1*** Settings ***
2Documentation    Test Redfish user account.
3
4Resource         ../../lib/resource.robot
5Resource         ../../lib/bmc_redfish_resource.robot
6Resource         ../../lib/openbmc_ffdc.robot
7Resource         ../../lib/bmc_redfish_utils.robot
8
9Library          SSHLibrary
10
11Test Setup       Redfish.Login
12Test Teardown    Test Teardown Execution
13
*** Variables ***

# Lockout policy values that "Verify User Account Locked" patches into the
# AccountService: the duration is in seconds (it is also used for the
# post-lockout Sleep), the threshold is the number of failed logins.
${account_lockout_duration}   ${30}
${account_lockout_threshold}  ${3}
18
*** Test Cases ***
20
Verify AccountService Available
    [Documentation]  Verify Redfish account service is available.
    [Tags]  Verify_AccountService_Available

    # ServiceEnabled is read straight from the AccountService resource; the
    # test passes only when the BMC reports it as True.
    ${service_enabled}=  Redfish_Utils.Get Attribute  /redfish/v1/AccountService  ServiceEnabled
    Should Be Equal As Strings  ${service_enabled}  ${True}
27
Verify Redfish User Persistence After Reboot
    [Documentation]  Verify Redfish user persistence after reboot.
    [Tags]  Verify_Redfish_User_Persistence_After_Reboot

    # One account per standard role; each is expected to survive a BMC reboot.
    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly        ${True}

    # Reboot the BMC through the library's "Redfish OBMC Reboot (off)" keyword.
    Redfish OBMC Reboot (off)  stack_mode=normal

    # Every account must still log in with its original password and keep its role.
    Redfish Verify User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Verify User  operator_user  TestPwd123  Operator        ${True}
    Redfish Verify User  readonly_user  TestPwd123  ReadOnly        ${True}

    # Clean up the test accounts.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}admin_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}operator_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}readonly_user
49
Redfish Create and Verify Users
    [Documentation]  Create Redfish users with various roles.
    [Tags]  Redfish_Create_and_Verify_Users
    [Template]  Redfish Create And Verify User

    # Each row runs the template once: create the account, check login and
    # role, then delete it again.
    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${True}
    operator_user  TestPwd123  Operator        ${True}
    readonly_user  TestPwd123  ReadOnly        ${True}
59
Verify Redfish User with Wrong Password
    [Documentation]  Verify Redfish User with Wrong Password.
    [Tags]  Verify_Redfish_User_with_Wrong_Password
    [Template]  Verify Redfish User with Wrong Password

    # Each row creates the account with `password`, expects a login with
    # `wrong_password` to be refused, then deletes the account.
    #username      password    role_id         enabled  wrong_password
    admin_user     TestPwd123  Administrator   ${True}  alskjhfwurh
    operator_user  TestPwd123  Operator        ${True}  12j8a8uakjhdaosiruf024
    readonly_user  TestPwd123  ReadOnly        ${True}  12
69
Verify Login with Deleted Redfish Users
    [Documentation]  Verify login with deleted Redfish Users.
    [Tags]  Verify_Login_with_Deleted_Redfish_Users
    [Template]  Verify Login with Deleted Redfish User

    # Each row creates the account, deletes it, and expects a login with the
    # (still valid-looking) credentials to be refused.
    #username     password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${True}
    operator_user  TestPwd123  Operator        ${True}
    readonly_user  TestPwd123  ReadOnly        ${True}
79
Verify User Creation Without Enabling It
    [Documentation]  Verify User Creation Without Enabling it.
    [Tags]  Verify_User_Creation_Without_Enabling_It
    [Template]  Verify Create User Without Enabling

    # Each row creates the account disabled, expects login to be refused,
    # then deletes the account.
    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${False}
    operator_user  TestPwd123  Operator        ${False}
    readonly_user  TestPwd123  ReadOnly        ${False}
89
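Verify User Creation With Invalid Role Id
    [Documentation]  Verify user creation with invalid role ID.
    [Tags]  Verify_User_Creation_With_Invalid_Role_Id

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Attempt to create a user with a role the BMC does not define; the
    # request must be rejected.
    ${payload}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=wrongroleid  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # A rejected request must not leave a partially created account behind
    # (for example one that fell back to a default role).
    Redfish.Get  /redfish/v1/AccountService/Accounts/test_user
    ...  valid_status_codes=[${HTTP_NOT_FOUND}]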
103
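Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]  Verify error upon creating same users with different privileges.
    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    Redfish Create User  test_user  TestPwd123  Administrator  ${True}

    # Try to create the same user name again with a different role; the
    # duplicate request must be rejected.
    ${payload}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=Operator  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # The rejected request must not have altered the existing account's role.
    ${role_id}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/test_user  RoleId
    Should Be Equal  ${role_id}  Administrator

    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user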
117
Verify Modifying User Attributes
    [Documentation]  Verify modifying user attributes.
    [Tags]  Verify_Modifying_User_Attributes

    # One account per standard role; each gets a different attribute patched below.
    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly        ${True}

    # The rename target must be free before admin_user is renamed to it.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # admin_user: change the user name.
    ${rename_body}=  Create Dictionary  UserName=newadmin_user
    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body=&{rename_body}

    # operator_user: change the password.
    ${password_body}=  Create Dictionary  Password=NewTestPwd123
    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body=&{password_body}

    # readonly_user: change the role.
    ${role_body}=  Create Dictionary  RoleId=Operator
    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body=&{role_body}

    # Each patched attribute must be reflected in login and in the account's RoleId.
    Redfish Verify User  newadmin_user  TestPwd123     Administrator   ${True}
    Redfish Verify User  operator_user  NewTestPwd123  Operator        ${True}
    Redfish Verify User  readonly_user  TestPwd123     Operator        ${True}

    # Clean up (admin_user now lives under its new name).
    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
152
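Verify User Account Locked
    [Documentation]  Verify user account locked upon trying with invalid password.
    [Tags]  Verify_User_Account_Locked

    Redfish Create User  admin_user  TestPwd123  Administrator   ${True}

    # Save the BMC's current lockout policy so it can be put back at the end;
    # otherwise the tightened threshold/duration would outlive this test.
    ${orig_threshold}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_SERVICE_URI}  AccountLockoutThreshold
    ${orig_duration}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_SERVICE_URI}  AccountLockoutDuration

    # Apply the test policy (see the *** Variables *** section).
    ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
    ...  AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword  ${account_lockout_threshold} times
    ...  Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  admin_user  abc123

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  admin_user  TestPwd123

    # Wait for lockout duration to expire and then verify that login works.
    Sleep  ${account_lockout_duration}s
    Redfish.Login  admin_user  TestPwd123

    Redfish.Logout

    Redfish.Login

    # Restore the original lockout policy before removing the test account.
    ${payload}=  Create Dictionary  AccountLockoutThreshold=${orig_threshold}
    ...  AccountLockoutDuration=${orig_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}

    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user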
182
Verify Admin User Privilege
    [Documentation]  Verify admin user privilege.
    [Tags]  Verify_Admin_User_Privilege

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}

    # Drop the default session and act as admin_user from here on.
    Redfish.Logout
    Redfish.Login  admin_user  TestPwd123

    # An Administrator may change another account's role.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body={'RoleId': 'Administrator'}
    Redfish Verify User  operator_user  TestPwd123  Administrator  ${True}

    # Redfish Verify User ends with the default session restored, so log in
    # as admin_user again before the next privileged action.
    Redfish.Logout
    Redfish.Login  admin_user  TestPwd123

    # An Administrator may change another account's (here readonly_user's) password.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body={'Password': 'NewTestPwd123'}
    Redfish Verify User  readonly_user  NewTestPwd123  ReadOnly  ${True}

    # The default session is back in place after Redfish Verify User; clean up.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
215
Verify Operator User Privilege
    [Documentation]  Verify operator user privilege.
    [Tags]  Verify_operator_User_Privilege

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}

    # Switch from the default session to operator_user.
    Redfish.Logout
    Redfish.Login  operator_user  TestPwd123

    # An Operator must not be able to reset the BMC; the expected rejection
    # surfaces as a ValueError from the reset keyword.
    Run Keyword And Expect Error  ValueError*  Redfish BMC Reset Operation

    # An Operator must not be able to change another account's password.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body={'Password': 'NewTestPwd123'}
    ...  valid_status_codes=[${HTTP_FORBIDDEN}]

    # Back to the default session for cleanup.
    Redfish.Logout
    Redfish.Login
    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
240
241
Verify ReadOnly User Privilege
    [Documentation]  Verify ReadOnly user privilege.
    [Tags]  Verify_ReadOnly_User_Privilege

    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}

    # Switch from the default session to readonly_user.
    Redfish.Logout
    Redfish.Login  readonly_user  TestPwd123

    # A ReadOnly user must be able to read system-level data. Only the read
    # itself is exercised here; the returned Model value is not asserted.
    ${model}=  Redfish_Utils.Get Attribute  ${SYSTEM_BASE_URI}  Model

    # Back to the default session for cleanup.
    Redfish.Logout
    Redfish.Login
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}readonly_user
259
260
Verify Minimum Password Length For Redfish User
    [Documentation]  Verify minimum password length for new and existing user.
    [Tags]  Verify_Minimum_Password_Length_For_Redfish_User

    ${user_name}=  Set Variable  testUser
    ${account_uri}=  Set Variable  /redfish/v1/AccountService/Accounts/${user_name}

    # Start from a clean slate.
    Redfish.Delete  ${account_uri}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # A 7-character password ("UserPwd") must be rejected on account creation.
    ${account}=  Create Dictionary
    ...  UserName=${user_name}  Password=UserPwd  RoleId=Administrator  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{account}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # The same request with an 8-character password ("UserPwd1") must succeed.
    Set To Dictionary  ${account}  Password  UserPwd1
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{account}
    ...  valid_status_codes=[${HTTP_CREATED}]

    # The same rule applies when changing an existing account's password.
    Redfish.Patch  ${account_uri}  body={'Password': 'UserPwd'}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
    Redfish.Patch  ${account_uri}  body={'Password': 'UserPwd1'}

    # The accepted password must actually work for login.
    Redfish.Logout
    Redfish.Login  ${user_name}  UserPwd1

    # Back to the default session for cleanup.
    Redfish.Logout
    Redfish.Login
    Redfish.Delete  ${account_uri}
295
296
Verify Standard User Roles Defined By Redfish
    [Documentation]  Verify standard user roles defined by Redfish.
    [Tags]  Verify_Standard_User_Roles_Defined_By_Redfish

    # All three standard roles must be present in the Roles collection.
    ${member_list}=  Redfish_Utils.Get Member List  /redfish/v1/AccountService/Roles
    @{expected_roles}=  Create List
    ...  /redfish/v1/AccountService/Roles/Administrator
    ...  /redfish/v1/AccountService/Roles/Operator
    ...  /redfish/v1/AccountService/Roles/ReadOnly
    List Should Contain Sub List  ${member_list}  ${expected_roles}

    # Privileges each standard role is expected to carry:
    # | Role name     | Assigned privileges                                                          |
    # | Administrator | Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf |
    # | Operator      | Login, ConfigureComponents, ConfigureSelf                                   |
    # | ReadOnly      | Login, ConfigureSelf                                                         |
    @{admin_privileges}=  Create List  Login  ConfigureManager  ConfigureUsers  ConfigureComponents  ConfigureSelf
    @{operator_privileges}=  Create List  Login  ConfigureComponents  ConfigureSelf
    @{readonly_privileges}=  Create List  Login  ConfigureSelf

    # NOTE(review): a sub-list check only proves that the expected privileges
    # are present; a role granted additional privileges (e.g. ReadOnly also
    # holding ConfigureUsers) would still pass. An exact comparison would be
    # stricter if the platform defines no extra privileges.
    ${resp}=  Redfish.Get  /redfish/v1/AccountService/Roles/Administrator
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${admin_privileges}

    ${resp}=  Redfish.Get  /redfish/v1/AccountService/Roles/Operator
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${operator_privileges}

    ${resp}=  Redfish.Get  /redfish/v1/AccountService/Roles/ReadOnly
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${readonly_privileges}
333
334
Verify Error While Deleting Root User
    [Documentation]  Verify error while deleting root user.
    [Tags]  Verify_Error_While_Deleting_Root_User

    # The built-in root account must not be deletable through Redfish, even
    # from the default test session; the BMC is expected to answer 403.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}root
    ...  valid_status_codes=[${HTTP_FORBIDDEN}]
340
341
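Verify SSH Login Access With Admin User
    [Documentation]  Verify that admin user does not have SSH login access.
    [Tags]  Verify_SSH_Login_Access_With_Admin_User
    # Remove the test account even when the assertion below fails, so that an
    # Administrator account with a known password is not left behind on the
    # BMC; then run the usual suite teardown.
    [Teardown]  Run Keywords
    ...  Redfish.Delete  /redfish/v1/AccountService/Accounts/new_admin
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
    ...  AND  Test Teardown Execution

    # Create an admin User.
    Redfish Create User  new_admin  TestPwd1  Administrator  ${True}

    # Attempt SSH login with admin user. A Redfish Administrator account is not
    # a shell account, so the SSH login must be refused. The connection is
    # closed regardless of the outcome so it does not linger across tests.
    SSHLibrary.Open Connection  ${OPENBMC_HOST}
    ${status}=  Run Keyword And Return Status  SSHLibrary.Login  new_admin  TestPwd1
    SSHLibrary.Close Connection
    Should Be Equal  ${status}  ${False}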
353
354
355*** Keywords ***
356
Test Teardown Execution
    [Documentation]  Do the post test teardown.

    # A test may end with a non-default user's session, or no session at all,
    # so a failing logout is deliberately not treated as an error here.
    Run Keyword And Ignore Error  Redfish.Logout
    # Collect first-failure data capture only when the test case failed.
    FFDC On Test Case Fail
362
363
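Redfish Create User
    [Documentation]  Redfish create user.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${login_check}=${True}

    # Description of argument(s):
    # username            The username to be created. It is used both in
    #                     Redfish URIs and in a shell command executed on the
    #                     BMC (faillock reset below), so it must be a plain
    #                     account name without shell metacharacters.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # login_check         Checks user login for created user.
    #                     (e.g. ${True}, ${False}).

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user.
    ${payload}=  Create Dictionary
    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${enabled}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_CREATED}]

    # Resetting faillock count as a workaround for issue
    # openbmc/phosphor-user-manager#4. faillock keeps one counter per user
    # name, so the reset has to name the account just created; a literal
    # placeholder would reset a non-existent user and leave a stale counter
    # (e.g. from a previous run of the same test) in place.
    ${cmd}=  Catenate  /usr/sbin/faillock --user ${username} --reset
    Bmc Execute Command  ${cmd}

    # Verify login with created user. A disabled account is expected to be
    # refused, which is why the login result is compared with ${enabled}.
    ${status}=  Run Keyword If  '${login_check}' == '${True}'
    ...  Verify Redfish User Login  ${username}  ${password}
    Run Keyword If  '${login_check}' == '${True}'  Should Be Equal  ${status}  ${enabled}

    # Validate Role ID of created user.
    ${role_config}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${role_config}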
402
403
Redfish Verify User
    [Documentation]  Redfish user verification.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to verify.
    # password            The password expected to work for that user.
    # role_id             The role ID the account is expected to hold
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Whether the account is expected to be enabled
    #                     (${True}, ${False}); login must succeed exactly
    #                     when it is.

    # Login must succeed for an enabled account and fail for a disabled one.
    ${login_ok}=  Verify Redfish User Login  ${username}  ${password}
    Should Be Equal  ${login_ok}  ${enabled}

    # Verify Redfish User Login leaves the default session in place, so the
    # RoleId read below is done with the default credentials.
    ${actual_role}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${actual_role}
424
425
Verify Redfish User Login
    [Documentation]  Verify Redfish login with given user id.
    # Whatever the outcome, end with the default session back in place so the
    # caller can carry on with its own credentials.
    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout  AND  Redfish.Login
    [Arguments]   ${username}  ${password}

    # Description of argument(s):
    # username            Login username.
    # password            Login password.

    # Drop the current session first; its state does not matter because the
    # next call logs in with the given credentials.
    Run Keyword And Ignore Error  Redfish.Logout

    # True when the login succeeded, False when Redfish.Login raised.
    ${login_ok}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}
    [Return]  ${login_ok}
442
443
Redfish Create And Verify User
    [Documentation]  Redfish create and verify user.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Example of the account resource the BMC exposes after creation (excerpt):
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},

    # Create, then check that login behaves as `enabled` dictates and that
    # the RoleId matches; finally remove the account again.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
476
Verify Redfish User with Wrong Password
    [Documentation]  Verify Redfish User with Wrong Password.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # wrong_password      Any invalid password.

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # Drop the default session, then confirm the BMC refuses the bad password.
    Redfish.Logout
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${wrong_password}

    # Back to the default session for cleanup.
    Redfish.Login
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
502
503
Verify Login with Deleted Redfish User
    [Documentation]  Verify Login with Deleted Redfish User.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Create the account and remove it straight away.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

    # Drop the default session, then confirm the deleted account can no
    # longer log in with its former credentials.
    Redfish.Logout
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    # Back to the default session.
    Redfish.Login
528
529
Verify Create User Without Enabling
    [Documentation]  Verify Create User Without Enabling.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # login_check is switched off here; the login outcome is asserted
    # explicitly below instead.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}  ${False}

    # Drop the default session, then confirm the disabled account is refused.
    Redfish.Logout
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    # Back to the default session for cleanup.
    Redfish.Login
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
554
555