1*** Settings ***
2Documentation    Test Redfish user account.
3
4Resource         ../../lib/resource.robot
5Resource         ../../lib/bmc_redfish_resource.robot
6Resource         ../../lib/openbmc_ffdc.robot
7
8Test Setup       Test Setup Execution
9Test Teardown    Test Teardown Execution
10
11*** Variables ***
12
13${account_lockout_duration}   ${30}
14${account_lockout_threshold}  ${3}
15
16** Test Cases **
17
18Verify AccountService Available
19    [Documentation]  Verify Redfish account service is available.
20    [Tags]  Verify_AccountService_Available
21
22    ${resp} =  Redfish_utils.Get Attribute  /redfish/v1/AccountService  ServiceEnabled
23    Should Be Equal As Strings  ${resp}  ${True}
24
25Verify Redfish User Persistence After Reboot
26    [Documentation]  Verify Redfish user persistence after reboot.
27    [Tags]  Verify_Redfish_User_Persistence_After_Reboot
28
29    # Create Redfish users.
30    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
31    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
32    Redfish Create User  readonly_user  TestPwd123  ReadOnly        ${True}
33
34    # Reboot BMC.
35    Redfish OBMC Reboot (off)  stack_mode=normal
36    Redfish.Login
37
38    # Verify users after reboot.
39    Redfish Verify User  admin_user     TestPwd123  Administrator   ${True}
40    Redfish Verify User  operator_user  TestPwd123  Operator        ${True}
41    Redfish Verify User  readonly_user  TestPwd123  ReadOnly        ${True}
42
43    # Delete created users.
44    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
45    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
46    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
47
48Redfish Create and Verify Users
49    [Documentation]  Create Redfish users with various roles.
50    [Tags]  Redfish_Create_and_Verify_Users
51    [Template]  Redfish Create And Verify User
52
53    #username      password    role_id         enabled
54    admin_user     TestPwd123  Administrator   ${True}
55    operator_user  TestPwd123  Operator        ${True}
56    readonly_user  TestPwd123  ReadOnly        ${True}
57
58Verify Redfish User with Wrong Password
59    [Documentation]  Verify Redfish User with Wrong Password.
60    [Tags]  Verify_Redfish_User_with_Wrong_Password
61    [Template]  Verify Redfish User with Wrong Password
62
63    #username      password    role_id         enabled  wrong_password
64    admin_user     TestPwd123  Administrator   ${True}  alskjhfwurh
65    operator_user  TestPwd123  Operator        ${True}  12j8a8uakjhdaosiruf024
66    readonly_user  TestPwd123  ReadOnly        ${True}  12
67
68Verify Login with Deleted Redfish Users
69    [Documentation]  Verify login with deleted Redfish Users.
70    [Tags]  Verify_Login_with_Deleted_Redfish_Users
71    [Template]  Verify Login with Deleted Redfish User
72
73    #username     password    role_id         enabled
74    admin_user     TestPwd123  Administrator   ${True}
75    operator_user  TestPwd123  Operator        ${True}
76    readonly_user  TestPwd123  ReadOnly        ${True}
77
78Verify User Creation Without Enabling It
79    [Documentation]  Verify User Creation Without Enabling it.
80    [Tags]  Verify_User_Creation_Without_Enabling_It
81    [Template]  Verify Create User Without Enabling
82
83    #username      password    role_id         enabled
84    admin_user     TestPwd123  Administrator   ${False}
85    operator_user  TestPwd123  Operator        ${False}
86    readonly_user  TestPwd123  ReadOnly        ${False}
87
88
89Verify User Creation With Invalid Role Id
90    [Documentation]  Verify user creation with invalid role ID.
91    [Tags]  Verify_User_Creation_With_Invalid_Role_Id
92
93    # Make sure the user account in question does not already exist.
94    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
95    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
96
97    # Create specified user.
98    ${payload}=  Create Dictionary
99    ...  UserName=test_user  Password=TestPwd123  RoleId=wrongroleid  Enabled=${True}
100    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
101    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
102
103Verify Error Upon Creating Same Users With Different Privileges
104    [Documentation]  Verify error upon creating same users with different privileges.
105    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges
106
107    Redfish Create User  test_user  TestPwd123  Administrator  ${True}
108
109    # Create specified user.
110    ${payload}=  Create Dictionary
111    ...  UserName=test_user  Password=TestPwd123  RoleId=Operator  Enabled=${True}
112    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
113    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
114
115    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
116
117Verify Modifying User Attributes
118    [Documentation]  Verify modifying user attributes.
119    [Tags]  Verify_Modifying_User_Attributes
120
121    # Create Redfish users.
122    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
123    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
124    Redfish Create User  readonly_user  TestPwd123  ReadOnly        ${True}
125
126    Redfish.Login
127
128    # Make sure the new user account does not already exist.
129    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
130    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
131
132    # Update admin_user username using Redfish.
133    ${payload}=  Create Dictionary  UserName=newadmin_user
134    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body=&{payload}
135
136    # Update operator_user password using Redfish.
137    ${payload}=  Create Dictionary  Password=NewTestPwd123
138    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body=&{payload}
139
140    # Update readonly_user role using Redfish.
141    ${payload}=  Create Dictionary  RoleId=Operator
142    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body=&{payload}
143
144    # Verify users after updating
145    Redfish Verify User  newadmin_user  TestPwd123     Administrator   ${True}
146    Redfish Verify User  operator_user  NewTestPwd123  Operator        ${True}
147    Redfish Verify User  readonly_user  TestPwd123     Operator        ${True}
148
149    # Delete created users.
150    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
151    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
152    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
153
154Verify User Account Locked
155    [Documentation]  Verify user account locked upon trying with invalid password.
156    [Tags]  Verify_User_Account_Locked
157
158    Redfish Create User  admin_user  TestPwd123  Administrator   ${True}
159
160    Redfish.Logout
161
162    Redfish.Login
163
164    ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
165    ...  AccountLockoutDuration=${account_lockout_duration}
166    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
167
168    # Make ${account_lockout_threshold} failed login attempts.
169    Repeat Keyword  ${account_lockout_threshold} times
170    ...  Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  admin_user  abc123
171
172    # Verify that legitimate login fails due to lockout.
173    Run Keyword And Expect Error  InvalidCredentialsError*
174    ...  Redfish.Login  admin_user  TestPwd123
175
176    # Wait for lockout duration to expire and then verify that login works.
177    Sleep  ${account_lockout_duration}s
178    Redfish.Login  admin_user  TestPwd123
179
180    Redfish.Logout
181
182    Redfish.Login
183
184    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
185
186Verify Admin User Privilege
187    [Documentation]  Verify admin user privilege.
188    [Tags]  Verify_Admin_User_Privilege
189
190    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
191    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
192    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
193
194    # Change role ID of operator user with admin user.
195    # Login with admin user.
196    Redfish.Login  admin_user  TestPwd123
197
198    # Modify Role ID of Operator user.
199    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body={'RoleId': 'Administrator'}
200
201    # Verify modified user.
202    Redfish Verify User  operator_user  TestPwd123  Administrator  ${True}
203
204    # Change password of 'user' user with admin user.
205    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body={'Password': 'NewTestPwd123'}
206
207    # Verify modified user.
208    Redfish Verify User  readonly_user  NewTestPwd123  ReadOnly  ${True}
209
210    Redfish.Login
211
212    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
213    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
214    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
215
216Verify Operator User Privilege
217    [Documentation]  Verify operator user privilege.
218    [Tags]  Verify_operator_User_Privilege
219
220    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
221    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
222
223    # Login with operator user.
224    Redfish.Login  operator_user  TestPwd123
225
226    # Verify power on system.
227    Redfish OBMC Reboot (off)  stack_mode=normal
228
229    # Attempt to change password of admin user with operator user.
230    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body={'Password': 'NewTestPwd123'}
231    ...  valid_status_codes=[${HTTP_UNAUTHORIZED}]
232
233    Redfish.Login
234
235    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
236    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
237
238
239Verify ReadOnly User Privilege
240    [Documentation]  Verify ReadOnly user privilege.
241    [Tags]  Verify_ReadOnly_User_Privilege
242
243    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
244
245    # Read system level data.
246    ${system_model}=  Redfish_Utils.Get Attribute
247    ...  ${SYSTEM_BASE_URI}  Model
248
249    Redfish.Login
250
251    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}readonly_user
252
253
254Verify Minimum Password Length For Redfish User
255    [Documentation]  Verify minimum password length for new and existing user.
256    [Tags]  Verify_Minimum_Password_Length_For_Redfish_User
257
258    ${user_name}=  Set Variable  testUser
259
260    # Make sure the user account in question does not already exist.
261    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}
262    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
263
264    # Try to create a user with invalid length password.
265    ${payload}=  Create Dictionary
266    ...  UserName=${user_name}  Password=UserPwd  RoleId=Administrator  Enabled=${True}
267    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
268    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
269
270    # Create specified user with valid length password.
271    Set To Dictionary  ${payload}  Password  UserPwd1
272    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
273    ...  valid_status_codes=[${HTTP_CREATED}]
274
275    # Try to change to an invalid password.
276    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd'}
277    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
278
279    # Change to a valid password.
280    Redfish.Patch  /redfish/v1/AccountService/Accounts/${user_name}  body={'Password': 'UserPwd1'}
281
282    # Verify login.
283    Redfish.Logout
284    Redfish.Login  ${user_name}  UserPwd1
285    Redfish.Logout
286    Redfish.Login
287    Redfish.Delete  /redfish/v1/AccountService/Accounts/${user_name}
288
289
290*** Keywords ***
291
292Test Setup Execution
293    [Documentation]  Do test case setup tasks.
294
295    Redfish.Login
296
297
298Test Teardown Execution
299    [Documentation]  Do the post test teardown.
300
301    FFDC On Test Case Fail
302    Run Keyword And Ignore Error  Redfish.Logout
303
304Redfish Create User
305    [Documentation]  Redfish create user.
306    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
307
308    # Description of argument(s):
309    # username            The username to be created.
310    # password            The password to be assigned.
311    # role_id             The role ID of the user to be created
312    #                     (e.g. "Administrator", "Operator", etc.).
313    # enabled             Indicates whether the username being created
314    #                     should be enabled (${True}, ${False}).
315
316    Redfish.Login
317
318    # Make sure the user account in question does not already exist.
319    Redfish.Delete  /redfish/v1/AccountService/Accounts/${userName}
320    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
321
322    # Create specified user.
323    ${payload}=  Create Dictionary
324    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${enabled}
325    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
326    ...  valid_status_codes=[${HTTP_CREATED}]
327
328    Redfish.Logout
329
330    # Login with created user.
331    Run Keyword If  ${enabled} == ${False}
332    ...    Run Keyword And Expect Error  InvalidCredentialsError*
333    ...    Redfish.Login  ${username}  ${password}
334    ...  ELSE
335    ...    Redfish.Login  ${username}  ${password}
336
337    Run Keyword If  ${enabled} == ${False}
338    ...  Redfish.Login
339
340    # Validate Role ID of created user.
341    ${role_config}=  Redfish_Utils.Get Attribute
342    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
343    Should Be Equal  ${role_id}  ${role_config}
344
345
346Redfish Verify User
347    [Documentation]  Redfish user verification.
348    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
349
350    # Description of argument(s):
351    # username            The username to be created.
352    # password            The password to be assigned.
353    # role_id             The role ID of the user to be created
354    #                     (e.g. "Administrator", "Operator", etc.).
355    # enabled             Indicates whether the username being created
356    #                     should be enabled (${True}, ${False}).
357
358    # Trying to do a login with created user.
359    ${status}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}
360
361    # Doing a check of the returned status.
362    Should Be Equal  ${status}  ${enabled}
363
364    # We do not need to login with created user (user could be in disabled status).
365    Redfish.Login
366
367    # Validate Role Id of user.
368    ${role_config}=  Redfish_Utils.Get Attribute
369    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
370    Should Be Equal  ${role_id}  ${role_config}
371
372
373Redfish Create And Verify User
374    [Documentation]  Redfish create and verify user.
375    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
376
377    # Description of argument(s):
378    # username            The username to be created.
379    # password            The password to be assigned.
380    # role_id             The role ID of the user to be created
381    #                     (e.g. "Administrator", "Operator", etc.).
382    # enabled             Indicates whether the username being created
383    #                     should be enabled (${True}, ${False}).
384
385    # Example:
386    #{
387    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
388    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
389    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
390    #"Description": "User Account",
391    #"Enabled": true,
392    #"Id": "test1",
393    #"Links": {
394    #  "Role": {
395    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
396    #  }
397    #},
398
399    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
400
401    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}
402
403    # Delete Specified User
404    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
405
406Verify Redfish User with Wrong Password
407    [Documentation]  Verify Redfish User with Wrong Password.
408    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}
409
410    # Description of argument(s):
411    # username            The username to be created.
412    # password            The password to be assigned.
413    # role_id             The role ID of the user to be created
414    #                     (e.g. "Administrator", "Operator", etc.).
415    # enabled             Indicates whether the username being created
416    #                     should be enabled (${True}, ${False}).
417    # wrong_password      Any invalid password.
418
419    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
420
421    # Attempt to login with created user with invalid password.
422    Run Keyword And Expect Error  InvalidCredentialsError*
423    ...  Redfish.Login  ${username}  ${wrong_password}
424
425    Redfish.Login
426
427    # Delete newly created user.
428    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
429
430
431Verify Login with Deleted Redfish User
432    [Documentation]  Verify Login with Deleted Redfish User.
433    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
434
435    # Description of argument(s):
436    # username            The username to be created.
437    # password            The password to be assigned.
438    # role_id             The role ID of the user to be created
439    #                     (e.g. "Administrator", "Operator", etc.).
440    # enabled             Indicates whether the username being created
441    #                     should be enabled (${True}, ${False}).
442
443    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
444    ${status}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}
445
446    # Doing a check of the rerurned status
447    Should Be Equal  ${status}  ${True}
448
449    Redfish.Login
450
451    # Delete newly created user.
452    Redfish.Delete  /redfish/v1/AccountService/Accounts/${userName}
453
454    # Attempt to login with deleted user account.
455    Run Keyword And Expect Error  InvalidCredentialsError*
456    ...  Redfish.Login  ${username}  ${password}
457
458    Redfish.Login
459
460Verify Create User Without Enabling
461    [Documentation]  Verify Create User Without Enabling.
462    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}
463
464    # Description of argument(s):
465    # username            The username to be created.
466    # password            The password to be assigned.
467    # role_id             The role ID of the user to be created
468    #                     (e.g. "Administrator", "Operator", etc.).
469    # enabled             Indicates whether the username being created
470    #                     should be enabled (${True}, ${False}).
471
472    Redfish.Login
473
474    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
475
476    Redfish.Logout
477
478    # Login with created user.
479    Run Keyword And Expect Error  InvalidCredentialsError*
480    ...  Redfish.Login  ${username}  ${password}
481
482    Redfish.Login
483
484    # Delete newly created user.
485    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
486