1*** Settings ***
2Documentation    Test Redfish user account.
3
4Resource         ../../lib/resource.robot
5Resource         ../../lib/bmc_redfish_resource.robot
6Resource         ../../lib/openbmc_ffdc.robot
7
8Test Setup       Test Setup Execution
9Test Teardown    Test Teardown Execution
10
11*** Variables ***
12
# Lockout window in seconds: the lockout test patches this into AccountService and
# then sleeps for the same number of seconds before retrying a valid login.
${account_lockout_duration}   ${30}
# Number of failed logins the lockout test performs before it expects a valid
# login to be refused.
${account_lockout_threshold}  ${3}
15
16** Test Cases **
17
Verify AccountService Available
    [Documentation]  Verify Redfish account service is available.
    [Tags]  Verify_AccountService_Available

    # Read the ServiceEnabled property of the account service and require that it
    # renders as the string form of ${True}.
    ${service_enabled} =  Redfish_utils.Get Attribute
    ...  /redfish/v1/AccountService  ServiceEnabled
    Should Be Equal As Strings  ${service_enabled}  ${True}
24
Verify Redfish User Persistence After Reboot
    [Documentation]  Verify Redfish user persistence after reboot.
    [Tags]  Verify_Redfish_User_Persistence_After_Reboot

    # Create one enabled account per role (Administrator, Operator, User, Callback).
    # Each call also confirms the new account can log in and reports the expected RoleId.
    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
    Redfish Create User  user_user      TestPwd123  User            ${True}
    Redfish Create User  callback_user  TestPwd123  Callback        ${True}

    # Reboot BMC, then open a fresh session with the default credentials.
    Redfish OBMC Reboot (off)  stack_mode=normal
    Redfish.Login

    # Verify users after reboot: same password still authenticates and the role is unchanged.
    Redfish Verify User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Verify User  operator_user  TestPwd123  Operator        ${True}
    Redfish Verify User  user_user      TestPwd123  User            ${True}
    Redfish Verify User  callback_user  TestPwd123  Callback        ${True}

    # Delete created users.
    # NOTE(review): this cleanup runs only if every step above passed. After a failure
    # the accounts (including an Administrator with a password hard-coded in this
    # file) stay on the BMC until a later run recreates or deletes them.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}admin_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}operator_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}user_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}callback_user
50
Redfish Create and Verify Users
    [Documentation]  Create one enabled Redfish user per role and verify each of them.
    [Tags]  Redfish_Create_and_Verify_Users
    [Template]  Redfish Create And Verify User

    # Each row is one invocation of the template keyword, which creates the account,
    # verifies login and RoleId, and deletes the account again.
    # username     password    role_id        enabled
    admin_user     TestPwd123  Administrator  ${True}
    operator_user  TestPwd123  Operator       ${True}
    user_user      TestPwd123  User           ${True}
    callback_user  TestPwd123  Callback       ${True}
61
Verify Redfish User with Wrong Password
    [Documentation]  Verify that a login with a wrong password is rejected for each role.
    [Tags]  Verify_Redfish_User_with_Wrong_Password
    [Template]  Verify Redfish User with Wrong Password

    # The wrong passwords differ in shape per row: lowercase letters only, a long
    # alphanumeric string, a two-character string and a string of special characters.
    # username     password    role_id        enabled  wrong_password
    admin_user     TestPwd123  Administrator  ${True}  alskjhfwurh
    operator_user  TestPwd123  Operator       ${True}  12j8a8uakjhdaosiruf024
    user_user      TestPwd123  User           ${True}  12
    callback_user  TestPwd123  Callback       ${True}  !#@D#RF#@!D
72
Verify Login with Deleted Redfish Users
    [Documentation]  Verify that a deleted Redfish user can no longer log in, for each role.
    [Tags]  Verify_Login_with_Deleted_Redfish_Users
    [Template]  Verify Login with Deleted Redfish User

    # Each row is created, logged in once, deleted, and then expected to fail login.
    # username     password    role_id        enabled
    admin_user     TestPwd123  Administrator  ${True}
    operator_user  TestPwd123  Operator       ${True}
    user_user      TestPwd123  User           ${True}
    callback_user  TestPwd123  Callback       ${True}
83
Verify User Creation Without Enabling It
    [Documentation]  Verify that a user created with Enabled=False cannot log in, for each role.
    [Tags]  Verify_User_Creation_Without_Enabling_It
    [Template]  Verify Create User Without Enabling

    # Every row creates the account in the disabled state; the template keyword then
    # expects the login attempt to be refused.
    # username     password    role_id        enabled
    admin_user     TestPwd123  Administrator  ${False}
    operator_user  TestPwd123  Operator       ${False}
    user_user      TestPwd123  User           ${False}
    callback_user  TestPwd123  Callback       ${False}
94
95
Verify User Creation With Invalid Role Id
    [Documentation]  Verify user creation with invalid role ID.
    [Tags]  Verify_User_Creation_With_Invalid_Role_Id

    # Start from a clean slate: remove test_user if present (404 is acceptable).
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}test_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Try to create the account with a RoleId the service does not define; the
    # request must be rejected with 400 Bad Request.
    # NOTE(review): if the service wrongly accepts the request, this test fails and
    # test_user is left behind until the next run deletes it.
    ${bad_role_account}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=wrongroleid  Enabled=${True}
    Redfish.Post  ${REDFISH_ACCOUNTS_URI}  body=&{bad_role_account}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
109
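Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]  Verify error upon creating same users with different privileges,
    ...  and that the rejected request leaves the existing account's role unchanged.
    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    # Create the account as Administrator. The keyword leaves the session logged in
    # as test_user (enabled, non-Callback role).
    Redfish Create User  test_user  TestPwd123  Administrator  ${True}

    # Re-post the same username with a different role; the service must answer 400.
    ${payload}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=Operator  Enabled=${True}
    Redfish.Post  ${REDFISH_ACCOUNTS_URI}  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # A rejected duplicate must not have altered the existing account: the role has
    # to remain the one assigned at creation.
    ${role_config}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_URI}test_user  RoleId
    Should Be Equal  Administrator  ${role_config}

    # Clean up. The session here is still test_user, so the account removes itself.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}test_user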
123
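Verify Modifying User Attributes
    [Documentation]  Verify modifying user attributes (username, password, role, enabled)
    ...  and that the superseded username and password no longer authenticate.
    [Tags]  Verify_Modifying_User_Attributes

    # Create Redfish users, one per role.
    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
    Redfish Create User  user_user      TestPwd123  User            ${True}
    Redfish Create User  callback_user  TestPwd123  Callback        ${True}

    # Perform all modifications from a session with the default credentials.
    Redfish.Login

    # Make sure the new user account does not already exist.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}newadmin_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Update admin_user username using Redfish.
    ${payload}=  Create Dictionary  UserName=newadmin_user
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}admin_user  body=&{payload}

    # Update operator_user password using Redfish.
    ${payload}=  Create Dictionary  Password=NewTestPwd123
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}operator_user  body=&{payload}

    # Update user_user role using Redfish.
    ${payload}=  Create Dictionary  RoleId=Operator
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}user_user  body=&{payload}

    # Update callback_user to disable using Redfish.
    ${payload}=  Create Dictionary  Enabled=${False}
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}callback_user  body=&{payload}

    # Superseded credentials must be rejected: the old username no longer exists and
    # the old operator password has been replaced. Without these checks a service
    # that keeps honouring the previous values would still pass this test.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  admin_user  TestPwd123
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  operator_user  TestPwd123

    # Verify users after updating. Each call logs in as the user itself and then
    # switches back to the default credentials to read the RoleId.
    Redfish Verify User  newadmin_user  TestPwd123     Administrator   ${True}
    Redfish Verify User  operator_user  NewTestPwd123  Operator        ${True}
    Redfish Verify User  user_user      TestPwd123     Operator        ${True}
    Redfish Verify User  callback_user  TestPwd123     Callback        ${False}

    # Delete created users.
    # NOTE(review): this cleanup is skipped when an earlier step fails, which leaves
    # the accounts on the BMC until a later run removes them.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}newadmin_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}operator_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}user_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}callback_user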
167
Verify User Account Locked
    [Documentation]  Verify user account locked upon trying with invalid password.
    [Tags]  Verify_User_Account_Locked

    # Create the account that will be locked out.
    Redfish Create User  admin_user  TestPwd123  Administrator   ${True}

    # Drop the admin_user session left by the keyword above and continue with the
    # default credentials.
    Redfish.Logout

    Redfish.Login

    # Configure the lockout policy on the account service.
    # NOTE(review): the previous AccountLockoutThreshold/AccountLockoutDuration values
    # are neither saved nor restored, so the policy set here remains in force after
    # the test. Confirm that is intended for the system under test.
    ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
    ...  AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword  ${account_lockout_threshold} times
    ...  Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  admin_user  abc123

    # Verify that legitimate login fails due to lockout.
    # The password is the one the account was created with, so a rejection here is
    # attributable to the lockout rather than to a bad credential.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  admin_user  TestPwd123

    # Wait for lockout duration to expire and then verify that login works.
    # NOTE(review): the sleep equals the configured duration with no margin, and the
    # rejected login above happens inside the window; if the service restarts the
    # timer on that attempt, the login below may still be refused. Verify on target.
    Sleep  ${account_lockout_duration}s
    Redfish.Login  admin_user  TestPwd123

    # Return to the default credentials before deleting the test account.
    Redfish.Logout

    Redfish.Login

    # NOTE(review): runs only on success; after a failure admin_user stays on the BMC.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}admin_user
199
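Verify Admin User Privilege
    [Documentation]  Verify that an Administrator account can change another account's
    ...  role and another account's password.
    [Tags]  Verify_Admin_User_Privilege

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
    Redfish Create User  user_user  TestPwd123  User  ${True}

    # Change role ID of operator user with admin user.
    # Login with admin user.
    Redfish.Login  admin_user  TestPwd123

    # Modify Role ID of Operator user.
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}operator_user  body={'RoleId': 'Administrator'}

    # Verify modified user.
    Redfish Verify User  operator_user  TestPwd123  Administrator  ${True}

    # Redfish Verify User finishes by logging in with the default credentials, so the
    # admin_user session has to be re-established. Without this the password change
    # below would be made by the default account and would not exercise the
    # privilege of admin_user at all.
    Redfish.Login  admin_user  TestPwd123

    # Change password of 'user' user with admin user.
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}user_user  body={'Password': 'NewTestPwd123'}

    # Verify modified user.
    Redfish Verify User  user_user  NewTestPwd123  User  ${True}

    # Clean up with the default credentials.
    Redfish.Login

    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}admin_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}operator_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}user_user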
229
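Verify Operator User Privilege
    [Documentation]  Verify that an Operator account can power-cycle the system but
    ...  cannot change an Administrator account's password.
    [Tags]  Verify_operator_User_Privilege

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}

    # Login with operator user.
    Redfish.Login  operator_user  TestPwd123

    # Verify power on system.
    Redfish OBMC Reboot (off)  stack_mode=normal

    # Log in as the operator again after the reboot, as the persistence test in this
    # file does with the default account. If the pre-reboot session is no longer
    # valid, the request below could be refused for lack of a session rather than
    # for lack of privilege, and the test would pass without checking anything.
    Redfish.Login  operator_user  TestPwd123

    # Attempt to change password of admin user with operator user.
    # NOTE(review): the Redfish specification assigns 403 Forbidden to authenticated
    # requests that lack privilege and 401 to missing or invalid credentials.
    # Confirm which code the firmware under test is expected to return here.
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}admin_user  body={'Password': 'NewTestPwd123'}
    ...  valid_status_codes=[${HTTP_UNAUTHORIZED}]

    # Clean up with the default credentials.
    Redfish.Login

    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}admin_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}operator_user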
251
252
Verify 'User' User Privilege
    [Documentation]  Verify 'user' user privilege.
    [Tags]  Verify_User_User_Privilege

    # Redfish Create User leaves the session logged in as the new account when it is
    # enabled and its role is not Callback, so the read below runs as user_user.
    Redfish Create User  user_user  TestPwd123  User  ${True}

    # Read system level data.
    # NOTE(review): the value is fetched but never asserted on, and no write attempt
    # is made, so this only shows that the read does not raise an error.
    ${model}=  Redfish_Utils.Get Attribute  ${SYSTEM_BASE_URI}  Model

    # Switch to the default credentials for cleanup.
    Redfish.Login

    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}user_user
266
267
268*** Keywords ***
269
Test Setup Execution
    [Documentation]  Per-test setup: open a Redfish session with the default credentials.

    # Every test in this suite starts from this session.
    Redfish.Login
274
275
Test Teardown Execution
    [Documentation]  Per-test teardown: collect FFDC on failure, then close the session.

    # FFDC is gathered before logging out. This keyword does not delete any accounts
    # a test created, so a test that fails before its own cleanup leaves them behind.
    FFDC On Test Case Fail
    Redfish.Logout
281
Redfish Create User
    [Documentation]  Create a Redfish user, check whether it can log in, and check its RoleId.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    #
    # Session on return: the created user when it is enabled and its role is not
    # "Callback"; otherwise the default login. Callers rely on this.

    # Work from a session with the default credentials.
    Redfish.Login

    # Remove any account of the same name first; a 404 simply means there was none.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Post the new account and require 201 Created.
    ${account}=  Create Dictionary
    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${enabled}
    Redfish.Post  ${REDFISH_ACCOUNTS_URI}  body=&{account}
    ...  valid_status_codes=[${HTTP_CREATED}]

    Redfish.Logout

    # Try the new credentials: a disabled account must be refused, an enabled one
    # must be able to log in.
    Run Keyword If  ${enabled} == ${False}
    ...    Run Keyword And Expect Error  InvalidCredentialsError*
    ...    Redfish.Login  ${username}  ${password}
    ...  ELSE
    ...    Redfish.Login  ${username}  ${password}

    # A refused login leaves no usable session, so fall back to the default login.
    Run Keyword If  ${enabled} == ${False}
    ...  Redfish.Login

    # For the Callback role, replace the user's session with the default login
    # (presumably because that role cannot read the account resource - confirm).
    Run Keyword If  '${role_id}' == 'Callback'
    ...  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # The RoleId stored by the service must match what was requested.
    ${actual_role}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_URI}${username}  RoleId
    Should Be Equal  ${role_id}  ${actual_role}
325
326
Redfish Verify User
    [Documentation]  Verify that an existing Redfish user logs in (or not) as expected
    ...  and carries the expected RoleId.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be verified.
    # password            The password expected to authenticate the user.
    # role_id             The role ID the user is expected to have
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Whether the login is expected to succeed
    #                     (${True}, ${False}).
    #
    # Session on return: always the default login, never the verified user.

    # Attempt a login as the user and record whether it succeeded.
    ${login_ok}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}

    # The outcome must equal the expected enabled state.
    Should Be Equal  ${login_ok}  ${enabled}

    # Read the account with the default credentials, since the user under test may
    # be disabled and therefore have no session.
    Redfish.Login

    # The RoleId stored by the service must match the expected one.
    ${actual_role}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_URI}${username}  RoleId
    Should Be Equal  ${role_id}  ${actual_role}
352
353
Redfish Create And Verify User
    [Documentation]  Create a Redfish user, verify it, and delete it again.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Example of an account resource (excerpt; remaining properties omitted):
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},
    #...
    #}

    # Create the account, then check login outcome and RoleId.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}

    # Remove the account. Redfish Verify User has left the default login active.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}
386
Verify Redfish User with Wrong Password
    [Documentation]  Create a user and verify that a login with a wrong password is rejected.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # wrong_password      Any invalid password.

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # The login must fail when the password does not match the one assigned.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${wrong_password}

    # Restore a default-credential session for cleanup.
    Redfish.Login

    # Remove the account again.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}
410
411
Verify Login with Deleted Redfish User
    [Documentation]  Create a user, delete it, and verify that its credentials are then rejected.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Create the account and confirm that it can log in before it is deleted.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
    ${login_ok}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}

    # Check the returned status: the login must have succeeded.
    Should Be Equal  ${login_ok}  ${True}

    # Switch to the default credentials to perform the deletion.
    Redfish.Login

    # Remove the account.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}

    # The same credentials must now be refused.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    # Leave a default-credential session in place for the teardown.
    Redfish.Login
440
Verify Create User Without Enabling
    [Documentation]  Create a user in the given enabled state and verify that its login is refused.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    #
    # The login is expected to fail unconditionally, so this keyword is only
    # meaningful when called with enabled=${False}.

    Redfish.Login

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish.Logout

    # The account's credentials must be refused.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    # Restore a default-credential session for cleanup.
    Redfish.Login

    # Remove the account again.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}
467