1*** Settings *** 2 3 4Documentation Suite to test certificate via DMTF redfishtool. 5 6Library OperatingSystem 7Library String 8Library Collections 9Library JSONLibrary 10 11Resource ../../lib/resource.robot 12Resource ../../lib/bmc_redfish_resource.robot 13Resource ../../lib/openbmc_ffdc.robot 14Resource ../../lib/certificate_utils.robot 15Resource ../../lib/dmtf_redfishtool_utils.robot 16 17Suite Setup Suite Setup Execution 18 19 20*** Variables *** 21 22${root_cmd_args} = SEPARATOR= 23... redfishtool raw -r ${OPENBMC_HOST}:${HTTPS_PORT} -u ${OPENBMC_USERNAME} -p ${OPENBMC_PASSWORD} -S Always 24${invalid_value} abc 25${keybit_length} ${2048} 26 27*** Test Cases *** 28 29 30Verify Redfishtool Replace Server Certificate Valid CertKey 31 [Documentation] Verify replace server certificate. 32 [Tags] Verify_Redfishtool_Replace_Server_Certificate_Valid_CertKey 33 34 Verify Redfishtool Replace Certificate Server Valid Certificate Valid Privatekey ok 35 36 37Verify Redfishtool Replace Client Certificate Valid CertKey 38 [Documentation] Verify replace client certificate. 39 [Tags] Verify_Redfishtool_Replace_Client_Certificate_Valid_CertKey 40 41 Verify Redfishtool Replace Certificate Client Valid Certificate Valid Privatekey ok 42 43 44Verify Redfishtool Replace CA Certificate Valid Cert 45 [Documentation] Verify replace CA certificate. 46 [Tags] Verify_Redfishtool_Replace_CA_Certificate_Valid_Cert 47 48 Verify Redfishtool Replace Certificate CA Valid Certificate ok 49 50 51Verify Redfishtool Client Certificate Install Valid CertKey 52 [Documentation] Verify client certificate installation. 53 [Tags] Verify_Redfishtool_Client_Certificate_Install_Valid_CertKey 54 55 Verify Redfishtool Install Certificate Client Valid Certificate Valid Privatekey ok 56 57 58Verify Redfishtool CA Certificate Install Valid Cert 59 [Documentation] Verify CA Certificate installation. 60 [Tags] Verify_Redfishtool_CA_Certificate_Install_Valid_Cert 61 62 Verify Redfishtool Install Certificate CA Valid Certificate ok 63 64 65Verify Redfishtool Replace Server Certificate Errors 66 [Documentation] Verify error while replacing invalid server certificate. 67 [Tags] Verify_Redfishtool_Replace_Server_Certificate_Errors 68 [Template] Verify Redfishtool Replace Certificate 69 70 Server Empty Certificate Empty Privatekey error 71 Server Empty Certificate Valid Privatekey error 72 Server Valid Certificate Empty Privatekey error 73 74 75Verify Redfishtool Replace Client Certificate Errors 76 [Documentation] Verify error while replacing invalid client certificate. 77 [Tags] Verify_Redfishtool_Replace_Client_Certificate_Errors 78 [Template] Verify Redfishtool Replace Certificate 79 80 Client Empty Certificate Empty Privatekey error 81 Client Empty Certificate Valid Privatekey error 82 Client Valid Certificate Empty Privatekey error 83 84 85Verify Redfishtool Replace CA Certificate Errors 86 [Documentation] Verify error while replacing invalid CA certificate. 87 [Tags] Verify_Redfishtool_Replace_CA_Certificate_Errors 88 [Template] Verify Redfishtool Replace Certificate 89 90 CA Empty Certificate error 91 92 93Verify Redfishtool Client Certificate Install Errors 94 [Documentation] Verify error while installing invalid client certificate. 95 [Tags] Verify_Redfishtool_Client_Certificate_Install_Errors 96 [Template] Verify Redfishtool Install Certificate 97 98 Client Empty Certificate Empty Privatekey error 99 Client Empty Certificate Valid Privatekey error 100 Client Valid Certificate Empty Privatekey error 101 102 103Verify Redfishtool CA Certificate Install Errors 104 [Documentation] Verify error while installing invalid CA certificate. 105 [Tags] Verify_Redfishtool_CA_Certificate_Install_Errors 106 [Template] Verify Redfishtool Install Certificate 107 108 # cert_type cert_format expected_status 109 CA Empty Certificate error 110 111 112Verify Error While Uploading Same CA Certificate Via Redfishtool 113 [Documentation] Verify error while uploading same CA certificate two times. 114 [Tags] Verify_Error_While_Uploading_Same_CA_Certificate_Via_Redfishtool 115 116 # Create certificate file for uploading. 117 ${cert_file_path}= Generate Certificate File Via Openssl Valid Certificate 365 118 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path} 119 ${file_data}= Decode Bytes To String ${bytes} UTF-8 120 121 # Install CA certificate. 122 Redfishtool Install Certificate File On BMC ${REDFISH_CA_CERTIFICATE_URI} ok data=${file_data} 123 124 # Adding delay after certificate installation. 125 Sleep 30s 126 127 # Check error while uploading same certificate. 128 Redfishtool Install Certificate File On BMC ${REDFISH_CA_CERTIFICATE_URI} error data=${file_data} 129 130 131Install Server Certificate Using Redfishtool And Verify Via OpenSSL 132 [Documentation] Install server certificate using Redfishtool and verify via OpenSSL. 133 [Tags] Install_Server_Certificate_Using_Redfishtool_And_Verify_Via_OpenSSL 134 135 ${cert_file_path}= Generate Certificate File Via Openssl Valid Certificate Valid Privatekey 136 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path} 137 ${file_data}= Decode Bytes To String ${bytes} UTF-8 138 139 ${certificate_dict}= Create Dictionary 140 ... @odata.id=/redfish/v1/Managers/${MANAGER_ID}/NetworkProtocol/HTTPS/Certificates/1 141 142 ${dict_objects}= Create Dictionary CertificateString=${file_data} 143 ... CertificateType=PEM CertificateUri=${certificate_dict} 144 145 ${string}= Convert To String ${dict_objects} 146 ${string}= Replace String ${string} ' " 147 ${payload}= Set Variable '${string}' 148 149 ${response}= Redfishtool Post 150 ... ${payload} /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate 151 152 Wait Until Keyword Succeeds 2 mins 15 secs Verify Certificate Visible Via OpenSSL ${cert_file_path} 153 154 155Verify CSR Generation For Server Certificate Via Redfishtool 156 [Documentation] Verify CSR generation for server certificate. 157 [Tags] Verify_CSR_Generation_For_Server_Certificate_Via_Redfishtool 158 [Template] Generate CSR Via Redfishtool 159 160 # csr_type key_pair_algorithm key_bit_length key_curv_id expected_status 161 Server RSA ${keybit_length} ${EMPTY} ok 162 Server EC ${EMPTY} prime256v1 ok 163 Server EC ${EMPTY} secp521r1 ok 164 Server EC ${EMPTY} secp384r1 ok 165 166 167Verify CSR Generation For Client Certificate Via Redfishtool 168 [Documentation] Verify CSR generation for client certificate. 169 [Tags] Verify_CSR_Generation_For_Client_Certificate_Via_Redfishtool 170 [Template] Generate CSR Via Redfishtool 171 172 # csr_type key_pair_algorithm key_bit_length key_curv_id expected_status 173 Client RSA ${keybit_length} ${EMPTY} ok 174 Client EC ${EMPTY} prime256v1 ok 175 Client EC ${EMPTY} secp521r1 ok 176 Client EC ${EMPTY} secp384r1 ok 177 178 179Verify CSR Generation For Server Certificate With Invalid Value Via Redfishtool 180 [Documentation] Verify error while generating CSR for server certificate with invalid value. 181 [Tags] Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value_Via_Redfishtool 182 [Template] Generate CSR Via Redfishtool 183 184 # csr_type key_pair_algorithm key_bit_length key_curv_id expected_status 185 Server ${invalid_value} ${keybit_length} prime256v1 error 186 Server RAS ${invalid_value} ${EMPTY} error 187 188 189Verify CSR Generation For Client Certificate With Invalid Value Via Redfishtool 190 [Documentation] Verify error while generating CSR for client certificate with invalid value. 191 [Tags] Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value_Via_Redfishtool 192 [Template] Generate CSR Via Redfishtool 193 194 Client ${invalid_value} ${keybit_length} prime256v1 error 195 Client RSA ${invalid_value} ${EMPTY} error 196 197*** Keywords *** 198 199 200Generate CSR Via Redfishtool 201 [Documentation] Generate CSR using Redfish. 202 [Arguments] ${cert_type} ${key_pair_algorithm} ${key_bit_length} ${key_curv_id} ${expected_status} 203 204 # Description of argument(s): 205 # cert_type Certificate type ("Server" or "Client"). 206 # key_pair_algorithm CSR key pair algorithm ("EC" or "RSA"). 207 # key_bit_length CSR key bit length ("2048"). 208 # key_curv_id CSR key curv id ("prime256v1" or "secp521r1" or "secp384r1"). 209 # expected_status Expected status of certificate replace Redfishtool request ("ok" or "error"). 210 211 ${certificate_uri}= Set Variable If 212 ... '${cert_type}' == 'Server' ${REDFISH_HTTPS_CERTIFICATE_URI}/ 213 ... '${cert_type}' == 'Client' ${REDFISH_LDAP_CERTIFICATE_URI}/ 214 215 ${certificate_dict}= Create Dictionary @odata.id=${certificate_uri} 216 217 ${csr_dict}= Create Dictionary City=Austin CertificateCollection=${certificate_dict} 218 ... CommonName=${OPENBMC_HOST} Country=US Organization=xyz 219 ... OrganizationalUnit=ISL State=AU KeyBitLength=${key_bit_length} 220 ... KeyPairAlgorithm=${key_pair_algorithm} KeyCurveId=${key_curv_id} 221 222 # Remove not applicable field for CSR generation. 223 Run Keyword If '${key_pair_algorithm}' == 'EC' Remove From Dictionary ${csr_dict} KeyBitLength 224 ... ELSE IF '${key_pair_algorithm}' == 'RSA' Remove From Dictionary ${csr_dict} KeyCurveId 225 226 ${expected_resp}= Set Variable If 227 ... '${expected_status}' == 'ok' ${HTTP_OK}, ${HTTP_NO_CONTENT} 228 ... '${expected_status}' == 'error' ${HTTP_BAD_REQUEST} 229 230 ${string}= Convert To String ${csr_dict} 231 232 ${string2}= Replace String ${string} ' " 233 234 ${payload}= Set Variable '${string2}' 235 236 ${response}= Redfishtool Post 237 ... ${payload} /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR 238 ... expected_error=${expected_resp} 239 240 # Delay added between two CSR generation request. 241 Sleep 5s 242 243 244Verify Redfishtool Install Certificate 245 [Documentation] Install and verify certificate using Redfishtool. 246 [Arguments] ${cert_type} ${cert_format} ${expected_status} ${delete_cert}=${True} 247 ... ${install_type}=install 248 249 # Description of argument(s): 250 # cert_type Certificate type (e.g. "Client" or "CA"). 251 # cert_format Certificate file format 252 # expected_status Expected status of certificate install Redfishtool 253 # request (i.e. "ok" or "error"). 254 # delete_cert Certificate will be deleted before installing if this True. 255 256 Run Keyword If '${cert_type}' == 'CA' 257 ... Delete All CA Certificate Via Redfishtool ${delete_cert} 258 ... ELSE IF '${cert_type}' == 'Client' 259 ... Redfishtool Delete Certificate Via BMC CLI ${cert_type} ${delete_cert} 260 261 Return From Keyword If "${install_type}" != "install" and "${file_status}" != "Not Found" 262 263 ${cert_file_path}= Generate Certificate File Via Openssl ${cert_format} 264 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path} 265 ${file_data}= Decode Bytes To String ${bytes} UTF-8 266 267 ${certificate_uri}= Set Variable If 268 ... '${cert_type}' == 'Client' ${REDFISH_LDAP_CERTIFICATE_URI} 269 ... '${cert_type}' == 'CA' ${REDFISH_CA_CERTIFICATE_URI} 270 271 ${cert_id}= Redfishtool Install Certificate File On BMC 272 ... ${certificate_uri} ${expected_status} data=${file_data} 273 Logging Installed certificate id: ${cert_id} 274 275 # Adding delay after certificate installation. 276 Sleep 30s 277 278 ${cert_file_content}= OperatingSystem.Get File ${cert_file_path} 279 280 ${bmc_cert_content}= Run Keyword If '${expected_status}' == 'ok' 281 ... Redfishtool GetAttribute ${certificate_uri}/${cert_id} CertificateString 282 283 Run Keyword If '${expected_status}' == 'ok' Should Contain ${cert_file_content} ${bmc_cert_content} 284 285 286Delete All CA Certificate Via Redfishtool 287 [Documentation] Delete all CA certificate via Redfish. 288 [Arguments] ${delete_cert}=${True} 289 290 ${cmd_output}= Redfishtool Get /redfish/v1/Managers/${MANAGER_ID}/Truststore/Certificates 291 ${cmd_output}= Convert String to JSON ${cmd_output} 292 ${cert_list}= Set Variable ${cmd_output["Members"]} 293 ${uri_length}= Get Length ${cert_list} 294 ${file_status}= Set Variable If 295 ... "${uri_length}" == "0" Not Found 296 ... "${uri_length}" != "0" Found 297 ${cert_id}= Set Variable If 298 ... "${uri_length}" != "0" ${cert_list[-1]["@odata.id"].split("/")[-1].strip()} 299 ... "${uri_length}" == "0" None 300 Set Test Variable ${cert_id} 301 Set Test Variable ${file_status} 302 Return From Keyword If "${file_status}" != "Found" or "${delete_cert}" != "${True}" 303 FOR ${cert} IN @{cert_list} 304 Redfishtool Delete ${cert["@odata.id"]} ${root_cmd_args} 305 END 306 307 308Redfishtool Delete Certificate Via BMC CLI 309 [Documentation] Delete certificate via BMC CLI. 310 [Arguments] ${cert_type} ${delete_cert}=${True} 311 312 # Description of argument(s): 313 # cert_type Certificate type (e.g. "Client" or "CA"). 314 315 ${certificate_file_path} ${certificate_service} ${certificate_uri}= 316 ... Run Keyword If '${cert_type}' == 'Client' 317 ... Set Variable /etc/nslcd/certs/cert.pem phosphor-certificate-manager@nslcd.service 318 ... ${REDFISH_LDAP_CERTIFICATE_URI} 319 ... ELSE IF '${cert_type}' == 'CA' 320 ... Set Variable ${ROOT_CA_FILE_PATH} phosphor-certificate-manager@authority.service 321 ... ${REDFISH_CA_CERTIFICATE_URI} 322 323 ${file_status} ${stderr} ${rc}= BMC Execute Command 324 ... [ -f ${certificate_file_path} ] && echo "Found" || echo "Not Found" 325 326 Set Test Variable ${file_status} 327 Return From Keyword If "${file_status}" != "Found" or '${delete_cert}' != "${True}" 328 BMC Execute Command rm ${certificate_file_path} 329 BMC Execute Command systemctl restart ${certificate_service} 330 BMC Execute Command systemctl daemon-reload 331 332 333Redfishtool Install Certificate File On BMC 334 [Documentation] Install certificate file in BMC using POST operation. 335 [Arguments] ${uri} ${status}=ok &{kwargs} 336 337 # Description of argument(s): 338 # uri URI for installing certificate file via Redfishtool. 339 # e.g. "/redfish/v1/AccountService/LDAP/Certificates". 340 # status Expected status of certificate installation via Redfishtool. 341 # e.g. error, ok. 342 # kwargs A dictionary of keys/values to be passed directly to 343 # POST Request. 344 345 Initialize OpenBMC 20 ${quiet}=${1} ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} 346 347 ${headers}= Create Dictionary Content-Type=application/octet-stream 348 ... X-Auth-Token=${XAUTH_TOKEN} 349 Set To Dictionary ${kwargs} headers ${headers} 350 351 ${resp}= POST On Session openbmc ${uri} &{kwargs} expected_status=any 352 ${cert_id}= Set Variable If 353 ... '${resp.status_code}' == '${HTTP_OK}' ${resp.json()["Id"]} 354 ... '${resp.status_code}' == '${HTTP_NO_CONTENT}' ${resp.json()["Id"]} -1 355 356 Run Keyword If '${status}' == 'ok' 357 ... Should Contain Any "${resp.status_code}" ${HTTP_OK} ${HTTP_NO_CONTENT} 358 ... ELSE IF '${status}' == 'error' 359 ... Should Be Equal As Strings ${resp.status_code} ${HTTP_INTERNAL_SERVER_ERROR} 360 361 Delete All Sessions 362 363 [Return] ${cert_id} 364 365 366Verify Redfishtool Replace Certificate 367 [Documentation] Verify replace server certificate. 368 [Arguments] ${cert_type} ${cert_format} ${expected_status} 369 370 # Description of argument(s): 371 # cert_type Certificate type (e.g. "Client", "Server" or "CA"). 372 # cert_format Certificate file format 373 # (e.g. "Valid_Certificate_Valid_Privatekey"). 374 # expected_status Expected status of certificate replace Redfishtool 375 # request (i.e. "ok" or "error"). 376 377 # Install certificate before replacing client or CA certificate. 378 Run Keyword If '${cert_type}' == 'Client' 379 ... Verify Redfishtool Install Certificate ${cert_type} ${cert_format} ${expected_status} 380 ... ${False} replace 381 ... ELSE IF '${cert_type}' == 'CA' 382 ... Verify Redfishtool Install Certificate ${cert_type} ${cert_format} ${expected_status} 383 ... ${False} replace 384 385 ${cert_file_path}= Generate Certificate File Via Openssl ${cert_format} 386 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path} 387 ${file_data}= Decode Bytes To String ${bytes} UTF-8 388 389 ${certificate_uri}= Set Variable If 390 ... '${cert_type}' == 'Server' ${REDFISH_HTTPS_CERTIFICATE_URI}/1 391 ... '${cert_type}' == 'Client' ${REDFISH_LDAP_CERTIFICATE_URI}/1 392 ... '${cert_type}' == 'CA' ${REDFISH_CA_CERTIFICATE_URI}/${cert_id} 393 394 ${certificate_dict}= Create Dictionary @odata.id=${certificate_uri} 395 ${dict_objects}= Create Dictionary CertificateString=${file_data} 396 ... CertificateType=PEM CertificateUri=${certificate_dict} 397 ${string}= Convert To String ${dict_objects} 398 ${string}= Replace String ${string} ' " 399 ${payload}= Set Variable '${string}' 400 401 ${expected_resp}= Set Variable If 402 ... '${expected_status}' == 'ok' ${HTTP_OK}, ${HTTP_NO_CONTENT} 403 ... '${expected_status}' == 'error' ${HTTP_NOT_FOUND},${HTTP_INTERNAL_SERVER_ERROR} 404 405 ${response}= Redfishtool Post 406 ... ${payload} /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate 407 ... expected_error=${expected_resp} 408 409 ${cert_file_content}= OperatingSystem.Get File ${cert_file_path} 410 Sleep 5s 411 ${bmc_cert_content}= Redfishtool GetAttribute ${certificate_uri} CertificateString 412 413 Run Keyword If '${expected_status}' == 'ok' 414 ... Should Contain ${cert_file_content} ${bmc_cert_content} 415 ... ELSE 416 ... Should Not Contain ${cert_file_content} ${bmc_cert_content} 417 418 419Redfishtool GetAttribute 420 [Documentation] Execute redfishtool for GET operation. 421 [Arguments] ${uri} ${Attribute} ${cmd_args}=${root_cmd_args} ${expected_error}="" 422 423 # Description of argument(s): 424 # uri URI for GET operation (e.g. /redfish/v1/AccountService/Accounts/). 425 # Attribute The specific attribute to be retrieved with the URI. 426 # cmd_args Commandline arguments. 427 # expected_error Expected error optionally provided in testcase (e.g. 401 / 428 # authentication error, etc. ). 429 430 ${rc} ${cmd_output}= Run and Return RC and Output ${cmd_args} GET ${uri} 431 Run Keyword If ${rc} != 0 Is HTTP error Expected ${cmd_output} ${expected_error} 432 433 ${cmd_output}= Convert String to JSON ${cmd_output} 434 435 [Return] ${cmd_output["CertificateString"]} 436 437 438Suite Setup Execution 439 [Documentation] Do suite setup execution. 440 441 ${tool_exist}= Run which redfishtool 442 Should Not Be Empty ${tool_exist} 443 444 # Create certificate sub-directory in current working directory. 445 Create Directory certificate_dir 446