*** Settings ***
Documentation    Test Redfish user account.

# Shared keyword resources from the repository's lib directory.
Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/bmc_redfish_utils.robot

# Every test starts with a Redfish login that passes no explicit credentials
# and ends with the teardown keyword defined in this file.
Test Setup       Redfish.Login
Test Teardown    Test Teardown Execution
*** Variables ***

# Lockout policy written to the account service by "Verify User Account Locked".
# The threshold is the number of failed logins the test performs; the duration
# is used as a number of seconds when the test sleeps.
${account_lockout_threshold}  ${3}
${account_lockout_duration}   ${30}
*** Test Cases ***

Verify AccountService Available
    [Documentation]  Verify Redfish account service is available.
    [Tags]  Verify_AccountService_Available

    # The ServiceEnabled property of the account service must read as true.
    ${service_enabled}=  Redfish_utils.Get Attribute  /redfish/v1/AccountService  ServiceEnabled
    Should Be Equal As Strings  ${service_enabled}  ${True}
Verify Redfish User Persistence After Reboot
    [Documentation]  Verify Redfish user persistence after reboot.
    [Tags]  Verify_Redfish_User_Persistence_After_Reboot

    ${test_password}=  Set Variable  TestPwd123
    ${accounts_uri}=  Set Variable  /redfish/v1/AccountService/Accounts

    # Create one enabled account for each role before the reboot.
    Redfish Create User  admin_user  ${test_password}  Administrator  ${True}
    Redfish Create User  operator_user  ${test_password}  Operator  ${True}
    Redfish Create User  readonly_user  ${test_password}  ReadOnly  ${True}

    # Reboot BMC.
    Redfish OBMC Reboot (off)  stack_mode=normal

    # After the reboot every account must still log in and report its role.
    Redfish Verify User  admin_user  ${test_password}  Administrator  ${True}
    Redfish Verify User  operator_user  ${test_password}  Operator  ${True}
    Redfish Verify User  readonly_user  ${test_password}  ReadOnly  ${True}

    # Remove the test accounts.
    # NOTE(review): these deletes are skipped when an earlier step fails, so
    # the accounts stay on the BMC until a later Redfish Create User call
    # replaces them.
    Redfish.Delete  ${accounts_uri}/admin_user
    Redfish.Delete  ${accounts_uri}/operator_user
    Redfish.Delete  ${accounts_uri}/readonly_user
Redfish Create and Verify Users
    [Documentation]  Create Redfish users with various roles.
    [Tags]  Redfish_Create_and_Verify_Users
    [Template]  Redfish Create And Verify User

    # Each row below is one call of the template keyword.
    # username       password      role_id          enabled
    admin_user       TestPwd123    Administrator    ${True}
    operator_user    TestPwd123    Operator         ${True}
    readonly_user    TestPwd123    ReadOnly         ${True}
Verify Redfish User with Wrong Password
    [Documentation]  Verify Redfish User with Wrong Password.
    [Tags]  Verify_Redfish_User_with_Wrong_Password
    [Template]  Verify Redfish User with Wrong Password

    # Each row creates the account with "password" and then expects a login
    # with "wrong_password" to be refused.
    # username       password      role_id          enabled    wrong_password
    admin_user       TestPwd123    Administrator    ${True}    alskjhfwurh
    operator_user    TestPwd123    Operator         ${True}    12j8a8uakjhdaosiruf024
    readonly_user    TestPwd123    ReadOnly         ${True}    12
Verify Login with Deleted Redfish Users
    [Documentation]  Verify login with deleted Redfish Users.
    [Tags]  Verify_Login_with_Deleted_Redfish_Users
    [Template]  Verify Login with Deleted Redfish User

    # Each row creates the account, deletes it and expects its login to fail.
    # username       password      role_id          enabled
    admin_user       TestPwd123    Administrator    ${True}
    operator_user    TestPwd123    Operator         ${True}
    readonly_user    TestPwd123    ReadOnly         ${True}
Verify User Creation Without Enabling It
    [Documentation]  Verify User Creation Without Enabling it.
    [Tags]  Verify_User_Creation_Without_Enabling_It
    [Template]  Verify Create User Without Enabling

    # Each row creates a disabled account and expects its login to be refused.
    # username       password      role_id          enabled
    admin_user       TestPwd123    Administrator    ${False}
    operator_user    TestPwd123    Operator         ${False}
    readonly_user    TestPwd123    ReadOnly         ${False}
Verify User Creation With Invalid Role Id
    [Documentation]  Verify user creation with invalid role ID.
    [Tags]  Verify_User_Creation_With_Invalid_Role_Id

    ${accounts_uri}=  Set Variable  /redfish/v1/AccountService/Accounts/

    # Start from a clean state. The delete is accepted whether the account
    # existed (HTTP_OK) or not (HTTP_NOT_FOUND).
    Redfish.Delete  ${accounts_uri}test_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # A create request that names an unknown RoleId must be rejected.
    ${payload}=  Create Dictionary  UserName=test_user  Password=TestPwd123
    ...  RoleId=wrongroleid  Enabled=${True}
    Redfish.Post  ${accounts_uri}  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]
Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]  Verify error upon creating same users with different privileges.
    [Tags]  Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    ${accounts_uri}=  Set Variable  /redfish/v1/AccountService/Accounts/

    # First creation, as Administrator.
    Redfish Create User  test_user  TestPwd123  Administrator  ${True}

    # A second create request for the same user name with another role must be
    # rejected, so an existing account cannot be replaced through POST.
    ${payload}=  Create Dictionary  UserName=test_user  Password=TestPwd123
    ...  RoleId=Operator  Enabled=${True}
    Redfish.Post  ${accounts_uri}  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Remove the test account.
    Redfish.Delete  ${accounts_uri}test_user
Verify Modifying User Attributes
    [Documentation]  Verify modifying user attributes.
    [Tags]  Verify_Modifying_User_Attributes

    ${accounts_uri}=  Set Variable  /redfish/v1/AccountService/Accounts

    # Create one enabled account for each role.
    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}

    # The name used for the rename must be free. The delete is accepted
    # whether the account existed (HTTP_OK) or not (HTTP_NOT_FOUND).
    Redfish.Delete  ${accounts_uri}/newadmin_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Rename admin_user to newadmin_user.
    ${rename}=  Create Dictionary  UserName=newadmin_user
    Redfish.Patch  ${accounts_uri}/admin_user  body=&{rename}

    # Give operator_user a new password.
    ${new_password}=  Create Dictionary  Password=NewTestPwd123
    Redfish.Patch  ${accounts_uri}/operator_user  body=&{new_password}

    # Move readonly_user to the Operator role.
    ${new_role}=  Create Dictionary  RoleId=Operator
    Redfish.Patch  ${accounts_uri}/readonly_user  body=&{new_role}

    # Each account must log in and report its role with the updated attribute.
    Redfish Verify User  newadmin_user  TestPwd123  Administrator  ${True}
    Redfish Verify User  operator_user  NewTestPwd123  Operator  ${True}
    Redfish Verify User  readonly_user  TestPwd123  Operator  ${True}

    # Remove the test accounts.
    Redfish.Delete  ${accounts_uri}/newadmin_user
    Redfish.Delete  ${accounts_uri}/operator_user
    Redfish.Delete  ${accounts_uri}/readonly_user
Verify User Account Locked
    [Documentation]  Verify user account locked upon trying with invalid password.
    [Tags]  Verify_User_Account_Locked

    Redfish Create User  admin_user  TestPwd123  Administrator   ${True}

    # Write the lockout policy to the account service.
    # NOTE(review): the previous threshold and duration are neither read nor
    # restored here, so the policy written below stays in place after the test.
    ${lockout_policy}=  Create Dictionary
    ...  AccountLockoutThreshold=${account_lockout_threshold}
    ...  AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch  ${REDFISH_ACCOUNTS_SERVICE_URI}  body=${lockout_policy}

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts; each must be refused.
    Repeat Keyword  ${account_lockout_threshold} times
    ...  Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  admin_user  abc123

    # With the threshold reached, the correct password must be refused as well.
    Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  admin_user  TestPwd123

    # After the lockout duration has elapsed the correct password works again.
    Sleep  ${account_lockout_duration}s
    Redfish.Login  admin_user  TestPwd123
    Redfish.Logout

    # Log in again without explicit credentials before removing the test account.
    Redfish.Login
    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
Verify Admin User Privilege
    [Documentation]  Verify admin user privilege.
    [Tags]  Verify_Admin_User_Privilege

    ${accounts_uri}=  Set Variable  /redfish/v1/AccountService/Accounts

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}
    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}

    # Continue as the newly created Administrator account.
    Redfish.Logout
    Redfish.Login  admin_user  TestPwd123

    # admin_user changes the role ID of operator_user.
    Redfish.Patch  ${accounts_uri}/operator_user  body={'RoleId': 'Administrator'}

    # Verify modified user. The login check inside this keyword ends with a
    # logout and a login without explicit credentials.
    Redfish Verify User  operator_user  TestPwd123  Administrator  ${True}

    # Switch back to admin_user for the next change.
    Redfish.Logout
    Redfish.Login  admin_user  TestPwd123

    # admin_user changes the password of readonly_user.
    Redfish.Patch  ${accounts_uri}/readonly_user  body={'Password': 'NewTestPwd123'}

    # Verify modified user.
    Redfish Verify User  readonly_user  NewTestPwd123  ReadOnly  ${True}

    # Remove the test accounts.
    Redfish.Delete  ${accounts_uri}/admin_user
    Redfish.Delete  ${accounts_uri}/operator_user
    Redfish.Delete  ${accounts_uri}/readonly_user
Verify Operator User Privilege
    [Documentation]  Verify operator user privilege.
    [Tags]  Verify_operator_User_Privilege

    ${accounts_uri}=  Set Variable  /redfish/v1/AccountService/Accounts

    Redfish Create User  admin_user  TestPwd123  Administrator  ${True}
    Redfish Create User  operator_user  TestPwd123  Operator  ${True}

    # Continue as the Operator account.
    Redfish.Logout
    Redfish.Login  operator_user  TestPwd123

    # A BMC reset requested in the Operator session is expected to fail; the
    # reset keyword must raise an error that starts with "ValueError".
    Run Keyword And Expect Error  ValueError*  Redfish BMC Reset Operation

    # An Operator must not be able to change the Administrator's password.
    # NOTE(review): the HTTP_FORBIDDEN status is the only check; no login as
    # admin_user follows to confirm that the password is unchanged.
    Redfish.Patch  ${accounts_uri}/admin_user  body={'Password': 'NewTestPwd123'}
    ...  valid_status_codes=[${HTTP_FORBIDDEN}]

    # Log in again without explicit credentials before removing the test accounts.
    Redfish.Logout
    Redfish.Login

    Redfish.Delete  ${accounts_uri}/admin_user
    Redfish.Delete  ${accounts_uri}/operator_user
Verify ReadOnly User Privilege
    [Documentation]  Verify ReadOnly user privilege.
    [Tags]  Verify_ReadOnly_User_Privilege

    Redfish Create User  readonly_user  TestPwd123  ReadOnly  ${True}

    # Continue as the ReadOnly account.
    Redfish.Logout
    Redfish.Login  readonly_user  TestPwd123

    # A ReadOnly session must be able to read system level data.
    # NOTE(review): only this successful read is checked; no write is attempted
    # to confirm that the ReadOnly role is refused.
    ${system_model}=  Redfish_Utils.Get Attribute  ${SYSTEM_BASE_URI}  Model

    # Log in again without explicit credentials before removing the test account.
    Redfish.Logout
    Redfish.Login
    Redfish.Delete  ${REDFISH_ACCOUNTS_URI}readonly_user
Verify Minimum Password Length For Redfish User
    [Documentation]  Verify minimum password length for new and existing user.
    [Tags]  Verify_Minimum_Password_Length_For_Redfish_User

    ${user_name}=  Set Variable  testUser
    ${accounts_uri}=  Set Variable  /redfish/v1/AccountService/Accounts/

    # Start from a clean state. The delete is accepted whether the account
    # existed (HTTP_OK) or not (HTTP_NOT_FOUND).
    Redfish.Delete  ${accounts_uri}${user_name}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Creating the account with the 7-character password must be rejected.
    ${payload}=  Create Dictionary  UserName=${user_name}  Password=UserPwd
    ...  RoleId=Administrator  Enabled=${True}
    Redfish.Post  ${accounts_uri}  body=&{payload}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # The same request with the 8-character password must create the account.
    Set To Dictionary  ${payload}  Password  UserPwd1
    Redfish.Post  ${accounts_uri}  body=&{payload}
    ...  valid_status_codes=[${HTTP_CREATED}]

    # The length rule also applies to a password change on the existing account.
    Redfish.Patch  ${accounts_uri}${user_name}  body={'Password': 'UserPwd'}
    ...  valid_status_codes=[${HTTP_BAD_REQUEST}]

    # Change to a valid password.
    Redfish.Patch  ${accounts_uri}${user_name}  body={'Password': 'UserPwd1'}

    # The account must log in with the valid password.
    Redfish.Logout
    Redfish.Login  ${user_name}  UserPwd1

    # Log in again without explicit credentials before removing the test account.
    Redfish.Logout
    Redfish.Login
    Redfish.Delete  ${accounts_uri}${user_name}
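Verify Standard User Roles Defined By Redfish
    [Documentation]  Verify standard user roles defined by Redfish.
    [Tags]  Verify_Standard_User_Roles_Defined_By_Redfish

    # The three standard roles must be listed in the Roles collection. Other
    # roles may be listed as well, so this is a sub-list check.
    ${member_list}=  Redfish_Utils.Get Member List
    ...  /redfish/v1/AccountService/Roles

    @{roles}=  Create List
    ...  /redfish/v1/AccountService/Roles/Administrator
    ...  /redfish/v1/AccountService/Roles/Operator
    ...  /redfish/v1/AccountService/Roles/ReadOnly

    List Should Contain Sub List  ${member_list}  ${roles}

    # The standard roles are:

    # | Role name | Assigned privileges |
    # | Administrator | Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf |
    # | Operator | Login, ConfigureComponents, ConfigureSelf |
    # | ReadOnly | Login, ConfigureSelf |

    @{admin}=  Create List  Login  ConfigureManager  ConfigureUsers  ConfigureComponents  ConfigureSelf
    @{operator}=  Create List  Login  ConfigureComponents  ConfigureSelf
    @{readOnly}=  Create List  Login  ConfigureSelf

    # Each role is compared in both directions. The first check fails when a
    # privilege is missing; the second fails when the role carries a privilege
    # that is not in the table above (for example ReadOnly with ConfigureUsers),
    # which a one-way sub-list check would let through.
    ${resp}=  Redfish.Get  /redfish/v1/AccountService/Roles/Administrator
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${admin}
    List Should Contain Sub List  ${admin}  ${resp.dict['AssignedPrivileges']}

    ${resp}=  Redfish.Get  /redfish/v1/AccountService/Roles/Operator
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${operator}
    List Should Contain Sub List  ${operator}  ${resp.dict['AssignedPrivileges']}

    ${resp}=  Redfish.Get  /redfish/v1/AccountService/Roles/ReadOnly
    List Should Contain Sub List  ${resp.dict['AssignedPrivileges']}  ${readOnly}
    List Should Contain Sub List  ${readOnly}  ${resp.dict['AssignedPrivileges']}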
Verify Error While Deleting Root User
    [Documentation]  Verify error while deleting root user.
    [Tags]  Verify_Error_While_Deleting_Root_User

    # Deleting the root account must be refused with HTTP_FORBIDDEN.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/root
    ...  valid_status_codes=[${HTTP_FORBIDDEN}]
*** Keywords ***

Test Teardown Execution
    [Documentation]  Do the post test teardown.

    # Several tests log out themselves, so a failing logout is ignored here.
    Run Keyword And Ignore Error  Redfish.Logout

    # Collect failure data when the test case failed.
    FFDC On Test Case Fail
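Redfish Create User
    [Documentation]  Redfish create user.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${login_check}=${True}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # login_check         Checks user login for created user.
    #                     (e.g. ${True}, ${False}).

    # Make sure the user account in question does not already exist. The delete
    # is accepted whether the account existed (HTTP_OK) or not (HTTP_NOT_FOUND).
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user.
    ${payload}=  Create Dictionary
    ...  UserName=${username}  Password=${password}  RoleId=${role_id}  Enabled=${enabled}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_CREATED}]

    # Resetting faillock count as a workaround for issue
    # openbmc/phosphor-user-manager#4
    # The reset has to name the account that was just created; a fixed
    # placeholder name would leave this account's failure count untouched.
    ${cmd}=  Catenate  /usr/sbin/faillock --user ${username} --reset
    Bmc Execute Command  ${cmd}

    # Verify login with created user. The login is expected to succeed exactly
    # when the account was created enabled.
    ${status}=  Run Keyword If  '${login_check}' == '${True}'
    ...  Verify Redfish User Login  ${username}  ${password}
    Run Keyword If  '${login_check}' == '${True}'  Should Be Equal  ${status}  ${enabled}

    # Validate Role ID of created user.
    ${role_config}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${role_config}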
Redfish Verify User
    [Documentation]  Redfish user verification.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username of the account to verify.
    # password            The password expected to work for that account.
    # role_id             The role ID the account is expected to report
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             The expected login result (${True}, ${False}).

    # The login result must match the expected enabled state.
    ${login_ok}=  Verify Redfish User Login  ${username}  ${password}
    Should Be Equal  ${login_ok}  ${enabled}

    # The RoleId reported for the account must match the expected role.
    ${actual_role}=  Redfish_Utils.Get Attribute
    ...  /redfish/v1/AccountService/Accounts/${username}  RoleId
    Should Be Equal  ${role_id}  ${actual_role}
Verify Redfish User Login
    [Documentation]  Verify Redfish login with given user id.
    [Arguments]   ${username}  ${password}
    [Teardown]  Run Keywords  Run Keyword And Ignore Error  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # username            Login username.
    # password            Login password.

    # Returns the status of the login attempt (${True} on success, ${False}
    # on failure). The teardown then logs out and logs in again without
    # explicit credentials, so the caller does not continue in the session of
    # the user under test.

    # Drop the current session first. A failure here is ignored because a new
    # login follows in either case.
    Run Keyword And Ignore Error  Redfish.Logout

    ${login_ok}=  Run Keyword And Return Status  Redfish.Login  ${username}  ${password}
    [Return]  ${login_ok}
Redfish Create And Verify User
    [Documentation]  Redfish create and verify user.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Example of an account resource (excerpt):
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},

    # Create the account, then check its login and role.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
    Redfish Verify User  ${username}  ${password}  ${role_id}  ${enabled}

    # Remove the account again.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
Verify Redfish User with Wrong Password
    [Documentation]  Verify Redfish User with Wrong Password.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}  ${wrong_password}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # wrong_password      Any invalid password.

    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}

    # End the current session so that the next login is a fresh attempt.
    Redfish.Logout

    # A login with the wrong password must be refused.
    Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  ${username}  ${wrong_password}

    # Log in again without explicit credentials and remove the test account.
    Redfish.Login
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}
Verify Login with Deleted Redfish User
    [Documentation]  Verify Login with Deleted Redfish User.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Create the account and delete it again straight away.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}

    Redfish.Logout

    # The credentials of the deleted account must no longer be accepted.
    Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  ${username}  ${password}

    # Log in again without explicit credentials.
    Redfish.Login
Verify Create User Without Enabling
    [Documentation]  Verify Create User Without Enabling.
    [Arguments]   ${username}  ${password}  ${role_id}  ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Create the account with the login check of Redfish Create User turned
    # off (last argument); the login is tested below instead.
    Redfish Create User  ${username}  ${password}  ${role_id}  ${enabled}  ${False}

    Redfish.Logout

    # A login with the created account is expected to be refused.
    Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  ${username}  ${password}

    # Log in again without explicit credentials and remove the test account.
    Redfish.Login
    Redfish.Delete  /redfish/v1/AccountService/Accounts/${username}