*** Settings ***
Documentation       Test suite for verifying Redfish admin, readonly operation user accounts.

Resource            ../../lib/resource.robot
Resource            ../../lib/bmc_redfish_resource.robot
Resource            ../../lib/openbmc_ffdc.robot
Resource            ../../lib/bmc_redfish_utils.robot

Library             SSHLibrary

# Each test starts with Redfish.Login called without arguments and ends with
# the shared teardown keyword (logout plus FFDC collection on failure).
Test Setup          Redfish.Login
Test Teardown       Test Teardown Execution

Test Tags           User_Account

*** Variables ***

# Lockout policy written to the AccountService by the account-lock tests.
# The lock test sleeps for ${account_lockout_duration} + 5 with an "s" suffix,
# so the suite handles the duration as seconds.
${account_lockout_duration}     ${30}
${account_lockout_threshold}    ${3}
# Expected result of the admin SSH login check; can be overridden from the
# command line with -v ssh_status:False.
${ssh_status}                   ${True}

*** Test Cases ***

Verify AccountService Available
    [Documentation]    Verify Redfish account service is available.
    [Tags]    Verify_AccountService_Available

    ${resp} =    Redfish_utils.Get Attribute    /redfish/v1/AccountService    ServiceEnabled
    Should Be Equal As Strings    ${resp}    ${True}


Verify Redfish Admin User Persistence After Reboot
    [Documentation]    Verify Redfish admin user persistence after reboot.
    [Tags]    Verify_Redfish_Admin_User_Persistence_After_Reboot
    # A test-level [Setup] replaces the suite Test Setup, hence the explicit Redfish.Login.
    [Setup]    Run Keywords    Redfish.Login    AND
    ...    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    # Deleting the account in teardown means removal is attempted even when the test body fails.
    [Teardown]    Run Keywords    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    ...    AND    Test Teardown Execution

    # Reboot BMC.
    Redfish OBMC Reboot (off)    stack_mode=normal

    # Verify users after reboot.
    Redfish Verify User    admin_user    TestPwd123    Administrator    ${True}


Verify Redfish Operator User Persistence After Reboot
    [Documentation]    Verify Redfish operator user persistence after reboot.
    [Tags]    Verify_Redfish_Operator_User_Persistence_After_Reboot
    [Setup]    Run Keywords    Redfish.Login    AND
    ...    Redfish Create User    operator_user    TestPwd123    Operator    ${True}
    [Teardown]    Run Keywords    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user
    ...    AND    Test Teardown Execution

    # Reboot BMC.
    Redfish OBMC Reboot (off)    stack_mode=normal

    # Verify users after reboot.
# Final step of "Verify Redfish Operator User Persistence After Reboot": the
# account must still log in and report the Operator role after the reboot.
    Redfish Verify User    operator_user    TestPwd123    Operator    ${True}


Verify Redfish Readonly User Persistence After Reboot
    [Documentation]    Verify Redfish readonly user persistence after reboot.
    [Tags]    Verify_Redfish_Readonly_User_Persistence_After_Reboot
    [Setup]    Run Keywords    Redfish.Login    AND
    ...    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}
    # Account removal is part of teardown, so it is attempted on failure as well.
    [Teardown]    Run Keywords    Redfish.Delete    /redfish/v1/AccountService/Accounts/readonly_user
    ...    AND    Test Teardown Execution

    # Reboot BMC.
    Redfish OBMC Reboot (off)    stack_mode=normal

    # Verify users after reboot.
    Redfish Verify User    readonly_user    TestPwd123    ReadOnly    ${True}

# The three templated tests below create an account, verify login and role,
# and delete it again (see the "Redfish Create And Verify User" keyword).
Redfish Create and Verify Admin User
    [Documentation]    Create a Redfish user with administrator role and verify.
    [Tags]    Redfish_Create_and_Verify_Admin_User
    [Template]    Redfish Create And Verify User

    #username      password      role_id          enabled
    admin_user     TestPwd123    Administrator    ${True}


Redfish Create and Verify Operator User
    [Documentation]    Create a Redfish user with operator role and verify.
    [Tags]    Redfish_Create_and_Verify_Operator_User
    [Template]    Redfish Create And Verify User

    #username        password      role_id     enabled
    operator_user    TestPwd123    Operator    ${True}


Redfish Create and Verify Readonly User
    [Documentation]    Create a Redfish user with readonly role and verify.
    [Tags]    Redfish_Create_and_Verify_Readonly_User
    [Template]    Redfish Create And Verify User

    #username        password      role_id     enabled
    readonly_user    TestPwd123    ReadOnly    ${True}


Verify Redfish Admin User Login With Wrong Password
    [Documentation]    Verify Redfish create admin user with valid password and make sure
    ...    admin user failed to login with wrong password.
# Settings and data row of "Verify Redfish Admin User Login With Wrong Password".
# The three wrong-password tests use wrong passwords of different lengths.
    [Tags]    Verify_Redfish_Admin_User_Login_With_Wrong_Password
    [Template]    Verify Redfish User Login With Wrong Password

    #username      password      role_id          enabled    wrong_password
    admin_user     TestPwd123    Administrator    ${True}    alskjhfwurh


Verify Redfish Operator User Login With Wrong Password
    [Documentation]    Verify Redfish create operator user with valid password and make sure
    ...    operator user failed to login with wrong password.
    [Tags]    Verify_Redfish_Operator_User_Login_With_Wrong_Password
    [Template]    Verify Redfish User Login With Wrong Password

    #username        password      role_id     enabled    wrong_password
    operator_user    TestPwd123    Operator    ${True}    12j8a8uakjhdaosiruf024


Verify Redfish Readonly User Login With Wrong Password
    [Documentation]    Verify Redfish create readonly user with valid password and make sure
    ...    readonly user failed to login with wrong password.
    [Tags]    Verify_Redfish_Readonly_User_Login_With_Wrong_Password
    [Template]    Verify Redfish User Login With Wrong Password

    #username        password      role_id     enabled    wrong_password
    readonly_user    TestPwd123    ReadOnly    ${True}    12


# The "deleted user" tests check that credentials stop working once the
# account has been removed (see "Verify Login with Deleted Redfish User").
Verify Login with Deleted Redfish Admin User
    [Documentation]    Verify login with deleted Redfish admin user.
    [Tags]    Verify_Login_with_Deleted_Redfish_Admin_User
    [Template]    Verify Login with Deleted Redfish User

    #username      password      role_id          enabled
    admin_user     TestPwd123    Administrator    ${True}


Verify Login with Deleted Redfish Operator User
    [Documentation]    Verify login with deleted Redfish operator user.
    [Tags]    Verify_Login_with_Deleted_Redfish_Operator_User
    [Template]    Verify Login with Deleted Redfish User

    #username        password      role_id     enabled
    operator_user    TestPwd123    Operator    ${True}


Verify Login with Deleted Redfish Readonly User
    [Documentation]    Verify login with deleted Redfish readonly user.
# Settings and data row of "Verify Login with Deleted Redfish Readonly User".
    [Tags]    Verify_Login_with_Deleted_Redfish_Readonly_User
    [Template]    Verify Login with Deleted Redfish User

    #username        password      role_id     enabled
    readonly_user    TestPwd123    ReadOnly    ${True}


# The "without enabling" tests create the account with Enabled=${False} and
# expect a login with the correct password to be rejected.
Verify Admin User Creation Without Enabling It
    [Documentation]    Verify admin user creation without enabling it.
    [Tags]    Verify_Admin_User_Creation_Without_Enabling_It
    [Template]    Verify Create User Without Enabling

    #username      password      role_id          enabled
    admin_user     TestPwd123    Administrator    ${False}


Verify Operator User Creation Without Enabling It
    [Documentation]    Verify operator user creation without enabling it.
    [Tags]    Verify_Operator_User_Creation_Without_Enabling_It
    [Template]    Verify Create User Without Enabling

    #username        password      role_id     enabled
    operator_user    TestPwd123    Operator    ${False}


Verify Readonly User Creation Without Enabling It
    [Documentation]    Verify readonly user creation without enabling it.
    [Tags]    Verify_Readonly_User_Creation_Without_Enabling_It
    [Template]    Verify Create User Without Enabling

    #username        password      role_id     enabled
    readonly_user    TestPwd123    ReadOnly    ${False}


Verify User Creation With Invalid Role Id
    [Documentation]    Verify user creation with invalid role ID.
    [Tags]    Verify_User_Creation_With_Invalid_Role_Id

    # Make sure the user account in question does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/test_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user. An unknown RoleId must be rejected with 400.
    # NOTE(review): if the POST were accepted, the test fails here and test_user
    # stays on the BMC; nothing in this test deletes it afterwards.
    ${payload}=    Create Dictionary
    ...    UserName=test_user    Password=TestPwd123    RoleId=wrongroleid    Enabled=${True}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]

Verify Error Upon Creating Same Users With Different Privileges
    [Documentation]    Verify error upon creating same users with different privileges.
# Body of "Verify Error Upon Creating Same Users With Different Privileges":
# a second POST for an existing user name must be rejected with 400.
    [Tags]    Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges

    Redfish Create User    test_user    TestPwd123    Administrator    ${True}

    # Create specified user.
    ${payload}=    Create Dictionary
    ...    UserName=test_user    Password=TestPwd123    RoleId=ReadOnly    Enabled=${True}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_BAD_REQUEST}]

    # NOTE(review): this delete is skipped when a step above fails, which would
    # leave an Administrator account with the fixture password on the BMC.
    # Moving it into a [Teardown] would make the cleanup unconditional.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/test_user


Verify Modifying User Attributes
    [Documentation]    Verify modifying user attributes.
    [Tags]    Verify_Modifying_User_Attributes

    # Create Redfish users.
    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}

    # Make sure the new user account does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/newadmin_user
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Update admin_user username using Redfish.
    ${payload}=    Create Dictionary    UserName=newadmin_user
    Redfish.Patch    /redfish/v1/AccountService/Accounts/admin_user    body=&{payload}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Update readonly_user role using Redfish (ReadOnly -> Administrator).
    ${payload}=    Create Dictionary    RoleId=Administrator
    Redfish.Patch    /redfish/v1/AccountService/Accounts/readonly_user    body=&{payload}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    # Verify users after updating: the renamed account keeps its password and
    # role, and readonly_user now reports the Administrator role.
    Redfish Verify User    newadmin_user    TestPwd123    Administrator    ${True}
    Redfish Verify User    readonly_user    TestPwd123    Administrator    ${True}

    # Delete created users.
    # NOTE(review): not in a [Teardown], so a failure above leaves both
    # accounts (one of them promoted to Administrator) in place.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/newadmin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/readonly_user


Verify Modifying Operator User Attributes
    [Documentation]    Verify modifying operator user attributes.
# Body of "Verify Modifying Operator User Attributes": change the password of
# operator_user and confirm that the new password logs in.
    [Tags]    Verify_Modifying_Operator_User_Attributes
    [Setup]    Run Keywords    Redfish.Login    AND
    ...    Redfish Create User    operator_user    TestPwd123    Operator    ${True}
    [Teardown]    Run Keywords    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user
    ...    AND    Test Teardown Execution

    # Update operator_user password using Redfish.
    # No valid_status_codes is given, so the accepted codes are whatever
    # Redfish.Patch uses by default (not visible in this file).
    ${payload}=    Create Dictionary    Password=NewTestPwd123
    Redfish.Patch    /redfish/v1/AccountService/Accounts/operator_user    body=&{payload}

    # Verify users after updating
    Redfish Verify User    operator_user    NewTestPwd123    Operator    ${True}


Verify User Account Locked
    [Documentation]    Verify user account locked upon trying with invalid password.
    [Tags]    Verify_User_Account_Locked

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}

    # Apply the lockout policy under test.
    # NOTE(review): the previous threshold/duration values are not saved or
    # restored, so this policy stays on the BMC after the test.
    ${payload}=    Create Dictionary    AccountLockoutThreshold=${account_lockout_threshold}
    ...    AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch    ${REDFISH_ACCOUNTS_SERVICE_URI}    body=${payload}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword    ${account_lockout_threshold} times
    ...    Run Keyword And Expect Error    *InvalidCredentialsError*    Redfish.Login    admin_user    abcd1234

    # Verify that legitimate login fails due to lockout: the correct password
    # must be rejected while the account is locked.
    Run Keyword And Expect Error    *InvalidCredentialsError*
    ...    Redfish.Login    admin_user    TestPwd123

    # Wait for the lockout duration to expire, plus a 5 second margin,
    # then verify that login works.
# Remaining steps of "Verify User Account Locked": wait out the lockout window,
# confirm the correct password works again, then clean up.
    ${total_wait_duartion}=    Evaluate    ${account_lockout_duration} + 5
    Sleep    ${total_wait_duartion}s

    Redfish.Login    admin_user    TestPwd123

    Redfish.Logout

    # Back to the default credentials to delete the test account.
    Redfish.Login

    # NOTE(review): this cleanup is skipped if any step above fails.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user


Verify User Account Unlock
    [Documentation]    Verify manually unlocking the account before lockout time
    [Tags]    Verify_User_Account_Unlock
    # A test-level [Teardown] replaces the suite Test Teardown, so
    # "Test Teardown Execution" (and its FFDC collection) does not run here.
    [Teardown]    Run Keywords    Redfish.Logout
    ...    AND    Redfish.Login
    ...    AND    Redfish.Delete    /redfish/v1/AccountService/Accounts/test_user
    ...    AND    SSHLibrary.Close All Connections

    Redfish Create User    test_user    TestPwd123    Administrator    ${True}

    ${payload}=    Create Dictionary
    ...    AccountLockoutThreshold=${account_lockout_threshold}
    ...    AccountLockoutDuration=${account_lockout_duration}
    Redfish.Patch    ${REDFISH_ACCOUNTS_SERVICE_URI}    body=${payload}

    Redfish.Logout

    # Make ${account_lockout_threshold} failed login attempts.
    Repeat Keyword    ${account_lockout_threshold} times
    ...    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    test_user    abc123

    # Ensure SSH login with the locked account fails, i.e. the lock triggered
    # through Redfish is also enforced for SSH.
    SSHLibrary.Open Connection    ${OPENBMC_HOST}
    Run Keyword And Expect Error    Authentication failed*
    ...    SSHLibrary.Login    test_user    TestPwd123

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    test_user    TestPwd123

    ${payload}=    Create Dictionary    Locked=${FALSE}

    # Manually unlock the account before the lockout duration expires
    Redfish.Login
    Redfish.Patch    ${REDFISH_ACCOUNTS_URI}test_user    body=${payload}
    Redfish.Logout

    # Try redfish login with the recently unlocked account
    Redfish.Login    test_user    TestPwd123

    # Try SSH login with the unlocked account
    SSHLibrary.Open Connection    ${OPENBMC_HOST}
    SSHLibrary.Login    test_user    TestPwd123


Verify Admin User Privilege
    [Documentation]    Verify admin user privilege.
    [Tags]    Verify_Admin_User_Privilege

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}

    Redfish.Logout

    Redfish.Login    admin_user    TestPwd123

    # Change password of 'readonly' user with admin user.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/readonly_user    body={'Password': 'NewTestPwd123'}

    # Verify modified user.
    Redfish Verify User    readonly_user    NewTestPwd123    ReadOnly    ${True}

    # Note: the deletes below run with the default credentials, because the
    # "Verify Redfish User Login" keyword (called by "Redfish Verify User")
    # logs in again without arguments in its teardown.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/readonly_user


Verify Operator User Role Change Using Admin Privilege User
    [Documentation]    Verify operator user role change using admin privilege user
    [Tags]    Verify_Operator_User_Role_Change_Using_Admin_Privilege_User

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    operator_user    TestPwd123    Operator    ${True}

    Redfish.Logout

    # Change role ID of operator user with admin user.
    # Login with admin user.
    Redfish.Login    admin_user    TestPwd123

    # Modify Role ID of Operator user.
# Remaining steps of "Verify Operator User Role Change Using Admin Privilege User":
# promote operator_user to Administrator while logged in as admin_user.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/operator_user    body={'RoleId': 'Administrator'}

    # Verify modified user.
    Redfish Verify User    operator_user    TestPwd123    Administrator    ${True}

    # NOTE(review): cleanup is skipped if a step above fails.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user


Verify Operator User Privilege
    [Documentation]    Verify operator user privilege.
    [Tags]    Verify_Operator_User_Privilege

    Redfish Create User    admin_user    TestPwd123    Administrator    ${True}
    Redfish Create User    operator_user    TestPwd123    Operator    ${True}

    Redfish.Logout
    # Login with operator user.
    Redfish.Login    operator_user    TestPwd123

    # Verify BMC reset is refused for the operator session.
    # NOTE(review): the refusal is detected through a ValueError raised by the
    # keyword, presumably on an unexpected HTTP status; confirm against
    # "Redfish BMC Reset Operation".
    Run Keyword And Expect Error    ValueError*    Redfish BMC Reset Operation

    # Attempt to change password of admin user with operator user;
    # the request must be answered with 403.
    Redfish.Patch    /redfish/v1/AccountService/Accounts/admin_user    body={'Password': 'NewTestPwd123'}
    ...    valid_status_codes=[${HTTP_FORBIDDEN}]

    Redfish.Logout

    Redfish.Login

    Redfish.Delete    /redfish/v1/AccountService/Accounts/admin_user
    Redfish.Delete    /redfish/v1/AccountService/Accounts/operator_user


Verify ReadOnly User Privilege
    [Documentation]    Verify ReadOnly user privilege.
    [Tags]    Verify_ReadOnly_User_Privilege

    Redfish Create User    readonly_user    TestPwd123    ReadOnly    ${True}
    Redfish.Logout

    # Login with read_only user.
    Redfish.Login    readonly_user    TestPwd123

    # Read system level data.
    # NOTE(review): only the allowed (read) path is exercised; this test does
    # not assert that a write by the ReadOnly user is rejected.
    ${system_model}=    Redfish_Utils.Get Attribute
    ...    ${SYSTEM_BASE_URI}    Model

    Redfish.Logout
    Redfish.Login
    Redfish.Delete    ${REDFISH_ACCOUNTS_URI}readonly_user


Verify Minimum Password Length For Redfish Admin And Readonly User
    [Documentation]    Verify minimum password length for new and existing admin or
    ...    readonly user.
# Settings and data rows of "Verify Minimum Password Length For Redfish Admin
# And Readonly User". Unlike the other tests it carries no [Tags] of its own.
    [Template]    Verify Minimum Password Length For Redfish User

    #username        role_id
    admin_user       Administrator
    readonly_user    ReadOnly


Verify Standard User Roles Defined By Redfish
    [Documentation]    Verify standard user roles defined by Redfish.
    [Tags]    Verify_Standard_User_Roles_Defined_By_Redfish

    ${member_list}=    Redfish_Utils.Get Member List
    ...    /redfish/v1/AccountService/Roles

    @{roles}=    Create List
    ...    /redfish/v1/AccountService/Roles/Administrator
    ...    /redfish/v1/AccountService/Roles/Operator
    ...    /redfish/v1/AccountService/Roles/ReadOnly

    List Should Contain Sub List    ${member_list}    ${roles}

    # The standard roles are:

    # | Role name | Assigned privileges |
    # | Administrator | Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf |
    # | Operator | Login, ConfigureComponents, ConfigureSelf |
    # | ReadOnly | Login, ConfigureSelf |

    @{admin}=    Create List    Login    ConfigureManager    ConfigureUsers    ConfigureComponents    ConfigureSelf
    @{operator}=    Create List    Login    ConfigureComponents    ConfigureSelf
    @{readOnly}=    Create List    Login    ConfigureSelf

    ${roles_dict}=    create dictionary    admin_privileges=${admin}    operator_privileges=${operator}
    ...    readOnly_privileges=${readOnly}

    # NOTE(review): "List Should Contain Sub List" only requires the expected
    # privileges to be present. A role that reports additional privileges
    # (for example ReadOnly with ConfigureUsers) still passes these checks.
    ${resp}=    redfish.Get    /redfish/v1/AccountService/Roles/Administrator
    List Should Contain Sub List    ${resp.dict['AssignedPrivileges']}    ${roles_dict['admin_privileges']}

    ${resp}=    redfish.Get    /redfish/v1/AccountService/Roles/Operator
    List Should Contain Sub List    ${resp.dict['AssignedPrivileges']}    ${roles_dict['operator_privileges']}

    ${resp}=    redfish.Get    /redfish/v1/AccountService/Roles/ReadOnly
    List Should Contain Sub List    ${resp.dict['AssignedPrivileges']}    ${roles_dict['readOnly_privileges']}


Verify Error While Deleting Root User
    [Documentation]    Verify error while deleting root user.
# Body of "Verify Error While Deleting Root User": deleting the root account
# must be answered with 403.
    [Tags]    Verify_Error_While_Deleting_Root_User

    Redfish.Delete    /redfish/v1/AccountService/Accounts/root    valid_status_codes=[${HTTP_FORBIDDEN}]


Verify SSH Login Access With Admin User
    [Documentation]    Verify that admin user have SSH login access.
    ...    By default, admin should have access but there could be
    ...    case where admin user shell access is restricted by design
    ...    in the community sphere..
    [Tags]    Verify_SSH_Login_Access_With_Admin_User

    # Create an admin User.
    Redfish Create User    new_admin    TestPwd1    Administrator    ${True}

    # Attempt SSH login with admin user.
    # NOTE(review): the SSH connection opened here is not closed in this test.
    SSHLibrary.Open Connection    ${OPENBMC_HOST}
    ${status}=    Run Keyword And Return Status    SSHLibrary.Login    new_admin    TestPwd1

    # By default ssh_status is True, user can change the status via CLI
    # -v ssh_status:False
    # Systems that restrict shell access for admins should run with
    # ssh_status:False so that a successful SSH login is reported as a failure.
    Should Be Equal As Strings    "${status}"    "${ssh_status}"

    # NOTE(review): the delete below is skipped when the assertion above fails,
    # leaving new_admin on the BMC.
    Redfish.Login
    Redfish.Delete    /redfish/v1/AccountService/Accounts/new_admin


Verify Configure BasicAuth Enable And Disable
    [Documentation]    Verify configure basicauth enable and disable
    [Tags]    Verify_Configure_BasicAuth_Enable_And_Disable
    [Template]    Template For Configure Auth Methods

    # auth_method
    # Despite the test name, both BasicAuth and XToken are toggled.
    BasicAuth
    XToken


Redfish Create and Verify Admin User With Invalid Password Format
    [Documentation]    Create a admin user with invalid password format and verify.
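# Settings and data rows of "Redfish Create and Verify Admin User With Invalid
# Password Format": every password below must be rejected at account creation.
    [Template]    Create User With Unsupported Password Format And Verify
    [Tags]    Redfish_Create_and_Verify_Admin_User_With_Invalid_Password_Format

    #username     role_id          password
    admin_user    Administrator    snellens
    admin_user    Administrator    10000001
    admin_user    Administrator    12345678
    admin_user    Administrator    abcdefgh
    admin_user    Administrator    abf12345
    admin_user    Administrator    helloworld
    admin_user    Administrator    HELLOWORLD
    admin_user    Administrator    &$%**!*@
    admin_user    Administrator    Dictation


Redfish Create and Verify Readonly User With Invalid Password Format
    [Documentation]    Create a readonly user with invalid password format and verify.
    [Template]    Create User With Unsupported Password Format And Verify
    [Tags]    Redfish_Create_and_Verify_Readonly_User_With_Invalid_Password_Format

    #username        role_id     password
    readonly_user    ReadOnly    snellens
    readonly_user    ReadOnly    10000001
    readonly_user    ReadOnly    12345678
    readonly_user    ReadOnly    abcdefgh
    readonly_user    ReadOnly    abf12345
    readonly_user    ReadOnly    helloworld
    readonly_user    ReadOnly    HELLOWORLD
    readonly_user    ReadOnly    &$%**!*@
    readonly_user    ReadOnly    Dictation


Verify Admin And Readonly User Password Is Not Same As Username
    [Documentation]    Verify that admin and readonly user creation is failed if
    ...    password is same as username.
    [Template]    Create User With Unsupported Password Format And Verify
    [Tags]    Verify_Admin_And_Readonly_User_Password_Is_Not_Same_As_Username

    #username        role_id          password
    AdminUser1       Administrator    AdminUser1
    ReadOnlyUser1    ReadOnly         ReadOnlyUser1

Verify AccountService Unsupported Methods
    [Documentation]    Verify Unsupported methods of AccountService
    [Tags]    Verify_AccountService_Unsupported_Methods

    # PUT, POST and DELETE on the AccountService resource itself must each be
    # answered with 405 (method not allowed).

    # Put operation on Account Services
    Redfish.Put    /redfish/v1/AccountService
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Post operation on Account Services
    Redfish.Post    /redfish/v1/AccountService
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]

    # Delete operation on Account Services
    Redfish.Delete    /redfish/v1/AccountService
    ...    valid_status_codes=[${HTTP_METHOD_NOT_ALLOWED}]


*** Keywords ***

Test Teardown Execution
    [Documentation]    Do the post test teardown.

    # Logout errors are ignored: some tests end without an active session.
    Run Keyword And Ignore Error    Redfish.Logout
    FFDC On Test Case Fail


Redfish Create User
    [Documentation]    Redfish create user.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}    ${login_check}=${True}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # login_check         Checks user login for created user.
    #                     (e.g. ${True}, ${False}).

    # Make sure the user account in question does not already exist.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${userName}
    ...    valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user.
    ${payload}=    Create Dictionary
    ...    UserName=${username}    Password=${password}    RoleId=${role_id}    Enabled=${enabled}
    Redfish.Post    /redfish/v1/AccountService/Accounts/    body=&{payload}
    ...    valid_status_codes=[${HTTP_CREATED}]

    # Resetting faillock count as a workaround for issue
    # openbmc/phosphor-user-manager#4
    ${cmd}=    Catenate    /usr/sbin/faillock --user ${username} --reset

    Bmc Execute Command    ${cmd}

    # Verify login with created user.
    # "Verify Redfish User Login" already returns the login result as a
    # boolean and does not fail on a rejected login. Its return value is used
    # directly: wrapping it in "Run Keyword And Return Status" would report
    # whether the keyword ran, which made this check pass even when the new
    # credentials were rejected.
    IF    '${login_check}' == '${True}'
        ${status}=    Verify Redfish User Login    ${username}    ${password}
    ELSE
        ${status}=    Set Variable    ${False}
    END

    # The login result must match the requested Enabled state.
    IF    '${login_check}' == '${True}'    Should Be Equal    ${status}    ${enabled}

    # Validate Role ID of created user.
    ${role_config}=    Redfish_Utils.Get Attribute
    ...    /redfish/v1/AccountService/Accounts/${username}    RoleId
    Should Be Equal    ${role_id}    ${role_config}


Redfish Verify User
    [Documentation]    Redfish user verification.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be verified.
    # password            The password expected to log in.
    # role_id             The role ID the account is expected to report
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Expected login result (${True}, ${False}).

    ${status}=    Verify Redfish User Login    ${username}    ${password}
    # Doing a check of the returned status.
    Should Be Equal    ${status}    ${enabled}

    # Validate Role Id of user.
    ${role_config}=    Redfish_Utils.Get Attribute
    ...    /redfish/v1/AccountService/Accounts/${username}    RoleId
    Should Be Equal    ${role_id}    ${role_config}


Verify Redfish User Login
    [Documentation]    Verify Redfish login with given user id.
    # The teardown always returns to a session opened by Redfish.Login without
    # arguments, so callers continue with the suite's default credentials.
    [Teardown]    Run Keywords    Run Keyword And Ignore Error    Redfish.Logout    AND    Redfish.Login
    [Arguments]    ${username}    ${password}

    # Description of argument(s):
    # username            Login username.
    # password            Login password.

    # Logout from current Redfish session.
    # We don't really care if the current session is flushed out since we are going to login
    # with new credential in next.
    Run Keyword And Ignore Error    Redfish.Logout

    # A rejected login is reported through the return value, not as a failure.
    ${status}=    Run Keyword And Return Status    Redfish.Login    ${username}    ${password}
    RETURN    ${status}


Redfish Create And Verify User
    [Documentation]    Redfish create and verify user.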
# Body of "Redfish Create And Verify User": create the account, verify login
# and role, then delete it.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # Example:
    #{
    #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
    #"@odata.id": "/redfish/v1/AccountService/Accounts/test1",
    #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
    #"Description": "User Account",
    #"Enabled": true,
    #"Id": "test1",
    #"Links": {
    #  "Role": {
    #    "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    #  }
    #},

    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}

    Redfish Verify User    ${username}    ${password}    ${role_id}    ${enabled}

    # Delete Specified User
    # NOTE(review): skipped when either keyword above fails, so a failed run
    # can leave the account behind.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}

Verify Redfish User Login With Wrong Password
    [Documentation]    Verify Redfish User failed to login with wrong password.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}    ${wrong_password}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).
    # wrong_password      Any invalid password.

    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}

    Redfish.Logout

    # Attempt to login with created user with invalid password.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    ${username}    ${wrong_password}

    # Log in again with the default credentials for the cleanup.
    Redfish.Login

    # Delete newly created user.
# Last step of "Verify Redfish User Login With Wrong Password": remove the account.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}


Verify Login with Deleted Redfish User
    [Documentation]    Verify Login with Deleted Redfish User.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}

    # Delete newly created user.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${userName}

    Redfish.Logout

    # Attempt to login with deleted user account: the credentials that worked
    # before the delete must now be rejected.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    ${username}    ${password}

    Redfish.Login


Verify Create User Without Enabling
    [Documentation]    Verify Create User Without Enabling.
    [Arguments]    ${username}    ${password}    ${role_id}    ${enabled}

    # Description of argument(s):
    # username            The username to be created.
    # password            The password to be assigned.
    # role_id             The role ID of the user to be created
    #                     (e.g. "Administrator", "Operator", etc.).
    # enabled             Indicates whether the username being created
    #                     should be enabled (${True}, ${False}).

    # login_check is ${False}: the login attempt is made below instead.
    Redfish Create User    ${username}    ${password}    ${role_id}    ${enabled}    ${False}

    Redfish.Logout

    # Login with created user must fail, even with the correct password.
    Run Keyword And Expect Error    InvalidCredentialsError*
    ...    Redfish.Login    ${username}    ${password}

    Redfish.Login

    # Delete newly created user.
    Redfish.Delete    /redfish/v1/AccountService/Accounts/${username}

Template For Configure Auth Methods
    [Documentation]    Template to configure auth methods.
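# Body of "Template For Configure Auth Methods": enable the auth method, check
# that it is accepted, disable it, check that it is rejected, then restore.
    [Arguments]    ${auth_method}
    # Restore the value recorded by "Get AuthMethods Default Values".
    [Teardown]    Configure AuthMethods    ${auth_method}=${initial_value}

    # Description of Argument(s):
    # auth_method         The authmethod setting which needs to be
    #                     set in account service URI.
    # valid values        BasicAuth, XToken.

    Get AuthMethods Default Values    ${auth_method}

    # Patch the auth method to TRUE
    Configure AuthMethods    ${auth_method}=${TRUE}

    IF    "${auth_method}" == "XToken"
        Check XToken Works Fine    ${HTTP_OK}
    ELSE
        Check BasicAuth Works Fine    ${HTTP_OK}
    END

    # Patch the auth method to FALSE
    Configure AuthMethods    ${auth_method}=${FALSE}

    # With the method disabled, a request using it must be answered with 401.
    IF    "${auth_method}" == "BasicAuth"
        Check BasicAuth Works Fine    ${HTTP_UNAUTHORIZED}
    ELSE
        Check XToken Works Fine    ${HTTP_UNAUTHORIZED}
    END

Configure AuthMethods
    [Documentation]    Enable/disable authmethod types.
    [Arguments]    &{authmethods}

    # Description of argument(s):
    # authmethods         The authmethod setting which needs to be
    #                     set in account service URI.
    # Usage Example       Configure AuthMethods    XToken=${TRUE}    BasicAuth=${TRUE}
    #                     This will set the value of "XToken" and "BasicAuth"
    #                     property in accountservice uri to TRUE.

    ${openbmc}=    Create Dictionary    AuthMethods=${authmethods}
    ${oem}=    Create Dictionary    OpenBMC=${openbmc}
    ${payload}=    Create Dictionary    Oem=${oem}

    # Setting authmethod properties using Redfish session based auth
    ${status}=    Run Keyword And Return Status
    ...    Redfish.Patch    ${REDFISH_BASE_URI}AccountService
    ...    body=${payload}    valid_status_codes=[${HTTP_OK},${HTTP_NO_CONTENT}]

    # Setting authmethod properties using basic auth in case the former fails
    IF    ${status}==${FALSE}
        # Payload dictionary pre-process to match json formatting
        ${payload}=    Convert To String    ${payload}
        ${payload}=    Replace String    ${payload}    '    "
        ${payload}=    Replace String    ${payload}    False    false
        ${payload}=    Replace String    ${payload}    True    true

        # Curl Command Framing for PATCH authmethod
        # Caveat: -k turns off TLS certificate verification, and -u places the
        # BMC password on the command line, where it is visible to local
        # process listings and typically ends up in the Robot log. Use only
        # against lab systems with throwaway credentials.
        ${cmd}=    Catenate    curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD}
        ...    -X PATCH '${AUTH_URI}${REDFISH_ACCOUNTS_SERVICE_URI}'
        ...    -H 'content-type:application/json' -H 'If-Match:*'
        ...    -d '${payload}'
        ${rc}    ${out}=    Run And Return Rc And Output    ${cmd}

        # Fail unless the HTTP status line reports 200 or 204. The status line
        # is matched rather than any "200"/"204" substring of the output.
        # "Pass Execution If" is deliberately not used here: it never failed on
        # a rejected PATCH, and on a match it ended the calling test early,
        # skipping the auth checks that follow this keyword.
        Should Match Regexp    ${out}    HTTP/\\S+ (200|204)\\b
    END


Get AuthMethods Default Values
    [Documentation]    Get enabled/disabled status of all authmethods
    ...    from Redfish account service URI
    [Arguments]    ${authmethod}

    # Description of argument(s):
    # authmethod          The authmethod property whose value needs to be
    #                     retrieved from account service URI.
    # Usage Example       Get AuthMethods Default Values    BasicAuth
    #                     stores the current value (e.g. ${TRUE}) in the test
    #                     variable ${initial_value}; nothing is returned.
    # Example:
    # {
    #     "@odata.id": "/redfish/v1/AccountService",
    #     (...)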
878 # "Oem": { 879 # "OpenBMC": { 880 # "AuthMethods": { 881 # "BasicAuth": true, 882 # "Cookie": true, 883 # "SessionToken": true, 884 # "TLS": true, 885 # "XToken": true 886 # } 887 # } 888 # } 889 # } 890 891 ${resp}= Redfish.Get Attribute ${REDFISH_ACCOUNTS_SERVICE_URI} Oem 892 ${authmethods}= Set Variable ${resp['OpenBMC']['AuthMethods']} 893 ${initial_value}= Get From Dictionary ${authmethods} ${authmethod} 894 Set Test Variable ${initial_value} 895 896Check XToken Works Fine 897 [Documentation] Verify Xtoken works fine. 898 [Arguments] ${status_code} 899 900 # Description of Argument(s): 901 # status_code : 200, 401. 902 903 # Verify xtoken auth works for xtoken 904 Redfish.Get ${REDFISH_ACCOUNTS_SERVICE_URI} 905 ... valid_status_codes=[${status_code}] 906 907Check BasicAuth Works Fine 908 [Documentation] Verify Basic Auth works fine. 909 [Arguments] ${status_code} 910 911 # Description of Argument(s): 912 # status_code : 200, 401. 913 914 # Verify basic auth works based on basic auth. 915 ${cmd}= Catenate curl -k -i -u ${OPENBMC_USERNAME}:${OPENBMC_PASSWORD} 916 ... ${AUTH_URI}/redfish/v1/AccountService 917 ${rc} ${out}= Run And Return Rc And Output ${cmd} 918 919 # Check the response of curl command is 200/401 920 Should Contain ${out} ${status_code} 921 922 923Create User With Unsupported Password Format And Verify 924 [Documentation] Create admin or readonly user with unsupported password format 925 ... and verify. 926 [Arguments] ${username} ${role_id} ${password} 927 928 # Description of argument(s): 929 # username The username to be created. 930 # role_id The role ID of the user to be created 931 # (e.g. "Administrator", "ReadOnly"). 932 # password The password to be assigned. 
933 # Unsupported password format are sequential characters, 934 # sequential digits, palindrome digits, palindrome characters, 935 # only uppercase letters, only lowercase letters, only digits, 936 # only characters, not a dictionary word, username and password 937 # should not be same. 938 939 # Make sure the user account in question does not already exist. 940 Redfish.Delete /redfish/v1/AccountService/Accounts/${userName} 941 ... valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}] 942 943 # Create specified user with invalid password format. 944 ${payload}= Create Dictionary 945 ... UserName=${username} Password=${password} RoleId=${role_id} Enabled=${True} 946 Redfish.Post /redfish/v1/AccountService/Accounts/ body=&{payload} 947 ... valid_status_codes=[${HTTP_BAD_REQUEST}] 948 949 950Verify Minimum Password Length For Redfish User 951 [Documentation] Verify minimum password length for new and existing admin or 952 ... readonly user. 953 [Arguments] ${user_name} ${role_id} 954 955 # Description of argument(s): 956 # user_name The username to be created. 957 # role_id The role ID of the user to be created. 958 959 # Make sure the user account in question does not already exist. 960 Redfish.Delete /redfish/v1/AccountService/Accounts/${user_name} 961 ... valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}] 962 963 # Try to create a user with invalid length password. 964 ${payload}= Create Dictionary 965 ... UserName=${user_name} Password=UserPwd RoleId=${role_id} Enabled=${True} 966 Redfish.Post /redfish/v1/AccountService/Accounts/ body=&{payload} 967 ... valid_status_codes=[${HTTP_BAD_REQUEST}] 968 969 # Create specified user with valid length password. 970 Set To Dictionary ${payload} Password UserPwd1 971 Redfish.Post /redfish/v1/AccountService/Accounts/ body=&{payload} 972 ... valid_status_codes=[${HTTP_CREATED}] 973 974 # Try to change to an invalid password. 975 Redfish.Patch /redfish/v1/AccountService/Accounts/${user_name} body={'Password': 'UserPwd'} 976 ... 
valid_status_codes=[${HTTP_BAD_REQUEST}] 977 978 # Change to a valid password. 979 Redfish.Patch /redfish/v1/AccountService/Accounts/${user_name} body={'Password': 'UserPwd1'} 980 981 # Verify login. 982 Redfish.Logout 983 Redfish.Login ${user_name} UserPwd1 984 Redfish.Logout 985 Redfish.Login 986 Redfish.Delete /redfish/v1/AccountService/Accounts/${user_name} 987