*** Settings ***


Documentation       Suite to test certificate via DMTF redfishtool.

Library             OperatingSystem
Library             String
Library             Collections
Library             JSONLibrary

Resource            ../../lib/resource.robot
Resource            ../../lib/bmc_redfish_resource.robot
Resource            ../../lib/openbmc_ffdc.robot
Resource            ../../lib/certificate_utils.robot
Resource            ../../lib/dmtf_redfishtool_utils.robot

Suite Setup         Suite Setup Execution

Test Tags           Redfishtool_Certificate

*** Variables ***

${root_cmd_args} =  SEPARATOR=
...  redfishtool raw -r ${OPENBMC_HOST}:${HTTPS_PORT} -u ${OPENBMC_USERNAME} -p ${OPENBMC_PASSWORD} -S Always
${invalid_value}    abc
${keybit_length}    ${2048}

*** Test Cases ***


Verify Redfishtool Replace Server Certificate Valid CertKey
    [Documentation]    Verify replace server certificate.
    [Tags]    Verify_Redfishtool_Replace_Server_Certificate_Valid_CertKey

    Verify Redfishtool Replace Certificate    Server    Valid Certificate Valid Privatekey    ok


Verify Redfishtool Replace Client Certificate Valid CertKey
    [Documentation]    Verify replace client certificate.
    [Tags]    Verify_Redfishtool_Replace_Client_Certificate_Valid_CertKey

    Verify Redfishtool Replace Certificate    Client    Valid Certificate Valid Privatekey    ok


Verify Redfishtool Replace CA Certificate Valid Cert
    [Documentation]    Verify replace CA certificate.
    [Tags]    Verify_Redfishtool_Replace_CA_Certificate_Valid_Cert

    Verify Redfishtool Replace Certificate    CA    Valid Certificate    ok


Verify Redfishtool Client Certificate Install Valid CertKey
    [Documentation]    Verify client certificate installation.
    [Tags]    Verify_Redfishtool_Client_Certificate_Install_Valid_CertKey

    Verify Redfishtool Install Certificate    Client    Valid Certificate Valid Privatekey    ok


Verify Redfishtool CA Certificate Install Valid Cert
    [Documentation]    Verify CA Certificate installation.
    [Tags]    Verify_Redfishtool_CA_Certificate_Install_Valid_Cert

    Verify Redfishtool Install Certificate    CA    Valid Certificate    ok


Verify Redfishtool Replace Server Certificate Errors
    [Documentation]    Verify error while replacing invalid server certificate.
    [Tags]    Verify_Redfishtool_Replace_Server_Certificate_Errors
    [Template]    Verify Redfishtool Replace Certificate

    Server    Empty Certificate Empty Privatekey    error
    Server    Empty Certificate Valid Privatekey    error
    Server    Valid Certificate Empty Privatekey    error


Verify Redfishtool Replace Client Certificate Errors
    [Documentation]    Verify error while replacing invalid client certificate.
    [Tags]    Verify_Redfishtool_Replace_Client_Certificate_Errors
    [Template]    Verify Redfishtool Replace Certificate

    Client    Empty Certificate Empty Privatekey    error
    Client    Empty Certificate Valid Privatekey    error
    Client    Valid Certificate Empty Privatekey    error


Verify Redfishtool Replace CA Certificate Errors
    [Documentation]    Verify error while replacing invalid CA certificate.
    [Tags]    Verify_Redfishtool_Replace_CA_Certificate_Errors
    [Template]    Verify Redfishtool Replace Certificate

    CA    Empty Certificate    error


Verify Redfishtool Client Certificate Install Errors
    [Documentation]    Verify error while installing invalid client certificate.
    [Tags]    Verify_Redfishtool_Client_Certificate_Install_Errors
    [Template]    Verify Redfishtool Install Certificate

    Client    Empty Certificate Empty Privatekey    error
    Client    Empty Certificate Valid Privatekey    error
    Client    Valid Certificate Empty Privatekey    error


Verify Redfishtool CA Certificate Install Errors
    [Documentation]    Verify error while installing invalid CA certificate.
    [Tags]    Verify_Redfishtool_CA_Certificate_Install_Errors
    [Template]    Verify Redfishtool Install Certificate

    # cert_type    cert_format    expected_status
    CA    Empty Certificate    error


Verify Error While Uploading Same CA Certificate Via Redfishtool
    [Documentation]    Verify error while uploading same CA certificate two times.
    [Tags]    Verify_Error_While_Uploading_Same_CA_Certificate_Via_Redfishtool

    # Create certificate file for uploading.
    ${cert_file_path}=    Generate Certificate File Via Openssl    Valid Certificate    365
    ${bytes}=    OperatingSystem.Get Binary File    ${cert_file_path}
    ${file_data}=    Decode Bytes To String    ${bytes}    UTF-8

    # Install CA certificate.
    Redfishtool Install Certificate File On BMC    ${REDFISH_CA_CERTIFICATE_URI}    ok    data=${file_data}

    # Adding delay after certificate installation.
    Sleep    30s

    # Check error while uploading same certificate.
    Redfishtool Install Certificate File On BMC    ${REDFISH_CA_CERTIFICATE_URI}    error    data=${file_data}


Install Server Certificate Using Redfishtool And Verify Via OpenSSL
    [Documentation]    Install server certificate using Redfishtool and verify via OpenSSL.
    [Tags]    Install_Server_Certificate_Using_Redfishtool_And_Verify_Via_OpenSSL

    ${cert_file_path}=    Generate Certificate File Via Openssl    Valid Certificate Valid Privatekey
    ${bytes}=    OperatingSystem.Get Binary File    ${cert_file_path}
    ${file_data}=    Decode Bytes To String    ${bytes}    UTF-8

    ${certificate_dict}=    Create Dictionary
    ...    @odata.id=/redfish/v1/Managers/${MANAGER_ID}/NetworkProtocol/HTTPS/Certificates/1

    ${dict_objects}=    Create Dictionary    CertificateString=${file_data}
    ...    CertificateType=PEM    CertificateUri=${certificate_dict}

    # Convert the dictionary to a single-quoted JSON string for the redfishtool command line.
    ${string}=    Convert To String    ${dict_objects}
    ${string}=    Replace String    ${string}    '    "
    ${payload}=    Set Variable    '${string}'

    ${response}=    Redfishtool Post
    ...    ${payload}    /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...    expected_error=${HTTP_OK}, ${HTTP_NO_CONTENT}

    Wait Until Keyword Succeeds    2 mins    15 secs    Verify Certificate Visible Via OpenSSL    ${cert_file_path}


Verify CSR Generation For Server Certificate Via Redfishtool
    [Documentation]    Verify CSR generation for server certificate.
    [Tags]    Verify_CSR_Generation_For_Server_Certificate_Via_Redfishtool
    [Template]    Generate CSR Via Redfishtool

    # csr_type    key_pair_algorithm    key_bit_length    key_curv_id    expected_status
    Server    RSA    ${keybit_length}    ${EMPTY}      ok
    Server    EC     ${EMPTY}            prime256v1    ok
    Server    EC     ${EMPTY}            secp521r1     ok
    Server    EC     ${EMPTY}            secp384r1     ok


Verify CSR Generation For Client Certificate Via Redfishtool
    [Documentation]    Verify CSR generation for client certificate.
    [Tags]    Verify_CSR_Generation_For_Client_Certificate_Via_Redfishtool
    [Template]    Generate CSR Via Redfishtool

    # csr_type    key_pair_algorithm    key_bit_length    key_curv_id    expected_status
    Client    RSA    ${keybit_length}    ${EMPTY}      ok
    Client    EC     ${EMPTY}            prime256v1    ok
    Client    EC     ${EMPTY}            secp521r1     ok
    Client    EC     ${EMPTY}            secp384r1     ok


Verify CSR Generation For Server Certificate With Invalid Value Via Redfishtool
    [Documentation]    Verify error while generating CSR for server certificate with invalid value.
    [Tags]    Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value_Via_Redfishtool
    [Template]    Generate CSR Via Redfishtool

    # csr_type    key_pair_algorithm    key_bit_length    key_curv_id    expected_status
    Server    ${invalid_value}    ${keybit_length}    prime256v1    error
    Server    RSA                 ${invalid_value}    ${EMPTY}      error


Verify CSR Generation For Client Certificate With Invalid Value Via Redfishtool
    [Documentation]    Verify error while generating CSR for client certificate with invalid value.
    [Tags]    Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value_Via_Redfishtool
    [Template]    Generate CSR Via Redfishtool

    # csr_type    key_pair_algorithm    key_bit_length    key_curv_id    expected_status
    Client    ${invalid_value}    ${keybit_length}    prime256v1    error
    Client    RSA                 ${invalid_value}    ${EMPTY}      error

*** Keywords ***


Generate CSR Via Redfishtool
    [Documentation]    Generate CSR using Redfish.
    [Arguments]    ${cert_type}    ${key_pair_algorithm}    ${key_bit_length}    ${key_curv_id}
    ...    ${expected_status}

    # Description of argument(s):
    # cert_type             Certificate type ("Server" or "Client").
    # key_pair_algorithm    CSR key pair algorithm ("EC" or "RSA").
    # key_bit_length        CSR key bit length ("2048").
    # key_curv_id           CSR key curve id ("prime256v1" or "secp521r1" or "secp384r1").
    # expected_status       Expected status of CSR generation Redfishtool request ("ok" or "error").

    ${certificate_uri}=    Set Variable If
    ...    '${cert_type}' == 'Server'    ${REDFISH_HTTPS_CERTIFICATE_URI}/
    ...    '${cert_type}' == 'Client'    ${REDFISH_LDAP_CERTIFICATE_URI}/

    ${certificate_dict}=    Create Dictionary    @odata.id=${certificate_uri}

    ${csr_dict}=    Create Dictionary    City=Austin    CertificateCollection=${certificate_dict}
    ...    CommonName=${OPENBMC_HOST}    Country=US    Organization=xyz
    ...    OrganizationalUnit=ISL    State=AU    KeyBitLength=${key_bit_length}
    ...    KeyPairAlgorithm=${key_pair_algorithm}    KeyCurveId=${key_curv_id}

    # Remove the field that does not apply to the selected key pair algorithm.
    IF    '${key_pair_algorithm}' == 'EC'
        Remove From Dictionary    ${csr_dict}    KeyBitLength
    ELSE IF    '${key_pair_algorithm}' == 'RSA'
        Remove From Dictionary    ${csr_dict}    KeyCurveId
    END

    ${expected_resp}=    Set Variable If
    ...    '${expected_status}' == 'ok'    ${HTTP_OK}, ${HTTP_NO_CONTENT}
    ...    '${expected_status}' == 'error'    ${HTTP_BAD_REQUEST}

    ${string}=    Convert To String    ${csr_dict}

    ${string2}=    Replace String    ${string}    '    "

    ${payload}=    Set Variable    '${string2}'

    ${response}=    Redfishtool Post
    ...    ${payload}    /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR
    ...    expected_error=${expected_resp}

    # Delay added between two CSR generation requests.
    Sleep    5s


Verify Redfishtool Install Certificate
    [Documentation]    Install and verify certificate using Redfishtool.
    [Arguments]    ${cert_type}    ${cert_format}    ${expected_status}    ${delete_cert}=${True}
    ...    ${install_type}=install

    # Description of argument(s):
    # cert_type          Certificate type (e.g. "Client" or "CA").
    # cert_format        Certificate file format
    # expected_status    Expected status of certificate install Redfishtool
    #                    request (i.e. "ok" or "error").
    # delete_cert        Certificate will be deleted before installing if this is True.
    # install_type       "install" or "replace". For any value other than "install",
    #                    installation is skipped when a certificate already exists.

    IF    '${cert_type}' == 'CA'
        Delete All CA Certificate Via Redfishtool    ${delete_cert}
    ELSE IF    '${cert_type}' == 'Client'
        Redfishtool Delete Certificate Via BMC CLI    ${cert_type}    ${delete_cert}
    END

    IF    "${install_type}" != "install" and "${file_status}" != "Not Found"
        RETURN
    END

    ${cert_file_path}=    Generate Certificate File Via Openssl    ${cert_format}
    ${bytes}=    OperatingSystem.Get Binary File    ${cert_file_path}
    ${file_data}=    Decode Bytes To String    ${bytes}    UTF-8

    ${certificate_uri}=    Set Variable If
    ...    '${cert_type}' == 'Client'    ${REDFISH_LDAP_CERTIFICATE_URI}
    ...    '${cert_type}' == 'CA'    ${REDFISH_CA_CERTIFICATE_URI}

    ${cert_id}=    Redfishtool Install Certificate File On BMC
    ...    ${certificate_uri}    ${expected_status}    data=${file_data}
    Logging    Installed certificate id: ${cert_id}
    Set Test Variable    ${cert_id}

    # Adding delay after certificate installation.
    Sleep    30s

    ${cert_file_content}=    OperatingSystem.Get File    ${cert_file_path}

    IF    '${expected_status}' == 'ok'
        ${bmc_cert_content}=    Redfishtool GetAttribute    ${certificate_uri}/${cert_id}    CertificateString
        Should Contain    ${cert_file_content}    ${bmc_cert_content}
    END


Delete All CA Certificate Via Redfishtool
    [Documentation]    Delete all CA certificates via Redfish.
    [Arguments]    ${delete_cert}=${True}

    # Description of argument(s):
    # delete_cert    Existing CA certificates are deleted if this is True.

    ${cmd_output}=    Redfishtool Get    /redfish/v1/Managers/${MANAGER_ID}/Truststore/Certificates
    ${cmd_output}=    Convert String To JSON    ${cmd_output}
    ${cert_list}=    Set Variable    ${cmd_output["Members"]}
    ${uri_length}=    Get Length    ${cert_list}
    ${file_status}=    Set Variable If
    ...    "${uri_length}" == "0"    Not Found
    ...    "${uri_length}" != "0"    Found
    ${cert_id}=    Set Variable If
    ...    "${uri_length}" != "0"    ${cert_list[-1]["@odata.id"].split("/")[-1].strip()}
    ...    "${uri_length}" == "0"    None
    Set Test Variable    ${cert_id}
    Set Test Variable    ${file_status}

    IF    "${file_status}" != "Found" or "${delete_cert}" != "${True}"
        RETURN
    END

    FOR    ${cert}    IN    @{cert_list}
        Redfishtool Delete    ${cert["@odata.id"]}    ${root_cmd_args}
    END


Redfishtool Delete Certificate Via BMC CLI
    [Documentation]    Delete certificate via BMC CLI.
    [Arguments]    ${cert_type}    ${delete_cert}=${True}

    # Description of argument(s):
    # cert_type      Certificate type (e.g. "Client" or "CA").
    # delete_cert    Existing certificate file is deleted if this is True.

    # Check if cert type is Client else set to CA parameters.

    ${certificate_file_path}=    Set Variable If    '${cert_type}' == 'Client'
    ...    /etc/nslcd/certs/cert.pem    ${ROOT_CA_FILE_PATH}

    ${certificate_service}=    Set Variable If    '${cert_type}' == 'Client'
    ...    phosphor-certificate-manager@nslcd.service
    ...    phosphor-certificate-manager@authority.service

    ${certificate_uri}=    Set Variable If    '${cert_type}' == 'Client'
    ...    ${REDFISH_LDAP_CERTIFICATE_URI}
    ...    ${REDFISH_CA_CERTIFICATE_URI}

    ${file_status}    ${stderr}    ${rc}=    BMC Execute Command
    ...    [ -f ${certificate_file_path} ] && echo "Found" || echo "Not Found"

    Set Test Variable    ${file_status}

    IF    "${file_status}" != "Found" or '${delete_cert}' != "${True}"
        RETURN
    END

    BMC Execute Command    rm ${certificate_file_path}
    BMC Execute Command    systemctl restart ${certificate_service}
    BMC Execute Command    systemctl daemon-reload


Redfishtool Install Certificate File On BMC
    [Documentation]    Install certificate file in BMC using POST operation.
    [Arguments]    ${uri}    ${status}=ok    &{kwargs}

    # Description of argument(s):
    # uri       URI for installing certificate file via Redfishtool.
    #           e.g. "/redfish/v1/AccountService/LDAP/Certificates".
    # status    Expected status of certificate installation via Redfishtool.
    #           e.g. error, ok.
    # kwargs    A dictionary of keys/values to be passed directly to
    #           POST Request.

    Initialize OpenBMC    20    ${quiet}=${1}    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}

    ${headers}=    Create Dictionary    Content-Type=application/octet-stream
    ...    X-Auth-Token=${XAUTH_TOKEN}
    Set To Dictionary    ${kwargs}    headers    ${headers}

    ${resp}=    POST On Session    openbmc    ${uri}    &{kwargs}    expected_status=any
    ${cert_id}=    Set Variable If
    ...    '${resp.status_code}' == '${HTTP_OK}'    ${resp.json()["Id"]}
    ...    '${resp.status_code}' == '${HTTP_NO_CONTENT}'    ${resp.json()["Id"]}    -1

    IF    '${status}' == 'ok'
        Should Contain Any    "${resp.status_code}"    ${HTTP_OK}    ${HTTP_NO_CONTENT}
    ELSE IF    '${status}' == 'error'
        Should Be Equal As Strings    ${resp.status_code}    ${HTTP_INTERNAL_SERVER_ERROR}
    END

    Delete All Sessions

    RETURN    ${cert_id}


Verify Redfishtool Replace Certificate
    [Documentation]    Verify replace server, client or CA certificate.
    [Arguments]    ${cert_type}    ${cert_format}    ${expected_status}

    # Description of argument(s):
    # cert_type          Certificate type (e.g. "Client", "Server" or "CA").
    # cert_format        Certificate file format
    #                    (e.g. "Valid_Certificate_Valid_Privatekey").
    # expected_status    Expected status of certificate replace Redfishtool
    #                    request (i.e. "ok" or "error").

    # Install certificate before replacing client or CA certificate.
    IF    '${cert_type}' == 'Client'
        Verify Redfishtool Install Certificate    ${cert_type}    ${cert_format}    ${expected_status}
        ...    ${False}    replace
    ELSE IF    '${cert_type}' == 'CA'
        Verify Redfishtool Install Certificate    ${cert_type}    ${cert_format}    ${expected_status}
        ...    ${False}    replace
    END

    ${cert_file_path}=    Generate Certificate File Via Openssl    ${cert_format}
    ${bytes}=    OperatingSystem.Get Binary File    ${cert_file_path}
    ${file_data}=    Decode Bytes To String    ${bytes}    UTF-8

    ${certificate_uri}=    Set Variable If
    ...    '${cert_type}' == 'Server'    ${REDFISH_HTTPS_CERTIFICATE_URI}/1
    ...    '${cert_type}' == 'Client'    ${REDFISH_LDAP_CERTIFICATE_URI}/1
    ...    '${cert_type}' == 'CA'    ${REDFISH_CA_CERTIFICATE_URI}/${cert_id}

    ${certificate_dict}=    Create Dictionary    @odata.id=${certificate_uri}
    ${dict_objects}=    Create Dictionary    CertificateString=${file_data}
    ...    CertificateType=PEM    CertificateUri=${certificate_dict}
    ${string}=    Convert To String    ${dict_objects}
    ${string}=    Replace String    ${string}    '    "
    ${payload}=    Set Variable    '${string}'

    ${expected_resp}=    Set Variable If
    ...    '${expected_status}' == 'ok'    ${HTTP_OK}, ${HTTP_NO_CONTENT}
    ...    '${expected_status}' == 'error'    ${HTTP_NOT_FOUND},${HTTP_INTERNAL_SERVER_ERROR}

    ${response}=    Redfishtool Post
    ...    ${payload}    /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...    expected_error=${expected_resp}

    ${cert_file_content}=    OperatingSystem.Get File    ${cert_file_path}
    Sleep    5s
    ${bmc_cert_content}=    Redfishtool GetAttribute    ${certificate_uri}    CertificateString

    # A rejected certificate must not appear on the BMC after the request.
    IF    '${expected_status}' == 'ok'
        Should Contain    ${cert_file_content}    ${bmc_cert_content}
    ELSE
        Should Not Contain    ${cert_file_content}    ${bmc_cert_content}
    END


Redfishtool GetAttribute
    [Documentation]    Execute redfishtool for GET operation.
    [Arguments]    ${uri}    ${Attribute}    ${cmd_args}=${root_cmd_args}    ${expected_error}=""

    # Description of argument(s):
    # uri               URI for GET operation (e.g. /redfish/v1/AccountService/Accounts/).
    # Attribute         The specific attribute to be retrieved with the URI.
    # cmd_args          Commandline arguments.
    # expected_error    Expected error optionally provided in testcase (e.g. 401 /
    #                   authentication error, etc. ).

    ${rc}    ${cmd_output}=    Run And Return RC And Output    ${cmd_args} GET ${uri}
    IF    ${rc} != 0    Is HTTP Error Expected    ${cmd_output}    ${expected_error}

    ${cmd_output}=    Convert String To JSON    ${cmd_output}

    # Return the requested attribute from the JSON response.
    RETURN    ${cmd_output}[${Attribute}]


Suite Setup Execution
    [Documentation]    Do suite setup execution.

    ${tool_exist}=    Run    which redfishtool
    Should Not Be Empty    ${tool_exist}

    # Create certificate sub-directory in current working directory.
    Create Directory    certificate_dir