1*** Settings ***
2
3
4Documentation     Suite to test certificate via DMTF redfishtool.
5
6Library           OperatingSystem
7Library           String
8Library           Collections
9
10Resource          ../../lib/resource.robot
11Resource          ../../lib/bmc_redfish_resource.robot
12Resource          ../../lib/openbmc_ffdc.robot
13Resource          ../../lib/certificate_utils.robot
14Resource          ../../lib/dmtf_redfishtool_utils.robot
15
16Suite Setup       Suite Setup Execution
17
18
19*** Variables ***
20
21${root_cmd_args} =  SEPARATOR=
22...  redfishtool raw -r ${OPENBMC_HOST} -u ${OPENBMC_USERNAME} -p ${OPENBMC_PASSWORD} -S Always
23
24${invalid_value}  abc
25
26*** Test Cases ***
27
28
29Verify Redfishtool Replace Server Certificate Valid CertKey
30    [Documentation]  Verify replace server certificate.
31    [Tags]  Verify_Redfishtool_Replace_Server_Certificate_Valid_CertKey
32
33    Verify Redfishtool Replace Certificate  Server  Valid Certificate Valid Privatekey  ok
34
35
36Verify Redfishtool Replace Client Certificate Valid CertKey
37    [Documentation]  Verify replace client certificate.
38    [Tags]  Verify_Redfishtool_Replace_Client_Certificate_Valid_CertKey
39
40    Verify Redfishtool Replace Certificate  Client  Valid Certificate Valid Privatekey  ok
41
42
43Verify Redfishtool Replace CA Certificate Valid Cert
44    [Documentation]  Verify replace CA certificate.
45    [Tags]  Verify_Redfishtool_Replace_CA_Certificate_Valid_Cert
46
47    Verify Redfishtool Replace Certificate  CA  Valid Certificate  ok
48
49
50Verify Redfishtool Client Certificate Install Valid CertKey
51    [Documentation]  Verify client certificate installation.
52    [Tags]  Verify_Redfishtool_Client_Certificate_Install_Valid_CertKey
53
54    Verify Redfishtool Install Certificate  Client  Valid Certificate Valid Privatekey  ok
55
56
57Verify Redfishtool CA Certificate Install Valid Cert
58    [Documentation]  Verify CA Certificate installation.
59    [Tags]  Verify_Redfishtool_CA_Certificate_Install_Valid_Cert
60
61    Verify Redfishtool Install Certificate  CA  Valid Certificate  ok
62
63
64Verify Redfishtool Replace Server Certificate Errors
65    [Documentation]  Verify error while replacing invalid server certificate.
66    [Tags]  Verify_Redfishtool_Replace_Server_Certificate_Errors
67    [Template]  Verify Redfishtool Replace Certificate
68
69    Server  Empty Certificate Empty Privatekey  error
70    Server  Empty Certificate Valid Privatekey  error
71    Server  Valid Certificate Empty Privatekey  error
72
73
74Verify Redfishtool Replace Client Certificate Errors
75    [Documentation]  Verify error while replacing invalid client certificate.
76    [Tags]  Verify_Redfishtool_Replace_Client_Certificate_Errors
77    [Template]  Verify Redfishtool Replace Certificate
78
79    Client  Empty Certificate Empty Privatekey  error
80    Client  Empty Certificate Valid Privatekey  error
81    Client  Valid Certificate Empty Privatekey  error
82
83
84Verify Redfishtool Replace CA Certificate Errors
85    [Documentation]  Verify error while replacing invalid CA certificate.
86    [Tags]  Verify_Redfishtool_Replace_CA_Certificate_Errors
87    [Template]  Verify Redfishtool Replace Certificate
88
89    CA  Empty Certificate  error
90
91
92Verify Redfishtool Client Certificate Install Errors
93    [Documentation]  Verify error while installing invalid client certificate.
94    [Tags]  Verify_Redfishtool_Client_Certificate_Install_Errors
95    [Template]  Verify Redfishtool Install Certificate
96
97    Client  Empty Certificate Empty Privatekey  error
98    Client  Empty Certificate Valid Privatekey  error
99    Client  Valid Certificate Empty Privatekey  error
100
101
102Verify Redfishtool CA Certificate Install Errors
103    [Documentation]  Verify error while installing invalid CA certificate.
104    [Tags]  Verify_Redfishtool_CA_Certificate_Install_Errors
105    [Template]  Verify Redfishtool Install Certificate
106
107    # cert_type  cert_format        expected_status
108    CA           Empty Certificate  error
109
110
111Verify Error While Uploding Same CA Certificate Via Redfishtool
112    [Documentation]  Verify error while uploading same CA certificate two times.
113    [Tags]  Verify_Error_While_Uploding_Same_CA_Certificate_Via_Redfishtool
114
115    # Create certificate file for uploading.
116    ${cert_file_path}=  Generate Certificate File Via Openssl  Valid Certificate  365
117    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
118    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8
119
120    # Install CA certificate.
121    Redfishtool Install Certificate File On BMC  ${REDFISH_CA_CERTIFICATE_URI}  ok  data=${file_data}
122
123    # Adding delay after certificate installation.
124    Sleep  30s
125
126    # Check error while uploading same certificate.
127    Redfishtool Install Certificate File On BMC  ${REDFISH_CA_CERTIFICATE_URI}  error  data=${file_data}
128
129
130Install Server Certificate Using Redfishtool And Verify Via OpenSSL
131    [Documentation]  Install server certificate using Redfishtool and verify via OpenSSL.
132    [Tags]  Install_Server_Certificate_Using_Redfishtool_And_Verify_Via_OpenSSL.
133
134    ${cert_file_path}=  Generate Certificate File Via Openssl  Valid Certificate Valid Privatekey
135    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
136    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8
137
138    ${certificate_dict}=  Create Dictionary
139    ...  @odata.id=/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1
140
141    ${dict_objects}=  Create Dictionary  CertificateString=${file_data}
142    ...  CertificateType=PEM  CertificateUri=${certificate_dict}
143
144    ${string}=  Convert To String  ${dict_objects}
145    ${string}=  Replace String  ${string}  '  "
146    ${payload}=  Set Variable  '${string}'
147
148    ${response}=  Redfishtool Post
149    ...  ${payload}  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
150
151    Wait Until Keyword Succeeds  2 mins  15 secs  Verify Certificate Visible Via OpenSSL  ${cert_file_path}
152
153
154Verify CSR Generation For Server Certificate
155    [Documentation]  Verify CSR generation for server certificate.
156    [Tags]  Verify_CSR_Generation_For_Server_Certificate
157    [Template]  Generate CSR Via Redfishtool
158
159    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
160    Server      RSA                 ${2048}         ${EMPTY}     ok
161    Server      EC                  ${EMPTY}        prime256v1   ok
162    Server      EC                  ${EMPTY}        secp521r1    ok
163    Server      EC                  ${EMPTY}        secp384r1    ok
164
165
166Verify CSR Generation For Client Certificate
167    [Documentation]  Verify CSR generation for client certificate.
168    [Tags]  Verify_CSR_Generation_For_Client_Certificate
169    [Template]  Generate CSR Via Redfishtool
170
171    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
172    Client      RSA                 ${2048}         ${EMPTY}     ok
173    Client      EC                  ${EMPTY}        prime256v1   ok
174    Client      EC                  ${EMPTY}        secp521r1    ok
175    Client      EC                  ${EMPTY}        secp384r1    ok
176
177
178Verify CSR Generation For Server Certificate With Invalid Value
179    [Documentation]  Verify error while generating CSR for server certificate with invalid value.
180    [Tags]  Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value
181    [Template]  Generate CSR Via Redfishtool
182
183    # csr_type  key_pair_algorithm  key_bit_length    key_curv_id       expected_status
184    Server      ${invalid_value}    ${2048}           prime256v1        error
185    Server      RAS                 ${invalid_value}  ${EMPTY}          error
186
187
188Verify CSR Generation For Client Certificate With Invalid Value
189    [Documentation]  Verify error while generating CSR for client certificate with invalid value.
190    [Tags]  Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value
191    [Template]  Generate CSR Via Redfishtool
192
193    Client      ${invalid_value}    ${2048}           prime256v1        error
194    Client      RSA                 ${invalid_value}  ${EMPTY}          error
195
196*** Keywords ***
197
198
199Generate CSR Via Redfishtool
200    [Documentation]  Generate CSR using Redfish.
201    [Arguments]  ${cert_type}  ${key_pair_algorithm}  ${key_bit_length}  ${key_curv_id}  ${expected_status}
202
203    # Description of argument(s):
204    # cert_type           Certificate type ("Server" or "Client").
205    # key_pair_algorithm  CSR key pair algorithm ("EC" or "RSA").
206    # key_bit_length      CSR key bit length ("2048").
207    # key_curv_id         CSR key curv id ("prime256v1" or "secp521r1" or "secp384r1").
208    # expected_status     Expected status of certificate replace Redfishtool request ("ok" or "error").
209
210    ${certificate_uri}=  Set Variable If
211    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/
212    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/
213
214    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
215
216    ${csr_dict}=  Create Dictionary  City=Austin  CertificateCollection=${certificate_dict}
217    ...  CommonName=${OPENBMC_HOST}  Country=US  Organization=IBM
218    ...  OrganizationalUnit=ISL  State=AU  KeyBitLength=${key_bit_length}
219    ...  KeyPairAlgorithm=${key_pair_algorithm}  KeyCurveId=${key_curv_id}
220
221    # Remove not applicable field for CSR generation.
222    Run Keyword If  '${key_pair_algorithm}' == 'EC'  Remove From Dictionary  ${csr_dict}  KeyBitLength
223    ...  ELSE IF  '${key_pair_algorithm}' == 'RSA'  Remove From Dictionary  ${csr_dict}  KeyCurveId
224
225    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
226    ...  '${expected_status}' == 'error'  ${HTTP_BAD_REQUEST}
227
228    ${string}=  Convert To String  ${csr_dict}
229
230    ${string2}=  Replace String  ${string}   '  "
231
232    ${payload}=  Set Variable  '${string2}'
233
234    ${response}=  Redfishtool Post
235    ...  ${payload}  /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR
236    ...  expected_error=${expected_resp}
237
238    # Delay added between two CSR generation request.
239    Sleep  5s
240
241
242Verify Redfishtool Install Certificate
243    [Documentation]  Install and verify certificate using Redfishtool.
244    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}  ${delete_cert}=${True}
245
246    # Description of argument(s):
247    # cert_type           Certificate type (e.g. "Client" or "CA").
248    # cert_format         Certificate file format
249    # expected_status     Expected status of certificate install Redfishtool
250    #                     request (i.e. "ok" or "error").
251    # delete_cert         Certificate will be deleted before installing if this True.
252
253    Run Keyword If  '${cert_type}' == 'CA' and '${delete_cert}' == '${True}'
254    ...  Delete All CA Certificate Via Redfisthtool
255    ...  ELSE IF  '${cert_type}' == 'Client' and '${delete_cert}' == '${True}'
256    ...  Redfishtool Delete Certificate Via BMC CLI  ${cert_type}
257
258    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}
259    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
260    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8
261
262    ${certificate_uri}=  Set Variable If
263    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}
264    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}
265
266    ${cert_id}=  Redfishtool Install Certificate File On BMC
267    ...  ${certificate_uri}  ${expected_status}  data=${file_data}
268    Logging  Installed certificate id: ${cert_id}
269
270    # Adding delay after certificate installation.
271    Sleep  30s
272
273    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
274
275    ${bmc_cert_content}=  Run Keyword If  '${expected_status}' == 'ok'
276    ...  Redfishtool GetAttribute  ${certificate_uri}/${cert_id}  CertificateString
277
278    Run Keyword If  '${expected_status}' == 'ok'  Should Contain  ${cert_file_content}  ${bmc_cert_content}
279
280    [Return]  ${cert_id}
281
282
283Delete All CA Certificate Via Redfisthtool
284    [Documentation]  Delete all CA certificate via Redfish.
285
286    ${cmd_output}=  Redfishtool Get  /redfish/v1/Managers/bmc/Truststore/Certificates
287    ${json_object}=  To JSON  ${cmd_output}
288    ${cert_list}=  Set Variable  ${json_object["Members"]}
289    FOR  ${cert}  IN  @{cert_list}
290      Redfishtool Delete  ${cert["@odata.id"]}  ${root_cmd_args}
291    END
292
293
294Redfishtool Delete Certificate Via BMC CLI
295    [Documentation]  Delete certificate via BMC CLI.
296    [Arguments]  ${cert_type}
297
298    # Description of argument(s):
299    # cert_type           Certificate type (e.g. "Client" or "CA").
300
301    ${certificate_file_path}  ${certificate_service}  ${certificate_uri}=
302    ...  Run Keyword If  '${cert_type}' == 'Client'
303    ...    Set Variable  /etc/nslcd/certs/cert.pem  phosphor-certificate-manager@nslcd.service
304    ...    ${REDFISH_LDAP_CERTIFICATE_URI}
305    ...  ELSE IF  '${cert_type}' == 'CA'
306    ...    Set Variable  ${ROOT_CA_FILE_PATH}  phosphor-certificate-manager@authority.service
307    ...    ${REDFISH_CA_CERTIFICATE_URI}
308
309    ${file_status}  ${stderr}  ${rc}=  BMC Execute Command
310    ...  [ -f ${certificate_file_path} ] && echo "Found" || echo "Not Found"
311
312    Return From Keyword If  "${file_status}" != "Found"
313    BMC Execute Command  rm ${certificate_file_path}
314    BMC Execute Command  systemctl restart ${certificate_service}
315    BMC Execute Command  systemctl daemon-reload
316
317
318Redfishtool Install Certificate File On BMC
319    [Documentation]  Install certificate file in BMC using POST operation.
320    [Arguments]  ${uri}  ${status}=ok  &{kwargs}
321
322    # Description of argument(s):
323    # uri         URI for installing certificate file via Redfishtool.
324    #             e.g. "/redfish/v1/AccountService/LDAP/Certificates".
325    # status      Expected status of certificate installation via Redfishtool.
326    #             e.g. error, ok.
327    # kwargs      A dictionary of keys/values to be passed directly to
328    #             POST Request.
329
330    Initialize OpenBMC  20  ${quiet}=${1}  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
331
332    ${headers}=  Create Dictionary  Content-Type=application/octet-stream
333    ...  X-Auth-Token=${XAUTH_TOKEN}
334    Set To Dictionary  ${kwargs}  headers  ${headers}
335
336    ${ret}=  Post Request  openbmc  ${uri}  &{kwargs}
337    ${content_json}=  To JSON  ${ret.content}
338    ${cert_id}=  Set Variable If  '${ret.status_code}' == '${HTTP_OK}'  ${content_json["Id"]}  -1
339
340    Run Keyword If  '${status}' == 'ok'
341    ...  Should Be Equal As Strings  ${ret.status_code}  ${HTTP_OK}
342    ...  ELSE IF  '${status}' == 'error'
343    ...  Should Be Equal As Strings  ${ret.status_code}  ${HTTP_INTERNAL_SERVER_ERROR}
344
345    Delete All Sessions
346
347    [Return]  ${cert_id}
348
349
350Verify Redfishtool Replace Certificate
351    [Documentation]  Verify replace server certificate.
352    [Arguments]   ${cert_type}  ${cert_format}  ${expected_status}
353
354    # Description of argument(s):
355    # cert_type        Certificate type (e.g. "Client", "Server" or "CA").
356    # cert_format      Certificate file format
357    #                  (e.g. "Valid_Certificate_Valid_Privatekey").
358    # expected_status  Expected status of certificate replace Redfishtool
359    #                  request (i.e. "ok" or "error").
360
361    # Install certificate before replacing client or CA certificate.
362    ${cert_id}=  Run Keyword If  '${cert_type}' == 'Client'
363    ...    Verify Redfishtool Install Certificate  ${cert_type}  Valid Certificate Valid Privatekey  ok
364    ...  ELSE IF  '${cert_type}' == 'CA'
365    ...    Verify Redfishtool Install Certificate  ${cert_type}  Valid Certificate  ok
366
367    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}
368    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
369    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8
370
371    ${certificate_uri}=  Set Variable If
372    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/1
373    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/1
374    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}/${cert_id}
375
376    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
377    ${dict_objects}=  Create Dictionary  CertificateString=${file_data}
378    ...  CertificateType=PEM  CertificateUri=${certificate_dict}
379    ${string}=  Convert To String  ${dict_objects}
380    ${string}=  Replace String  ${string}  '  "
381    ${payload}=  Set Variable  '${string}'
382
383    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
384    ...  '${expected_status}' == 'error'  ${HTTP_NOT_FOUND}
385
386    ${response}=  Redfishtool Post
387    ...  ${payload}  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
388    ...  expected_error=${expected_resp}
389
390    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
391    ${bmc_cert_content}=  Redfishtool GetAttribute  ${certificate_uri}  CertificateString
392
393    Run Keyword If  '${expected_status}' == 'ok'
394    ...    Should Contain  ${cert_file_content}  ${bmc_cert_content}
395    ...  ELSE
396    ...    Should Not Contain  ${cert_file_content}  ${bmc_cert_content}
397
398
399Redfishtool GetAttribute
400    [Documentation]  Execute redfishtool for GET operation.
401    [Arguments]  ${uri}  ${Attribute}  ${cmd_args}=${root_cmd_args}  ${expected_error}=""
402
403    # Description of argument(s):
404    # uri             URI for GET operation (e.g. /redfish/v1/AccountService/Accounts/).
405    # Attribute       The specific attribute to be retrieved with the URI.
406    # cmd_args        Commandline arguments.
407    # expected_error  Expected error optionally provided in testcase (e.g. 401 /
408    #                 authentication error, etc. ).
409
410    ${rc}  ${cmd_output}=  Run and Return RC and Output  ${cmd_args} GET ${uri}
411    Run Keyword If  ${rc} != 0  Is HTTP error Expected  ${cmd_output}  ${expected_error}
412    ${json_object}=  To JSON  ${cmd_output}
413
414    [Return]  ${json_object["CertificateString"]}
415
416
417Suite Setup Execution
418    [Documentation]  Do suite setup execution.
419
420    ${tool_exist}=  Run  which redfishtool
421    Should Not Be Empty  ${tool_exist}
422
423    # Create certificate sub-directory in current working directory.
424    Create Directory  certificate_dir
425