1*** Settings ***
2
3
4Documentation     Suite to test certificate via DMTF redfishtool.
5
6Library           OperatingSystem
7Library           String
8Library           Collections
9
10Resource          ../../lib/resource.robot
11Resource          ../../lib/bmc_redfish_resource.robot
12Resource          ../../lib/openbmc_ffdc.robot
13Resource          ../../lib/certificate_utils.robot
14Resource          ../../lib/dmtf_redfishtool_utils.robot
15
16Suite Setup       Suite Setup Execution
17
18
19*** Variables ***
20
# Base redfishtool command line shared by the keywords in this suite.
# "-S Always" is the redfishtool option that controls when HTTPS is used.
# NOTE(review): the BMC password is passed as a command-line argument. It is
# therefore visible in the local process list while redfishtool runs, and the
# OperatingSystem "Run" keywords log the resolved command line, so it ends up
# in log.html as well. Use a dedicated test account and treat the Robot logs
# as sensitive.
# NOTE(review): whether redfishtool verifies the BMC's TLS certificate with
# these options is not visible here - confirm before relying on it.
${root_cmd_args} =  SEPARATOR=${SPACE}
...  redfishtool raw
...  -r ${OPENBMC_HOST}
...  -u ${OPENBMC_USERNAME}
...  -p ${OPENBMC_PASSWORD}
...  -S Always
23
24
25*** Test Cases ***
26
27
Verify Redfishtool Replace Server Certificate Valid CertKey
    [Documentation]  Replace the HTTPS server certificate with a valid
    ...  certificate and private key and expect the request to succeed.
    [Tags]  Verify_Redfishtool_Replace_Server_Certificate_Valid_CertKey
    [Template]  Verify Redfishtool Replace Certificate

    # cert_type  cert_format  expected_status
    Server  Valid Certificate Valid Privatekey  ok
33
34
Verify Redfishtool Replace Client Certificate Valid CertKey
    [Documentation]  Replace the LDAP client certificate with a valid
    ...  certificate and private key and expect the request to succeed.
    [Tags]  Verify_Redfishtool_Replace_Client_Certificate_Valid_CertKey
    [Template]  Verify Redfishtool Replace Certificate

    # cert_type  cert_format  expected_status
    Client  Valid Certificate Valid Privatekey  ok
40
41
Verify Redfishtool Replace CA Certificate Valid Cert
    [Documentation]  Replace a CA (truststore) certificate with a valid
    ...  certificate and expect the request to succeed.
    [Tags]  Verify_Redfishtool_Replace_CA_Certificate_Valid_Cert
    [Template]  Verify Redfishtool Replace Certificate

    # cert_type  cert_format  expected_status
    CA  Valid Certificate  ok
47
48
Verify Redfishtool Client Certificate Install Valid CertKey
    [Documentation]  Install an LDAP client certificate with a valid
    ...  certificate and private key and expect the install to succeed.
    [Tags]  Verify_Redfishtool_Client_Certificate_Install_Valid_CertKey
    [Template]  Verify Redfishtool Install Certificate

    # cert_type  cert_format  expected_status
    Client  Valid Certificate Valid Privatekey  ok
54
55
Verify Redfishtool CA Certificate Install Valid Cert
    [Documentation]  Install a valid CA (truststore) certificate and expect
    ...  the install to succeed.
    [Tags]  Verify_Redfishtool_CA_Certificate_Install_Valid_Cert
    [Template]  Verify Redfishtool Install Certificate

    # cert_type  cert_format  expected_status
    CA  Valid Certificate  ok
61
62
Verify Redfishtool Replace Server Certificate Errors
    [Documentation]  Replacing the server certificate must be rejected when the
    ...  certificate, the private key, or both are empty.
    [Tags]  Verify_Redfishtool_Replace_Server_Certificate_Errors
    [Template]  Verify Redfishtool Replace Certificate

    # NOTE(review): only empty certificate/key inputs are exercised by the
    # negative cases in this suite; expired, key-mismatched or malformed-PEM
    # inputs are not covered here.
    # cert_type  cert_format  expected_status
    Server  Empty Certificate Empty Privatekey  error
    Server  Empty Certificate Valid Privatekey  error
    Server  Valid Certificate Empty Privatekey  error
71
72
Verify Redfishtool Replace Client Certificate Errors
    [Documentation]  Replacing the client certificate must be rejected when the
    ...  certificate, the private key, or both are empty.
    [Tags]  Verify_Redfishtool_Replace_Client_Certificate_Errors
    [Template]  Verify Redfishtool Replace Certificate

    # Each row is one independent invocation of the template keyword.
    # cert_type  cert_format  expected_status
    Client  Empty Certificate Empty Privatekey  error
    Client  Empty Certificate Valid Privatekey  error
    Client  Valid Certificate Empty Privatekey  error
81
82
Verify Redfishtool Replace CA Certificate Errors
    [Documentation]  Replacing a CA certificate with an empty certificate must
    ...  be rejected.
    [Tags]  Verify_Redfishtool_Replace_CA_Certificate_Errors
    [Template]  Verify Redfishtool Replace Certificate

    # cert_type  cert_format  expected_status
    CA  Empty Certificate  error
89
90
Verify Redfishtool Client Certificate Install Errors
    [Documentation]  Installing a client certificate must be rejected when the
    ...  certificate, the private key, or both are empty.
    [Tags]  Verify_Redfishtool_Client_Certificate_Install_Errors
    [Template]  Verify Redfishtool Install Certificate

    # Each row is one independent invocation of the template keyword.
    # cert_type  cert_format  expected_status
    Client  Empty Certificate Empty Privatekey  error
    Client  Empty Certificate Valid Privatekey  error
    Client  Valid Certificate Empty Privatekey  error
99
100
101*** Keywords ***
102
103
Verify Redfishtool Install Certificate
    [Documentation]  Install a generated certificate on the BMC and, when the
    ...  install is expected to succeed, check that the BMC reports the same
    ...  certificate.
    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}  ${delete_cert}=${True}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Client" or "CA").
    # cert_format         Certificate file format
    #                     (e.g. "Valid Certificate Valid Privatekey").
    # expected_status     Expected status of the install request
    #                     (i.e. "ok" or "error").
    # delete_cert         When True, existing certificates of this type are
    #                     deleted before installing.
    #
    # Returns the id reported by "Redfishtool Install Certificate File On BMC".

    # Start from a known state: drop what is already installed for this type.
    Run Keyword If  '${delete_cert}' == '${True}' and '${cert_type}' == 'CA'
    ...  Delete All CA Certificate Via Redfisthtool
    ...  ELSE IF  '${delete_cert}' == '${True}' and '${cert_type}' == 'Client'
    ...  Redfishtool Delete Certificate Via BMC CLI  ${cert_type}

    # NOTE(review): the generated file presumably holds the private key for the
    # "Valid Privatekey" formats and is left on disk afterwards - confirm and
    # clean up in a teardown if so.
    ${generated_cert_path}=  Generate Certificate File Via Openssl  ${cert_format}
    ${raw_cert}=  OperatingSystem.Get Binary File  ${generated_cert_path}
    ${cert_payload}=  Decode Bytes To String  ${raw_cert}  UTF-8

    # Collection to POST to; stays None for any other cert_type.
    ${collection_uri}=  Set Variable If
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}
    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}

    ${cert_id}=  Redfishtool Install Certificate File On BMC
    ...  ${collection_uri}  ${expected_status}  data=${cert_payload}
    Logging  Installed certificate id: ${cert_id}

    # Fixed delay after certificate installation, before reading it back.
    Sleep  30s

    ${local_cert_text}=  OperatingSystem.Get File  ${generated_cert_path}

    # Read-back and comparison only happen for installs expected to succeed.
    ${installed_cert_text}=  Run Keyword If  '${expected_status}' == 'ok'
    ...  Redfishtool GetAttribute  ${collection_uri}/${cert_id}  CertificateString

    Run Keyword If  '${expected_status}' == 'ok'
    ...  Should Contain  ${local_cert_text}  ${installed_cert_text}

    [Return]  ${cert_id}
143
144
Delete All CA Certificate Via Redfisthtool
    [Documentation]  Delete every certificate listed in the BMC truststore
    ...  collection via redfishtool.

    # NOTE(review): the collection URI is hard-coded here while the other
    # keywords use ${REDFISH_CA_CERTIFICATE_URI}; presumably the same path -
    # confirm and share the variable.
    ${truststore_output}=  Redfishtool Get  /redfish/v1/Managers/bmc/Truststore/Certificates
    ${truststore}=  To JSON  ${truststore_output}
    ${members}=  Set Variable  ${truststore["Members"]}

    # Each member entry carries the URI of one installed CA certificate.
    FOR  ${member}  IN  @{members}
      Redfishtool Delete  ${member["@odata.id"]}  ${root_cmd_args}
    END
154
155
Redfishtool Delete Certificate Via BMC CLI
    [Documentation]  Remove the installed certificate file directly on the BMC
    ...  and restart the matching certificate manager service.
    [Arguments]  ${cert_type}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Client" or "CA").

    # Pick the on-BMC file, the systemd unit and the Redfish collection for
    # this type. ${cert_uri} is assigned but not used further in this keyword.
    ${cert_path}  ${cert_service}  ${cert_uri}=
    ...  Run Keyword If  '${cert_type}' == 'Client'
    ...    Set Variable  /etc/nslcd/certs/cert.pem  phosphor-certificate-manager@nslcd.service
    ...    ${REDFISH_LDAP_CERTIFICATE_URI}
    ...  ELSE IF  '${cert_type}' == 'CA'
    ...    Set Variable  ${ROOT_CA_FILE_PATH}  phosphor-certificate-manager@authority.service
    ...    ${REDFISH_CA_CERTIFICATE_URI}

    # Nothing to do when no certificate file is present.
    ${probe_result}  ${stderr}  ${rc}=  BMC Execute Command
    ...  [ -f ${cert_path} ] && echo "Found" || echo "Not Found"
    Return From Keyword If  "${probe_result}" != "Found"

    # NOTE(review): the path and unit name are interpolated unquoted into shell
    # commands run on the BMC; that is only safe while they come from the fixed
    # values selected above.
    BMC Execute Command  rm ${cert_path}
    BMC Execute Command  systemctl restart ${cert_service}
    BMC Execute Command  systemctl daemon-reload
178
179
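Redfishtool Install Certificate File On BMC
    [Documentation]  Install certificate file in BMC using POST operation and
    ...  return the id of the new certificate (-1 when the POST did not return
    ...  HTTP_OK).
    [Arguments]  ${uri}  ${status}=ok  &{kwargs}
    # Close the HTTP sessions in a teardown so they are also cleaned up when
    # one of the checks below fails; previously a failed status assertion
    # skipped the cleanup.
    [Teardown]  Delete All Sessions

    # Description of argument(s):
    # uri         URI for installing certificate file via Redfishtool.
    #             e.g. "/redfish/v1/AccountService/LDAP/Certificates".
    # status      Expected status of certificate installation via Redfishtool.
    #             e.g. error, ok.
    # kwargs      A dictionary of keys/values to be passed directly to
    #             POST Request.

    Initialize OpenBMC  20  ${quiet}=${1}  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}

    # The certificate is sent as a raw body, authenticated with the session
    # token in ${XAUTH_TOKEN}.
    ${headers}=  Create Dictionary  Content-Type=application/octet-stream
    ...  X-Auth-Token=${XAUTH_TOKEN}
    Set To Dictionary  ${kwargs}  headers  ${headers}

    ${ret}=  Post Request  openbmc  ${uri}  &{kwargs}
    # The body is parsed before the status check, so a non-JSON response fails
    # here rather than at the assertions below.
    ${content_json}=  To JSON  ${ret.content}
    ${cert_id}=  Set Variable If  '${ret.status_code}' == '${HTTP_OK}'  ${content_json["Id"]}  -1

    # "ok" expects HTTP_OK and "error" expects HTTP_INTERNAL_SERVER_ERROR.
    # NOTE(review): any other ${status} value asserts nothing.
    Run Keyword If  '${status}' == 'ok'
    ...  Should Be Equal As Strings  ${ret.status_code}  ${HTTP_OK}
    ...  ELSE IF  '${status}' == 'error'
    ...  Should Be Equal As Strings  ${ret.status_code}  ${HTTP_INTERNAL_SERVER_ERROR}

    [Return]  ${cert_id}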
210
211
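Verify Redfishtool Replace Certificate
    [Documentation]  Replace a server, client or CA certificate through the
    ...  CertificateService.ReplaceCertificate action and verify the result.
    [Arguments]   ${cert_type}  ${cert_format}  ${expected_status}

    # Description of argument(s):
    # cert_type        Certificate type (e.g. "Client", "Server" or "CA").
    # cert_format      Certificate file format
    #                  (e.g. "Valid_Certificate_Valid_Privatekey").
    # expected_status  Expected status of certificate replace Redfishtool
    #                  request (i.e. "ok" or "error").

    # Install certificate before replacing client or CA certificate.
    # For "Server" nothing is installed and ${cert_id} stays None.
    ${cert_id}=  Run Keyword If  '${cert_type}' == 'Client'
    ...    Verify Redfishtool Install Certificate  ${cert_type}  Valid Certificate Valid Privatekey  ok
    ...  ELSE IF  '${cert_type}' == 'CA'
    ...    Verify Redfishtool Install Certificate  ${cert_type}  Valid Certificate  ok

    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    # Server and client certificates are replaced at id 1; the CA certificate
    # at the id returned by the install above.
    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/1
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/1
    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}/${cert_id}

    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
    ${dict_objects}=  Create Dictionary  CertificateString=${file_data}
    ...  CertificateType=PEM  CertificateUri=${certificate_dict}
    # Serialise with json.dumps instead of rewriting the quotes of the dict's
    # string form, which produced invalid JSON as soon as a value contained a
    # quote character.
    ${string}=  Evaluate  json.dumps($dict_objects)  modules=json
    # NOTE(review): the single-quote wrapper presumably protects the JSON on
    # the redfishtool command line; a single quote inside the data would still
    # end the quoting early - confirm against "Redfishtool Post".
    ${payload}=  Set Variable  '${string}'

    # "ok" expects HTTP_OK, "error" expects HTTP_NOT_FOUND.
    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
    ...  '${expected_status}' == 'error'  ${HTTP_NOT_FOUND}

    ${response}=  Redfishtool Post
    ...  ${payload}  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...  expected_error=${expected_resp}

    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
    ${bmc_cert_content}=  Redfishtool GetAttribute  ${certificate_uri}  CertificateString

    # On success the BMC must report the new certificate; on a rejected
    # replace the certificate on the BMC must not be the one from the file.
    Run Keyword If  '${expected_status}' == 'ok'
    ...    Should Contain  ${cert_file_content}  ${bmc_cert_content}
    ...  ELSE
    ...    Should Not Contain  ${cert_file_content}  ${bmc_cert_content}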
259
260
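Redfishtool GetAttribute
    [Documentation]  Execute redfishtool for GET operation and return one
    ...  attribute of the JSON response.
    [Arguments]  ${uri}  ${Attribute}  ${cmd_args}=${root_cmd_args}  ${expected_error}=""

    # Description of argument(s):
    # uri             URI for GET operation (e.g. /redfish/v1/AccountService/Accounts/).
    # Attribute       The specific attribute to be retrieved with the URI.
    # cmd_args        Commandline arguments.
    # expected_error  Expected error optionally provided in testcase (e.g. 401 /
    #                 authentication error, etc. ).

    # NOTE(review): ${cmd_args} carries the BMC password by default and the
    # resolved command line is written to the Robot log.
    ${rc}  ${cmd_output}=  Run and Return RC and Output  ${cmd_args} GET ${uri}
    Run Keyword If  ${rc} != 0  Is HTTP error Expected  ${cmd_output}  ${expected_error}
    ${json_object}=  To JSON  ${cmd_output}

    # Return the attribute the caller asked for; the key used to be hard-coded
    # to "CertificateString", which ignored ${Attribute}.
    ${attribute_value}=  Get From Dictionary  ${json_object}  ${Attribute}

    [Return]  ${attribute_value}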
277
278
Suite Setup Execution
    [Documentation]  Check that redfishtool is available and create the
    ...  working directory for certificates.

    # NOTE(review): "Run" returns stderr together with stdout, so a "which"
    # that prints a not-found message would still pass the emptiness check -
    # verify on the test host.
    ${redfishtool_path}=  Run  which redfishtool
    Should Not Be Empty  ${redfishtool_path}

    # Create certificate sub-directory in current working directory.
    # NOTE(review): no suite teardown on this page removes it, so generated
    # certificates (and presumably private keys) stay on disk - confirm.
    Create Directory  certificate_dir
287