1*** Settings ***
2
3
4Documentation     Suite to test certificate via DMTF redfishtool.
5
6Library           OperatingSystem
7Library           String
8Library           Collections
9Library           JSONLibrary
10
11Resource          ../../lib/resource.robot
12Resource          ../../lib/bmc_redfish_resource.robot
13Resource          ../../lib/openbmc_ffdc.robot
14Resource          ../../lib/certificate_utils.robot
15Resource          ../../lib/dmtf_redfishtool_utils.robot
16
17Suite Setup       Suite Setup Execution
18
19Test Tags        Redfishtool_Certificate
20
21*** Variables ***
22
23${root_cmd_args} =  SEPARATOR=
24...  redfishtool raw -r ${OPENBMC_HOST}:${HTTPS_PORT} -u ${OPENBMC_USERNAME} -p ${OPENBMC_PASSWORD} -S Always
25${invalid_value}  abc
26${keybit_length}  ${2048}
27
28*** Test Cases ***
29
30
31Verify Redfishtool Replace Server Certificate Valid CertKey
32    [Documentation]  Verify replace server certificate.
33    [Tags]  Verify_Redfishtool_Replace_Server_Certificate_Valid_CertKey
34
35    Verify Redfishtool Replace Certificate  Server  Valid Certificate Valid Privatekey  ok
36
37
38Verify Redfishtool Replace Client Certificate Valid CertKey
39    [Documentation]  Verify replace client certificate.
40    [Tags]  Verify_Redfishtool_Replace_Client_Certificate_Valid_CertKey
41
42    Verify Redfishtool Replace Certificate  Client  Valid Certificate Valid Privatekey  ok
43
44
45Verify Redfishtool Replace CA Certificate Valid Cert
46    [Documentation]  Verify replace CA certificate.
47    [Tags]  Verify_Redfishtool_Replace_CA_Certificate_Valid_Cert
48
49    Verify Redfishtool Replace Certificate  CA  Valid Certificate  ok
50
51
52Verify Redfishtool Client Certificate Install Valid CertKey
53    [Documentation]  Verify client certificate installation.
54    [Tags]  Verify_Redfishtool_Client_Certificate_Install_Valid_CertKey
55
56    Verify Redfishtool Install Certificate  Client  Valid Certificate Valid Privatekey  ok
57
58
59Verify Redfishtool CA Certificate Install Valid Cert
60    [Documentation]  Verify CA Certificate installation.
61    [Tags]  Verify_Redfishtool_CA_Certificate_Install_Valid_Cert
62
63    Verify Redfishtool Install Certificate  CA  Valid Certificate  ok
64
65
66Verify Redfishtool Replace Server Certificate Errors
67    [Documentation]  Verify error while replacing invalid server certificate.
68    [Tags]  Verify_Redfishtool_Replace_Server_Certificate_Errors
69    [Template]  Verify Redfishtool Replace Certificate
70
71    Server  Empty Certificate Empty Privatekey  error
72    Server  Empty Certificate Valid Privatekey  error
73    Server  Valid Certificate Empty Privatekey  error
74
75
76Verify Redfishtool Replace Client Certificate Errors
77    [Documentation]  Verify error while replacing invalid client certificate.
78    [Tags]  Verify_Redfishtool_Replace_Client_Certificate_Errors
79    [Template]  Verify Redfishtool Replace Certificate
80
81    Client  Empty Certificate Empty Privatekey  error
82    Client  Empty Certificate Valid Privatekey  error
83    Client  Valid Certificate Empty Privatekey  error
84
85
86Verify Redfishtool Replace CA Certificate Errors
87    [Documentation]  Verify error while replacing invalid CA certificate.
88    [Tags]  Verify_Redfishtool_Replace_CA_Certificate_Errors
89    [Template]  Verify Redfishtool Replace Certificate
90
91    CA  Empty Certificate  error
92
93
94Verify Redfishtool Client Certificate Install Errors
95    [Documentation]  Verify error while installing invalid client certificate.
96    [Tags]  Verify_Redfishtool_Client_Certificate_Install_Errors
97    [Template]  Verify Redfishtool Install Certificate
98
99    Client  Empty Certificate Empty Privatekey  error
100    Client  Empty Certificate Valid Privatekey  error
101    Client  Valid Certificate Empty Privatekey  error
102
103
104Verify Redfishtool CA Certificate Install Errors
105    [Documentation]  Verify error while installing invalid CA certificate.
106    [Tags]  Verify_Redfishtool_CA_Certificate_Install_Errors
107    [Template]  Verify Redfishtool Install Certificate
108
109    # cert_type  cert_format        expected_status
110    CA           Empty Certificate  error
111
112
113Verify Error While Uploading Same CA Certificate Via Redfishtool
114    [Documentation]  Verify error while uploading same CA certificate two times.
115    [Tags]  Verify_Error_While_Uploading_Same_CA_Certificate_Via_Redfishtool
116
117    # Create certificate file for uploading.
118    ${cert_file_path}=  Generate Certificate File Via Openssl  Valid Certificate  365
119    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
120    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8
121
122    # Install CA certificate.
123    Redfishtool Install Certificate File On BMC  ${REDFISH_CA_CERTIFICATE_URI}  ok  data=${file_data}
124
125    # Adding delay after certificate installation.
126    Sleep  30s
127
128    # Check error while uploading same certificate.
129    Redfishtool Install Certificate File On BMC  ${REDFISH_CA_CERTIFICATE_URI}  error  data=${file_data}
130
131
132Install Server Certificate Using Redfishtool And Verify Via OpenSSL
133    [Documentation]  Install server certificate using Redfishtool and verify via OpenSSL.
134    [Tags]  Install_Server_Certificate_Using_Redfishtool_And_Verify_Via_OpenSSL
135
136    ${cert_file_path}=  Generate Certificate File Via Openssl  Valid Certificate Valid Privatekey
137    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
138    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8
139
140    ${certificate_dict}=  Create Dictionary
141    ...  @odata.id=/redfish/v1/Managers/${MANAGER_ID}/NetworkProtocol/HTTPS/Certificates/1
142
143    ${dict_objects}=  Create Dictionary  CertificateString=${file_data}
144    ...  CertificateType=PEM  CertificateUri=${certificate_dict}
145
146    ${string}=  Convert To String  ${dict_objects}
147    ${string}=  Replace String  ${string}  '  "
148    ${payload}=  Set Variable  '${string}'
149
150    ${response}=  Redfishtool Post
151    ...  ${payload}  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
152    ...  expected_error=${HTTP_OK}, ${HTTP_NO_CONTENT}
153
154    Wait Until Keyword Succeeds  2 mins  15 secs  Verify Certificate Visible Via OpenSSL  ${cert_file_path}
155
156
157Verify CSR Generation For Server Certificate Via Redfishtool
158    [Documentation]  Verify CSR generation for server certificate.
159    [Tags]  Verify_CSR_Generation_For_Server_Certificate_Via_Redfishtool
160    [Template]  Generate CSR Via Redfishtool
161
162    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
163    Server      RSA                 ${keybit_length}         ${EMPTY}     ok
164    Server      EC                  ${EMPTY}                 prime256v1   ok
165    Server      EC                  ${EMPTY}                 secp521r1    ok
166    Server      EC                  ${EMPTY}                 secp384r1    ok
167
168
169Verify CSR Generation For Client Certificate Via Redfishtool
170    [Documentation]  Verify CSR generation for client certificate.
171    [Tags]  Verify_CSR_Generation_For_Client_Certificate_Via_Redfishtool
172    [Template]  Generate CSR Via Redfishtool
173
174    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
175    Client      RSA                 ${keybit_length}         ${EMPTY}     ok
176    Client      EC                  ${EMPTY}                 prime256v1   ok
177    Client      EC                  ${EMPTY}                 secp521r1    ok
178    Client      EC                  ${EMPTY}                 secp384r1    ok
179
180
181Verify CSR Generation For Server Certificate With Invalid Value Via Redfishtool
182    [Documentation]  Verify error while generating CSR for server certificate with invalid value.
183    [Tags]  Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value_Via_Redfishtool
184    [Template]  Generate CSR Via Redfishtool
185
186    # csr_type  key_pair_algorithm  key_bit_length    key_curv_id       expected_status
187    Server      ${invalid_value}    ${keybit_length}           prime256v1        error
188    Server      RAS                 ${invalid_value}           ${EMPTY}          error
189
190
191Verify CSR Generation For Client Certificate With Invalid Value Via Redfishtool
192    [Documentation]  Verify error while generating CSR for client certificate with invalid value.
193    [Tags]  Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value_Via_Redfishtool
194    [Template]  Generate CSR Via Redfishtool
195
196    Client      ${invalid_value}    ${keybit_length}           prime256v1        error
197    Client      RSA                 ${invalid_value}           ${EMPTY}          error
198
199*** Keywords ***
200
201
202Generate CSR Via Redfishtool
203    [Documentation]  Generate CSR using Redfish.
204    [Arguments]  ${cert_type}  ${key_pair_algorithm}  ${key_bit_length}  ${key_curv_id}  ${expected_status}
205
206    # Description of argument(s):
207    # cert_type           Certificate type ("Server" or "Client").
208    # key_pair_algorithm  CSR key pair algorithm ("EC" or "RSA").
209    # key_bit_length      CSR key bit length ("2048").
210    # key_curv_id         CSR key curv id ("prime256v1" or "secp521r1" or "secp384r1").
211    # expected_status     Expected status of certificate replace Redfishtool request ("ok" or "error").
212
213    ${certificate_uri}=  Set Variable If
214    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/
215    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/
216
217    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
218
219    ${csr_dict}=  Create Dictionary  City=Austin  CertificateCollection=${certificate_dict}
220    ...  CommonName=${OPENBMC_HOST}  Country=US  Organization=xyz
221    ...  OrganizationalUnit=ISL  State=AU  KeyBitLength=${key_bit_length}
222    ...  KeyPairAlgorithm=${key_pair_algorithm}  KeyCurveId=${key_curv_id}
223
224    # Remove not applicable field for CSR generation.
225    Run Keyword If  '${key_pair_algorithm}' == 'EC'  Remove From Dictionary  ${csr_dict}  KeyBitLength
226    ...  ELSE IF  '${key_pair_algorithm}' == 'RSA'  Remove From Dictionary  ${csr_dict}  KeyCurveId
227
228    ${expected_resp}=  Set Variable If
229    ...  '${expected_status}' == 'ok'     ${HTTP_OK}, ${HTTP_NO_CONTENT}
230    ...  '${expected_status}' == 'error'  ${HTTP_BAD_REQUEST}
231
232    ${string}=  Convert To String  ${csr_dict}
233
234    ${string2}=  Replace String  ${string}   '  "
235
236    ${payload}=  Set Variable  '${string2}'
237
238    ${response}=  Redfishtool Post
239    ...  ${payload}  /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR
240    ...  expected_error=${expected_resp}
241
242    # Delay added between two CSR generation request.
243    Sleep  5s
244
245
246Verify Redfishtool Install Certificate
247    [Documentation]  Install and verify certificate using Redfishtool.
248    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}  ${delete_cert}=${True}
249    ...  ${install_type}=install
250
251    # Description of argument(s):
252    # cert_type           Certificate type (e.g. "Client" or "CA").
253    # cert_format         Certificate file format
254    # expected_status     Expected status of certificate install Redfishtool
255    #                     request (i.e. "ok" or "error").
256    # delete_cert         Certificate will be deleted before installing if this True.
257
258    Run Keyword If  '${cert_type}' == 'CA'
259    ...  Delete All CA Certificate Via Redfishtool  ${delete_cert}
260    ...  ELSE IF  '${cert_type}' == 'Client'
261    ...  Redfishtool Delete Certificate Via BMC CLI  ${cert_type}  ${delete_cert}
262
263    Return From Keyword If  "${install_type}" != "install" and "${file_status}" != "Not Found"
264
265    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}
266    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
267    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8
268
269    ${certificate_uri}=  Set Variable If
270    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}
271    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}
272
273    ${cert_id}=  Redfishtool Install Certificate File On BMC
274    ...  ${certificate_uri}  ${expected_status}  data=${file_data}
275    Logging  Installed certificate id: ${cert_id}
276    Set Test Variable  ${cert_id}
277
278    # Adding delay after certificate installation.
279    Sleep  30s
280
281    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
282
283    ${bmc_cert_content}=  Run Keyword If  '${expected_status}' == 'ok'
284    ...  Redfishtool GetAttribute  ${certificate_uri}/${cert_id}  CertificateString
285
286    Run Keyword If  '${expected_status}' == 'ok'  Should Contain  ${cert_file_content}  ${bmc_cert_content}
287
288
289Delete All CA Certificate Via Redfishtool
290    [Documentation]  Delete all CA certificate via Redfish.
291    [Arguments]  ${delete_cert}=${True}
292
293    ${cmd_output}=  Redfishtool Get  /redfish/v1/Managers/${MANAGER_ID}/Truststore/Certificates
294    ${cmd_output}=  Convert String to JSON  ${cmd_output}
295    ${cert_list}=  Set Variable  ${cmd_output["Members"]}
296    ${uri_length}=  Get Length  ${cert_list}
297    ${file_status}=  Set Variable If
298    ...  "${uri_length}" == "0"  Not Found
299    ...  "${uri_length}" != "0"  Found
300    ${cert_id}=  Set Variable If
301    ...  "${uri_length}" != "0"  ${cert_list[-1]["@odata.id"].split("/")[-1].strip()}
302    ...  "${uri_length}" == "0"  None
303    Set Test Variable  ${cert_id}
304    Set Test Variable  ${file_status}
305    Return From Keyword If  "${file_status}" != "Found" or "${delete_cert}" != "${True}"
306    FOR  ${cert}  IN  @{cert_list}
307      Redfishtool Delete  ${cert["@odata.id"]}  ${root_cmd_args}
308    END
309
310
311Redfishtool Delete Certificate Via BMC CLI
312    [Documentation]  Delete certificate via BMC CLI.
313    [Arguments]  ${cert_type}  ${delete_cert}=${True}
314
315    # Description of argument(s):
316    # cert_type           Certificate type (e.g. "Client" or "CA").
317
318    ${certificate_file_path}  ${certificate_service}  ${certificate_uri}=
319    ...  Run Keyword If  '${cert_type}' == 'Client'
320    ...    Set Variable  /etc/nslcd/certs/cert.pem  phosphor-certificate-manager@nslcd.service
321    ...    ${REDFISH_LDAP_CERTIFICATE_URI}
322    ...  ELSE IF  '${cert_type}' == 'CA'
323    ...    Set Variable  ${ROOT_CA_FILE_PATH}  phosphor-certificate-manager@authority.service
324    ...    ${REDFISH_CA_CERTIFICATE_URI}
325
326    ${file_status}  ${stderr}  ${rc}=  BMC Execute Command
327    ...  [ -f ${certificate_file_path} ] && echo "Found" || echo "Not Found"
328
329    Set Test Variable  ${file_status}
330    Return From Keyword If  "${file_status}" != "Found" or '${delete_cert}' != "${True}"
331    BMC Execute Command  rm ${certificate_file_path}
332    BMC Execute Command  systemctl restart ${certificate_service}
333    BMC Execute Command  systemctl daemon-reload
334
335
336Redfishtool Install Certificate File On BMC
337    [Documentation]  Install certificate file in BMC using POST operation.
338    [Arguments]  ${uri}  ${status}=ok  &{kwargs}
339
340    # Description of argument(s):
341    # uri         URI for installing certificate file via Redfishtool.
342    #             e.g. "/redfish/v1/AccountService/LDAP/Certificates".
343    # status      Expected status of certificate installation via Redfishtool.
344    #             e.g. error, ok.
345    # kwargs      A dictionary of keys/values to be passed directly to
346    #             POST Request.
347
348    Initialize OpenBMC  20  ${quiet}=${1}  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
349
350    ${headers}=  Create Dictionary  Content-Type=application/octet-stream
351    ...  X-Auth-Token=${XAUTH_TOKEN}
352    Set To Dictionary  ${kwargs}  headers  ${headers}
353
354    ${resp}=  POST On Session  openbmc  ${uri}  &{kwargs}  expected_status=any
355    ${cert_id}=  Set Variable If
356    ...  '${resp.status_code}' == '${HTTP_OK}'  ${resp.json()["Id"]}
357    ...  '${resp.status_code}' == '${HTTP_NO_CONTENT}'  ${resp.json()["Id"]}  -1
358
359    Run Keyword If  '${status}' == 'ok'
360    ...  Should Contain Any  "${resp.status_code}"  ${HTTP_OK}  ${HTTP_NO_CONTENT}
361    ...  ELSE IF  '${status}' == 'error'
362    ...  Should Be Equal As Strings  ${resp.status_code}  ${HTTP_INTERNAL_SERVER_ERROR}
363
364    Delete All Sessions
365
366    RETURN  ${cert_id}
367
368
369Verify Redfishtool Replace Certificate
370    [Documentation]  Verify replace server certificate.
371    [Arguments]   ${cert_type}  ${cert_format}  ${expected_status}
372
373    # Description of argument(s):
374    # cert_type        Certificate type (e.g. "Client", "Server" or "CA").
375    # cert_format      Certificate file format
376    #                  (e.g. "Valid_Certificate_Valid_Privatekey").
377    # expected_status  Expected status of certificate replace Redfishtool
378    #                  request (i.e. "ok" or "error").
379
380    # Install certificate before replacing client or CA certificate.
381    Run Keyword If  '${cert_type}' == 'Client'
382    ...    Verify Redfishtool Install Certificate  ${cert_type}  ${cert_format}  ${expected_status}
383    ...    ${False}  replace
384    ...  ELSE IF  '${cert_type}' == 'CA'
385    ...    Verify Redfishtool Install Certificate  ${cert_type}  ${cert_format}  ${expected_status}
386    ...    ${False}  replace
387
388    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}
389    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
390    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8
391
392    ${certificate_uri}=  Set Variable If
393    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/1
394    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/1
395    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}/${cert_id}
396
397    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
398    ${dict_objects}=  Create Dictionary  CertificateString=${file_data}
399    ...  CertificateType=PEM  CertificateUri=${certificate_dict}
400    ${string}=  Convert To String  ${dict_objects}
401    ${string}=  Replace String  ${string}  '  "
402    ${payload}=  Set Variable  '${string}'
403
404    ${expected_resp}=  Set Variable If
405    ...  '${expected_status}' == 'ok'     ${HTTP_OK}, ${HTTP_NO_CONTENT}
406    ...  '${expected_status}' == 'error'  ${HTTP_NOT_FOUND},${HTTP_INTERNAL_SERVER_ERROR}
407
408    ${response}=  Redfishtool Post
409    ...  ${payload}  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
410    ...  expected_error=${expected_resp}
411
412    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
413    Sleep  5s
414    ${bmc_cert_content}=  Redfishtool GetAttribute  ${certificate_uri}  CertificateString
415
416    Run Keyword If  '${expected_status}' == 'ok'
417    ...    Should Contain  ${cert_file_content}  ${bmc_cert_content}
418    ...  ELSE
419    ...    Should Not Contain  ${cert_file_content}  ${bmc_cert_content}
420
421
422Redfishtool GetAttribute
423    [Documentation]  Execute redfishtool for GET operation.
424    [Arguments]  ${uri}  ${Attribute}  ${cmd_args}=${root_cmd_args}  ${expected_error}=""
425
426    # Description of argument(s):
427    # uri             URI for GET operation (e.g. /redfish/v1/AccountService/Accounts/).
428    # Attribute       The specific attribute to be retrieved with the URI.
429    # cmd_args        Commandline arguments.
430    # expected_error  Expected error optionally provided in testcase (e.g. 401 /
431    #                 authentication error, etc. ).
432
433    ${rc}  ${cmd_output}=  Run and Return RC and Output  ${cmd_args} GET ${uri}
434    Run Keyword If  ${rc} != 0  Is HTTP error Expected  ${cmd_output}  ${expected_error}
435
436    ${cmd_output}=  Convert String to JSON  ${cmd_output}
437
438    RETURN  ${cmd_output["CertificateString"]}
439
440
441Suite Setup Execution
442    [Documentation]  Do suite setup execution.
443
444    ${tool_exist}=  Run  which redfishtool
445    Should Not Be Empty  ${tool_exist}
446
447    # Create certificate sub-directory in current working directory.
448    Create Directory  certificate_dir
449