redfish/service_root/test_service_root_security.robot - openbmc/openbmc-test-automation - Gitiles

 *** Settings ***
 Documentation    Test Redfish service root login security.

 Resource         ../../lib/resource.robot
 Resource         ../../lib/bmc_redfish_resource.robot
 Resource         ../../lib/openbmc_ffdc.robot

 Test Teardown    FFDC On Test Case Fail
 Test Setup       Printn

 *** Variables ***

 ${LOGIN_SESSION_COUNT}   ${50}

 &{header_requirements}  Strict-Transport-Security=max-age=31536000; includeSubdomains; preload
 ...                     X-Frame-Options=DENY
 ...                     Pragma=no-cache
 ...                     Cache-Control=no-Store,no-Cache
 ...                     Content-Security-Policy=default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:
 ...                     X-XSS-Protection=1; mode=block
 ...                     X-Content-Type-Options=nosniff

 *** Test Cases ***

 Redfish Login With Invalid Credentials
     [Documentation]  Login to BMC web using invalid credential.
     [Tags]  Redfish_Login_With_Invalid_Credentials
     [Template]  Login And Verify Redfish Response

     # Expect status            Username               Password
     InvalidCredentialsError*   ${OPENBMC_USERNAME}    deadpassword
     InvalidCredentialsError*   groot                  ${OPENBMC_PASSWORD}
     InvalidCredentialsError*   ${EMPTY}               ${OPENBMC_PASSWORD}
     InvalidCredentialsError*   ${OPENBMC_USERNAME}    ${EMPTY}
     InvalidCredentialsError*   ${EMPTY}               ${EMPTY}


 Redfish Login Using Unsecured HTTP
     [Documentation]  Login to BMC web through http unsecured.
     [Tags]  Redfish_Login_Using_Unsecured_HTTP

     Create Session  openbmc  http://${OPENBMC_HOST}
     ${data}=  Create Dictionary
     ...  UserName=${OPENBMC_USERNAME}  Password=${OPENBMC_PASSWORD}

     ${headers}=  Create Dictionary  Content-Type=application/json

     Run Keyword And Expect Error  *Connection refused*
     ...  Post Request  openbmc  /redfish/v1/SessionService/Sessions
     ...  data=${data}  headers=${headers}


 Redfish Login Using HTTPS Wrong Port 80 Protocol
     [Documentation]  Login to BMC web through wrong protocol port 80.
     [Tags]  Redfish_Login_Using_HTTPS_Wrong_Port_80_Protocol

     Create Session  openbmc  https://${OPENBMC_HOST}:80
     ${data}=  Create Dictionary
     ...  UserName=${OPENBMC_USERNAME}  Password=${OPENBMC_PASSWORD}

     ${headers}=  Create Dictionary  Content-Type=application/json

     Run Keyword And Expect Error  *Connection refused*
     ...  Post Request  openbmc  /redfish/v1/SessionService/Sessions
     ...  data=${data}  headers=${headers}


 Create Multiple Login Sessions And Verify
     [Documentation]  Create 50 login instances and verify.
     [Tags]  Create_Multiple_Login_Sessions_And_Verify
     [Teardown]  Run Keyword And Ignore Error  Multiple Session Cleanup

     Redfish.Login
     # Example:
     #    {
     #      'key': 'L0XEsZAXpNdF147jJaOD',
     #      'location': '/redfish/v1/SessionService/Sessions/qWn2JOJSOs'
     #    }
     ${saved_session_info}=  Get Redfish Session Info

     # Sessions book keeping for cleanup once done.
     ${session_list}=  Create List
     Set Test Variable  ${session_list}

     Repeat Keyword  ${LOGIN_SESSION_COUNT} times  Create New Login Session

     # Update the redfish session object with the first login key and location
     # and verify if it is still working.
     Redfish.Set Session Key  ${saved_session_info["key"]}
     Redfish.Set Session Location  ${saved_session_info["location"]}
     Redfish.Get  ${saved_session_info["location"]}


 Attempt Login With Expired Session
     [Documentation]  Authenticate to redfish, then log out and attempt to
     ...   use the session.
     [Tags]  Attempt_Login_With_Expired_Session

     Redfish.Login
     ${saved_session_info}=  Get Redfish Session Info
     Redfish.Logout

     # Attempt login with expired session.
     # By default 60 minutes of inactivity closes the session.
     Redfish.Set Session Key  ${saved_session_info["key"]}
     Redfish.Set Session Location  ${saved_session_info["location"]}

     Redfish.Get  ${saved_session_info["location"]}  valid_status_codes=[${HTTP_UNAUTHORIZED}]


 Login And Verify HTTP Response Header
     [Documentation]  Login and verify redfish HTTP response header.
     [Tags]  Login_And_Verify_HTTP_Response_Header

     # Example of HTTP redfish response header.
     # Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
     # X-Frame-Options: DENY
     # Pragma: no-cache
     # Cache-Control: no-Store,no-Cache
     # Content-Security-Policy: default-src 'self'; img-src 'self' data:
     # X-XSS-Protection: 1; mode=block
     # X-Content-Type-Options: nosniff

     Rprint Vars  header_requirements  fmt=1

     Redfish.Login
     ${resp}=  Redfish.Get  /redfish/v1/SessionService/Sessions

     # The getheaders() method returns the headers as a list of tuples:
     # headers:
     #    [Strict-Transport-Security]:        max-age=31536000; includeSubdomains; preload
     #    [X-Frame-Options]:                  DENY
     #    [Pragma]:                           no-cache
     #    [Cache-Control]:                    no-Store,no-Cache
     #    [Content-Security-Policy]:          default-src 'self'; img-src 'self' data:
     #    [X-XSS-Protection]:                 1; mode=block
     #    [X-Content-Type-Options]:           nosniff
     #    [X-UA-Compatible]:                  IE=11
     #    [Content-Type]:                     application/json
     #    [Server]:                           iBMC
     #    [Date]:                             Tue, 16 Apr 2019 17:49:46 GMT
     #    [Content-Length]:                   2177

     ${headers}=  Key Value List To Dict  ${resp.getheaders()}
     Rprint Vars  headers  fmt=1

     Dictionary Should Contain Sub Dictionary   ${headers}  ${header_requirements}


 *** Keywords ***

 Login And Verify Redfish Response
     [Documentation]  Login and verify redfish response.
     [Arguments]  ${expected_response}  ${username}  ${password}

     # Description of arguments:
     # expected_response   Expected REST status.
     # username            The username to be used to connect to the server.
     # password            The password to be used to connect to the server.

     # The redfish object may preserve a valid username or password from the
     # last failed login attempt.  If we then try to login with a null username
     # or password value, the redfish object may prefer the preserved value.
     # Since we're testing bad path, we wish to avoid this scenario so we will
     # clear these values.

     Redfish.Set Username  ${EMPTY}
     Redfish.Set Password  ${EMPTY}

     Run Keyword And Expect Error  ${expected_response}
     ...  Redfish.Login  ${username}  ${password}


 Create New Login Session
     [Documentation]  Multiple login session keys.

     Redfish.Login
     ${session_info}=  Get Redfish Session Info

     # Append the session location to the list.
     # ['/redfish/v1/SessionService/Sessions/uDzihgDecs',
     #  '/redfish/v1/SessionService/Sessions/PaHF5brPPd']
     Append To List  ${session_list}  ${session_info["location"]}


 Multiple Session Cleanup
     [Documentation]  Do the teardown for multiple sessions.

     FFDC On Test Case Fail

     FOR  ${item}  IN  @{session_list}
       Redfish.Delete  ${item}
     END
	* Settings *
	Documentation Test Redfish service root login security.

	Resource ../../lib/resource.robot
	Resource ../../lib/bmc_redfish_resource.robot
	Resource ../../lib/openbmc_ffdc.robot

	Test Teardown FFDC On Test Case Fail
	Test Setup Printn

	* Variables *

	${LOGIN_SESSION_COUNT} ${50}

	&{header_requirements} Strict-Transport-Security=max-age=31536000; includeSubdomains; preload
	... X-Frame-Options=DENY
	... Pragma=no-cache
	... Cache-Control=no-Store,no-Cache
	... Content-Security-Policy=default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:
	... X-XSS-Protection=1; mode=block
	... X-Content-Type-Options=nosniff

	* Test Cases *

	Redfish Login With Invalid Credentials
	[Documentation] Login to BMC web using invalid credential.
	[Tags] Redfish_Login_With_Invalid_Credentials
	[Template] Login And Verify Redfish Response

	# Expect status Username Password
	InvalidCredentialsError* ${OPENBMC_USERNAME} deadpassword
	InvalidCredentialsError* groot ${OPENBMC_PASSWORD}
	InvalidCredentialsError* ${EMPTY} ${OPENBMC_PASSWORD}
	InvalidCredentialsError* ${OPENBMC_USERNAME} ${EMPTY}
	InvalidCredentialsError* ${EMPTY} ${EMPTY}


	Redfish Login Using Unsecured HTTP
	[Documentation] Login to BMC web through http unsecured.
	[Tags] Redfish_Login_Using_Unsecured_HTTP

	Create Session openbmc http://${OPENBMC_HOST}
	${data}= Create Dictionary
	... UserName=${OPENBMC_USERNAME} Password=${OPENBMC_PASSWORD}

	${headers}= Create Dictionary Content-Type=application/json

	Run Keyword And Expect Error Connection refused
	... Post Request openbmc /redfish/v1/SessionService/Sessions
	... data=${data} headers=${headers}


	Redfish Login Using HTTPS Wrong Port 80 Protocol
	[Documentation] Login to BMC web through wrong protocol port 80.
	[Tags] Redfish_Login_Using_HTTPS_Wrong_Port_80_Protocol

	Create Session openbmc https://${OPENBMC_HOST}:80
	${data}= Create Dictionary
	... UserName=${OPENBMC_USERNAME} Password=${OPENBMC_PASSWORD}

	${headers}= Create Dictionary Content-Type=application/json

	Run Keyword And Expect Error Connection refused
	... Post Request openbmc /redfish/v1/SessionService/Sessions
	... data=${data} headers=${headers}


	Create Multiple Login Sessions And Verify
	[Documentation] Create 50 login instances and verify.
	[Tags] Create_Multiple_Login_Sessions_And_Verify
	[Teardown] Run Keyword And Ignore Error Multiple Session Cleanup

	Redfish.Login
	# Example:
	# {
	# 'key': 'L0XEsZAXpNdF147jJaOD',
	# 'location': '/redfish/v1/SessionService/Sessions/qWn2JOJSOs'
	# }
	${saved_session_info}= Get Redfish Session Info

	# Sessions book keeping for cleanup once done.
	${session_list}= Create List
	Set Test Variable ${session_list}

	Repeat Keyword ${LOGIN_SESSION_COUNT} times Create New Login Session

	# Update the redfish session object with the first login key and location
	# and verify if it is still working.
	Redfish.Set Session Key ${saved_session_info["key"]}
	Redfish.Set Session Location ${saved_session_info["location"]}
	Redfish.Get ${saved_session_info["location"]}


	Attempt Login With Expired Session
	[Documentation] Authenticate to redfish, then log out and attempt to
	... use the session.
	[Tags] Attempt_Login_With_Expired_Session

	Redfish.Login
	${saved_session_info}= Get Redfish Session Info
	Redfish.Logout

	# Attempt login with expired session.
	# By default 60 minutes of inactivity closes the session.
	Redfish.Set Session Key ${saved_session_info["key"]}
	Redfish.Set Session Location ${saved_session_info["location"]}

	Redfish.Get ${saved_session_info["location"]} valid_status_codes=[${HTTP_UNAUTHORIZED}]


	Login And Verify HTTP Response Header
	[Documentation] Login and verify redfish HTTP response header.
	[Tags] Login_And_Verify_HTTP_Response_Header

	# Example of HTTP redfish response header.
	# Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
	# X-Frame-Options: DENY
	# Pragma: no-cache
	# Cache-Control: no-Store,no-Cache
	# Content-Security-Policy: default-src 'self'; img-src 'self' data:
	# X-XSS-Protection: 1; mode=block
	# X-Content-Type-Options: nosniff

	Rprint Vars header_requirements fmt=1

	Redfish.Login
	${resp}= Redfish.Get /redfish/v1/SessionService/Sessions

	# The getheaders() method returns the headers as a list of tuples:
	# headers:
	# [Strict-Transport-Security]: max-age=31536000; includeSubdomains; preload
	# [X-Frame-Options]: DENY
	# [Pragma]: no-cache
	# [Cache-Control]: no-Store,no-Cache
	# [Content-Security-Policy]: default-src 'self'; img-src 'self' data:
	# [X-XSS-Protection]: 1; mode=block
	# [X-Content-Type-Options]: nosniff
	# [X-UA-Compatible]: IE=11
	# [Content-Type]: application/json
	# [Server]: iBMC
	# [Date]: Tue, 16 Apr 2019 17:49:46 GMT
	# [Content-Length]: 2177

	${headers}= Key Value List To Dict ${resp.getheaders()}
	Rprint Vars headers fmt=1

	Dictionary Should Contain Sub Dictionary ${headers} ${header_requirements}


	* Keywords *

	Login And Verify Redfish Response
	[Documentation] Login and verify redfish response.
	[Arguments] ${expected_response} ${username} ${password}

	# Description of arguments:
	# expected_response Expected REST status.
	# username The username to be used to connect to the server.
	# password The password to be used to connect to the server.

	# The redfish object may preserve a valid username or password from the
	# last failed login attempt. If we then try to login with a null username
	# or password value, the redfish object may prefer the preserved value.
	# Since we're testing bad path, we wish to avoid this scenario so we will
	# clear these values.

	Redfish.Set Username ${EMPTY}
	Redfish.Set Password ${EMPTY}

	Run Keyword And Expect Error ${expected_response}
	... Redfish.Login ${username} ${password}


	Create New Login Session
	[Documentation] Multiple login session keys.

	Redfish.Login
	${session_info}= Get Redfish Session Info

	# Append the session location to the list.
	# ['/redfish/v1/SessionService/Sessions/uDzihgDecs',
	# '/redfish/v1/SessionService/Sessions/PaHF5brPPd']
	Append To List ${session_list} ${session_info["location"]}


	Multiple Session Cleanup
	[Documentation] Do the teardown for multiple sessions.

	FFDC On Test Case Fail

	FOR ${item} IN @{session_list}
	Redfish.Delete ${item}
	END