*** Settings ***
Documentation    Negative-path and hardening checks for the Redfish service root:
...              invalid credentials, plaintext and wrong-port transport, reuse of a
...              logged-out session, many concurrent sessions, and the security
...              headers every response must carry.

Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot

# Print a newline before each test; collect FFDC only when a test fails.
Test Setup       Printn
Test Teardown    FFDC On Test Case Fail

*** Variables ***

# Number of extra sessions opened by "Create Multiple Login Sessions And Verify".
${LOGIN_SESSION_COUNT}   ${50}

# Glob matched against the error raised when the BMC refuses a plaintext or
# wrong-port connection.  Any other failure message does not match and fails
# the test that uses it.
${ERROR_RESPONSE_MSG}  *Connection refused*

# Security headers every Redfish response must carry, with the exact value
# expected.  They are checked with "Dictionary Should Contain Sub Dictionary",
# which compares values as whole strings, so a directive added, dropped or
# reordered on the BMC side fails the check.
&{header_requirements}  Strict-Transport-Security=max-age=31536000; includeSubdomains
...                     X-Frame-Options=DENY
...                     Pragma=no-cache
...                     Cache-Control=no-store, max-age=0
...                     Referrer-Policy=no-referrer
...                     X-Content-Type-Options=nosniff
...                     X-Permitted-Cross-Domain-Policies=none
...                     Cross-Origin-Embedder-Policy=require-corp
...                     Cross-Origin-Opener-Policy=same-origin
...                     Cross-Origin-Resource-Policy=same-origin
...                     Content-Security-Policy=default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'

*** Test Cases ***

Redfish Login With Invalid Credentials
    [Documentation]  Login to BMC web using invalid credential.
    [Tags]  Redfish_Login_With_Invalid_Credentials
    [Template]  Login And Verify Redfish Response

    # Each row is one login attempt that must fail.  The third column is the
    # error name expected in the failure message; see the template keyword for
    # the version-dependent fallback that also accepts InvalidCredentialsError.
    # Username                Password               Expected error
    ${OPENBMC_USERNAME}       deadpassword           InvalidCredentialsError
    groot                     ${OPENBMC_PASSWORD}    InvalidCredentialsError
    ${EMPTY}                  ${OPENBMC_PASSWORD}    SessionCreationError
    ${OPENBMC_USERNAME}       ${EMPTY}               SessionCreationError
    ${EMPTY}                  ${EMPTY}               SessionCreationError


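Redfish Login Using Unsecured HTTP
    [Documentation]  Attempt a Redfish session login over plaintext HTTP and
    ...   verify the BMC refuses the connection.
    [Tags]  Redfish_Login_Using_Unsecured_HTTP

    # Plain http:// on the default port; the BMC is expected not to listen there.
    Create Session  openbmc  http://${OPENBMC_HOST}
    ${data}=  Create Dictionary
    ...  UserName=${OPENBMC_USERNAME}  Password=${OPENBMC_PASSWORD}

    ${headers}=  Create Dictionary  Content-Type=application/json

    # Same expected error as the wrong-port test below (shared via
    # ${ERROR_RESPONSE_MSG} rather than a duplicated literal).  Only a refused
    # connection passes: an HTTP-to-HTTPS redirect or a timeout produces a
    # different message and fails the test, which is intended, since a redirect
    # would only arrive after the credentials had already left in cleartext.
    Run Keyword And Expect Error  ${ERROR_RESPONSE_MSG}
    ...  POST On Session  openbmc  /redfish/v1/SessionService/Sessions
    ...  data=${data}  headers=${headers}

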
Redfish Login Using HTTPS Wrong Port 80 Protocol
    [Documentation]  Point an https:// login at port 80 and verify the BMC
    ...   refuses the connection instead of answering on the plaintext port.
    [Tags]  Redfish_Login_Using_HTTPS_Wrong_Port_80_Protocol

    # TLS scheme deliberately aimed at the HTTP port.
    Create Session  openbmc  https://${OPENBMC_HOST}:80
    ${credentials}=  Create Dictionary  UserName=${OPENBMC_USERNAME}  Password=${OPENBMC_PASSWORD}
    ${json_headers}=  Create Dictionary  Content-Type=application/json

    # Must fail with the connection-refused pattern from *** Variables ***;
    # any other outcome (a response, a different error) fails the test.
    Run Keyword And Expect Error  ${ERROR_RESPONSE_MSG}
    ...  POST On Session  openbmc  /redfish/v1/SessionService/Sessions
    ...  data=${credentials}  headers=${json_headers}


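Create Multiple Login Sessions And Verify
    [Documentation]  Open ${LOGIN_SESSION_COUNT} additional login sessions and
    ...   verify the first session is still usable afterwards.
    [Tags]  Create_Multiple_Login_Sessions_And_Verify
    [Teardown]  Run Keyword And Ignore Error  Multiple Session Cleanup

    Redfish.Login
    # Example:
    #    {
    #      'key': 'L0XEsZAXpNdF147jJaOD',
    #      'location': '/redfish/v1/SessionService/Sessions/qWn2JOJSOs'
    #    }
    ${saved_session_info}=  Get Redfish Session Info

    # Session bookkeeping for the teardown; "Create New Login Session" appends
    # each new session location to this test-scoped list.
    ${session_list}=  Create List
    Set Test Variable  ${session_list}

    Repeat Keyword  ${LOGIN_SESSION_COUNT} times  Create New Login Session

    # Point the redfish object back at the first session and verify it still
    # works, i.e. opening many further sessions did not evict or invalidate it.
    Redfish.Set Session Key  ${saved_session_info["key"]}
    Redfish.Set Session Location  ${saved_session_info["location"]}
    Redfish.Get  ${saved_session_info["location"]}

    # The first session was never recorded above, so it would survive the
    # teardown; add it now so it is deleted too.  It is appended last because
    # the cleanup issues its DELETEs with this session's key, so it has to
    # outlive the other entries.
    Append To List  ${session_list}  ${saved_session_info["location"]}

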
Attempt Login With Expired Session
    [Documentation]  Authenticate to redfish, then log out and attempt to
    ...   use the session.
    [Tags]  Attempt_Login_With_Expired_Session

    Redfish.Login
    ${saved_session_info}=  Get Redfish Session Info
    Redfish.Logout

    # Re-install the key and location of the session that was just logged out
    # and try to use it; the BMC must reject the stale token rather than honour
    # it.  The inactivity timeout (60 minutes by default) is a separate way a
    # session ends and is not what this test exercises.
    Redfish.Set Session Key  ${saved_session_info["key"]}
    Redfish.Set Session Location  ${saved_session_info["location"]}

    # ${HTTP_UNAUTHORIZED} is the only acceptable status; a 2xx here would mean
    # the logged-out session is still valid.
    Redfish.Get  ${saved_session_info["location"]}  valid_status_codes=[${HTTP_UNAUTHORIZED}]


Login And Verify HTTP Response Header
    [Documentation]  Login and check that a Redfish response carries every
    ...   required security header with the expected value.
    [Tags]  Login_And_Verify_HTTP_Response_Header

    # The required header set lives in &{header_requirements}; log it next to
    # the observed headers so a mismatch is easy to read from the report.
    Rprint Vars  header_requirements  fmt=1

    Redfish.Login
    ${response}=  Redfish.Get  /redfish/v1/SessionService/Sessions

    # getheaders() yields (name, value) tuples, e.g.
    #   ('Strict-Transport-Security', 'max-age=31536000; includeSubdomains')
    #   ('X-Frame-Options', 'DENY')
    #   ('Pragma', 'no-cache')
    #   ('Cache-Control', 'no-store, max-age=0')
    #   ...
    #   ('Content-Type', 'application/json')
    #   ('Content-Length', '394')
    # Fold them into a dict for the sub-dictionary comparison below.
    ${headers}=  Key Value List To Dict  ${response.getheaders()}
    Rprint Vars  headers  fmt=1

    # Sub-dictionary semantics: every required header must be present with an
    # exactly matching value (names and values compared as literal strings).
    # Headers not listed in the requirements, such as Content-Type above, are
    # ignored rather than flagged, so this does not assert the absence of any
    # header.
    Dictionary Should Contain Sub Dictionary   ${headers}  ${header_requirements}


*** Keywords ***

Login And Verify Redfish Response
    [Documentation]  Login and verify redfish response.
    [Arguments]   ${username}  ${password}  ${expected_response}

    # Description of arguments:
    # username             The username to be used to connect to the server.
    # password             The password to be used to connect to the server.
    # expected_response    Name of the error expected in the login failure
    #                      message (e.g. InvalidCredentialsError).

    # The redfish object may preserve a valid username or password from the
    # last failed login attempt.  If we then try to login with a null username
    # or password value, the redfish object may prefer the preserved value.
    # Since we're testing bad path, we wish to avoid this scenario so we will
    # clear these values.

    Redfish.Set Username  ${EMPTY}
    Redfish.Set Password  ${EMPTY}

    # Any error is accepted here ("*") and its message captured; a login that
    # unexpectedly succeeds fails this keyword outright.
    ${msg}=  Run Keyword And Expect Error  *  Redfish.Login  ${username}  ${password}

    # redfish package version <=3.1.6 default response is InvalidCredentialsError.
    # Note this makes InvalidCredentialsError acceptable for every caller, so a
    # row expecting SessionCreationError only asserts that some login error was
    # raised, not that specific one.
    Should Contain Any   ${msg}  InvalidCredentialsError  ${expected_response}


Create New Login Session
    [Documentation]  Open one more Redfish login session and record its
    ...   location in the test-scoped ${session_list} for later cleanup.

    Redfish.Login
    ${session_info}=  Get Redfish Session Info
    ${location}=  Set Variable  ${session_info["location"]}

    # ${session_list} grows to e.g.
    # ['/redfish/v1/SessionService/Sessions/uDzihgDecs',
    #  '/redfish/v1/SessionService/Sessions/PaHF5brPPd']
    Append To List  ${session_list}  ${location}


Multiple Session Cleanup
    [Documentation]  Do the teardown for multiple sessions.

    # The [Teardown] on the multi-session test replaces the suite-level
    # "Test Teardown", so FFDC collection has to be repeated here.
    FFDC On Test Case Fail

    # Delete every session recorded in the test-scoped ${session_list};
    # presumably each DELETE is authenticated with whatever session the
    # redfish object currently holds -- verify against the library.
    FOR  ${item}  IN  @{session_list}
      Redfish.Delete  ${item}
    END
