xref: /openbmc/openbmc-test-automation/security/test_bmc_expire_password.robot (revision ff3879e015e38f8161b5ad019f2eee569ba992f0)
1*** Settings ***
2Documentation     Test root user expire password.
3
4Resource          ../lib/resource.robot
5Resource          ../gui/lib/gui_resource.robot
6Resource          ../lib/ipmi_client.robot
7Resource          ../lib/bmc_redfish_utils.robot
8Library           ../lib/bmc_ssh_utils.py
9Library           SSHLibrary
10
11Test Setup       Set Account Lockout Threshold
12
13*** Variables ***
14
15# If user re-tries more than 5 time incorrectly, the user gets locked for 5 minutes.
16${default_lockout_duration}   ${300}
17
18
19*** Test Cases ***
20
21Expire Root Password And Check IPMI Access Fails
22    [Documentation]   Expire root user password and expect an error while access via IPMI.
23    [Tags]  Expire_Root_Password_And_Check_IPMI_Access_Fails
24    [Teardown]  Test Teardown Execution
25
26    Open Connection And Log In  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
27
28    ${output}  ${stderr}  ${rc}=  BMC Execute Command  passwd --expire ${OPENBMC_USERNAME}
29    Should Contain  ${output}  password expiry information changed
30
31    ${status}=  Run Keyword And Return Status   Run External IPMI Standard Command  lan print -v
32    Should Be Equal  ${status}  ${False}
33
34
35Expire Root Password And Check SSH Access Fails
36    [Documentation]   Expire root user password and expect an error while access via SSH.
37    [Tags]  Expire_Root_Password_And_Check_SSH_Access_Fails
38    [Teardown]  Test Teardown Execution
39
40    Open Connection And Log In  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
41    ${output}  ${stderr}  ${rc}=  BMC Execute Command  passwd --expire ${OPENBMC_USERNAME}
42    Should Contain  ${output}  password expiry information changed
43
44    ${status}=  Run Keyword And Return Status
45    ...  Open Connection And Log In  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
46    Should Be Equal  ${status}  ${False}
47
48
49Expire And Change Root User Password And Access Via SSH
50    [Documentation]   Expire and change root user password and access via SSH.
51    [Tags]  Expire_Root_User_Password_And_Access_Via_SSH
52    [Teardown]  Run Keywords  Wait Until Keyword Succeeds  1 min  10 sec
53    ...  Restore Default Password For Root User  AND  FFDC On Test Case Fail
54
55    Open Connection And Log In  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
56
57    ${output}  ${stderr}  ${rc}=  BMC Execute Command  passwd --expire ${OPENBMC_USERNAME}
58    Should Contain  ${output}  password expiry information changed
59
60    Redfish.Login
61    # Change to a valid password.
62    ${resp}=  Redfish.Patch  /redfish/v1/AccountService/Accounts/${OPENBMC_USERNAME}
63    ...  body={'Password': '0penBmc123'}  valid_status_codes=[${HTTP_OK}]
64
65    # Verify login with the new password through SSH.
66    Open Connection And Log In  ${OPENBMC_USERNAME}  0penBmc123
67
68
69Expire Root Password And Update Bad Password Length Via Redfish
70   [Documentation]  Expire root password and update bad password via Redfish and expect an error.
71   [Tags]  Expire_Root_Password_And_Update_Bad_Password_Length_Via_Redfish
72   [Teardown]  Run Keywords  Wait Until Keyword Succeeds  1 min  10 sec
73   ...  Restore Default Password For Root User  AND  FFDC On Test Case Fail
74
75   Open Connection And Log In  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
76   ${output}  ${stderr}  ${rc}=  BMC Execute Command  passwd --expire ${OPENBMC_USERNAME}
77   Should Contain  ${output}  password expiry information changed
78
79   Redfish.Login
80   ${status}=  Run Keyword And Return Status
81   ...  Redfish.Patch  /redfish/v1/AccountService/Accounts/${OPENBMC_USERNAME}
82   ...  body={'Password': '0penBmc0penBmc0penBmc'}
83   Should Be Equal  ${status}  ${False}
84
85
86Expire And Change Root User Password Via Redfish And Verify
87   [Documentation]   Expire and change root user password via Redfish and verify.
88   [Tags]  Expire_And_Change_Root_User_Password_Via_Redfish_And_Verify
89   [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
90   ...  Wait Until Keyword Succeeds  1 min  10 sec
91   ...  Restore Default Password For Root User
92
93   Open Connection And Log In  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
94
95   ${output}  ${stderr}  ${rc}=  BMC Execute Command  passwd --expire ${OPENBMC_USERNAME}
96   Should Contain  ${output}  password expiry information changed
97
98   Verify User Password Expired Using Redfish  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
99   # Change to a valid password.
100   Redfish.Patch  /redfish/v1/AccountService/Accounts/${OPENBMC_USERNAME}
101   ...  body={'Password': '0penBmc123'}
102   Redfish.Logout
103
104   # Verify login with the new password.
105   Redfish.Login  ${OPENBMC_USERNAME}  0penBmc123
106
107
108Verify Error While Creating User With Expired Password
109    [Documentation]  Expire root password and expect an error while creating new user.
110    [Tags]  Verify_Error_While_Creating_User_With_Expired_Password
111    [Teardown]  Run Keywords  Wait Until Keyword Succeeds  1 min  10 sec
112    ...  Restore Default Password For Root User  AND  FFDC On Test Case Fail
113
114    Open Connection And Log In  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
115    ${output}  ${stderr}  ${rc}=  BMC Execute Command  passwd --expire ${OPENBMC_USERNAME}
116    Should Contain  ${output}  password expiry information changed
117
118    Verify User Password Expired Using Redfish  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
119    Redfish.Login
120    ${payload}=  Create Dictionary
121    ...  UserName=admin_user  Password=TestPwd123  RoleId=Administrator  Enabled=${True}
122    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
123    ...  valid_status_codes=[${HTTP_FORBIDDEN}]
124
125
126Expire And Change Root Password Via GUI
127    [Documentation]  Expire and change root password via GUI.
128    [Tags]  Expire_And_Change_Root_Password_Via_GUI
129    [Setup]  Launch Browser And Login GUI
130    [Teardown]  Run Keywords  Logout GUI  AND  Close Browser
131    ...  AND  Restore Default Password For Root User  AND  FFDC On Test Case Fail
132
133    Open Connection And Log In  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
134    ${output}  ${stderr}  ${rc}=  BMC Execute Command  passwd --expire ${OPENBMC_USERNAME}
135    Should Contain  ${output}  password expiry information changed
136
137    Wait Until Page Contains Element  ${xpath_root_button_menu}
138    Click Element  ${xpath_root_button_menu}
139    Click Element  ${xpath_profile_settings}
140    Wait Until Page Contains  Change password
141
142    # Change valid password.
143    Input Text  ${xpath_input_password}  0penBmc123
144    Input Text  ${xpath_input_confirm_password}  0penBmc123
145    Click Button  ${xpath_profile_save_button}
146    Wait Until Page Contains  Successfully saved account settings.
147    Wait Until Page Does Not Contain  Successfully saved account settings.  timeout=20
148    Logout GUI
149
150    # Verify valid password.
151    Login GUI  ${OPENBMC_USERNAME}  0penBmc123
152    Redfish.Login  ${OPENBMC_USERNAME}  0penBmc123
153
154
155Verify Maximum Failed Attempts And Check Root User Account Locked
156    [Documentation]  Verify maximum failed attempts and locks out root user account.
157    [Tags]  Verify_Maximum_Failed_Attempts_And_Check_Root_User_Account_Locked
158    [Setup]   Set Account Lockout Threshold  account_lockout_threshold=${5}
159
160    # Make maximum failed login attempts.
161    Repeat Keyword  ${5} times
162    ...  Run Keyword And Expect Error  InvalidCredentialsError*  Redfish.Login  root  0penBmc123
163
164    # Verify that legitimate login fails due to lockout.
165    Run Keyword And Expect Error  InvalidCredentialsError*
166    ...  Redfish.Login  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}
167
168    # Wait for lockout duration to expire and then verify that login works.
169    Sleep  ${default_lockout_duration}s
170    Redfish.Login
171    Redfish.Logout
172
173Verify New Password Persistency After BMC Reboot
174    [Documentation]  Verify new password persistency after BMC reboot.
175    [Tags]  Verify_New_Password_Persistency_After_BMC_Reboot
176    [Teardown]  Test Teardown Execution
177
178    Redfish.Login
179
180    # Make sure the user account in question does not already exist.
181    Redfish.Delete  /redfish/v1/AccountService/Accounts/admin_user
182    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}]
183
184    # Create specified user.
185    ${payload}=  Create Dictionary
186    ...  UserName=admin_user  Password=TestPwd123  RoleId=Administrator  Enabled=${True}
187    Redfish.Post  /redfish/v1/AccountService/Accounts/  body=&{payload}
188    ...  valid_status_codes=[${HTTP_CREATED}]
189    Redfish.Logout
190
191    Redfish.Login  admin_user  TestPwd123
192
193    # Change to a valid password.
194    Redfish.Patch  /redfish/v1/AccountService/Accounts/admin_user
195    ...  body={'Password': '0penBmc123'}
196
197    # Reboot BMC and verify persistency.
198    Redfish OBMC Reboot (off)
199
200    # verify new password
201    Redfish.Login  admin_user  0penBmc123
202
203
204*** Keywords ***
205
206Set Account Lockout Threshold
207   [Documentation]  Set user account lockout threshold.
208   [Arguments]  ${account_lockout_threshold}=${0}  ${account_lockout_duration}=${50}
209
210   # Description of argument(s):
211   # account_lockout_threshold    Set lockout threshold value.
212   # account_lockout_duration     Set lockout duration value.
213
214   Redfish.login
215   ${payload}=  Create Dictionary  AccountLockoutThreshold=${account_lockout_threshold}
216   ...  AccountLockoutDuration=${account_lockout_duration}
217   Redfish.Patch  /redfish/v1/AccountService/  body=&{payload}
218   gen_robot_valid.Valid Length  OPENBMC_PASSWORD  min_length=8
219   Redfish.Logout
220
221Restore Default Password For Root User
222    [Documentation]  Restore default password for root user (i.e. 0penBmc).
223
224    # Set default password for root user.
225    Redfish.Patch  /redfish/v1/AccountService/Accounts/${OPENBMC_USERNAME}
226    ...   body={'Password': '${OPENBMC_PASSWORD}'}  valid_status_codes=[${HTTP_OK}]
227    # Verify that root user is able to run Redfish command using default password.
228    Redfish.Logout
229
230
231Test Teardown Execution
232    [Documentation]  Do test teardown task.
233
234    Redfish.Login
235    Wait Until Keyword Succeeds  1 min  10 sec  Restore Default Password For Root User
236    Redfish.Logout
237    Set Account Lockout Threshold  account_lockout_threshold=${5}
238    FFDC On Test Case Fail
239