xref: /openbmc/openbmc-test-automation/security/test_bmc_expire_password.robot (revision 56bba844)

*** Settings ***
Documentation     Test root user expire password.

Resource          ../lib/resource.robot
Resource          ../gui/lib/gui_resource.robot
Resource          ../lib/ipmi_client.robot
Resource          ../lib/bmc_redfish_utils.robot
Library           ../lib/bmc_ssh_utils.py
Library           SSHLibrary

Test Setup       Set Account Lockout Threshold

Force Tags       BMC_Expire_Password

*** Variables ***

# If user re-tries more than 5 time incorrectly, the user gets locked for 5 minutes.
${default_lockout_duration}   ${300}
${admin_user}                 admin_user
${default_adminuser_passwd}   AdminUser1
${admin_password}             AdminUser2


*** Test Cases ***

Expire Root Password And Check IPMI Access Fails
    [Documentation]   Expire root user password and expect an error while access via IPMI.
    [Tags]  Expire_Root_Password_And_Check_IPMI_Access_Fails
    [Teardown]  Test Teardown Execution

    Expire Password  ${OPENBMC_USERNAME}

    ${status}=  Run Keyword And Return Status   Run External IPMI Standard Command  lan print -v
    Should Be Equal  ${status}  ${False}


Expire Root Password And Check SSH Access Fails
    [Documentation]   Expire root user password and expect an error while access via SSH.
    [Tags]  Expire_Root_Password_And_Check_SSH_Access_Fails
    [Teardown]  Test Teardown Execution

    Expire Password  ${OPENBMC_USERNAME}

    ${status}=  Run Keyword And Return Status
    ...  Open Connection And Log In  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
    Should Be Equal  ${status}  ${False}


Expire And Change Root User Password And Access Via SSH
    [Documentation]   Expire and change root user password and access via SSH.
    [Tags]  Expire_And_Change_Root_User_Password_And_Access_Via_SSH
    [Teardown]  Run Keywords  Wait Until Keyword Succeeds  1 min  10 sec
    ...  Restore Default Password For Root User  AND  FFDC On Test Case Fail

    Expire Password  ${OPENBMC_USERNAME}

    Redfish.Login
    # Change to a valid password.
    ${resp}=  Redfish.Patch  /redfish/v1/AccountService/Accounts/${OPENBMC_USERNAME}
    ...  body={'Password': '0penBmc123'}  valid_status_codes=[${HTTP_OK}]

    # Verify login with the new password through SSH.
    Open Connection And Log In  ${OPENBMC_USERNAME}  0penBmc123


Expire Root Password And Update Bad Password Length Via Redfish
   [Documentation]  Expire root password and update bad password via Redfish and expect an error.
   [Tags]  Expire_Root_Password_And_Update_Bad_Password_Length_Via_Redfish
   [Teardown]  Run Keywords  Wait Until Keyword Succeeds  1 min  10 sec
   ...  Restore Default Password For Root User  AND  FFDC On Test Case Fail

   Expire Password  ${OPENBMC_USERNAME}

   Redfish.Login
   ${status}=  Run Keyword And Return Status
   ...  Redfish.Patch  /redfish/v1/AccountService/Accounts/${OPENBMC_USERNAME}
   ...  body={'Password': '0penBmc0penBmc0penBmc'}
   Should Be Equal  ${status}  ${False}


Expire And Change Root User Password Via Redfish And Verify
   [Documentation]   Expire and change root user password via Redfish and verify.
   [Tags]  Expire_And_Change_Root_User_Password_Via_Redfish_And_Verify
   [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
   ...  Wait Until Keyword Succeeds  1 min  10 sec
   ...  Restore Default Password For Root User

   Expire Password  ${OPENBMC_USERNAME}

   Verify User Password Expired Using Redfish  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
   # Change to a valid password.
   Redfish.Patch  /redfish/v1/AccountService/Accounts/${OPENBMC_USERNAME}
   ...  body={'Password': '0penBmc123'}
   Redfish.Logout

   # Verify login with the new password.
   Redfish.Login  ${OPENBMC_USERNAME}  0penBmc123


Verify Error While Creating User With Expired Password
    [Documentation]  Expire root password and expect an error while creating new user.
    [Tags]  Verify_Error_While_Creating_User_With_Expired_Password
    [Teardown]  Run Keywords  Wait Until Keyword Succeeds  1 min  10 sec
    ...  Restore Default Password For Root User  AND  FFDC On Test Case Fail

    Expire Password  ${OPENBMC_USERNAME}

    Verify User Password Expired Using Redfish  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
    Redfish.Login
    ${payload}=  Create Dictionary
    ...  UserName=admin_user  Password=TestPwd123  RoleId=Administrator  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_FORBIDDEN}]


Expire And Change Root Password Via GUI
    [Documentation]  Expire and change root password via GUI.
    [Tags]  Expire_And_Change_Root_Password_Via_GUI
    [Setup]  Launch Browser And Login GUI
    [Teardown]  Run Keywords  Logout GUI  AND  Close Browser
    ...  AND  Restore Default Password For Root User  AND  FFDC On Test Case Fail

    Expire Password  ${OPENBMC_USERNAME}

    Wait Until Page Contains Element  ${xpath_root_button_menu}
    Click Element  ${xpath_root_button_menu}
    Click Element  ${xpath_profile_settings}
    Wait Until Page Contains  Change password

    # Change valid password.
    Input Text  ${xpath_input_password}  0penBmc123
    Input Text  ${xpath_input_confirm_password}  0penBmc123
    Click Button  ${xpath_profile_save_button}
    Wait Until Page Contains  Successfully saved account settings.
    Wait Until Page Does Not Contain  Successfully saved account settings.  timeout=20
    Logout GUI

    # Verify valid password.
    Login GUI  ${OPENBMC_USERNAME}  0penBmc123
    Redfish.Login  ${OPENBMC_USERNAME}  0penBmc123


Verify Maximum Failed Attempts And Check Root User Account Locked
    [Documentation]  Verify maximum failed attempts and locks out root user account.
    [Tags]  Verify_Maximum_Failed_Attempts_And_Check_Root_User_Account_Locked
    [Setup]   Set Account Lockout Threshold  account_lockout_threshold=${5}

    # Make maximum failed login attempts.
    Repeat Keyword  ${5} times
    ...  Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  root  0penBmc123

    # Verify that legitimate login fails due to lockout.
    Run Keyword And Expect Error  InvalidCredentialsError*
    ...  Redfish.Login  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}

    # Wait for lockout duration to expire and then verify that login works.
    Sleep  ${default_lockout_duration}s
    Redfish.Login
    Redfish.Logout

Verify New Password Persistency After BMC Reboot
    [Documentation]  Verify new password persistency after BMC reboot.
    [Tags]  Verify_New_Password_Persistency_After_BMC_Reboot
    [Teardown]  Test Teardown Execution

    Redfish.Login

    # Make sure the user account in question does not already exist.
    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]

    # Create specified user.
    ${payload}=  Create Dictionary
    ...  UserName=admin_user  Password=TestPwd123  RoleId=Administrator  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_CREATED}]
    Redfish.Logout

    Redfish.Login  admin_user  TestPwd123

    # Change to a valid password.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user
    ...  body={'Password': '0penBmc123'}

    # Reboot BMC and verify persistency.
    Redfish OBMC Reboot (off)

    # verify new password
    Redfish.Login  admin_user  0penBmc123


Verify Expire And Change Admin User Password Via GUI
    [Documentation]  Force expire admin password and update admin password via GUI.
    [Tags]  Verify_Expire_And_Change_Admin_User_Password_Via_GUI
    [Setup]  Run Keywords  Launch Browser And Login GUI  AND
    ...  Redfish Create User  ${admin_user}  ${default_adminuser_passwd}  Administrator  ${True}
    [Teardown]  Run Keywords  Logout GUI  AND  Close Browser

    Expire Password  ${admin_user}

    Logout GUI

    # Verify that admin user should not be able to login with expired password.
    Login GUI  ${admin_user}  ${default_adminuser_passwd}

    # Verify error message to update the password.
    Wait Until Page Contains  The password is expired and must be changed.  timeout=10

    # Update a valid acceptable password.
    Input Text  ${xpath_input_password}  ${admin_password}
    Input Text  ${xpath_input_confirm_password}  ${admin_password}
    Click Button  ${xpath_confirm_password_button}
    Wait Until Page Contains  Overview  timeout=20

    # Verify valid password.
    Redfish.Login  ${admin_user}  ${admin_password}


Expire Admin Password And Check IPMI Access Fails
    [Documentation]   Expire admin user password and expect an error while access via IPMI.
    [Tags]  Expire_Admin_Password_And_Check_IPMI_Access_Fails
    [Setup]  Redfish Create User  ${admin_user}  ${default_adminuser_passwd}  Administrator  ${True}

    Expire Password  ${admin_user}

    ${status}=  Run Keyword And Return Status   Run External IPMI Standard Command  lan print -v
    Should Be Equal  ${status}  ${False}


Verify Expire Admin Password And Update Bad Password Length Via Redfish
   [Documentation]  Expire admin password and update bad password with more than 20 characters
   ...  via Redfish and expect an error.
   [Tags]  Verify_Expire_Admin_Password_And_Update_Bad_Password_Length_Via_Redfish
   [Setup]  Redfish Create User  ${admin_user}  ${default_adminuser_passwd}  Administrator  ${True}

   Expire Password  ${admin_user}

   Redfish.Login

   Set Password Via Redfish  0penBmc0penBmc0penBmc  ${False}


Verify Error While Creating User With Expired Admin Password
    [Documentation]  Expire admin password and expect an error while creating new user.
    [Tags]  Verify_Error_While_Creating_User_With_Expired_Admin_Password
    [Teardown]  Restore Default Password For Admin User

    Expire Password  ${admin_user}

    Verify User Password Expired Using Redfish  ${admin_user}  ${default_adminuser_passwd}

    # Create new user with expired admin password and expect an error.
    ${payload}=  Create Dictionary
    ...  UserName=admin_user1  Password=TestPwd123  RoleId=Administrator  Enabled=${True}
    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
    ...  valid_status_codes=[${HTTP_FORBIDDEN}]


Verify New Admin Password Persistency After BMC Reboot
    [Documentation]  Verify new admin password persistency after BMC reboot.
    [Tags]  Verify_New_Admin_Password_Persistency_After_BMC_Reboot
    [Setup]  Redfish Create User  ${admin_user}  ${default_adminuser_passwd}  Administrator  ${True}
    [Teardown]  Restore Default Password For Admin User

    Expire Password  ${admin_user}

    Set Password Via Redfish  ${admin_password}  ${True}

    # Reboot BMC.
    Redfish OBMC Reboot (off)  stack_mode=skip

    # Verify password is persisted after bmc reboot.
    Redfish.Login  ${admin_user}  ${admin_password}


Expire And Change Admin User Password Via Redfish And Verify
   [Documentation]   Expire and change admin user password via Redfish and verify.
   [Tags]  Expire_And_Change_Admin_User_Password_Via_Redfish_And_Verify
   [Setup]  Redfish Create User  ${admin_user}  ${default_adminuser_passwd}  Administrator  ${True}
   [Teardown]  Restore Default Password For Admin User

   Expire Password  ${admin_user}

   Verify User Password Expired Using Redfish  ${admin_user}  ${default_adminuser_passwd}

   # Change to a valid password.
   Set Password Via Redfish  AdminUser2  ${True}
   Redfish.Logout

   # Verify login with the new password.
   Redfish.Login  ${admin_user}  AdminUser2


*** Keywords ***

Set Account Lockout Threshold
   [Documentation]  Set user account lockout threshold.
   [Arguments]  ${account_lockout_threshold}=${0}  ${account_lockout_duration}=${50}

   # Description of argument(s):
   # account_lockout_threshold    Set lockout threshold value.
   # account_lockout_duration     Set lockout duration value.

   Redfish.login
   ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
   ...  AccountLockoutDuration=${account_lockout_duration}
   Redfish.Patch  /redfish/v1/AccountService/  body=&{payload}
   gen_robot_valid.Valid Length  OPENBMC_PASSWORD  min_length=8
   Redfish.Logout

Restore Default Password For Root User
    [Documentation]  Restore default password for root user (i.e. 0penBmc).

    # Set default password for root user.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/${OPENBMC_USERNAME}
    ...   body={'Password': '${OPENBMC_PASSWORD}'}  valid_status_codes=[${HTTP_OK}]
    # Verify that root user is able to run Redfish command using default password.
    Redfish.Logout


Test Teardown Execution
    [Documentation]  Do test teardown task.

    Redfish.Login
    Wait Until Keyword Succeeds  1 min  10 sec  Restore Default Password For Root User
    Redfish.Logout
    Set Account Lockout Threshold  account_lockout_threshold=${5}
    FFDC On Test Case Fail


Expire Password
    [Documentation]  Force expire password.
    [Arguments]  ${username}

    # Description of argument(s):
    # username                       User to be created and expire.

    # Expire the password.
    Open Connection And Log In  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}

    ${output}  ${stderr}  ${rc}=  BMC Execute Command  passwd --expire ${username}
    Should Contain Any  ${output}  password expiry information changed  password changed

    # Example output:
    # passwd --expire admin
    # passwd: password changed.

    Close All Connections


Restore Default Password For Admin User
    [Documentation]  Restore default password for admin user (i.e. AdminUser1).

    # Set default password for admin user.
    Redfish.Patch  /redfish/v1/AccountService/Accounts/${admin_user}
    ...   body={'Password': '${default_adminuser_passwd}'}  valid_status_codes=[${HTTP_OK}]
    # Verify that admin user is able to run Redfish command using default password.
    Redfish.Logout


Set Password Via Redfish
    [Documentation]  Set new  password via redfish.
    [Arguments]  ${new_password} ${expect_result}

    # Description of argument(s):
    # new_password        New password set.
    # expect_result       Expected result (eg:true or false).

    ${status}= Run Keyword And Return Status
    ... Redfish.Patch /redfish/v1/AccountService/Accounts/${admin_user}
    ... body={'Password': '${new_password}'}

    Should be Equal  ${status}  ${expect_result}