1*** Settings *** 2 3 4Documentation Suite to test certificate via DMTF redfishtool. 5 6Library OperatingSystem 7Library String 8Library Collections 9Library JSONLibrary 10 11Resource ../../lib/resource.robot 12Resource ../../lib/bmc_redfish_resource.robot 13Resource ../../lib/openbmc_ffdc.robot 14Resource ../../lib/certificate_utils.robot 15Resource ../../lib/dmtf_redfishtool_utils.robot 16 17Suite Setup Suite Setup Execution 18 19Test Tags Redfishtool_Certificate 20 21*** Variables *** 22 23${root_cmd_args} = SEPARATOR= 24... redfishtool raw -r ${OPENBMC_HOST}:${HTTPS_PORT} -u ${OPENBMC_USERNAME} -p ${OPENBMC_PASSWORD} -S Always 25${invalid_value} abc 26${keybit_length} ${2048} 27 28*** Test Cases *** 29 30 31Verify Redfishtool Replace Server Certificate Valid CertKey 32 [Documentation] Verify replace server certificate. 33 [Tags] Verify_Redfishtool_Replace_Server_Certificate_Valid_CertKey 34 35 Verify Redfishtool Replace Certificate Server Valid Certificate Valid Privatekey ok 36 37 38Verify Redfishtool Replace Client Certificate Valid CertKey 39 [Documentation] Verify replace client certificate. 40 [Tags] Verify_Redfishtool_Replace_Client_Certificate_Valid_CertKey 41 42 Verify Redfishtool Replace Certificate Client Valid Certificate Valid Privatekey ok 43 44 45Verify Redfishtool Replace CA Certificate Valid Cert 46 [Documentation] Verify replace CA certificate. 47 [Tags] Verify_Redfishtool_Replace_CA_Certificate_Valid_Cert 48 49 Verify Redfishtool Replace Certificate CA Valid Certificate ok 50 51 52Verify Redfishtool Client Certificate Install Valid CertKey 53 [Documentation] Verify client certificate installation. 54 [Tags] Verify_Redfishtool_Client_Certificate_Install_Valid_CertKey 55 56 Verify Redfishtool Install Certificate Client Valid Certificate Valid Privatekey ok 57 58 59Verify Redfishtool CA Certificate Install Valid Cert 60 [Documentation] Verify CA Certificate installation. 61 [Tags] Verify_Redfishtool_CA_Certificate_Install_Valid_Cert 62 63 Verify Redfishtool Install Certificate CA Valid Certificate ok 64 65 66Verify Redfishtool Replace Server Certificate Errors 67 [Documentation] Verify error while replacing invalid server certificate. 68 [Tags] Verify_Redfishtool_Replace_Server_Certificate_Errors 69 [Template] Verify Redfishtool Replace Certificate 70 71 Server Empty Certificate Empty Privatekey error 72 Server Empty Certificate Valid Privatekey error 73 Server Valid Certificate Empty Privatekey error 74 75 76Verify Redfishtool Replace Client Certificate Errors 77 [Documentation] Verify error while replacing invalid client certificate. 78 [Tags] Verify_Redfishtool_Replace_Client_Certificate_Errors 79 [Template] Verify Redfishtool Replace Certificate 80 81 Client Empty Certificate Empty Privatekey error 82 Client Empty Certificate Valid Privatekey error 83 Client Valid Certificate Empty Privatekey error 84 85 86Verify Redfishtool Replace CA Certificate Errors 87 [Documentation] Verify error while replacing invalid CA certificate. 88 [Tags] Verify_Redfishtool_Replace_CA_Certificate_Errors 89 [Template] Verify Redfishtool Replace Certificate 90 91 CA Empty Certificate error 92 93 94Verify Redfishtool Client Certificate Install Errors 95 [Documentation] Verify error while installing invalid client certificate. 96 [Tags] Verify_Redfishtool_Client_Certificate_Install_Errors 97 [Template] Verify Redfishtool Install Certificate 98 99 Client Empty Certificate Empty Privatekey error 100 Client Empty Certificate Valid Privatekey error 101 Client Valid Certificate Empty Privatekey error 102 103 104Verify Redfishtool CA Certificate Install Errors 105 [Documentation] Verify error while installing invalid CA certificate. 106 [Tags] Verify_Redfishtool_CA_Certificate_Install_Errors 107 [Template] Verify Redfishtool Install Certificate 108 109 # cert_type cert_format expected_status 110 CA Empty Certificate error 111 112 113Verify Error While Uploading Same CA Certificate Via Redfishtool 114 [Documentation] Verify error while uploading same CA certificate two times. 115 [Tags] Verify_Error_While_Uploading_Same_CA_Certificate_Via_Redfishtool 116 117 # Create certificate file for uploading. 118 ${cert_file_path}= Generate Certificate File Via Openssl Valid Certificate 365 119 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path} 120 ${file_data}= Decode Bytes To String ${bytes} UTF-8 121 122 # Install CA certificate. 123 Redfishtool Install Certificate File On BMC ${REDFISH_CA_CERTIFICATE_URI} ok data=${file_data} 124 125 # Adding delay after certificate installation. 126 Sleep 30s 127 128 # Check error while uploading same certificate. 129 Redfishtool Install Certificate File On BMC ${REDFISH_CA_CERTIFICATE_URI} error data=${file_data} 130 131 132Install Server Certificate Using Redfishtool And Verify Via OpenSSL 133 [Documentation] Install server certificate using Redfishtool and verify via OpenSSL. 134 [Tags] Install_Server_Certificate_Using_Redfishtool_And_Verify_Via_OpenSSL 135 136 ${cert_file_path}= Generate Certificate File Via Openssl Valid Certificate Valid Privatekey 137 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path} 138 ${file_data}= Decode Bytes To String ${bytes} UTF-8 139 140 ${certificate_dict}= Create Dictionary 141 ... @odata.id=/redfish/v1/Managers/${MANAGER_ID}/NetworkProtocol/HTTPS/Certificates/1 142 143 ${dict_objects}= Create Dictionary CertificateString=${file_data} 144 ... CertificateType=PEM CertificateUri=${certificate_dict} 145 146 ${string}= Convert To String ${dict_objects} 147 ${string}= Replace String ${string} ' " 148 ${payload}= Set Variable '${string}' 149 150 ${response}= Redfishtool Post 151 ... ${payload} /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate 152 ... expected_error=${HTTP_OK}, ${HTTP_NO_CONTENT} 153 154 Wait Until Keyword Succeeds 2 mins 15 secs Verify Certificate Visible Via OpenSSL ${cert_file_path} 155 156 157Verify CSR Generation For Server Certificate Via Redfishtool 158 [Documentation] Verify CSR generation for server certificate. 159 [Tags] Verify_CSR_Generation_For_Server_Certificate_Via_Redfishtool 160 [Template] Generate CSR Via Redfishtool 161 162 # csr_type key_pair_algorithm key_bit_length key_curv_id expected_status 163 Server RSA ${keybit_length} ${EMPTY} ok 164 Server EC ${EMPTY} prime256v1 ok 165 Server EC ${EMPTY} secp521r1 ok 166 Server EC ${EMPTY} secp384r1 ok 167 168 169Verify CSR Generation For Client Certificate Via Redfishtool 170 [Documentation] Verify CSR generation for client certificate. 171 [Tags] Verify_CSR_Generation_For_Client_Certificate_Via_Redfishtool 172 [Template] Generate CSR Via Redfishtool 173 174 # csr_type key_pair_algorithm key_bit_length key_curv_id expected_status 175 Client RSA ${keybit_length} ${EMPTY} ok 176 Client EC ${EMPTY} prime256v1 ok 177 Client EC ${EMPTY} secp521r1 ok 178 Client EC ${EMPTY} secp384r1 ok 179 180 181Verify CSR Generation For Server Certificate With Invalid Value Via Redfishtool 182 [Documentation] Verify error while generating CSR for server certificate with invalid value. 183 [Tags] Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value_Via_Redfishtool 184 [Template] Generate CSR Via Redfishtool 185 186 # csr_type key_pair_algorithm key_bit_length key_curv_id expected_status 187 Server ${invalid_value} ${keybit_length} prime256v1 error 188 Server RAS ${invalid_value} ${EMPTY} error 189 190 191Verify CSR Generation For Client Certificate With Invalid Value Via Redfishtool 192 [Documentation] Verify error while generating CSR for client certificate with invalid value. 193 [Tags] Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value_Via_Redfishtool 194 [Template] Generate CSR Via Redfishtool 195 196 Client ${invalid_value} ${keybit_length} prime256v1 error 197 Client RSA ${invalid_value} ${EMPTY} error 198 199*** Keywords *** 200 201 202Generate CSR Via Redfishtool 203 [Documentation] Generate CSR using Redfish. 204 [Arguments] ${cert_type} ${key_pair_algorithm} ${key_bit_length} ${key_curv_id} ${expected_status} 205 206 # Description of argument(s): 207 # cert_type Certificate type ("Server" or "Client"). 208 # key_pair_algorithm CSR key pair algorithm ("EC" or "RSA"). 209 # key_bit_length CSR key bit length ("2048"). 210 # key_curv_id CSR key curv id ("prime256v1" or "secp521r1" or "secp384r1"). 211 # expected_status Expected status of certificate replace Redfishtool request ("ok" or "error"). 212 213 ${certificate_uri}= Set Variable If 214 ... '${cert_type}' == 'Server' ${REDFISH_HTTPS_CERTIFICATE_URI}/ 215 ... '${cert_type}' == 'Client' ${REDFISH_LDAP_CERTIFICATE_URI}/ 216 217 ${certificate_dict}= Create Dictionary @odata.id=${certificate_uri} 218 219 ${csr_dict}= Create Dictionary City=Austin CertificateCollection=${certificate_dict} 220 ... CommonName=${OPENBMC_HOST} Country=US Organization=xyz 221 ... OrganizationalUnit=ISL State=AU KeyBitLength=${key_bit_length} 222 ... KeyPairAlgorithm=${key_pair_algorithm} KeyCurveId=${key_curv_id} 223 224 # Remove not applicable field for CSR generation. 225 Run Keyword If '${key_pair_algorithm}' == 'EC' Remove From Dictionary ${csr_dict} KeyBitLength 226 ... ELSE IF '${key_pair_algorithm}' == 'RSA' Remove From Dictionary ${csr_dict} KeyCurveId 227 228 ${expected_resp}= Set Variable If 229 ... '${expected_status}' == 'ok' ${HTTP_OK}, ${HTTP_NO_CONTENT} 230 ... '${expected_status}' == 'error' ${HTTP_BAD_REQUEST} 231 232 ${string}= Convert To String ${csr_dict} 233 234 ${string2}= Replace String ${string} ' " 235 236 ${payload}= Set Variable '${string2}' 237 238 ${response}= Redfishtool Post 239 ... ${payload} /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR 240 ... expected_error=${expected_resp} 241 242 # Delay added between two CSR generation request. 243 Sleep 5s 244 245 246Verify Redfishtool Install Certificate 247 [Documentation] Install and verify certificate using Redfishtool. 248 [Arguments] ${cert_type} ${cert_format} ${expected_status} ${delete_cert}=${True} 249 ... ${install_type}=install 250 251 # Description of argument(s): 252 # cert_type Certificate type (e.g. "Client" or "CA"). 253 # cert_format Certificate file format 254 # expected_status Expected status of certificate install Redfishtool 255 # request (i.e. "ok" or "error"). 256 # delete_cert Certificate will be deleted before installing if this True. 257 258 Run Keyword If '${cert_type}' == 'CA' 259 ... Delete All CA Certificate Via Redfishtool ${delete_cert} 260 ... ELSE IF '${cert_type}' == 'Client' 261 ... Redfishtool Delete Certificate Via BMC CLI ${cert_type} ${delete_cert} 262 263 Return From Keyword If "${install_type}" != "install" and "${file_status}" != "Not Found" 264 265 ${cert_file_path}= Generate Certificate File Via Openssl ${cert_format} 266 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path} 267 ${file_data}= Decode Bytes To String ${bytes} UTF-8 268 269 ${certificate_uri}= Set Variable If 270 ... '${cert_type}' == 'Client' ${REDFISH_LDAP_CERTIFICATE_URI} 271 ... '${cert_type}' == 'CA' ${REDFISH_CA_CERTIFICATE_URI} 272 273 ${cert_id}= Redfishtool Install Certificate File On BMC 274 ... ${certificate_uri} ${expected_status} data=${file_data} 275 Logging Installed certificate id: ${cert_id} 276 Set Test Variable ${cert_id} 277 278 # Adding delay after certificate installation. 279 Sleep 30s 280 281 ${cert_file_content}= OperatingSystem.Get File ${cert_file_path} 282 283 ${bmc_cert_content}= Run Keyword If '${expected_status}' == 'ok' 284 ... Redfishtool GetAttribute ${certificate_uri}/${cert_id} CertificateString 285 286 Run Keyword If '${expected_status}' == 'ok' Should Contain ${cert_file_content} ${bmc_cert_content} 287 288 289Delete All CA Certificate Via Redfishtool 290 [Documentation] Delete all CA certificate via Redfish. 291 [Arguments] ${delete_cert}=${True} 292 293 ${cmd_output}= Redfishtool Get /redfish/v1/Managers/${MANAGER_ID}/Truststore/Certificates 294 ${cmd_output}= Convert String to JSON ${cmd_output} 295 ${cert_list}= Set Variable ${cmd_output["Members"]} 296 ${uri_length}= Get Length ${cert_list} 297 ${file_status}= Set Variable If 298 ... "${uri_length}" == "0" Not Found 299 ... "${uri_length}" != "0" Found 300 ${cert_id}= Set Variable If 301 ... "${uri_length}" != "0" ${cert_list[-1]["@odata.id"].split("/")[-1].strip()} 302 ... "${uri_length}" == "0" None 303 Set Test Variable ${cert_id} 304 Set Test Variable ${file_status} 305 Return From Keyword If "${file_status}" != "Found" or "${delete_cert}" != "${True}" 306 FOR ${cert} IN @{cert_list} 307 Redfishtool Delete ${cert["@odata.id"]} ${root_cmd_args} 308 END 309 310 311Redfishtool Delete Certificate Via BMC CLI 312 [Documentation] Delete certificate via BMC CLI. 313 [Arguments] ${cert_type} ${delete_cert}=${True} 314 315 # Description of argument(s): 316 # cert_type Certificate type (e.g. "Client" or "CA"). 317 318 ${certificate_file_path} ${certificate_service} ${certificate_uri}= 319 ... Run Keyword If '${cert_type}' == 'Client' 320 ... Set Variable /etc/nslcd/certs/cert.pem phosphor-certificate-manager@nslcd.service 321 ... ${REDFISH_LDAP_CERTIFICATE_URI} 322 ... ELSE IF '${cert_type}' == 'CA' 323 ... Set Variable ${ROOT_CA_FILE_PATH} phosphor-certificate-manager@authority.service 324 ... ${REDFISH_CA_CERTIFICATE_URI} 325 326 ${file_status} ${stderr} ${rc}= BMC Execute Command 327 ... [ -f ${certificate_file_path} ] && echo "Found" || echo "Not Found" 328 329 Set Test Variable ${file_status} 330 Return From Keyword If "${file_status}" != "Found" or '${delete_cert}' != "${True}" 331 BMC Execute Command rm ${certificate_file_path} 332 BMC Execute Command systemctl restart ${certificate_service} 333 BMC Execute Command systemctl daemon-reload 334 335 336Redfishtool Install Certificate File On BMC 337 [Documentation] Install certificate file in BMC using POST operation. 338 [Arguments] ${uri} ${status}=ok &{kwargs} 339 340 # Description of argument(s): 341 # uri URI for installing certificate file via Redfishtool. 342 # e.g. "/redfish/v1/AccountService/LDAP/Certificates". 343 # status Expected status of certificate installation via Redfishtool. 344 # e.g. error, ok. 345 # kwargs A dictionary of keys/values to be passed directly to 346 # POST Request. 347 348 Initialize OpenBMC 20 ${quiet}=${1} ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} 349 350 ${headers}= Create Dictionary Content-Type=application/octet-stream 351 ... X-Auth-Token=${XAUTH_TOKEN} 352 Set To Dictionary ${kwargs} headers ${headers} 353 354 ${resp}= POST On Session openbmc ${uri} &{kwargs} expected_status=any 355 ${cert_id}= Set Variable If 356 ... '${resp.status_code}' == '${HTTP_OK}' ${resp.json()["Id"]} 357 ... '${resp.status_code}' == '${HTTP_NO_CONTENT}' ${resp.json()["Id"]} -1 358 359 Run Keyword If '${status}' == 'ok' 360 ... Should Contain Any "${resp.status_code}" ${HTTP_OK} ${HTTP_NO_CONTENT} 361 ... ELSE IF '${status}' == 'error' 362 ... Should Be Equal As Strings ${resp.status_code} ${HTTP_INTERNAL_SERVER_ERROR} 363 364 Delete All Sessions 365 366 RETURN ${cert_id} 367 368 369Verify Redfishtool Replace Certificate 370 [Documentation] Verify replace server certificate. 371 [Arguments] ${cert_type} ${cert_format} ${expected_status} 372 373 # Description of argument(s): 374 # cert_type Certificate type (e.g. "Client", "Server" or "CA"). 375 # cert_format Certificate file format 376 # (e.g. "Valid_Certificate_Valid_Privatekey"). 377 # expected_status Expected status of certificate replace Redfishtool 378 # request (i.e. "ok" or "error"). 379 380 # Install certificate before replacing client or CA certificate. 381 Run Keyword If '${cert_type}' == 'Client' 382 ... Verify Redfishtool Install Certificate ${cert_type} ${cert_format} ${expected_status} 383 ... ${False} replace 384 ... ELSE IF '${cert_type}' == 'CA' 385 ... Verify Redfishtool Install Certificate ${cert_type} ${cert_format} ${expected_status} 386 ... ${False} replace 387 388 ${cert_file_path}= Generate Certificate File Via Openssl ${cert_format} 389 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path} 390 ${file_data}= Decode Bytes To String ${bytes} UTF-8 391 392 ${certificate_uri}= Set Variable If 393 ... '${cert_type}' == 'Server' ${REDFISH_HTTPS_CERTIFICATE_URI}/1 394 ... '${cert_type}' == 'Client' ${REDFISH_LDAP_CERTIFICATE_URI}/1 395 ... '${cert_type}' == 'CA' ${REDFISH_CA_CERTIFICATE_URI}/${cert_id} 396 397 ${certificate_dict}= Create Dictionary @odata.id=${certificate_uri} 398 ${dict_objects}= Create Dictionary CertificateString=${file_data} 399 ... CertificateType=PEM CertificateUri=${certificate_dict} 400 ${string}= Convert To String ${dict_objects} 401 ${string}= Replace String ${string} ' " 402 ${payload}= Set Variable '${string}' 403 404 ${expected_resp}= Set Variable If 405 ... '${expected_status}' == 'ok' ${HTTP_OK}, ${HTTP_NO_CONTENT} 406 ... '${expected_status}' == 'error' ${HTTP_NOT_FOUND},${HTTP_INTERNAL_SERVER_ERROR} 407 408 ${response}= Redfishtool Post 409 ... ${payload} /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate 410 ... expected_error=${expected_resp} 411 412 ${cert_file_content}= OperatingSystem.Get File ${cert_file_path} 413 Sleep 5s 414 ${bmc_cert_content}= Redfishtool GetAttribute ${certificate_uri} CertificateString 415 416 Run Keyword If '${expected_status}' == 'ok' 417 ... Should Contain ${cert_file_content} ${bmc_cert_content} 418 ... ELSE 419 ... Should Not Contain ${cert_file_content} ${bmc_cert_content} 420 421 422Redfishtool GetAttribute 423 [Documentation] Execute redfishtool for GET operation. 424 [Arguments] ${uri} ${Attribute} ${cmd_args}=${root_cmd_args} ${expected_error}="" 425 426 # Description of argument(s): 427 # uri URI for GET operation (e.g. /redfish/v1/AccountService/Accounts/). 428 # Attribute The specific attribute to be retrieved with the URI. 429 # cmd_args Commandline arguments. 430 # expected_error Expected error optionally provided in testcase (e.g. 401 / 431 # authentication error, etc. ). 432 433 ${rc} ${cmd_output}= Run and Return RC and Output ${cmd_args} GET ${uri} 434 Run Keyword If ${rc} != 0 Is HTTP error Expected ${cmd_output} ${expected_error} 435 436 ${cmd_output}= Convert String to JSON ${cmd_output} 437 438 RETURN ${cmd_output["CertificateString"]} 439 440 441Suite Setup Execution 442 [Documentation] Do suite setup execution. 443 444 ${tool_exist}= Run which redfishtool 445 Should Not Be Empty ${tool_exist} 446 447 # Create certificate sub-directory in current working directory. 448 Create Directory certificate_dir 449