*** Settings ***
Documentation    Test Redfish user account.

Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot

# Every test case is wrapped by the two keywords defined in this file:
# setup performs a Redfish.Login, teardown collects FFDC on failure and
# then performs a Redfish.Logout.
Test Setup       Test Setup Execution
Test Teardown    Test Teardown Execution

*** Variables ***

# Lockout policy written to the AccountService by "Verify User Account Locked".
# The test sleeps for this many seconds before retrying the login.
${account_lockout_duration}   ${30}
# Number of failed logins the test makes before expecting a lockout.
${account_lockout_threshold}  ${3}


*** Test Cases ***

Verify AccountService Available
    [Documentation]  Verify Redfish account service is available.
    [Tags]  Verify_AccountService_Available

    # The test passes only when ServiceEnabled reads back as true.
    ${service_enabled}=  Redfish_utils.Get Attribute
    ...  /redfish/v1/AccountService  ServiceEnabled
    Should Be Equal As Strings  ${service_enabled}  ${True}

Redfish Create and Verify Users
    [Documentation]  Create Redfish users with various roles.
    [Tags]  Redfish_Create_and_Verify_Users
    [Template]  Redfish Create And Verify User

    # One row per role. For each row the template keyword creates the account,
    # verifies login and RoleId, and then deletes the account again.
    # username       password      role_id          enabled
    admin_user       TestPwd123    Administrator    ${True}
    operator_user    TestPwd123    Operator         ${True}
    user_user        TestPwd123    User             ${True}
    callback_user    TestPwd123    Callback         ${True}

Verify Redfish User with Wrong Password
    [Documentation]  Verify Redfish User with Wrong Password.
    [Tags]  Verify_Redfish_User_with_Wrong_Password
    [Template]  Verify Redfish User with Wrong Password

    # One row per role. The template keyword creates the account, expects the
    # login with wrong_password to be rejected, and then deletes the account.
    # The wrong passwords differ in length and character set.
    # username       password      role_id          enabled    wrong_password
    admin_user       TestPwd123    Administrator    ${True}    alskjhfwurh
    operator_user    TestPwd123    Operator         ${True}    12j8a8uakjhdaosiruf024
    user_user        TestPwd123    User             ${True}    12
    callback_user    TestPwd123    Callback         ${True}    !#@D#RF#@!D

Verify Login with Deleted Redfish Users
    [Documentation]  Verify login with deleted Redfish Users.
    [Tags]  Verify_Login_with_Deleted_Redfish_Users
    [Template]  Verify Login with Deleted Redfish User

    # One row per role. The template keyword creates the account, confirms it
    # can log in, deletes it, and expects the next login attempt to be rejected.
    # username       password      role_id          enabled
    admin_user       TestPwd123    Administrator    ${True}
    operator_user    TestPwd123    Operator         ${True}
    user_user        TestPwd123    User             ${True}
    callback_user    TestPwd123    Callback         ${True}

Verify User Creation Without Enabling It
    [Documentation]  Verify User Creation Without Enabling it.
    [Tags]  Verify_User_Creation_Without_Enabling_It
    [Template]  Verify Create User Without Enabling

    # One row per role, all created with Enabled=false. The template keyword
    # expects the login of every such account to be rejected.
    # username       password      role_id          enabled
    admin_user       TestPwd123    Administrator    ${False}
    operator_user    TestPwd123    Operator         ${False}
    user_user        TestPwd123    User             ${False}
    callback_user    TestPwd123    Callback         ${False}

Verify Redfish User Persistence After Reboot
    [Documentation]  Verify Redfish user persistence after reboot.
    [Tags]  Verify_Redfish_User_Persistence_After_Reboot

    # Create Redfish users.
    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
    Redfish Create User  user_user      TestPwd123  User            ${True}
    Redfish Create User  callback_user  TestPwd123  Callback        ${True}

    # Reboot BMC, then log in again with the default credentials before the
    # verification steps.
    Redfish OBMC Reboot (off)  stack_mode=normal
    Redfish.Login

    # Verify users after reboot: each account must still log in with its
    # password and still report the RoleId it was created with.
    Redfish Verify User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Verify User  operator_user  TestPwd123  Operator        ${True}
    Redfish Verify User  user_user      TestPwd123  User            ${True}
    Redfish Verify User  callback_user  TestPwd123  Callback        ${True}

    # Delete created users.
    # NOTE(review): these deletes run only when every step above passed. After
    # a failed run the accounts stay on the BMC with the password shown above
    # until a later Redfish Create User call for the same name removes them.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}admin_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}operator_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}user_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}callback_user

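Verify User Creation With Invalid Role Id
    [Documentation]  Verify user creation with invalid role ID.
    [Tags]  Verify_User_Creation_With_Invalid_Role_Id

    # Make sure the user account in question does not already exist.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}test_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Try to create the user with a role ID that does not exist; the request
    # must be rejected with HTTP "bad request".
    ${payload}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=wrongroleid  Enabled=${True}
    Redfish.Post  ${REDFISH_ACCOUNTS_URI}  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # A rejected request must not leave an account behind. Only "not found" is
    # accepted here; if the account does exist the delete still removes it, so
    # the failing run does not leave test_user on the BMC.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}test_user
    ...  valid_status_codes=[${HTTP_NOT_FOUND}]
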
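Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]  Verify error upon creating same users with different privileges.
    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    # Redfish Create User returns with the session logged in as test_user
    # (an enabled Administrator), so the requests below are sent by test_user.
    Redfish Create User  test_user  TestPwd123  Administrator  ${True}

    # Try to create the same user name again with a different role; the
    # request must be rejected with HTTP "bad request".
    ${payload}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=Operator  Enabled=${True}
    Redfish.Post  ${REDFISH_ACCOUNTS_URI}  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # The rejected request must not have changed the role of the existing account.
    ${role_config}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_URI}test_user  RoleId
    Should Be Equal  Administrator  ${role_config}

    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}test_user
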
Verify Modifying User Attributes
    [Documentation]  Verify modifying user attributes.
    [Tags]  Verify_Modifying_User_Attributes

    # Create Redfish users.
    Redfish Create User  admin_user     TestPwd123  Administrator   ${True}
    Redfish Create User  operator_user  TestPwd123  Operator        ${True}
    Redfish Create User  user_user      TestPwd123  User            ${True}
    Redfish Create User  callback_user  TestPwd123  Callback        ${True}

    # The last Redfish Create User call leaves the session logged in as
    # callback_user; switch to the default login for the changes below.
    Redfish.Login

    # Make sure the new user account does not already exist.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}newadmin_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Each account gets exactly one attribute changed, so the verification
    # below also shows that the other attributes were left alone.

    # Update admin_user username using Redfish.
    ${payload}=  Create Dictionary  UserName=newadmin_user
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}admin_user  body=&{payload}

    # Update operator_user password using Redfish.
    ${payload}=  Create Dictionary  Password=NewTestPwd123
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}operator_user  body=&{payload}

    # Update user_user role using Redfish.
    ${payload}=  Create Dictionary  RoleId=Operator
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}user_user  body=&{payload}

    # Update callback_user to disable using Redfish.
    ${payload}=  Create Dictionary  Enabled=${False}
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}callback_user  body=&{payload}

    # Verify users after updating: renamed account, new password, new role,
    # and a disabled account whose login must now fail.
    Redfish Verify User  newadmin_user  TestPwd123     Administrator   ${True}
    Redfish Verify User  operator_user  NewTestPwd123  Operator        ${True}
    Redfish Verify User  user_user      TestPwd123     Operator        ${True}
    Redfish Verify User  callback_user  TestPwd123     Callback        ${False}

    # Delete created users.
    # NOTE(review): skipped when an earlier step fails, which leaves the
    # accounts (including the renamed newadmin_user) on the BMC.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}newadmin_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}operator_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}user_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}callback_user

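Verify User Account Locked
    [Documentation]  Verify user account locked upon trying with invalid password.
    [Tags]  Verify_User_Account_Locked

    Redfish Create User  admin_user  TestPwd123  Administrator   ${True}

    # Redfish Create User leaves the session logged in as admin_user; switch
    # back to the default login before changing the AccountService policy.
    Redfish.Logout

    Redfish.Login

    # The lockout policy is set on the AccountService, not on admin_user, so
    # remember the current values and write them back once the test is done.
    ${original_threshold}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_SERVICE_URI}  AccountLockoutThreshold
    ${original_duration}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_SERVICE_URI}  AccountLockoutDuration

    ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
    ...  AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword  ${account_lockout_threshold} times
    ...  Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  admin_user  abc123

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  admin_user  TestPwd123

    # Wait for lockout duration to expire and then verify that login works.
    Sleep  ${account_lockout_duration}s
    Redfish.Login  admin_user  TestPwd123

    Redfish.Logout

    Redfish.Login

    # Put the original lockout policy back so that later tests, and the BMC
    # after the run, are not left with the values this test wrote.
    # NOTE(review): this restore and the delete below are skipped when an
    # earlier step fails.
    ${original_policy}=  Create Dictionary  AccountLockoutThreshold=${original_threshold}
    ...  AccountLockoutDuration=${original_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${original_policy}

    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}admin_user
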
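Verify Admin User Privilege
    [Documentation]  Verify admin user privilege.
    [Tags]  Verify_Admin_User_Privilege

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
    Redfish Create User  user_user  TestPwd123  User  ${True}

    # Change role ID of operator user with admin user.
    # Login with admin user.
    Redfish.Login  admin_user  TestPwd123

    # Modify Role ID of Operator user.
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}operator_user  body={'RoleId': 'Administrator'}

    # Verify modified user.
    Redfish Verify User  operator_user  TestPwd123  Administrator  ${True}

    # Redfish Verify User finishes with a default Redfish.Login, so log in as
    # admin_user again; otherwise the next request would be sent by the default
    # account and would not exercise admin_user's privileges.
    Redfish.Login  admin_user  TestPwd123

    # Change password of 'user' user with admin user.
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}user_user  body={'Password': 'NewTestPwd123'}

    # Verify modified user.
    Redfish Verify User  user_user  NewTestPwd123  User  ${True}

    Redfish.Login

    # Delete created users.
    # NOTE(review): skipped when an earlier step fails, which leaves the
    # accounts on the BMC until a later Redfish Create User call removes them.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}admin_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}operator_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}user_user
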
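Verify Operator User Privilege
    [Documentation]  Verify operator user privilege.
    [Tags]  Verify_operator_User_Privilege

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}

    # Login with operator user.
    Redfish.Login  operator_user  TestPwd123

    # Verify power on system.
    # NOTE(review): the keyword name says reboot/off while the comment says
    # power on; confirm which operator privilege this step is meant to exercise.
    Redfish OBMC Reboot (off)  stack_mode=normal

    # Attempt to change password of admin user with operator user.
    # NOTE(review): the persistence test in this file logs in again after the
    # same reboot keyword. Confirm that this PATCH is still sent on
    # operator_user's session; otherwise the expected status would reflect a
    # missing session rather than the limits of the Operator role.
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}admin_user  body={'Password': 'NewTestPwd123'}
    ...  valid_status_codes=[${HTTP_UNAUTHORIZED}]

    # The status code alone does not show that nothing changed: admin_user must
    # still log in with the original password and still be an Administrator.
    Redfish Verify User  admin_user  TestPwd123  Administrator  ${True}

    Redfish.Login

    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}admin_user
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}operator_user

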
Verify 'User' User Privilege
    [Documentation]  Verify 'user' user privilege.
    [Tags]  Verify_User_User_Privilege

    # Redfish Create User returns with the session logged in as user_user,
    # so the read below is made with the 'User' role.
    Redfish Create User  user_user  TestPwd123  User  ${True}

    # Read system level data. The test only requires the read to succeed; the
    # returned model string is not checked.
    ${system_model}=  Redfish_Utils.Get Attribute  ${SYSTEM_BASE_URI}  Model

    # Back to the default login for the cleanup.
    Redfish.Login

    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}user_user


*** Keywords ***

Test Setup Execution
    [Documentation]  Do test case setup tasks.

    # Start every test case with a Redfish login that passes no explicit
    # username or password.
    Redfish.Login


Test Teardown Execution
    [Documentation]  Do the post test teardown.

    # Collect FFDC first (the keyword name says it acts on failed test cases),
    # then close the Redfish session.
    FFDC On Test Case Fail
    Redfish.Logout

Redfish Create User
    [Documentation]  Redfish create user.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username   Name of the account to create.
    # password   Password to assign to the account.
    # role_id    Role ID of the account
    #            (e.g. "Administrator", "Operator", etc.).
    # enabled    Whether the account is created enabled (${True}, ${False}).
    #
    # Session on return: the new account when enabled is true, otherwise the
    # default login.

    Redfish.Login

    # Remove any left-over account of the same name; "not found" is fine.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create the account and require HTTP "created".
    ${account}=  Create Dictionary
    ...  UserName=${username}  Password=${password}
    ...  RoleId=${role_id}  Enabled=${enabled}
    Redfish.Post  ${REDFISH_ACCOUNTS_URI}  body=&{account}
    ...  valid_status_codes=[${HTTP_CREATED}]

    Redfish.Logout

    # An enabled account must be able to log in; a disabled one must be rejected.
    Run Keyword If  ${enabled}
    ...    Redfish.Login  ${username}  ${password}
    ...  ELSE
    ...    Run Keyword And Expect Error  InvalidCredentialsError*
    ...    Redfish.Login  ${username}  ${password}

    # A rejected login leaves no session, so use the default login for the
    # read below.
    Run Keyword If  not ${enabled}
    ...  Redfish.Login

    # The RoleId stored on the BMC must match the requested one.
    ${actual_role}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_URI}${username}  RoleId
    Should Be Equal  ${role_id}  ${actual_role}


Redfish Verify User
    [Documentation]  Redfish user verification.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username   Name of the existing account to verify.
    # password   Password the account is expected to have.
    # role_id    Role ID the account is expected to have
    #            (e.g. "Administrator", "Operator", etc.).
    # enabled    Whether a login with the account is expected to succeed
    #            (${True}, ${False}).
    #
    # Session on return: the default login.

    # The login must succeed exactly when the account is expected to be enabled.
    ${login_ok}=  Run Keyword And Return Status
    ...  Redfish.Login  ${username}  ${password}
    Should Be Equal  ${login_ok}  ${enabled}

    # Switch to the default login for the read below (the account under test
    # could be disabled and have no session).
    Redfish.Login

    # The RoleId stored on the BMC must match the expected one.
    ${actual_role}=  Redfish_Utils.Get Attribute
    ...  ${REDFISH_ACCOUNTS_URI}${username}  RoleId
    Should Be Equal  ${role_id}  ${actual_role}


Redfish Create And Verify User
    [Documentation]  Redfish create and verify user.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username   Name of the account to create.
    # password   Password to assign to the account.
    # role_id    Role ID of the account
    #            (e.g. "Administrator", "Operator", etc.).
    # enabled    Whether the account is created enabled (${True}, ${False}).

    # Example of an account resource (excerpt):
    # {
    #   "@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #   "@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #   "@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #   "Description": "User Account",
    #   "Enabled": true,
    #   "Id": "test1",
    #   "Links": {
    #     "Role": {
    #       "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #     }
    #   },

    # Create the account, then check login and RoleId a second time.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}

    # Redfish Verify User returns on the default login, which removes the account.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}

Verify Redfish User with Wrong Password
    [Documentation]  Verify Redfish User with Wrong Password.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}

    # Description of argument(s):
    # username         Name of the account to create.
    # password         Password to assign to the account.
    # role_id          Role ID of the account
    #                  (e.g. "Administrator", "Operator", etc.).
    # enabled          Whether the account is created enabled
    #                  (${True}, ${False}).
    # wrong_password   Any password other than the one assigned.

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # A login with the wrong password must be rejected.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${wrong_password}

    # Back to the default login for the cleanup.
    Redfish.Login

    # Delete newly created user.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}


Verify Login with Deleted Redfish User
    [Documentation]  Verify Login with Deleted Redfish User.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username   Name of the account to create and then delete.
    # password   Password to assign to the account.
    # role_id    Role ID of the account
    #            (e.g. "Administrator", "Operator", etc.).
    # enabled    Whether the account is created enabled (${True}, ${False}).

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # The account must be able to log in before it is deleted; otherwise the
    # rejected login further down would prove nothing.
    ${login_ok}=  Run Keyword And Return Status
    ...  Redfish.Login  ${username}  ${password}
    Should Be Equal  ${login_ok}  ${True}

    # Back to the default login to delete the account.
    Redfish.Login
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}

    # The deleted account's credentials must no longer be accepted.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    Redfish.Login

Verify Create User Without Enabling
    [Documentation]  Verify Create User Without Enabling.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username   Name of the account to create.
    # password   Password to assign to the account.
    # role_id    Role ID of the account
    #            (e.g. "Administrator", "Operator", etc.).
    # enabled    Whether the account is created enabled (${True}, ${False}).
    #            The login below is expected to fail whatever value is passed,
    #            so callers pass ${False}.

    Redfish.Login

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish.Logout

    # The account's credentials must be rejected.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    # Back to the default login for the cleanup.
    Redfish.Login

    # Delete newly created user.
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}${username}
