*** Settings ***
Documentation    Test certificate install, replace and visibility in OpenBMC.

Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/certificate_utils.robot
Library          String

Force Tags       Certificate_Test

Suite Setup      Suite Setup Execution
Test Teardown    Test Teardown Execution
# NOTE(review): no Suite Teardown is declared. The certificate_dir created in
# suite setup, and any certificate/private-key files generated into it, are
# presumably left on the test host after the run - confirm and clean up if so.


** Test Cases **

Verify Server Certificate Replace
    [Documentation]  Verify server certificate replace.
    [Tags]  Verify_Server_Certificate_Replace
    [Template]  Replace Certificate Via Redfish

    # Each row is one run of the template keyword. For "error" rows the
    # template expects the request to be rejected and checks that the
    # certificate reported by the BMC is not taken from the rejected file.
    # NOTE(review): the template maps 'Expired Certificate' to a validity of
    # -10, but no row here uses that format, so an expired certificate is
    # never submitted by this suite.
    # cert_type  cert_format                         expected_status
    Server       Valid Certificate Valid Privatekey  ok
    Server       Empty Certificate Valid Privatekey  error
    Server       Valid Certificate Empty Privatekey  error
    Server       Empty Certificate Empty Privatekey  error


Verify Client Certificate Replace
    [Documentation]  Verify client certificate replace.
    [Tags]  Verify_Client_Certificate_Replace
    [Template]  Replace Certificate Via Redfish

    # "Client" selects the LDAP certificate URI in the template keyword, which
    # first installs a valid client certificate so there is one to replace.
    # cert_type  cert_format                         expected_status
    Client       Valid Certificate Valid Privatekey  ok
    Client       Empty Certificate Valid Privatekey  error
    Client       Valid Certificate Empty Privatekey  error
    Client       Empty Certificate Empty Privatekey  error


Verify CA Certificate Replace
    [Documentation]  Verify CA certificate replace.
    [Tags]  Verify_CA_Certificate_Replace
    [Template]  Replace Certificate Via Redfish

    # The template keyword first installs a valid CA certificate so there is
    # one to replace. CA rows carry a certificate only, no private key.
    # cert_type  cert_format        expected_status
    CA           Valid Certificate  ok
    CA           Empty Certificate  error


Verify Client Certificate Install
    [Documentation]  Verify client certificate install.
    [Tags]  Verify_Client_Certificate_Install
    [Template]  Install And Verify Certificate Via Redfish

    # The template keyword deletes any existing client certificate on the BMC
    # before each row, so every row starts from a "no certificate" state.
    # For "error" rows it only checks the HTTP status of the install request.
    # cert_type  cert_format                         expected_status
    Client       Valid Certificate Valid Privatekey  ok
    Client       Empty Certificate Valid Privatekey  error
    Client       Valid Certificate Empty Privatekey  error
    Client       Empty Certificate Empty Privatekey  error


Verify CA Certificate Install
    [Documentation]  Verify CA certificate install.
    [Tags]  Verify_CA_Certificate_Install
    [Template]  Install And Verify Certificate Via Redfish

    # The template keyword deletes any existing CA certificate on the BMC
    # before each row. CA rows carry a certificate only, no private key.
    # cert_type  cert_format        expected_status
    CA           Valid Certificate  ok
    CA           Empty Certificate  error


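Verify Server Certificate View Via Openssl
    [Documentation]  Replace the HTTPS server certificate via Redfish and verify that
    ...  the BMC presents it, as read via the openssl command.
    [Tags]  Verify_Server_Certificate_View_Via_Openssl

    redfish.Login

    # Generate a certificate plus private key and read the file as text.
    ${cert_file_path}=  Generate Certificate File Via Openssl  Valid Certificate Valid Privatekey
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    # Target the first entry of the BMC's HTTPS certificate collection.
    ${certificate_dict}=  Create Dictionary
    ...  @odata.id=/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1
    ${payload}=  Create Dictionary  CertificateString=${file_data}
    ...  CertificateType=PEM  CertificateUri=${certificate_dict}

    # State the expected status explicitly, as Replace Certificate Via Redfish
    # does for the same action, so a rejected replace fails here rather than
    # only after the two minute wait below.
    redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...  body=${payload}  valid_status_codes=[${HTTP_OK}]

    # The new certificate may take a while to be served; poll for up to 2 minutes.
    Wait Until Keyword Succeeds  2 mins  15 secs  Verify Certificate Visible Via OpenSSL  ${cert_file_path}

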
*** Keywords ***
# Template and helper keywords used by the test cases in this suite.

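Install And Verify Certificate Via Redfish
    [Documentation]  Install and verify certificate using Redfish.
    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Client" or "CA").
    # cert_format         Certificate file format
    #                     (e.g. "Valid_Certificate_Valid_Privatekey").
    # expected_status     Expected status of certificate replace Redfish
    #                     request (i.e. "ok" or "error").

    redfish.Login

    # Start from a known state: remove any certificate of this type first.
    Delete Certificate Via BMC CLI  ${cert_type}

    # An expired certificate is requested with a negative validity value
    # (presumably days - confirm in Generate Certificate File Via Openssl).
    ${time}=  Set Variable If  '${cert_format}' == 'Expired Certificate'  -10  365
    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}  ${time}
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}
    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}

    # Set Variable If yields None when no condition matches; fail with a clear
    # message instead of posting to a "None" URI.
    Should Not Be Equal  ${certificate_uri}  ${None}
    ...  msg=Unsupported cert_type '${cert_type}'; use 'Client' or 'CA'.

    Install Certificate File On BMC  ${certificate_uri}  ${expected_status}  data=${file_data}

    # Adding delay after certificate installation.
    Sleep  30s

    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
    ${bmc_cert_content}=  Run Keyword If  '${expected_status}' == 'ok'  redfish_utils.Get Attribute
    ...  ${certificate_uri}/1  CertificateString

    # An empty string is contained in any string, so without this check an
    # empty CertificateString from the BMC would pass the comparison below.
    Run Keyword If  '${expected_status}' == 'ok'  Should Not Be Empty  ${bmc_cert_content}
    ...  msg=BMC returned an empty CertificateString after install.

    Run Keyword If  '${expected_status}' == 'ok'  Should Contain  ${cert_file_content}  ${bmc_cert_content}

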
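Install Certificate File On BMC
    [Documentation]  Install certificate file in BMC using POST operation.
    [Arguments]  ${uri}  ${status}=ok  &{kwargs}

    # Description of argument(s):
    # uri         URI for installing certificate file via REST
    #             e.g. "/xyz/openbmc_project/certs/server/https".
    # status      Expected status of certificate installation via REST
    #             e.g. error, ok. Any other value fails the keyword.
    # kwargs      A dictionary of keys/values to be passed directly to
    #             POST Request.

    Initialize OpenBMC  quiet=${quiet}

    # The upload is sent as raw bytes and authenticated with the session token
    # held in XAUTH_TOKEN (presumably set by Initialize OpenBMC - confirm).
    ${headers}=  Create Dictionary  Content-Type=application/octet-stream
    ...  X-Auth-Token=${XAUTH_TOKEN}
    Set To Dictionary  ${kwargs}  headers  ${headers}

    ${ret}=  Post Request  openbmc  ${uri}  &{kwargs}

    # NOTE(review): a rejected certificate is expected to produce HTTP 500.
    # A 4xx would be the usual answer to invalid client input; confirm this
    # matches the intended BMC behaviour before relying on it.
    # The final ELSE stops a mistyped status from skipping the check silently.
    Run Keyword If  '${status}' == 'ok'
    ...  Should Be Equal As Strings  ${ret.status_code}  ${HTTP_OK}
    ...  ELSE IF  '${status}' == 'error'
    ...  Should Be Equal As Strings  ${ret.status_code}  ${HTTP_INTERNAL_SERVER_ERROR}
    ...  ELSE
    ...  Fail  Unsupported expected status '${status}'; use 'ok' or 'error'.

    # Close the sessions in a teardown so they are also released when the
    # status check above fails.
    [Teardown]  Delete All Sessions

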
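Replace Certificate Via Redfish
    [Documentation]  Test 'replace certificate' operation in the BMC via Redfish.
    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Server" or "Client").
    # cert_format         Certificate file format
    #                     (e.g. Valid_Certificate_Valid_Privatekey).
    # expected_status     Expected status of certificate replace Redfish
    #                     request (i.e. "ok" or "error").

    # Reject a mistyped expected status up front; otherwise the lookup of the
    # expected HTTP code below would silently yield None.
    Should Be True  '${expected_status}' in ['ok', 'error']
    ...  msg=Unsupported expected_status '${expected_status}'; use 'ok' or 'error'.

    # Install certificate before replacing client or CA certificate.
    Run Keyword If  '${cert_type}' == 'Client'
    ...    Install And Verify Certificate Via Redfish  ${cert_type}  Valid Certificate Valid Privatekey  ok
    ...  ELSE IF  '${cert_type}' == 'CA'
    ...    Install And Verify Certificate Via Redfish  ${cert_type}  Valid Certificate  ok

    redfish.Login

    # An expired certificate is requested with a negative validity value
    # (presumably days - confirm in Generate Certificate File Via Openssl).
    ${time}=  Set Variable If  '${cert_format}' == 'Expired Certificate'  -10  365
    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}  ${time}

    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/1
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/1
    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}/1

    # Set Variable If yields None when no condition matches; fail with a clear
    # message instead of sending a replace request for a "None" URI.
    Should Not Be Equal  ${certificate_uri}  ${None}
    ...  msg=Unsupported cert_type '${cert_type}'; use 'Server', 'Client' or 'CA'.

    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
    ${payload}=  Create Dictionary  CertificateString=${file_data}
    ...  CertificateType=PEM  CertificateUri=${certificate_dict}

    # NOTE(review): a rejected certificate is expected to produce HTTP 500.
    # A 4xx would be the usual answer to invalid client input; confirm this
    # matches the intended BMC behaviour before relying on it.
    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
    ...  '${expected_status}' == 'error'  ${HTTP_INTERNAL_SERVER_ERROR}
    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...  body=${payload}  valid_status_codes=[${expected_resp}]

    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
    ${bmc_cert_content}=  redfish_utils.Get Attribute  ${certificate_uri}  CertificateString

    # An empty string is contained in any string, so without this check an
    # empty CertificateString from the BMC would pass the "ok" comparison.
    Run Keyword If  '${expected_status}' == 'ok'
    ...    Should Not Be Empty  ${bmc_cert_content}
    ...    msg=BMC returned an empty CertificateString after replace.

    # On success the BMC must report the uploaded certificate; on rejection
    # the certificate it reports must not come from the rejected file.
    Run Keyword If  '${expected_status}' == 'ok'
    ...    Should Contain  ${cert_file_content}  ${bmc_cert_content}
    ...  ELSE
    ...    Should Not Contain  ${cert_file_content}  ${bmc_cert_content}

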
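Verify Certificate Visible Via OpenSSL
    [Documentation]  Checks if given certificate is visible via openssl's showcert command.
    [Arguments]  ${cert_file_path}

    # Description of argument(s):
    # cert_file_path           Certificate file path.

    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
    ${openssl_cert_content}=  Get Certificate Content From BMC Via Openssl

    # An empty string is contained in any string, so an empty openssl result
    # (e.g. no certificate could be read from the BMC) would otherwise pass
    # the comparison below without proving anything.
    Should Not Be Empty  ${openssl_cert_content}
    ...  msg=No certificate content was read from the BMC via openssl.

    # The local file must contain the certificate the BMC presents.
    Should Contain  ${cert_file_content}  ${openssl_cert_content}

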
Delete Certificate Via BMC CLI
    [Documentation]  Delete certificate via BMC CLI.
    [Arguments]  ${cert_type}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Client" or "CA").

    # Look up the certificate file on the BMC, the service that manages it
    # and the matching Redfish URI for the given certificate type.
    ${cert_path}  ${cert_service}  ${cert_uri}=
    ...  Run Keyword If  '${cert_type}' == 'Client'
    ...    Set Variable
    ...    /etc/nslcd/certs/cert.pem
    ...    phosphor-certificate-manager@nslcd.service
    ...    ${REDFISH_LDAP_CERTIFICATE_URI}
    ...  ELSE IF  '${cert_type}' == 'CA'
    ...    Set Variable
    ...    /etc/ssl/certs/Root-CA.pem
    ...    phosphor-certificate-manager@authority.service
    ...    ${REDFISH_CA_CERTIFICATE_URI}

    # Probe for the file first; nothing to do when it is absent.
    ${probe_out}  ${probe_err}  ${probe_rc}=  BMC Execute Command
    ...  [ -f ${cert_path} ] && echo "Found" || echo "Not Found"
    Return From Keyword If  "${probe_out}" != "Found"

    # Remove the file, restart the managing service, then poll (up to
    # 1 minute) until the Redfish entry answers with the error status
    # this suite expects for a missing certificate.
    BMC Execute Command  rm ${cert_path}
    BMC Execute Command  systemctl restart ${cert_service}
    Wait Until Keyword Succeeds  1 min  10 sec
    ...  Redfish.Get  ${cert_uri}/1  valid_status_codes=[${HTTP_INTERNAL_SERVER_ERROR}]


Suite Setup Execution
    [Documentation]  Do suite setup tasks.

    # Create certificate sub-directory in current working directory.
    # NOTE(review): presumably the generated certificate and private-key files
    # are written here; nothing in this suite removes the directory afterwards.
    Create Directory  certificate_dir


Test Teardown Execution
    [Documentation]  Do the post test teardown.

    # Collect failure data first (while still logged in), then end the
    # Redfish session opened by the test.
    FFDC On Test Case Fail
    redfish.Logout
