1*** Settings ***
2Documentation    Test Redfish service root login security.
3
4Resource         ../../lib/resource.robot
5Resource         ../../lib/bmc_redfish_resource.robot
6Resource         ../../lib/openbmc_ffdc.robot
7
8Test Teardown    FFDC On Test Case Fail
9Test Setup       Printn
10
11*** Variables ***
12
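# Number of additional Redfish sessions opened by
# "Create Multiple Login Sessions And Verify" on top of the initial one.
${LOGIN_SESSION_COUNT}   ${50}

# Security headers every Redfish response must carry.
# NOTE: "Dictionary Should Contain Sub Dictionary" compares these as exact
# strings, so a header that is present but carries a different value (for
# example a shorter HSTS max-age) fails the check just like a missing header.
# Header names are matched as the BMC sends them, presumably case-sensitively.
# Every "..." continuation cell is one separate key=value item, so a value
# containing spaces must stay in a single cell and must not be wrapped.
&{header_requirements}  Strict-Transport-Security=max-age=31536000; includeSubdomains; preload
...                     X-Frame-Options=DENY
...                     Pragma=no-cache
...                     Cache-Control=no-Store,no-Cache
...                     Content-Security-Policy=default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:
...                     X-XSS-Protection=1; mode=block
...                     X-Content-Type-Options=nosniff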
23
24*** Test Cases ***
25
Redfish Login With Invalid Credentials
    [Documentation]  Verify that Redfish login is rejected for every
    ...  combination of wrong, unknown or empty credentials.
    [Tags]  Redfish_Login_With_Invalid_Credentials
    [Template]  Login And Verify Redfish Response

    # One login attempt per row.  The first column is the glob pattern the
    # login failure must match (an error text, not an HTTP status code); the
    # other two are the credentials sent.  Rows cover: wrong password, unknown
    # user, empty user, empty password, both empty.
    # Expected error pattern     Username               Password
    InvalidCredentialsError*   ${OPENBMC_USERNAME}    deadpassword
    InvalidCredentialsError*   groot                  ${OPENBMC_PASSWORD}
    InvalidCredentialsError*   ${EMPTY}               ${OPENBMC_PASSWORD}
    InvalidCredentialsError*   ${OPENBMC_USERNAME}    ${EMPTY}
    InvalidCredentialsError*   ${EMPTY}               ${EMPTY}
37
38
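Redfish Login Using Unsecured HTTP
    [Documentation]  Verify the BMC does not accept a Redfish session login
    ...  over plain HTTP: the TCP connection to port 80 must be refused.
    [Tags]  Redfish_Login_Using_Unsecured_HTTP

    Create Session  openbmc  http://${OPENBMC_HOST}

    # Placeholder credentials on purpose: this request goes out in clear text,
    # so the real BMC credentials must never be placed in it.  Detection is
    # unchanged, because any HTTP answer at all (2xx, 401, redirect) already
    # fails the "Connection refused" expectation below.
    ${login_body}=  Create Dictionary
    ...  UserName=unsecured_http_probe  Password=unsecured_http_probe

    ${request_headers}=  Create Dictionary  Content-Type=application/json

    # NOTE: a BMC that listens on port 80 only to redirect to HTTPS is also
    # reported as a failure here; this test deliberately requires the port to
    # be closed.
    Run Keyword And Expect Error  *Connection refused*
    ...  Post Request  openbmc  /redfish/v1/SessionService/Sessions
    ...  data=${login_body}  headers=${request_headers}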
52
53
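Redfish Login Using HTTPS Wrong Port 80 Protocol
    [Documentation]  Verify that an HTTPS login aimed at port 80 is refused
    ...  at the TCP level, i.e. nothing is listening on port 80.
    [Tags]  Redfish_Login_Using_HTTPS_Wrong_Port_80_Protocol

    Create Session  openbmc  https://${OPENBMC_HOST}:80

    # Placeholder credentials, same reasoning as the plain-HTTP test: this is
    # a negative probe and the real credentials add nothing to it.  Any
    # response (or a TLS handshake error, should something be listening) fails
    # the "Connection refused" expectation below just the same.
    ${login_body}=  Create Dictionary
    ...  UserName=wrong_port_probe  Password=wrong_port_probe

    ${request_headers}=  Create Dictionary  Content-Type=application/json

    # NOTE: the expectation is specifically "port closed"; a BMC serving an
    # HTTP-to-HTTPS redirect on 80 would make this test fail as well.
    Run Keyword And Expect Error  *Connection refused*
    ...  Post Request  openbmc  /redfish/v1/SessionService/Sessions
    ...  data=${login_body}  headers=${request_headers}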
67
68
Create Multiple Login Sessions And Verify
    [Documentation]  Open LOGIN_SESSION_COUNT additional Redfish sessions and
    ...  verify the very first session is still usable afterwards.
    [Tags]  Create_Multiple_Login_Sessions_And_Verify
    [Teardown]  Run Keyword And Ignore Error  Multiple Session Cleanup

    # Book-keeping of every session location created below so the teardown
    # can delete them.  Must exist before the first "Create New Login Session".
    ${session_list}=  Create List
    Set Test Variable  ${session_list}

    # The first session is kept aside; its key and location are restored at
    # the end to show that opening more sessions did not evict it.
    # Session info example:
    #    {'key': 'L0XEsZAXpNdF147jJaOD',
    #     'location': '/redfish/v1/SessionService/Sessions/qWn2JOJSOs'}
    Redfish.Login
    ${first_session}=  Get Redfish Session Info

    # Each iteration logs in again and records the new session's location.
    # After the loop the Redfish object holds the newest session, not the
    # first one.
    FOR  ${index}  IN RANGE  ${LOGIN_SESSION_COUNT}
        Create New Login Session
    END

    # Switch the client back to the first session and use it; a successful
    # GET proves it is still accepted by the BMC.  NOTE: this does not check
    # whether the BMC enforces any upper bound on concurrent sessions.
    Redfish.Set Session Key  ${first_session["key"]}
    Redfish.Set Session Location  ${first_session["location"]}
    Redfish.Get  ${first_session["location"]}
93
94
Attempt Login With Expired Session
    [Documentation]  Log in, log out, then reuse the logged-out session's key
    ...  and location and verify the BMC answers 401.
    [Tags]  Attempt_Login_With_Expired_Session

    Redfish.Login
    ${stale_session}=  Get Redfish Session Info
    # It is the explicit logout that invalidates the session in this test,
    # not the server-side idle timeout (60 minutes by default according to the
    # original note); the timeout path is not exercised here.
    Redfish.Logout

    # Re-arm the client with the now-invalid key and location.  Getting an
    # unauthorized status instead of a success shows the revocation is
    # enforced on the BMC, not merely forgotten by the client object.
    Redfish.Set Session Key  ${stale_session["key"]}
    Redfish.Set Session Location  ${stale_session["location"]}
    Redfish.Get  ${stale_session["location"]}  valid_status_codes=[${HTTP_UNAUTHORIZED}]
110
111
Login And Verify HTTP Response Header
    [Documentation]  Login and verify that a Redfish HTTP response carries the
    ...  required security headers with the exact required values.
    [Tags]  Login_And_Verify_HTTP_Response_Header

    # Required headers come from &{header_requirements}, e.g.
    #   Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    #   X-Frame-Options: DENY
    #   Pragma: no-cache
    #   Cache-Control: no-Store,no-Cache
    #   Content-Security-Policy: default-src 'none'; img-src 'self' data:; ...
    #   X-XSS-Protection: 1; mode=block
    #   X-Content-Type-Options: nosniff
    Rprint Vars  header_requirements  fmt=1

    Redfish.Login
    # Only this single endpoint is inspected; headers served on other paths
    # are not covered by this test.
    ${response}=  Redfish.Get  /redfish/v1/SessionService/Sessions

    # getheaders() returns (name, value) tuples, e.g.
    #   [Strict-Transport-Security]:  max-age=31536000; includeSubdomains; preload
    #   [X-Frame-Options]:            DENY
    #   [Content-Type]:               application/json
    #   [Date]:                       Tue, 16 Apr 2019 17:49:46 GMT
    # which are turned into a dict here.  Extra headers from the BMC are
    # tolerated; a required header that is missing, or whose value differs by
    # a single character, fails the sub-dictionary check.
    ${headers}=  Key Value List To Dict  ${response.getheaders()}
    Rprint Vars  headers  fmt=1

    Dictionary Should Contain Sub Dictionary   ${headers}  ${header_requirements}
149
150
151*** Keywords ***
152
Login And Verify Redfish Response
    [Documentation]  Attempt a Redfish login with the given credentials and
    ...  verify that it fails with the expected error.
    [Arguments]  ${expected_response}  ${username}  ${password}

    # Description of arguments:
    # expected_response   Glob pattern the login error must match, e.g.
    #                     "InvalidCredentialsError*".  This is matched against
    #                     the error text, not against an HTTP status code.
    # username            Username to log in with (may be ${EMPTY}).
    # password            Password to log in with (may be ${EMPTY}).

    # Drop any username/password the redfish object retained from an earlier
    # attempt.  Without this an ${EMPTY} argument could be silently replaced
    # by a retained valid value and this negative test would pass for the
    # wrong reason.
    Redfish.Set Password  ${EMPTY}
    Redfish.Set Username  ${EMPTY}

    # Fails if the login succeeds or raises an error with a different text.
    Run Keyword And Expect Error  ${expected_response}
    ...  Redfish.Login  ${username}  ${password}
173
174
Create New Login Session
    [Documentation]  Open one more Redfish session and record its location in
    ...  ${session_list} so the caller's teardown can delete it.

    Redfish.Login
    ${new_session}=  Get Redfish Session Info

    # ${session_list} is a test variable owned by the calling test case.  Only
    # the session location is kept, e.g.
    #   '/redfish/v1/SessionService/Sessions/uDzihgDecs'
    Append To List  ${session_list}  ${new_session["location"]}
185
186
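Multiple Session Cleanup
    [Documentation]  Teardown for the multiple-session test: collect FFDC on
    ...  failure, delete every session recorded in ${session_list}, then log
    ...  out the session the Redfish object is still holding.

    FFDC On Test Case Fail

    # Delete each recorded session using whatever session the Redfish object
    # currently holds.  A single failed delete must not abort the loop, or
    # the remaining sessions would stay open on the BMC.
    FOR  ${item}  IN  @{session_list}
      Run Keyword And Ignore Error  Redfish.Delete  ${item}
    END

    # The test's initial session is never appended to ${session_list}; close
    # it as well so the test does not leave a live session behind.
    Run Keyword And Ignore Error  Redfish.Logout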
195