VMI certificate exchange testcases
Added Use cases to test:
- root certificate by client / external interface from VMI.
- Generate and verify CSR signed by VMI.
- Verify certificate organization code, signature in CSR and signed CSR.
Change-Id: I6c4b46fc72d3f84b3f18a4d2548d6239f0894d35
Signed-off-by: manashsarma <manashsarma@in.ibm.com>
diff --git a/openpower/ext_interfaces/test_vmicert_management.robot b/openpower/ext_interfaces/test_vmicert_management.robot
new file mode 100644
index 0000000..a939438
--- /dev/null
+++ b/openpower/ext_interfaces/test_vmicert_management.robot
@@ -0,0 +1,213 @@
+*** Settings ***
+
+Documentation VMI certificate exchange tests.
+
+Resource ../../lib/resource.robot
+Resource ../../lib/bmc_redfish_resource.robot
+Resource ../../lib/openbmc_ffdc.robot
+Resource ../../lib/bmc_redfish_utils.robot
+Resource ../../lib/utils.robot
+
+Suite Setup Suite Setup Execution
+Test Teardown FFDC On Test Case Fail
+Suite Teardown Suite Teardown Execution
+
+
+*** Variables ***
+
+# users User Name password
+@{ADMIN} admin_user TestPwd123
+@{OPERATOR} operator_user TestPwd123
+&{USERS} Administrator=${ADMIN} Operator=${OPERATOR}
+${VMI_BASE_URI} /ibm/v1/
+${CSR_FILE} csr_server.csr
+${CSR_KEY} csr_server.key
+
+*** Test Cases ***
+
+Get CSR Request Signed By VMI And Verify
+ [Documentation] Get CSR request signed by VMI using different user roles and verify.
+ [Tags] Get_CSR_Request_Signed_By_VMI_And_Verify
+ [Template] Get Certificate Signed By VMI
+
+ # username password force_create valid_csr valid_status_code
+ ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK}
+ operator_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN}
+
+
+Get Root Certificate Using Different Privilege Users Roles
+ [Documentation] Get root certificate using different users.
+ [Tags] Get_Root_Certificate_Using_Different_Users
+ [Template] Get Root Certificate
+
+ # username password force_create valid_csr valid_status_code
+ admin_user TestPwd123 ${True} ${True} ${HTTP_OK}
+ operator_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN}
+
+
+*** Keywords ***
+
+Generate CSR String
+ [Documentation] Generate a csr string.
+
+ # Note: Generates and returns csr string.
+ ${ssl_cmd}= Set Variable openssl req -new -newkey rsa:2048 -nodes -keyout ${CSR_KEY} -out ${CSR_FILE}
+ ${ssl_sub}= Set Variable
+ ... -subj "/C=XY/ST=Abcd/L=Efgh/O=ABC/OU=Systems/CN=abc.com/emailAddress=xyz@xx.ABC.com"
+
+ # Run openssl command to create a new private key and use that to generate a CSR string
+ # in server.csr file.
+ ${output}= Run ${ssl_cmd} ${ssl_sub}
+ ${csr}= OperatingSystem.Get File server.csr
+
+ [Return] ${csr}
+
+
+Send CSR To VMI And Get Signed
+ [Arguments] ${csr} ${force_create} ${username} ${password}
+
+ # Description of argument(s):
+ # csr Certificate request from client to VMI.
+ # force_create Create a new REST session if True.
+ # username Username to create a REST session.
+ # password Password to create a REST session.
+
+ Run Keyword If "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
+ ... Initialize OpenBMC rest_username=${username} rest_password=${password}
+
+ ${data}= Create Dictionary
+ ${headers}= Create Dictionary X-Auth-Token=${XAUTH_TOKEN}
+ ... Content-Type=application/json
+
+ ${cert_uri}= Set Variable ${VMI_BASE_URI}Host/Actions/SignCSR
+
+ # For SignCSR request, we need to pass CSR string generated by openssl command.
+ ${csr_data}= Create Dictionary CsrString ${csr}
+ Set To Dictionary ${data} data ${csr_data}
+
+ ${resp}= Post Request openbmc ${cert_uri} &{data} headers=${headers}
+
+ [Return] ${resp}
+
+
+Get Root Certificate
+ [Documentation] Get root certificate from VMI.
+ [Arguments] ${username}=${OPENBMC_USERNAME} ${password}=${OPENBMC_PASSWORD}
+ ... ${force_create}=${False} ${valid_csr}=${True} ${valid_status_code}=${HTTP_OK}
+
+ # Description of argument(s):
+ # cert_type Type of the certificate requesting. eg. root or SignCSR.
+ # username Username to create a REST session.
+ # password Password to create a REST session.
+ # force_create Create a new REST session if True.
+ # valid_csr Uses valid CSR string in the REST request if True.
+ # This is not applicable for root certificate.
+ # valid_status_code Expected status code from REST request.
+
+ Run Keyword If "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
+ ... Initialize OpenBMC rest_username=${username} rest_password=${password}
+
+ ${data}= Create Dictionary
+ ${headers}= Create Dictionary X-Auth-Token=${XAUTH_TOKEN}
+ ... Content-Type=application/json
+
+ ${cert_uri}= Set Variable ${VMI_BASE_URI}Host/Certificate/root
+
+ ${resp}= Get Request openbmc ${cert_uri} &{data} headers=${headers}
+
+ Should Be Equal As Strings ${resp.status_code} ${valid_status_code}
+ Return From Keyword If ${resp.status_code} != ${HTTP_OK}
+
+ ${cert}= Evaluate json.loads('''${resp.text}''', strict=False) json
+ Should Contain ${cert["Certificate"]} BEGIN CERTIFICATE
+ Should Contain ${cert["Certificate"]} END CERTIFICATE
+
+
+Get Subject
+ [Documentation] Generate a csr string.
+ [Arguments] ${file_name} ${is_csr_file}
+
+ # Description of argument(s):
+ # file_name Name of CSR or signed CERT file.
+ # is_csr_file A True value means a CSR while a False is for signed CERT file.
+
+ ${subject}= Run Keyword If ${is_csr_file} Run openssl req -in ${file_name} -text -noout | grep Subject:
+ ... ELSE Run openssl x509 -in ${file_name} -text -noout | grep Subject:
+
+ [Return] ${subject}
+
+
+Get Public Key
+ [Documentation] Generate a csr string.
+ [Arguments] ${file_name} ${is_csr_file}
+
+ # Description of argument(s):
+ # file_name Name of CSR or CERT file.
+ # is_csr_file A True value means a CSR while a False is for signed CERT file.
+
+ ${PublicKey}= Run Keyword If ${is_csr_file} Run openssl req -in ${file_name} -noout -pubkey
+ ... ELSE Run openssl x509 -in ${file_name} -noout -pubkey
+
+ [Return] ${PublicKey}
+
+
+Get Certificate Signed By VMI
+ [Documentation] Get signed certificate from VMI.
+ [Arguments] ${username}=${OPENBMC_USERNAME} ${password}=${OPENBMC_PASSWORD}
+ ... ${force_create}=${False} ${valid_csr}=${True} ${valid_status_code}=${HTTP_OK}
+
+ # Description of argument(s):
+ # cert_type Type of the certificate requesting. eg. root or SignCSR.
+ # username Username to create a REST session.
+ # password Password to create a REST session.
+ # force_create Create a new REST session if True.
+ # valid_csr Uses valid CSR string in the REST request if True.
+ # This is not applicable for root certificate.
+ # valid_status_code Expected status code from REST request.
+
+ Set Test Variable ${CSR} CSR
+ Set Test Variable ${CORRUPTED_CSR} CORRUPTED_CSR
+
+ ${CSR}= Generate CSR String
+
+ # For SignCSR request, we need to pass CSR string generated by openssl command
+ ${csr_str}= Set Variable If ${valid_csr} == ${True} ${CSR} ${CORRUPTED_CSR}
+
+ ${resp}= Send CSR To VMI And Get Signed ${csr_str} ${force_create} ${username} ${password}
+
+ Should Be Equal As Strings ${resp.status_code} ${valid_status_code}
+ Return From Keyword If ${resp.status_code} != ${HTTP_OK}
+
+ ${cert}= Evaluate json.loads('''${resp.text}''', strict=False) json
+ Should Contain ${cert["Certificate"]} BEGIN CERTIFICATE
+ Should Contain ${cert["Certificate"]} END CERTIFICATE
+
+ # Now do subject and public key verification
+ ${subject_csr}= Get Subject ${CSR_FILE} True
+ ${pubKey_csr}= Get Public Key ${CSR_FILE} True
+
+ # create a crt file with certificate string
+ ${signed_cert}= Set Variable ${cert["Certificate"]}
+
+ Create File test_certificate.crt ${signed_cert}
+ ${subject_signed_csr}= Get Subject test_certificate.crt False
+ ${pubKey_signed_csr}= Get Public Key test_certificate.crt False
+
+ Should be equal as strings ${subject_signed_csr} ${subject_csr}
+ Should be equal as strings ${pubKey_signed_csr} ${pubKey_csr}
+
+
+Suite Setup Execution
+ [Documentation] Suite setup execution.
+
+ # Create different user accounts.
+ Redfish.Login
+ Create Users With Different Roles users=${USERS} force=${True}
+
+
+Suite Teardown Execution
+ [Documentation] Suite teardown execution.
+
+ Delete BMC Users Via Redfish users=${USERS}
+ Delete All Sessions
+ Redfish.Logout
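Review bot: In Generate CSR String the openssl command writes the request to ${CSR_FILE} (csr_server.csr), but the next step reads a different, hard-coded name ("OperatingSystem.Get File server.csr"), so the keyword either fails or returns a stale file from an earlier run; read ${CSR_FILE} there instead. The commit message lists signature verification, yet Get Certificate Signed By VMI only compares the Subject line and public key of the CSR with those of the returned certificate. Nothing checks that the certificate was actually signed by the root returned from Host/Certificate/root (an openssl verify against that root would cover it), and both template rows pass valid_csr=${True}, so the CORRUPTED_CSR branch never runs. The session condition "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}, used in Send CSR To VMI And Get Signed and in Get Root Certificate, re-initializes whenever a token already exists, which looks inverted; please confirm whether == was intended, since the operator rows rely on a fresh login to get HTTP_FORBIDDEN for the right reason. Smaller points: Get Subject and Get Public Key both carry the copied documentation string "Generate a csr string.", Send CSR To VMI And Get Signed has no [Documentation], the argument comments describe a cert_type that is not in [Arguments], and csr_server.key and test_certificate.crt are left on disk because Suite Teardown Execution does not remove them.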