xref: /openbmc/openbmc-test-automation/security/test_bmc_expire_password.robot (revision 409df05d4b10b9a8c81e282da8fef0199db5bdea)
1*** Settings ***
2Documentation     Test root user expire password.
3
4Resource          ../lib/resource.robot
5Resource          ../gui/lib/gui_resource.robot
6Resource          ../lib/ipmi_client.robot
7Resource          ../lib/bmc_redfish_utils.robot
8Library           ../lib/bmc_ssh_utils.py
9Library           SSHLibrary
10
11Test Setup       Set Account Lockout Threshold
12
13Force Tags       BMC_Expire_Password
14
15*** Variables ***
16
17# If user re-tries more than 5 time incorrectly, the user gets locked for 5 minutes.
18${default_lockout_duration}   ${300}
19${admin_user}                 admin_user
20${default_adminuser_passwd}   AdminUser1
21${admin_password}             AdminUser2
22
23
24*** Test Cases ***
25
26Expire Root Password And Check IPMI Access Fails
27    [Documentation]   Expire root user password and expect an error while access via IPMI.
28    [Tags]  Expire_Root_Password_And_Check_IPMI_Access_Fails
29    [Teardown]  Test Teardown Execution
30
31    Expire Password  ${OPENBMC_USERNAME}
32
33    ${status}=  Run Keyword And Return Status   Run External IPMI Standard Command  lan print -v
34    Should Be Equal  ${status}  ${False}
35
36
37Expire Root Password And Check SSH Access Fails
38    [Documentation]   Expire root user password and expect an error while access via SSH.
39    [Tags]  Expire_Root_Password_And_Check_SSH_Access_Fails
40    [Teardown]  Test Teardown Execution
41
42    Expire Password  ${OPENBMC_USERNAME}
43
44    ${status}=  Run Keyword And Return Status
45    ...  Open Connection And Log In  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
46    Should Be Equal  ${status}  ${False}
47
48
49Expire And Change Root User Password And Access Via SSH
50    [Documentation]   Expire and change root user password and access via SSH.
51    [Tags]  Expire_And_Change_Root_User_Password_And_Access_Via_SSH
52    [Teardown]  Run Keywords  Wait Until Keyword Succeeds  1 min  10 sec
53    ...  Restore Default Password For Root User  AND  FFDC On Test Case Fail
54
55    Expire Password  ${OPENBMC_USERNAME}
56
57    Redfish.Login
58    # Change to a valid password.
59    ${resp}=  Redfish.Patch  /redfish/v1/AccountService/Accounts/${OPENBMC_USERNAME}
60    ...  body={'Password': '0penBmc123'}  valid_status_codes=[${HTTP_OK}]
61
62    # Verify login with the new password through SSH.
63    Open Connection And Log In  ${OPENBMC_USERNAME}  0penBmc123
64
65
66Expire Root Password And Update Bad Password Length Via Redfish
67   [Documentation]  Expire root password and update bad password via Redfish and expect an error.
68   [Tags]  Expire_Root_Password_And_Update_Bad_Password_Length_Via_Redfish
69   [Teardown]  Run Keywords  Wait Until Keyword Succeeds  1 min  10 sec
70   ...  Restore Default Password For Root User  AND  FFDC On Test Case Fail
71
72   Expire Password  ${OPENBMC_USERNAME}
73
74   Redfish.Login
75   ${status}=  Run Keyword And Return Status
76   ...  Redfish.Patch  /redfish/v1/AccountService/Accounts/${OPENBMC_USERNAME}
77   ...  body={'Password': '0penBmc0penBmc0penBmc'}
78   Should Be Equal  ${status}  ${False}
79
80
81Expire And Change Root User Password Via Redfish And Verify
82   [Documentation]   Expire and change root user password via Redfish and verify.
83   [Tags]  Expire_And_Change_Root_User_Password_Via_Redfish_And_Verify
84   [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
85   ...  Wait Until Keyword Succeeds  1 min  10 sec
86   ...  Restore Default Password For Root User
87
88   Expire Password  ${OPENBMC_USERNAME}
89
90   Verify User Password Expired Using Redfish  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
91   # Change to a valid password.
92   Redfish.Patch  /redfish/v1/AccountService/Accounts/${OPENBMC_USERNAME}
93   ...  body={'Password': '0penBmc123'}
94   Redfish.Logout
95
96   # Verify login with the new password.
97   Redfish.Login  ${OPENBMC_USERNAME}  0penBmc123
98
99
100Verify Error While Creating User With Expired Password
101    [Documentation]  Expire root password and expect an error while creating new user.
102    [Tags]  Verify_Error_While_Creating_User_With_Expired_Password
103    [Teardown]  Run Keywords  Wait Until Keyword Succeeds  1 min  10 sec
104    ...  Restore Default Password For Root User  AND  FFDC On Test Case Fail
105
106    Expire Password  ${OPENBMC_USERNAME}
107
108    Verify User Password Expired Using Redfish  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
109    Redfish.Login
110    ${payload}=  Create Dictionary
111    ...  UserName=admin_user  Password=TestPwd123  RoleId=Administrator  Enabled=${True}
112    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
113    ...  valid_status_codes=[${HTTP_FORBIDDEN}]
114
115
116Expire And Change Root Password Via GUI
117    [Documentation]  Expire and change root password via GUI.
118    [Tags]  Expire_And_Change_Root_Password_Via_GUI
119    [Setup]  Launch Browser And Login GUI
120    [Teardown]  Run Keywords  Logout GUI  AND  Close Browser
121    ...  AND  Restore Default Password For Root User  AND  FFDC On Test Case Fail
122
123    Expire Password  ${OPENBMC_USERNAME}
124
125    Wait Until Page Contains Element  ${xpath_root_button_menu}
126    Click Element  ${xpath_root_button_menu}
127    Click Element  ${xpath_profile_settings}
128    Wait Until Page Contains  Change password
129
130    # Change valid password.
131    Input Text  ${xpath_input_password}  0penBmc123
132    Input Text  ${xpath_input_confirm_password}  0penBmc123
133    Click Button  ${xpath_profile_save_button}
134    Wait Until Page Contains  Successfully saved account settings.
135    Wait Until Page Does Not Contain  Successfully saved account settings.  timeout=20
136    Logout GUI
137
138    # Verify valid password.
139    Login GUI  ${OPENBMC_USERNAME}  0penBmc123
140    Redfish.Login  ${OPENBMC_USERNAME}  0penBmc123
141
142
143Verify Maximum Failed Attempts And Check Root User Account Locked
144    [Documentation]  Verify maximum failed attempts and locks out root user account.
145    [Tags]  Verify_Maximum_Failed_Attempts_And_Check_Root_User_Account_Locked
146    [Setup]   Set Account Lockout Threshold  account_lockout_threshold=${5}
147
148    # Make maximum failed login attempts.
149    Repeat Keyword  ${5} times
150    ...  Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  root  0penBmc123
151
152    # Verify that legitimate login fails due to lockout.
153    Run Keyword And Expect Error  InvalidCredentialsError*
154    ...  Redfish.Login  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
155
156    # Wait for lockout duration to expire and then verify that login works.
157    Sleep  ${default_lockout_duration}s
158    Redfish.Login
159    Redfish.Logout
160
161Verify New Password Persistency After BMC Reboot
162    [Documentation]  Verify new password persistency after BMC reboot.
163    [Tags]  Verify_New_Password_Persistency_After_BMC_Reboot
164    [Teardown]  Test Teardown Execution
165
166    Redfish.Login
167
168    # Make sure the user account in question does not already exist.
169    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
170    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
171
172    # Create specified user.
173    ${payload}=  Create Dictionary
174    ...  UserName=admin_user  Password=TestPwd123  RoleId=Administrator  Enabled=${True}
175    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
176    ...  valid_status_codes=[${HTTP_CREATED}]
177    Redfish.Logout
178
179    Redfish.Login  admin_user  TestPwd123
180
181    # Change to a valid password.
182    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user
183    ...  body={'Password': '0penBmc123'}
184
185    # Reboot BMC and verify persistency.
186    Redfish OBMC Reboot (off)
187
188    # verify new password
189    Redfish.Login  admin_user  0penBmc123
190
191
192Verify Expire And Change Admin User Password Via GUI
193    [Documentation]  Force expire admin password and update admin password via GUI.
194    [Tags]  Verify_Expire_And_Change_Admin_User_Password_Via_GUI
195    [Setup]  Run Keywords  Launch Browser And Login GUI  AND
196    ...  Redfish Create User  ${admin_user}  ${default_adminuser_passwd}  Administrator  ${True}
197    [Teardown]  Run Keywords  Logout GUI  AND  Close Browser
198
199    Expire Password  ${admin_user}
200
201    Logout GUI
202
203    # Verify that admin user should not be able to login with expired password.
204    Login GUI  ${admin_user}  ${default_adminuser_passwd}
205
206    # Verify error message to update the password.
207    Wait Until Page Contains  The password is expired and must be changed.  timeout=10
208
209    # Update a valid acceptable password.
210    Input Text  ${xpath_input_password}  ${admin_password}
211    Input Text  ${xpath_input_confirm_password}  ${admin_password}
212    Click Button  ${xpath_confirm_password_button}
213    Wait Until Page Contains  Overview  timeout=20
214
215    # Verify valid password.
216    Redfish.Login  ${admin_user}  ${admin_password}
217
218
219Expire Admin Password And Check IPMI Access Fails
220    [Documentation]   Expire admin user password and expect an error while access via IPMI.
221    [Tags]  Expire_Admin_Password_And_Check_IPMI_Access_Fails
222    [Setup]  Redfish Create User  ${admin_user}  ${default_adminuser_passwd}  Administrator  ${True}
223
224    Expire Password  ${admin_user}
225
226    ${status}=  Run Keyword And Return Status   Run External IPMI Standard Command  lan print -v
227    Should Be Equal  ${status}  ${False}
228
229
230Verify Expire Admin Password And Update Bad Password Length Via Redfish
231   [Documentation]  Expire admin password and update bad password with more than 20 characters
232   ...  via Redfish and expect an error.
233   [Tags]  Verify_Expire_Admin_Password_And_Update_Bad_Password_Length_Via_Redfish
234   [Setup]  Redfish Create User  ${admin_user}  ${default_adminuser_passwd}  Administrator  ${True}
235
236   Expire Password  ${admin_user}
237
238   Redfish.Login
239
240   Set Password Via Redfish  0penBmc0penBmc0penBmc  ${False}
241
242
243Verify Error While Creating User With Expired Admin Password
244    [Documentation]  Expire admin password and expect an error while creating new user.
245    [Tags]  Verify_Error_While_Creating_User_With_Expired_Admin_Password
246    [Teardown]  Restore Default Password For Admin User
247
248    Expire Password  ${admin_user}
249
250    Verify User Password Expired Using Redfish  ${admin_user}  ${default_adminuser_passwd}
251
252    # Create new user with expired admin password and expect an error.
253    ${payload}=  Create Dictionary
254    ...  UserName=admin_user1  Password=TestPwd123  RoleId=Administrator  Enabled=${True}
255    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
256    ...  valid_status_codes=[${HTTP_FORBIDDEN}]
257
258
259Verify New Admin Password Persistency After BMC Reboot
260    [Documentation]  Verify new admin password persistency after BMC reboot.
261    [Tags]  Verify_New_Admin_Password_Persistency_After_BMC_Reboot
262    [Setup]  Redfish Create User  ${admin_user}  ${default_adminuser_passwd}  Administrator  ${True}
263    [Teardown]  Restore Default Password For Admin User
264
265    Expire Password  ${admin_user}
266
267    Set Password Via Redfish  ${admin_password}  ${True}
268
269    # Reboot BMC.
270    Redfish OBMC Reboot (off)  stack_mode=skip
271
272    # Verify password is persisted after bmc reboot.
273    Redfish.Login  ${admin_user}  ${admin_password}
274
275
276Expire And Change Admin User Password Via Redfish And Verify
277   [Documentation]   Expire and change admin user password via Redfish and verify.
278   [Tags]  Expire_And_Change_Admin_User_Password_Via_Redfish_And_Verify
279   [Setup]  Redfish Create User  ${admin_user}  ${default_adminuser_passwd}  Administrator  ${True}
280   [Teardown]  Restore Default Password For Admin User
281
282   Expire Password  ${admin_user}
283
284   Verify User Password Expired Using Redfish  ${admin_user}  ${default_adminuser_passwd}
285
286   # Change to a valid password.
287   Set Password Via Redfish  AdminUser2  ${True}
288   Redfish.Logout
289
290   # Verify login with the new password.
291   Redfish.Login  ${admin_user}  AdminUser2
292
293
294*** Keywords ***
295
296Set Account Lockout Threshold
297   [Documentation]  Set user account lockout threshold.
298   [Arguments]  ${account_lockout_threshold}=${0}  ${account_lockout_duration}=${50}
299
300   # Description of argument(s):
301   # account_lockout_threshold    Set lockout threshold value.
302   # account_lockout_duration     Set lockout duration value.
303
304   Redfish.login
305   ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
306   ...  AccountLockoutDuration=${account_lockout_duration}
307   Redfish.Patch  /redfish/v1/AccountService/  body=&{payload}
308   gen_robot_valid.Valid Length  OPENBMC_PASSWORD  min_length=8
309   Redfish.Logout
310
311Restore Default Password For Root User
312    [Documentation]  Restore default password for root user (i.e. 0penBmc).
313
314    # Set default password for root user.
315    Redfish.Patch  /redfish/v1/AccountService/Accounts/${OPENBMC_USERNAME}
316    ...   body={'Password': '${OPENBMC_PASSWORD}'}  valid_status_codes=[${HTTP_OK}]
317    # Verify that root user is able to run Redfish command using default password.
318    Redfish.Logout
319
320
321Test Teardown Execution
322    [Documentation]  Do test teardown task.
323
324    Redfish.Login
325    Wait Until Keyword Succeeds  1 min  10 sec  Restore Default Password For Root User
326    Redfish.Logout
327    Set Account Lockout Threshold  account_lockout_threshold=${5}
328    FFDC On Test Case Fail
329
330
331Expire Password
332    [Documentation]  Force expire password.
333    [Arguments]  ${username}
334
335    # Description of argument(s):
336    # username                       User to be created and expire.
337
338    # Expire the password.
339    Open Connection And Log In  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
340
341    ${output}  ${stderr}  ${rc}=  BMC Execute Command  passwd --expire ${username}
342    Should Contain Any  ${output}  password expiry information changed  password changed
343
344    # Example output:
345    # passwd --expire admin
346    # passwd: password changed.
347
348    Close All Connections
349
350
351Restore Default Password For Admin User
352    [Documentation]  Restore default password for admin user (i.e. AdminUser1).
353
354    # Set default password for admin user.
355    Redfish.Patch  /redfish/v1/AccountService/Accounts/${admin_user}
356    ...   body={'Password': '${default_adminuser_passwd}'}  valid_status_codes=[${HTTP_OK}]
357    # Verify that admin user is able to run Redfish command using default password.
358    Redfish.Logout
359
360
361Set Password Via Redfish
362    [Documentation]  Set new password via redfish.
363    [Arguments]  ${new_password}  ${expect_result}
364
365    # Description of argument(s):
366    # new_password        New password set.
367    # expect_result       Expected result (eg:true or false).
368
369    ${status}= Run Keyword And Return Status
370    ... Redfish.Patch /redfish/v1/AccountService/Accounts/${admin_user}
371    ... body={'Password': '${new_password}'}
372
373    Should be Equal  ${status}  ${expect_result}
374