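*** Settings ***
Documentation    Test suite for verifying Redfish admin, operator and readonly user accounts.

Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/bmc_redfish_utils.robot

Library          SSHLibrary

Test Setup       Redfish.Login
Test Teardown    Test Teardown Execution

Test Tags        User_Account

*** Variables ***

# Lockout policy written to the AccountService by the lockout tests.
# The duration is used as seconds: the lockout test sleeps for this value plus 5 s.
# NOTE(review): the tests PATCH these values and never restore the previous policy,
# so the BMC keeps threshold/duration below after the suite has run.
${account_lockout_duration}   ${30}
${account_lockout_threshold}  ${3}
${ssh_status}                 ${True}

*** Test Cases ***

Verify AccountService Available
    [Documentation]  Verify Redfish account service is available.
    [Tags]  Verify_AccountService_Available

    ${resp} =  Redfish_utils.Get Attribute  /redfish/v1/AccountService  ServiceEnabled
    Should Be Equal As Strings  ${resp}  ${True}


Verify Redfish Admin User Persistence After Reboot
    [Documentation]  Verify Redfish admin user persistence after reboot.
    [Tags]  Verify_Redfish_Admin_User_Persistence_After_Reboot
    [Setup]  Run Keywords  Redfish.Login  AND
    ...  Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    ...  AND  Test Teardown Execution

    # Reboot BMC.
    Redfish OBMC Reboot (off)  stack_mode=normal

    # Verify users after reboot.
    Redfish Verify User  admin_user  TestPwd123  Administrator  ${True}


Verify Redfish Operator User Persistence After Reboot
    [Documentation]  Verify Redfish operator user persistence after reboot.
    [Tags]  Verify_Redfish_Operator_User_Persistence_After_Reboot
    [Setup]  Run Keywords  Redfish.Login  AND
    ...  Redfish Create User  operator_user  TestPwd123  Operator  ${True}
    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    ...  AND  Test Teardown Execution

    # Reboot BMC.
    Redfish OBMC Reboot (off)  stack_mode=normal

    # Verify users after reboot.
    Redfish Verify User  operator_user  TestPwd123  Operator  ${True}


Verify Redfish Readonly User Persistence After Reboot
    [Documentation]  Verify Redfish readonly user persistence after reboot.
    [Tags]  Verify_Redfish_Readonly_User_Persistence_After_Reboot
    [Setup]  Run Keywords  Redfish.Login  AND
    ...  Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user
    ...  AND  Test Teardown Execution

    # Reboot BMC.
    Redfish OBMC Reboot (off)  stack_mode=normal

    # Verify users after reboot.
    Redfish Verify User  readonly_user  TestPwd123  ReadOnly  ${True}

Redfish Create and Verify Admin User
    [Documentation]  Create a Redfish user with administrator role and verify.
    [Tags]  Redfish_Create_and_Verify_Admin_User
    [Template]  Redfish Create And Verify User

    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${True}


Redfish Create and Verify Operator User
    [Documentation]  Create a Redfish user with operator role and verify.
    [Tags]  Redfish_Create_and_Verify_Operator_User
    [Template]  Redfish Create And Verify User

    #username      password    role_id         enabled
    operator_user  TestPwd123  Operator        ${True}


Redfish Create and Verify Readonly User
    [Documentation]  Create a Redfish user with readonly role and verify.
    [Tags]  Redfish_Create_and_Verify_Readonly_User
    [Template]  Redfish Create And Verify User

    #username      password    role_id         enabled
    readonly_user  TestPwd123  ReadOnly        ${True}


Verify Redfish Admin User Login With Wrong Password
    [Documentation]  Verify Redfish create admin user with valid password and make sure
    ...  admin user failed to login with wrong password.
    [Tags]  Verify_Redfish_Admin_User_Login_With_Wrong_Password
    [Template]  Verify Redfish User Login With Wrong Password

    #username      password    role_id         enabled  wrong_password
    admin_user     TestPwd123  Administrator   ${True}  alskjhfwurh


Verify Redfish Operator User Login With Wrong Password
    [Documentation]  Verify Redfish create operator user with valid password and make sure
    ...  operator user failed to login with wrong password.
    [Tags]  Verify_Redfish_Operator_User_Login_With_Wrong_Password
    [Template]  Verify Redfish User Login With Wrong Password

    #username      password    role_id         enabled  wrong_password
    operator_user  TestPwd123  Operator        ${True}  12j8a8uakjhdaosiruf024


Verify Redfish Readonly User Login With Wrong Password
    [Documentation]  Verify Redfish create readonly user with valid password and make sure
    ...  readonly user failed to login with wrong password.
    [Tags]  Verify_Redfish_Readonly_User_Login_With_Wrong_Password
    [Template]  Verify Redfish User Login With Wrong Password

    #username      password    role_id         enabled  wrong_password
    readonly_user  TestPwd123  ReadOnly        ${True}  12


Verify Login with Deleted Redfish Admin User
    [Documentation]  Verify login with deleted Redfish admin user.
    [Tags]  Verify_Login_with_Deleted_Redfish_Admin_User
    [Template]  Verify Login with Deleted Redfish User

    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${True}


Verify Login with Deleted Redfish Operator User
    [Documentation]  Verify login with deleted Redfish operator user.
    [Tags]  Verify_Login_with_Deleted_Redfish_Operator_User
    [Template]  Verify Login with Deleted Redfish User

    #username      password    role_id         enabled
    operator_user  TestPwd123  Operator        ${True}


Verify Login with Deleted Redfish Readonly User
    [Documentation]  Verify login with deleted Redfish readonly user.
    [Tags]  Verify_Login_with_Deleted_Redfish_Readonly_User
    [Template]  Verify Login with Deleted Redfish User

    #username      password    role_id         enabled
    readonly_user  TestPwd123  ReadOnly        ${True}


Verify Admin User Creation Without Enabling It
    [Documentation]  Verify admin user creation without enabling it.
    [Tags]  Verify_Admin_User_Creation_Without_Enabling_It
    [Template]  Verify Create User Without Enabling

    #username      password    role_id         enabled
    admin_user     TestPwd123  Administrator   ${False}


Verify Operator User Creation Without Enabling It
    [Documentation]  Verify operator user creation without enabling it.
    [Tags]  Verify_Operator_User_Creation_Without_Enabling_It
    [Template]  Verify Create User Without Enabling

    #username      password    role_id         enabled
    operator_user  TestPwd123  Operator        ${False}


Verify Readonly User Creation Without Enabling It
    [Documentation]  Verify readonly user creation without enabling it.
    [Tags]  Verify_Readonly_User_Creation_Without_Enabling_It
    [Template]  Verify Create User Without Enabling

    #username      password    role_id         enabled
    readonly_user  TestPwd123  ReadOnly        ${False}


Verify User Creation With Invalid Role Id
    [Documentation]  Verify user creation with invalid role ID.
    [Tags]  Verify_User_Creation_With_Invalid_Role_Id

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user; an unknown RoleId must be rejected.
    ${payload}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=wrongroleid  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]  Verify error upon creating same users with different privileges.
    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    Redfish Create User  test_user  TestPwd123  Administrator  ${True}

    # Re-create the same user name with another role; the request must be rejected.
    ${payload}=  Create Dictionary
    ...  UserName=test_user  Password=TestPwd123  RoleId=ReadOnly  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # NOTE(review): cleanup runs only when the steps above pass; on failure the
    # Administrator test_user stays on the BMC until a later test deletes it.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user


Verify Modifying User Attributes
    [Documentation]  Verify modifying user attributes.
    [Tags]  Verify_Modifying_User_Attributes

    # Create Redfish users.
    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}

    # Make sure the new user account does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Update admin_user username using Redfish.
    ${payload}=  Create Dictionary  UserName=newadmin_user
    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body=&{payload}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Update readonly_user role using Redfish.
    ${payload}=  Create Dictionary  RoleId=Administrator
    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body=&{payload}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Verify users after updating.
    Redfish Verify User  newadmin_user  TestPwd123  Administrator  ${True}
    Redfish Verify User  readonly_user  TestPwd123  Administrator  ${True}

    # Delete created users.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/newadmin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user


Verify Modifying Operator User Attributes
    [Documentation]  Verify modifying operator user attributes.
    [Tags]  Verify_Modifying_Operator_User_Attributes
    [Setup]  Run Keywords  Redfish.Login  AND
    ...  Redfish Create User  operator_user  TestPwd123  Operator  ${True}
    [Teardown]  Run Keywords  Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user
    ...  AND  Test Teardown Execution

    # Update operator_user password using Redfish.
    ${payload}=  Create Dictionary  Password=NewTestPwd123
    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body=&{payload}

    # Verify users after updating.
    Redfish Verify User  operator_user  NewTestPwd123  Operator  ${True}


Verify User Account Locked
    [Documentation]  Verify user account locked upon trying with invalid password.
    [Tags]  Verify_User_Account_Locked

    # NOTE(review): admin_user is deleted only by the last step of this test; a
    # failure before that leaves an Administrator account with the suite's
    # well-known password on the BMC.
    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}

    ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
    ...  AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword  ${account_lockout_threshold} times
    ...  Run Keyword And Expect Error  *InvalidCredentialsError*  Redfish.Login  admin_user  abcd1234

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error  *InvalidCredentialsError*
    ...  Redfish.Login  admin_user  TestPwd123

    # Wait for the lockout duration plus a 5 second margin to expire,
    # then verify that login works again.
    ${total_wait_duration}=  Evaluate  ${account_lockout_duration} + 5
    Sleep  ${total_wait_duration}s

    Redfish.Login  admin_user  TestPwd123

    Redfish.Logout

    Redfish.Login

    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user


Verify User Account Unlock
    [Documentation]  Verify manually unlocking the account before lockout time
    [Tags]  Verify_User_Account_Unlock
    [Teardown]  Run Keywords  Redfish.Logout
    ...  AND  Redfish.Login
    ...  AND  Redfish.Delete  /redfish/v1/AccountService/Accounts/test_user
    ...  AND  SSHLibrary.Close All Connections

    Redfish Create User  test_user  TestPwd123  Administrator  ${True}

    ${payload}=  Create Dictionary
    ...  AccountLockoutThreshold=${account_lockout_threshold}
    ...  AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${payload}

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword  ${account_lockout_threshold} times
    ...  Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  test_user  abc123

    # The lockout must also apply to SSH: login with the correct password fails.
    SSHLibrary.Open Connection  ${OPENBMC_HOST}
    Run Keyword And Expect Error  Authentication failed*
    ...  SSHLibrary.Login  test_user  TestPwd123

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  test_user  TestPwd123

    ${payload}=  Create Dictionary  Locked=${FALSE}

    # Manually unlock the account before the lockout duration expires.
    Redfish.Login
    Redfish.Patch  ${REDFISH_ACCOUNTS_URI}test_user  body=${payload}
    Redfish.Logout

    # Try redfish login with the recently unlocked account.
    Redfish.Login  test_user  TestPwd123

    # Try SSH login with the unlocked account.
    SSHLibrary.Open Connection  ${OPENBMC_HOST}
    SSHLibrary.Login  test_user  TestPwd123


Verify Admin User Privilege
    [Documentation]  Verify admin user privilege.
    [Tags]  Verify_Admin_User_Privilege

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}

    Redfish.Logout

    Redfish.Login  admin_user  TestPwd123

    # Change password of 'readonly' user with admin user.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/readonly_user  body={'Password': 'NewTestPwd123'}

    # Verify modified user.
    Redfish Verify User  readonly_user  NewTestPwd123  ReadOnly  ${True}

    # Note: Delete user would work here because a root login is
    # performed as part of "Redfish Verify User" keyword's teardown.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/readonly_user


Verify Operator User Role Change Using Admin Privilege User
    [Documentation]  Verify operator user role change using admin privilege user
    [Tags]  Verify_Operator_User_Role_Change_Using_Admin_Privilege_User

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}

    Redfish.Logout

    # Change role ID of operator user with admin user.
    # Login with admin user.
    Redfish.Login  admin_user  TestPwd123

    # Modify Role ID of Operator user.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/operator_user  body={'RoleId': 'Administrator'}

    # Verify modified user.
    Redfish Verify User  operator_user  TestPwd123  Administrator  ${True}

    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user


Verify Operator User Privilege
    [Documentation]  Verify operator user privilege.
    [Tags]  Verify_Operator_User_Privilege

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}

    Redfish.Logout
    # Login with operator user.
    Redfish.Login  operator_user  TestPwd123

    # An operator must not be able to reset the BMC.
    Run Keyword And Expect Error  ValueError*  Redfish BMC Reset Operation

    # Attempt to change password of admin user with operator user;
    # the request must be refused with HTTP_FORBIDDEN.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user  body={'Password': 'NewTestPwd123'}
    ...  valid_status_codes=[${HTTP_FORBIDDEN}]

    Redfish.Logout

    Redfish.Login

    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete  /redfish/v1/AccountService/Accounts/operator_user


Verify ReadOnly User Privilege
    [Documentation]  Verify ReadOnly user privilege.
    [Tags]  Verify_ReadOnly_User_Privilege

    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}
    Redfish.Logout

    # Login with read_only user.
    Redfish.Login  readonly_user  TestPwd123

    # Read system level data.
    # NOTE(review): this only proves that a read succeeds; ${system_model} is not
    # checked and no write is attempted, so the test does not show that the
    # ReadOnly role is refused modifications (compare the HTTP_FORBIDDEN check
    # in "Verify Operator User Privilege").
    ${system_model}=  Redfish_Utils.Get Attribute
    ...  ${SYSTEM_BASE_URI}  Model

    Redfish.Logout
    Redfish.Login
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}readonly_user


Verify Minimum Password Length For Redfish Admin And Readonly User
    [Documentation]  Verify minimum password length for new and existing admin or
    ...  readonly user.
    [Tags]  Verify_Minimum_Password_Length_For_Redfish_Admin_And_Readonly_User
    [Template]  Verify Minimum Password Length For Redfish User

    #username      role_id
    admin_user     Administrator
    readonly_user  ReadOnly


Verify Standard User Roles Defined By Redfish
    [Documentation]  Verify standard user roles defined by Redfish.
    [Tags]  Verify_Standard_User_Roles_Defined_By_Redfish

    ${member_list}=  Redfish_Utils.Get Member List
    ...  /redfish/v1/AccountService/Roles

    @{roles}=  Create List
    ...  /redfish/v1/AccountService/Roles/Administrator
    ...  /redfish/v1/AccountService/Roles/Operator
    ...  /redfish/v1/AccountService/Roles/ReadOnly

    List Should Contain Sub List  ${member_list}  ${roles}

    # The standard roles are:

    # | Role name | Assigned privileges |
    # | Administrator | Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf |
    # | Operator | Login, ConfigureComponents, ConfigureSelf |
    # | ReadOnly | Login, ConfigureSelf |

    @{admin}=  Create List  Login  ConfigureManager  ConfigureUsers  ConfigureComponents  ConfigureSelf
    @{operator}=  Create List  Login  ConfigureComponents  ConfigureSelf
    @{readOnly}=  Create List  Login  ConfigureSelf

    ${roles_dict}=  create dictionary  admin_privileges=${admin}  operator_privileges=${operator}
    ...  readOnly_privileges=${readOnly}

    # NOTE(review): the checks below are sub-list checks, so a role that carries
    # MORE privileges than listed above (e.g. ReadOnly with ConfigureUsers)
    # still passes.
    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/Administrator
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${roles_dict['admin_privileges']}

    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/Operator
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${roles_dict['operator_privileges']}

    ${resp}=  redfish.Get  /redfish/v1/AccountService/Roles/ReadOnly
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${roles_dict['readOnly_privileges']}


Verify Error While Deleting Root User
    [Documentation]  Verify error while deleting root user.
    [Tags]  Verify_Error_While_Deleting_Root_User

    Redfish.Delete  /redfish/v1/AccountService/Accounts/root  valid_status_codes=[${HTTP_FORBIDDEN}]


Verify SSH Login Access With Admin User
    [Documentation]  Verify that admin user have SSH login access.
    ...  By default, admin should have access but there could be
    ...  case where admin user shell access is restricted by design
    ...  in the community sphere.
    [Tags]  Verify_SSH_Login_Access_With_Admin_User

    # Create an admin user and verify SSH login.
    Create Admin User And Verify SSH Login

    Redfish.Login
    Redfish.Delete  /redfish/v1/AccountService/Accounts/new_admin

Verify SSH Login Is Revoked For Deleted User
    [Documentation]  Verify SSH login access is revoked for deleted User.
    [Tags]  Verify_SSH_Login_Is_Revoked_For_Deleted_User

    # Create an admin user and verify SSH login.
    Create Admin User And Verify SSH Login

    # Login with root user.
    Redfish.Login

    # Delete the admin user.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/new_admin
    ...  valid_status_codes=[${HTTP_OK}]

    # Attempt SSH login with Deleted user.
    # NOTE(review): "Create Admin User And Verify SSH Login" is defined outside
    # this listing; confirm it sets the password TestPwd1, otherwise this check
    # passes because of a wrong password rather than because of the deletion.
    SSHLibrary.Open Connection  ${OPENBMC_HOST}
    Run Keyword And Expect Error  Authentication failed*
    ...  SSHLibrary.Login  new_admin  TestPwd1

Verify Configure BasicAuth Enable And Disable
    [Documentation]  Verify configure basicauth enable and disable
    [Tags]  Verify_Configure_BasicAuth_Enable_And_Disable
    [Template]  Template For Configure Auth Methods

    # auth_method
    BasicAuth
    XToken


Redfish Create and Verify Admin User With Invalid Password Format
    [Documentation]  Create a admin user with invalid password format and verify.
    [Template]  Create User With Unsupported Password Format And Verify
    [Tags]  Redfish_Create_and_Verify_Admin_User_With_Invalid_Password_Format

    #username      role_id        password
    admin_user     Administrator  snellens
    admin_user     Administrator  10000001
    admin_user     Administrator  12345678
    admin_user     Administrator  abcdefgh
    admin_user     Administrator  abf12345
    admin_user     Administrator  helloworld
    admin_user     Administrator  HELLOWORLD
    admin_user     Administrator  &$%**!*@
    admin_user     Administrator  Dictation


Redfish Create and Verify Readonly User With Invalid Password Format
    [Documentation]  Create a readonly user with invalid password format and verify.
    [Template]  Create User With Unsupported Password Format And Verify
    [Tags]  Redfish_Create_and_Verify_Readonly_User_With_Invalid_Password_Format

    #username      role_id        password
    readonly_user  ReadOnly       snellens
    readonly_user  ReadOnly       10000001
    readonly_user  ReadOnly       12345678
    readonly_user  ReadOnly       abcdefgh
    readonly_user  ReadOnly       abf12345
    readonly_user  ReadOnly       helloworld
    readonly_user  ReadOnly       HELLOWORLD
    readonly_user  ReadOnly       &$%**!*@
    readonly_user  ReadOnly       Dictation


Verify Admin And Readonly User Password Is Not Same As Username
    [Documentation]  Verify that admin and readonly user creation is failed if
    ...  password is same as username.
    [Template]  Create User With Unsupported Password Format And Verify
    [Tags]  Verify_Admin_And_Readonly_User_Password_Is_Not_Same_As_Username

    #username      role_id        password
    AdminUser1     Administrator  AdminUser1
    ReadOnlyUser1  ReadOnly       ReadOnlyUser1

Verify AccountService Unsupported Methods
    [Documentation]  Verify Unsupported methods of AccountService
    [Tags]  Verify_AccountService_Unsupported_Methods

    # Put operation on Account Services
    Redfish.Put  /redfish/v1/AccountService
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Post operation on Account Services
    Redfish.Post  /redfish/v1/AccountService
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Delete operation on Account Services
    Redfish.Delete  /redfish/v1/AccountService
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

Verify AccountService Roles Unsupported Methods
    [Documentation]  Verify Unsupported methods of AccountService/Roles
    [Tags]  Verify_AccountService_Roles_Unsupported_Methods

    # Put operation on Account Services Roles
    Redfish.Put  /redfish/v1/AccountService/Roles
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Post operation on Account Services Roles
    Redfish.Post  /redfish/v1/AccountService/Roles
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Delete operation on Account Services Roles
    Redfish.Delete  /redfish/v1/AccountService/Roles
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Patch operation on Account Services Roles
    Redfish.Patch  /redfish/v1/AccountService/Roles
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

Verify AccountService Roles Instance With Unsupported Methods
    [Documentation]  Verify Instance Roles for AccountService and Unsupported Methods
    [Tags]  Verify_AccountService_Roles_Instance_With_Unsupported_Methods

    # GET Administrator Role Instance
    Redfish.Get  /redfish/v1/AccountService/Roles/Administrator
    ...  valid_status_codes=[${HTTP_OK}]

    # GET Operator Role Instance
    Redfish.Get  /redfish/v1/AccountService/Roles/Operator
    ...  valid_status_codes=[${HTTP_OK}]

    # GET ReadOnly RoleInstance
    Redfish.Get  /redfish/v1/AccountService/Roles/ReadOnly
    ...  valid_status_codes=[${HTTP_OK}]

    # Post operation on Account Service Roles Instance
    Redfish.Post  /redfish/v1/AccountService/Roles/Administrator
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Put operation on Account Service Roles Instance
    Redfish.Put  /redfish/v1/AccountService/Roles/Administrator
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Patch operation on Account Service Roles Instance
    Redfish.Patch  /redfish/v1/AccountService/Roles/Administrator
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Delete operation on Account Service Roles Instance
    Redfish.Delete  /redfish/v1/AccountService/Roles/Administrator
    ...  valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

*** Keywords ***

Test Teardown Execution
    [Documentation]  Do the post test teardown.

    Run Keyword And Ignore Error  Redfish.Logout
    FFDC On Test Case Fail


Redfish Create User
    [Documentation]  Redfish create user.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${login_check}=${True}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # login_check         Checks user login for created user.
    #                     (e.g. ${True}, ${False}).

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user.
    ${payload}=  Create Dictionary
    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${enabled}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_CREATED}]

    # Resetting faillock count as a workaround for issue
    # openbmc/phosphor-user-manager#4
    ${cmd}=  Catenate  /usr/sbin/faillock --user ${username} --reset

    Bmc Execute Command  ${cmd}

    # Verify login with created user: the login must succeed exactly when the
    # account was created enabled.
    IF  '${login_check}' == '${True}'
        ${status}=  Run Keyword And Return Status
        ...  Verify Redfish User Login  ${username}  ${password}
    ELSE
        ${status}=  Set Variable  ${False}
    END

    IF  '${login_check}' == '${True}'  Should Be Equal  ${status}  ${enabled}

    # Validate Role ID of created user.
    ${role_config}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${role_config}


Redfish Verify User
    [Documentation]  Redfish user verification.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be verified.
    # password            The password expected to work for the user.
    # role_id             The role ID the user is expected to have
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the user is expected to be
    #                     enabled (${True}, ${False}).

    ${status}=  Verify Redfish User Login  ${username}  ${password}
    # Doing a check of the returned status.
    Should Be Equal  ${status}  ${enabled}

    # Validate Role Id of user.
    ${role_config}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${role_config}


Verify Redfish User Login
    [Documentation]  Verify Redfish login with given user id.
    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout  AND  Redfish.Login
    [Arguments]   ${username}  ${password}

    # Description of argument(s):
    # username            Login username.
    # password            Login password.

    # Logout from current Redfish session.
    # We don't really care if the current session is flushed out since we are going to login
    # with new credential in next.
    Run Keyword And Ignore Error  Redfish.Logout

    # The teardown above logs out again and re-opens the default session, so the
    # caller always continues with the default login whatever the result.
    ${status}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}
    RETURN  ${status}


Redfish Create And Verify User
    [Documentation]  Redfish create and verify user.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Example:
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}

    # Delete Specified User
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

Verify Redfish User Login With Wrong Password
    [Documentation]  Verify Redfish User failed to login with wrong password.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # wrong_password      Any invalid password.

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    Redfish.Logout

    # Attempt to login with created user with invalid password.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${wrong_password}

    Redfish.Login

    # Delete newly created user.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}


Verify Login with Deleted Redfish User
    [Documentation]  Verify Login with Deleted Redfish User.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # Delete newly created user.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

    Redfish.Logout

    # Attempt to login with deleted user account.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    Redfish.Login


Verify Create User Without Enabling
    [Documentation]  Verify Create User Without Enabling.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # login_check is ${False}: the login is checked explicitly below instead.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}  ${False}

    Redfish.Logout

    # Login with created user must be refused because the account is not enabled.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${username}  ${password}

    Redfish.Login

    # Delete newly created user.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

Template For Configure Auth Methods
    [Documentation]  Template to configure auth methods.
    [Arguments]  ${auth_method}
    [Teardown]  Configure AuthMethods  ${auth_method}=${initial_value}

    # Description of Argument(s):
    # auth_method         The authmethod setting which needs to be
    #                     set in account service URI.
    # valid values        BasicAuth, XToken.

    # Stores the current setting in the test variable ${initial_value}, which the
    # teardown uses to restore it.
    # NOTE(review): if this keyword fails, ${initial_value} is never set and the
    # teardown cannot restore the auth method.
    Get AuthMethods Default Values  ${auth_method}

    # Patch the auth method to TRUE.
    Configure AuthMethods  ${auth_method}=${TRUE}

    IF  "${auth_method}" == "XToken"
        Check XToken Works Fine  ${HTTP_OK}
    ELSE
        Check BasicAuth Works Fine  ${HTTP_OK}
    END

    # Patch the auth method to FALSE.
    Configure AuthMethods  ${auth_method}=${FALSE}

    IF  "${auth_method}" == "BasicAuth"
        Check BasicAuth Works Fine  ${HTTP_UNAUTHORIZED}
    ELSE
        Check XToken Works Fine  ${HTTP_UNAUTHORIZED}
    END

Configure AuthMethods
    [Documentation]  Enable/disable authmethod types.
    [Arguments]  &{authmethods}

    # Description of argument(s):
    # authmethods         The authmethod setting which needs to be
    #                     set in account service URI.
    # Usage Example       Configure AuthMethods  XToken=${TRUE}  BasicAuth=${TRUE}
    #                     This will set the value of "XToken" and "BasicAuth"
    #                     property in accountservice uri to TRUE.

    ${openbmc}=  Create Dictionary  AuthMethods=${authmethods}
    ${oem}=  Create Dictionary  OpenBMC=${openbmc}
    ${payload}=  Create Dictionary  Oem=${oem}

    # Setting authmethod properties using Redfish session based auth
    ${status}=  Run Keyword And Return Status
    ...  Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=${payload}  valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]

    # Setting authmethod properties using basic auth in case the former fails
    IF  ${status}==${FALSE}
        # Payload dictionary pre-process to match json formatting
        ${payload}=  Convert To String  ${payload}
        ${payload}=  Replace String  ${payload}  '  "
        ${payload}=  Replace String  ${payload}  False  false
        ${payload}=  Replace String  ${payload}  True  true

        # Curl Command Framing for PATCH authmethod
        # NOTE(review): -u places the BMC credentials on the curl command line, so
        # they show up in the Robot log and in the local process list, and -k
        # turns off TLS certificate verification for this request.
        ${cmd}=  Catenate  curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
        ...  -X PATCH '${AUTH_URI}${REDFISH_ACCOUNTS_SERVICE_URI}'
        ...  -H 'content-type:application/json' -H 'If-Match:*'
        ...  -d '${payload}'
        ${rc}  ${out}=  Run And Return Rc And Output  ${cmd}

        # The fallback PATCH must have answered 200 or 204. Match the HTTP status
        # line rather than any "200"/"204" substring, and fail otherwise. The
        # earlier "Pass Execution If" form tested only the 204 case (its "OR ..."
        # continuation was taken as message/tag arguments), ended the calling
        # test as passed on success and ignored a failed PATCH.
        Should Match Regexp  ${out}  HTTP/[0-9.]+ (200|204)
    END


Get AuthMethods Default Values
    [Documentation]  Get enabled/disabled status of all authmethods
    ...  from Redfish account service URI
    [Arguments]  ${authmethod}

    # Description of argument(s):
    # authmethod          The authmethod property whose value needs to be
    #                     retrieved from account service URI.
    # Usage Example       Get AuthMethods Default Values  BasicAuth
    #                     returns >> ${TRUE}
    # Example:
    # {
    #     "@odata.id": "/redfish/v1/AccountService",
    #     (...)
    #     "Oem": {
    #         "OpenBMC": {
    #             "AuthMethods": {
    #                 "BasicAuth": true,
    #                 "Cookie": true,
    #                 "SessionToken": true,
    #                 "TLS": true,
    #                 "XToken": true
    #             }
    #         }
    #     }
    # }

    ${resp}=  Redfish.Get Attribute  ${REDFISH_ACCOUNTS_SERVICE_URI}  Oem
    ${authmethods}=  Set Variable  ${resp['OpenBMC']['AuthMethods']}
    ${initial_value}=  Get From Dictionary  ${authmethods}  ${authmethod}
    # Published as a test variable (not returned) for the caller's teardown.
    Set Test Variable  ${initial_value}

Check XToken Works Fine
    [Documentation]  Verify Xtoken works fine.
    [Arguments]  ${status_code}

    # Description of Argument(s):
    # status_code : 200, 401.

    # Verify xtoken auth works for xtoken
    Redfish.Get  ${REDFISH_ACCOUNTS_SERVICE_URI}
    ...  valid_status_codes=[${status_code}]

Check BasicAuth Works Fine
    [Documentation]  Verify Basic Auth works fine.
    [Arguments]  ${status_code}

    # Description of Argument(s):
    # status_code : 200, 401.

    # Verify basic auth works based on basic auth.
    # NOTE(review): -u places the BMC credentials on the curl command line (Robot
    # log, local process list) and -k turns off TLS certificate verification.
    ${cmd}=  Catenate  curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
    ...  ${AUTH_URI}/redfish/v1/AccountService
    ${rc}  ${out}=  Run And Return Rc And Output  ${cmd}

    # Check the response of curl command is 200/401. Match the HTTP status line so
    # that the same digits elsewhere in the output cannot satisfy the check.
    Should Match Regexp  ${out}  HTTP/[0-9.]+ ${status_code}


Create User With Unsupported Password Format And Verify
    [Documentation]  Create admin or readonly user with unsupported password format
    ...  and verify.
    [Arguments]   ${username}  ${role_id}  ${password}

    # Description of argument(s):
    # username            The username to be created.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "ReadOnly").
    # password            The password to be assigned.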
994 # Unsupported password format are sequential characters, 995 # sequential digits, palindrome digits, palindrome characters, 996 # only uppercase letters, only lowercase letters, only digits, 997 # only characters, not a dictionary word, username and password 998 # should not be same. 999 1000 # Make sure the user account in question does not already exist. 1001 Redfish.Delete /redfish/v1/AccountService/Accounts/${userName} 1002 ... valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}] 1003 1004 # Create specified user with invalid password format. 1005 ${payload}= Create Dictionary 1006 ... UserName=${username} Password=${password} RoleId=${role_id} Enabled=${True} 1007 Redfish.Post /redfish/v1/AccountService/Accounts/ body=&{payload} 1008 ... valid_status_codes=[${HTTP_BAD_REQUEST}] 1009 1010 1011Verify Minimum Password Length For Redfish User 1012 [Documentation] Verify minimum password length for new and existing admin or 1013 ... readonly user. 1014 [Arguments] ${user_name} ${role_id} 1015 1016 # Description of argument(s): 1017 # user_name The username to be created. 1018 # role_id The role ID of the user to be created. 1019 1020 # Make sure the user account in question does not already exist. 1021 Redfish.Delete /redfish/v1/AccountService/Accounts/${user_name} 1022 ... valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}] 1023 1024 # Try to create a user with invalid length password. 1025 ${payload}= Create Dictionary 1026 ... UserName=${user_name} Password=UserPwd RoleId=${role_id} Enabled=${True} 1027 Redfish.Post /redfish/v1/AccountService/Accounts/ body=&{payload} 1028 ... valid_status_codes=[${HTTP_BAD_REQUEST}] 1029 1030 # Create specified user with valid length password. 1031 Set To Dictionary ${payload} Password UserPwd1 1032 Redfish.Post /redfish/v1/AccountService/Accounts/ body=&{payload} 1033 ... valid_status_codes=[${HTTP_CREATED}] 1034 1035 # Try to change to an invalid password. 
1036 Redfish.Patch /redfish/v1/AccountService/Accounts/${user_name} body={'Password': 'UserPwd'} 1037 ... valid_status_codes=[${HTTP_BAD_REQUEST}] 1038 1039 # Change to a valid password. 1040 Redfish.Patch /redfish/v1/AccountService/Accounts/${user_name} body={'Password': 'UserPwd1'} 1041 1042 # Verify login. 1043 Redfish.Logout 1044 Redfish.Login ${user_name} UserPwd1 1045 Redfish.Logout 1046 Redfish.Login 1047 Redfish.Delete /redfish/v1/AccountService/Accounts/${user_name} 1048 1049Create Admin User And Verify SSH Login 1050 [Documentation] Create admin user and verify SSH login & logout. 1051 1052 # Create an admin User. 1053 Redfish Create User new_admin TestPwd1 Administrator ${True} 1054 1055 # Attempt SSH login with admin user. 1056 SSHLibrary.Open Connection ${OPENBMC_HOST} 1057 ${status}= Run Keyword And Return Status SSHLibrary.Login new_admin TestPwd1 1058 1059 # By default ssh_status is True, user can change the status via CLI 1060 # -v ssh_status:False 1061 Should Be Equal As Strings "${status}" "${ssh_status}" 1062 1063 # Close SSH connection for admin user. 1064 SSHLibrary.Close Connection