Remove the account again.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}

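Verify Redfish User Login With Wrong Password
    [Documentation]  Verify Redfish User failed to login with wrong password.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}
    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout
    ...  AND  Redfish.Login
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # wrong_password      Any invalid password.

    # Session restore and account deletion run in the keyword teardown. If the
    # login with the wrong password is unexpectedly accepted, the keyword fails
    # at the check below; the teardown still drops that session, logs back in
    # through Redfish.Login without arguments and removes the test account.

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish.Logout

    # Attempt to login with created user with invalid password; the login must
    # be rejected with an InvalidCredentialsError.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${wrong_password}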
802
803
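Verify Login with Deleted Redfish User
    [Documentation]  Verify Login with Deleted Redfish User.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # The default session is restored in the keyword teardown, so it is also
    # restored when the deleted account is unexpectedly still able to log in
    # and the check below fails.

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # Delete newly created user.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

    Redfish.Logout

    # Attempt to login with deleted user account; the credentials must no
    # longer be accepted.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}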
828
829
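Verify Create User Without Enabling
    [Documentation]  Verify Create User Without Enabling.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout
    ...  AND  Redfish.Login
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    #                     The login below is expected to fail whatever value
    #                     is passed, so callers presumably pass ${False}.

    # Session restore and account deletion run in the keyword teardown, so a
    # not-enabled account that is unexpectedly able to log in is still removed
    # from the BMC when the check below fails.

    # NOTE(review): the meaning of the trailing ${False} is defined by
    # Redfish Create User, which is not part of this keyword - confirm there.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}  ${False}

    Redfish.Logout

    # Attempt to login with the created user; the login must be rejected.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}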
854
Template For Configure Auth Methods
    [Documentation]  Template to configure auth methods.
    [Arguments]  ${auth_method}
    [Teardown]  Configure AuthMethods  ${auth_method}=${initial_value}

    # Description of argument(s):
    # auth_method   The authmethod setting which needs to be
    #               set in account service URI.
    #               Valid values: BasicAuth, XToken.

    # Store the current value of the setting in test variable ${initial_value};
    # the keyword teardown writes that value back.
    Get AuthMethods Default Values  ${auth_method}

    # Patch the selected auth method to TRUE and expect requests to succeed.
    Configure AuthMethods  ${auth_method}=${TRUE}

    IF  "${auth_method}" != "XToken"
        Check BasicAuth Works Fine  ${HTTP_OK}
    ELSE
        Check XToken Works Fine  ${HTTP_OK}
    END

    # Patch the selected auth method to FALSE and expect requests to be
    # answered with HTTP_UNAUTHORIZED.
    Configure AuthMethods  ${auth_method}=${FALSE}

    IF  "${auth_method}" != "BasicAuth"
        Check XToken Works Fine  ${HTTP_UNAUTHORIZED}
    ELSE
        Check BasicAuth Works Fine  ${HTTP_UNAUTHORIZED}
    END
884
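Configure AuthMethods
    [Documentation]  Enable/disable authmethod types.
    [Arguments]  &{authmethods}

    # Description of argument(s):
    # authmethods            The authmethod setting which needs to be
    #                        set in account service URI.
    # Usage Example          Configure AuthMethods  XToken=${TRUE}  BasicAuth=${TRUE}
    #                        This will set the value of "XToken" and "BasicAuth"
    #                        property in accountservice uri to TRUE.

    ${openbmc}=  Create Dictionary  AuthMethods=${authmethods}
    ${oem}=  Create Dictionary  OpenBMC=${openbmc}
    ${payload}=  Create Dictionary  Oem=${oem}

    # Setting authmethod properties using Redfish session based auth
    ${status}=  Run Keyword And Return Status
    ...  Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=${payload}  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]

    # Setting authmethod properties using basic auth in case the former fails
    IF  ${status}==${FALSE}
        # Serialize the payload as JSON (booleans become true/false).
        ${payload}=  Evaluate  json.dumps($payload)  modules=json

        # Curl Command Framing for PATCH authmethod
        # NOTE(review): the credentials are part of the command line, so they
        # are visible in the process list while curl runs and may end up in
        # the test log. -k turns off TLS certificate verification.
        ${cmd}=  Catenate  curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
        ...  -X PATCH '${AUTH_URI}${REDFISH_ACCOUNTS_SERVICE_URI}'
        ...  -H 'content-type:application/json' -H 'If-Match:*'
        ...  -d '${payload}'
        ${rc}  ${out}=  Run And Return Rc And Output  ${cmd}

        # Fail unless the HTTP status line reports 200 or 204. The status line
        # is matched, not any "200"/"204" substring, because header values or
        # the body can contain those digits. A rejected PATCH fails the keyword
        # here, and the calling test continues with its remaining checks after
        # a successful one.
        Should Match Regexp  ${out}  HTTP/[0-9.]+ (200|204)\\b
        ...  msg=PATCH of AuthMethods with basic auth did not return 200 or 204.
    END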
928
929
Get AuthMethods Default Values
    [Documentation]  Get enabled/disabled status of all authmethods
    ...  from Redfish account service URI
    [Arguments]  ${authmethod}

    # Description of argument(s):
    # authmethod            The authmethod property whose value needs to be
    #                       retrieved from account service URI.
    # Usage Example         Get AuthMethods Default Values  BasicAuth
    #                       sets test variable ${initial_value}, e.g. to ${TRUE}.
    #                       Nothing is returned to the caller.
    # Example of the account service resource:
    # {
    #     "@odata.id": "/redfish/v1/AccountService",
    #     (...)
    #     "Oem": {
    #         "OpenBMC": {
    #             "AuthMethods": {
    #                 "BasicAuth": true,
    #                 "Cookie": true,
    #                 "SessionToken": true,
    #                 "TLS": true,
    #                 "XToken": true
    #             }
    #         }
    #     }
    # }

    # Read the Oem attribute and pick the requested entry of AuthMethods.
    ${oem}=  Redfish.Get Attribute  ${REDFISH_ACCOUNTS_SERVICE_URI}  Oem
    ${auth_settings}=  Set Variable  ${oem['OpenBMC']['AuthMethods']}
    ${initial_value}=  Get From Dictionary  ${auth_settings}  ${authmethod}

    # Publish the value in test scope for later use by other keywords.
    Set Test Variable  ${initial_value}
961
Check XToken Works Fine
    [Documentation]  Verify Xtoken works fine.
    [Arguments]  ${status_code}

    # Description of argument(s):
    # status_code         HTTP status the request must return (200, 401).

    # GET the account service through the Redfish library and accept only the
    # given status code.
    # NOTE(review): presumably the request carries the token of the current
    # Redfish session - confirm against the library.
    Redfish.Get  ${REDFISH_ACCOUNTS_SERVICE_URI}  valid_status_codes=[${status_code}]
972
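Check BasicAuth Works Fine
    [Documentation]  Verify Basic Auth works fine.
    [Arguments]  ${status_code}

    # Description of argument(s):
    # status_code         HTTP status the request must return (200, 401).

    # Send a GET on the account service with HTTP basic authentication.
    # NOTE(review): the credentials are part of the command line, so they are
    # visible in the process list while curl runs and may end up in the test
    # log. -k turns off TLS certificate verification.
    ${cmd}=  Catenate  curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
    ...  ${AUTH_URI}/redfish/v1/AccountService
    ${rc}  ${out}=  Run And Return Rc And Output  ${cmd}

    # Compare against the HTTP status line only. A plain substring search for
    # "200" or "401" can match header values or the response body and would
    # let the check pass with the wrong status.
    Should Match Regexp  ${out}  HTTP/[0-9.]+ ${status_code}\\b
    ...  msg=Basic auth request did not return HTTP status ${status_code}.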
987
988
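Create User With Unsupported Password Format And Verify
    [Documentation]  Create admin or readonly user with unsupported password format
    ...  and verify.
    [Arguments]   ${username}  ${role_id}  ${password}
    [Teardown]  Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Description of argument(s):
    # username            The username to be created.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "ReadOnly").
    # password            The password to be assigned.
    #                     Unsupported password format are sequential characters,
    #                     sequential digits, palindrome digits, palindrome characters,
    #                     only uppercase letters, only lowercase letters, only digits,
    #                     only characters, not a dictionary word, username and password
    #                     should not be same.
    #                     NOTE(review): the last two items presumably mean that
    #                     dictionary words and a password equal to the username
    #                     are rejected - confirm.

    # The keyword teardown deletes the account again and accepts "not found".
    # If the BMC wrongly accepts the unsupported password, the POST check below
    # fails and the account with that password is still removed.

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user with invalid password format; the request must be
    # rejected with HTTP_BAD_REQUEST.
    ${payload}=  Create Dictionary
    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]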
1014
1015
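Verify Minimum Password Length For Redfish User
    [Documentation]  Verify minimum password length for new and existing admin or
    ...  readonly user.
    [Arguments]  ${user_name}  ${role_id}
    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout
    ...  AND  Redfish.Login
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}

    # Description of argument(s):
    # user_name           The username to be created.
    # role_id             The role ID of the user to be created.

    # The test uses the fixed passwords UserPwd (7 characters, must be
    # rejected) and UserPwd1 (8 characters, must be accepted).
    # NOTE(review): this assumes a minimum password length of 8 on the BMC -
    # confirm against the MinPasswordLength of the account service.
    #
    # Session restore and account deletion run in the keyword teardown, so the
    # test account is removed even when one of the checks below fails.

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Try to create a user with invalid length password.
    ${payload}=  Create Dictionary
    ...  UserName=${user_name}  Password=UserPwd  RoleId=${role_id}  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Create specified user with valid length password.
    Set To Dictionary  ${payload}  Password  UserPwd1
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_CREATED}]

    # Try to change to an invalid password.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd'}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Change to a valid password.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd1'}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Verify login with the new user and the valid password.
    Redfish.Logout
    Redfish.Login  ${user_name}  UserPwd1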
1054
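Create Admin User And Verify SSH Login
    [Documentation]  Create admin user and verify SSH login & logout.

    # NOTE(review): this keyword does not delete the new_admin account it
    # creates; presumably the calling test removes it - confirm, so that no
    # Administrator account with a known password stays on the BMC.

    # Create an admin User.
    Redfish Create User  new_admin  TestPwd1  Administrator  ${True}

    # Attempt SSH login with admin user.
    SSHLibrary.Open Connection  ${OPENBMC_HOST}
    TRY
        ${status}=  Run Keyword And Return Status  SSHLibrary.Login  new_admin  TestPwd1

        # By default ssh_status is True, user can change the status via CLI
        # -v ssh_status:False
        Should Be Equal As Strings  "${status}"  "${ssh_status}"
    FINALLY
        # Close SSH connection for admin user, also when the check above fails.
        SSHLibrary.Close Connection
    END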