| *** Settings *** |
| |
| Documentation VMI certificate exchange tests. |
| |
| Library ../../lib/jobs_processing.py |
| Resource ../../lib/resource.robot |
| Resource ../../lib/bmc_redfish_resource.robot |
| Resource ../../lib/openbmc_ffdc.robot |
| Resource ../../lib/bmc_redfish_utils.robot |
| Resource ../../lib/utils.robot |
| |
| Suite Setup Suite Setup Execution |
| Test Teardown FFDC On Test Case Fail |
| Suite Teardown Suite Teardown Execution |
| |
| |
| *** Variables *** |
| |
| # users User Name password |
| @{ADMIN} admin_user TestPwd123 |
| @{OPERATOR} operator_user TestPwd123 |
| @{ReadOnly} readonly_user TestPwd123 |
| @{NoAccess} noaccess_user TestPwd123 |
| &{USERS} Administrator=${ADMIN} Operator=${OPERATOR} ReadOnly=${ReadOnly} |
| ... NoAccess=${NoAccess} |
| ${VMI_BASE_URI} /ibm/v1/ |
| |
| |
| *** Test Cases *** |
| |
| Get CSR Request Signed By VMI And Verify |
| [Documentation] Get CSR request signed by VMI using different user roles and verify. |
| [Tags] Get_CSR_Request_Signed_By_VMI_And_Verify |
| [Setup] Redfish Power On |
| [Template] Get Certificate Signed By VMI |
| |
| # username password force_create valid_csr valid_status_code |
| ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK} |
| |
| # Send CSR request from operator user. |
| operator_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN} |
| |
| # Send CSR request from ReadOnly user. |
| readonly_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN} |
| |
| # Send CSR request from NoAccess user. |
| noaccess_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN} |
| |
| |
| Get Root Certificate Using Different Privilege Users Roles |
| [Documentation] Get root certificate using different users. |
| [Tags] Get_Root_Certificate_Using_Different_Users |
| [Setup] Redfish Power On |
| [Template] Get Root Certificate |
| |
| # username password force_create valid_csr valid_status_code |
| # Request root certificate from admin user. |
| admin_user TestPwd123 ${True} ${True} ${HTTP_OK} |
| |
| # Request root certificate from operator user. |
| operator_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN} |
| |
| # Request root certificate from ReadOnly user. |
| readonly_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN} |
| |
| # Request root certificate from NoAccess user. |
| noaccess_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN} |
| |
| |
| Send CSR Request When VMI Is Off And Verify |
| [Documentation] Send CSR signing request to VMI when it is off and expect an error. |
| [Tags] Get_CSR_Request_When_VMI_Is_Off_And_verify |
| [Setup] Redfish Power Off |
| [Template] Get Certificate Signed By VMI |
| |
| # username password force_create valid_csr valid_status_code |
| ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_INTERNAL_SERVER_ERROR} |
| |
| # Send CSR request from operator user. |
| operator_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN} |
| |
| # Send CSR request from ReadOnly user. |
| readonly_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN} |
| |
| # Send CSR request from NoAccess user. |
| noaccess_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN} |
| |
| Get Corrupted CSR Request Signed By VMI And Verify |
| [Documentation] Send corrupted CSR for signing and expect an error. |
| [Tags] Get_Corrupted_CSR_Request_Signed_By_VMI_And_Verify |
| [Setup] Redfish Power On |
| [Template] Get Certificate Signed By VMI |
| |
| # username password force_create valid_csr valid_status_code |
| ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${False} ${HTTP_INTERNAL_SERVER_ERROR} |
| |
| # Send CSR request from operator user. |
| operator_user TestPwd123 ${False} ${False} ${HTTP_FORBIDDEN} |
| |
| # Send CSR request from ReadOnly user. |
| readonly_user TestPwd123 ${False} ${False} ${HTTP_FORBIDDEN} |
| |
| # Send CSR request from NoAccess user. |
| noaccess_user TestPwd123 ${False} ${False} ${HTTP_FORBIDDEN} |
| |
| Get Root Certificate When VMI Is Off And Verify |
| [Documentation] Get root certificate when vmi is off and verify. |
| [Tags] Get_Root_Certificate_When_VMI_Is_Off_And_Verify |
| [Setup] Redfish Power Off |
| [Template] Get Root Certificate |
| |
| # username password force_create valid_csr valid_status_code |
| ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK} |
| |
| # Request root certificate from operator user. |
| operator_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN} |
| |
| # Request root certificate from ReadOnly user. |
| readonly_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN} |
| |
| # Request root certificate from NoAccess user. |
| noaccess_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN} |
| |
| |
| Get Root Certificate After BMC Reboot And Verify |
| [Documentation] Get root certificate after bmc reboot and verify. |
| [Tags] Get_Root_Certificate_After_BMC_Reboot_And_Verify |
| [Setup] Run Keywords OBMC Reboot (off) AND Redfish Power On |
| [Template] Get Root Certificate |
| |
| # username password force_create valid_csr valid_status_code |
| ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK} |
| |
| # Request root certificate from operator user. |
| operator_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN} |
| |
| # Request root certificate from ReadOnly user. |
| readonly_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN} |
| |
| # Request root certificate from NoAccess user. |
| noaccess_user TestPwd123 ${False} ${True} ${HTTP_FORBIDDEN} |
| |
| Get Concurrent Root Certificate Requests From Multiple Admin Users |
| [Documentation] Get multiple concurrent root certificate requests from multiple admins |
| ... and verify no errors. |
| [Tags] Get_Concurrent_Root_Certificate_Requests_From_Multiple_Admin_Users |
| |
| FOR ${i} IN RANGE ${5} |
| ${dict}= Execute Process Multi Keyword ${5} |
| ... Get Root Certificate ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK} |
| ... Get Root Certificate ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK} |
| ... Get Root Certificate ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK} |
| Dictionary Should Not Contain Value ${dict} False |
| ... msg=One or more operations has failed. |
| END |
| |
| Get Concurrent CSR Requests From Multiple Admin Users |
| [Documentation] Get multiple concurrent csr requests from multiple admins and verify no errors. |
| [Tags] Get_Concurrent_CSR_Requests_From_Multiple_Admin_Users |
| |
| FOR ${i} IN RANGE ${5} |
| ${dict}= Execute Process Multi Keyword ${5} |
| ... Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK} |
| ... Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK} |
| ... Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK} |
| ... Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK} |
| Dictionary Should Not Contain Value ${dict} False |
| ... msg=One or more operations has failed. |
| END |
| |
| Get Concurrent Corrupted CSR Requests From Multiple Admin Users |
| [Documentation] Get multiple concurrent corrupted csr requests from multiple admins and verify no errors. |
| [Tags] Get_Concurrent_Corrupted_CSR_Requests_From_Multiple_Admin_Users |
| |
| FOR ${i} IN RANGE ${5} |
| ${dict}= Execute Process Multi Keyword ${5} |
| ... Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${False} ${HTTP_INTERNAL_SERVER_ERROR} |
| ... Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${False} ${HTTP_INTERNAL_SERVER_ERROR} |
| ... Get Certificate Signed By VMI ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${False} ${HTTP_INTERNAL_SERVER_ERROR} |
| Dictionary Should Not Contain Value ${dict} False |
| ... msg=One or more operations has failed. |
| END |
| |
| Get Concurrent Root Certificate Request From Operator Users |
| [Documentation] Get multiple concurrent root certificate from non admin users and verify no errors. |
| [Tags] Get_Concurrent_Root_Certificate_Request_From_Operator_Users |
| |
| FOR ${i} IN RANGE ${5} |
| ${dict}= Execute Process Multi Keyword ${5} |
| ... Get Root Certificate operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN} |
| ... Get Root Certificate operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN} |
| ... Get Root Certificate operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN} |
| Dictionary Should Not Contain Value ${dict} False |
| ... msg=One or more operations has failed. |
| END |
| |
| Get Concurrent Root Certificate Request From Admin And Non Admin Users |
| [Documentation] Get multiple concurrent root certificate from admin and non admin users |
| ... and verify no errors. |
| [Tags] Get_Concurrent_Root_Certificate_Request_From_Admin_And_Non_Admin_Users |
| |
| FOR ${i} IN RANGE ${5} |
| ${dict}= Execute Process Multi Keyword ${5} |
| ... Get Root Certificate ${OPENBMC_USERNAME} ${OPENBMC_PASSWORD} ${True} ${True} ${HTTP_OK} |
| ... Get Root Certificate operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN} |
| ... Get Root Certificate readonly_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN} |
| Dictionary Should Not Contain Value ${dict} False |
| ... msg=One or more operations has failed. |
| END |
| |
| Get Concurrent Root Certificate Request From Different Non Admin Users |
| [Documentation] Get multiple concurrent root certificate from different non admin users |
| ... and verify no errors. |
| [Tags] Get_Concurrent_Root_Certificate_Request_From_Different_Non_Admin_Users |
| |
| FOR ${i} IN RANGE ${5} |
| ${dict}= Execute Process Multi Keyword ${5} |
| ... Get Root Certificate operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN} |
| ... Get Root Certificate readonly_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN} |
| ... Get Root Certificate noaccess_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN} |
| Dictionary Should Not Contain Value ${dict} False |
| ... msg=One or more operations has failed. |
| END |
| |
| Get Concurrent CSR Request From Operator Users |
| [Documentation] Get multiple concurrent csr request from non admin users and verify no errors. |
| [Tags] Get_Concurrent_CSR_Request_From_Operator_Users |
| |
| FOR ${i} IN RANGE ${5} |
| ${dict}= Execute Process Multi Keyword ${5} |
| ... Get Certificate Signed By VMI operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN} |
| ... Get Certificate Signed By VMI operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN} |
| ... Get Certificate Signed By VMI operator_user TestPwd123 ${True} ${True} ${HTTP_FORBIDDEN} |
| Dictionary Should Not Contain Value ${dict} False |
| ... msg=One or more operations has failed. |
| END |
| |
| *** Keywords *** |
| |
| Generate CSR String |
| [Documentation] Generate a csr string. |
| |
| # Note: Generates and returns csr string. |
| ${csr_gen_time} = Get Current Date Time |
| ${CSR_FILE}= Catenate SEPARATOR=_ ${csr_gen_time} csr_server.csr |
| ${CSR_KEY}= Catenate SEPARATOR=_ ${csr_gen_time} csr_server.key |
| Set Test Variable ${CSR_FILE} |
| Set Test Variable ${CSR_KEY} |
| ${ssl_cmd}= Set Variable openssl req -new -newkey rsa:2048 -nodes -keyout ${CSR_KEY} -out ${CSR_FILE} |
| ${ssl_sub}= Set Variable |
| ... -subj "/C=XY/ST=Abcd/L=Efgh/O=ABC/OU=Systems/CN=abc.com/emailAddress=xyz@xx.ABC.com" |
| |
| # Run openssl command to create a new private key and use that to generate a CSR string |
| # in server.csr file. |
| ${output}= Run ${ssl_cmd} ${ssl_sub} |
| ${csr}= OperatingSystem.Get File ${CSR_FILE} |
| |
| [Return] ${csr} |
| |
| |
| Send CSR To VMI And Get Signed |
| [Arguments] ${csr} ${force_create} ${username} ${password} |
| |
| # Description of argument(s): |
| # csr Certificate request from client to VMI. |
| # force_create Create a new REST session if True. |
| # username Username to create a REST session. |
| # password Password to create a REST session. |
| |
| Run Keyword If "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True} |
| ... Initialize OpenBMC rest_username=${username} rest_password=${password} |
| |
| ${data}= Create Dictionary |
| ${headers}= Create Dictionary X-Auth-Token=${XAUTH_TOKEN} |
| ... Content-Type=application/json |
| |
| ${cert_uri}= Set Variable ${VMI_BASE_URI}Host/Actions/SignCSR |
| |
| # For SignCSR request, we need to pass CSR string generated by openssl command. |
| ${csr_data}= Create Dictionary CsrString ${csr} |
| Set To Dictionary ${data} data ${csr_data} |
| |
| ${resp}= Post Request openbmc ${cert_uri} &{data} headers=${headers} |
| Log to console ${resp.content} |
| |
| [Return] ${resp} |
| |
| |
| Get Root Certificate |
| [Documentation] Get root certificate from VMI. |
| [Arguments] ${username}=${OPENBMC_USERNAME} ${password}=${OPENBMC_PASSWORD} |
| ... ${force_create}=${False} ${valid_csr}=${True} ${valid_status_code}=${HTTP_OK} |
| |
| # Description of argument(s): |
| # cert_type Type of the certificate requesting. eg. root or SignCSR. |
| # username Username to create a REST session. |
| # password Password to create a REST session. |
| # force_create Create a new REST session if True. |
| # valid_csr Uses valid CSR string in the REST request if True. |
| # This is not applicable for root certificate. |
| # valid_status_code Expected status code from REST request. |
| |
| Run Keyword If "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True} |
| ... Initialize OpenBMC rest_username=${username} rest_password=${password} |
| |
| ${data}= Create Dictionary |
| ${headers}= Create Dictionary X-Auth-Token=${XAUTH_TOKEN} |
| ... Content-Type=application/json |
| |
| ${cert_uri}= Set Variable ${VMI_BASE_URI}Host/Certificate/root |
| |
| ${resp}= Get Request openbmc ${cert_uri} &{data} headers=${headers} |
| |
| Should Be Equal As Strings ${resp.status_code} ${valid_status_code} |
| Return From Keyword If ${resp.status_code} != ${HTTP_OK} |
| |
| ${cert}= Evaluate json.loads('''${resp.text}''', strict=False) json |
| Should Contain ${cert["Certificate"]} BEGIN CERTIFICATE |
| Should Contain ${cert["Certificate"]} END CERTIFICATE |
| |
| |
| Get Subject |
| [Documentation] Generate a csr string. |
| [Arguments] ${file_name} ${is_csr_file} |
| |
| # Description of argument(s): |
| # file_name Name of CSR or signed CERT file. |
| # is_csr_file A True value means a CSR while a False is for signed CERT file. |
| |
| ${subject}= Run Keyword If ${is_csr_file} Run openssl req -in ${file_name} -text -noout | grep Subject: |
| ... ELSE Run openssl x509 -in ${file_name} -text -noout | grep Subject: |
| |
| [Return] ${subject} |
| |
| |
| Get Public Key |
| [Documentation] Generate a csr string. |
| [Arguments] ${file_name} ${is_csr_file} |
| |
| # Description of argument(s): |
| # file_name Name of CSR or CERT file. |
| # is_csr_file A True value means a CSR while a False is for signed CERT file. |
| |
| ${PublicKey}= Run Keyword If ${is_csr_file} Run openssl req -in ${file_name} -noout -pubkey |
| ... ELSE Run openssl x509 -in ${file_name} -noout -pubkey |
| |
| [Return] ${PublicKey} |
| |
| |
| Get Certificate Signed By VMI |
| [Documentation] Get signed certificate from VMI. |
| [Arguments] ${username}=${OPENBMC_USERNAME} ${password}=${OPENBMC_PASSWORD} |
| ... ${force_create}=${False} ${valid_csr}=${True} ${valid_status_code}=${HTTP_OK} |
| |
| # Description of argument(s): |
| # cert_type Type of the certificate requesting. eg. root or SignCSR. |
| # username Username to create a REST session. |
| # password Password to create a REST session. |
| # force_create Create a new REST session if True. |
| # valid_csr Uses valid CSR string in the REST request if True. |
| # This is not applicable for root certificate. |
| # valid_status_code Expected status code from REST request. |
| |
| Set Test Variable ${CSR} CSR |
| Set Test Variable ${CORRUPTED_CSR} CORRUPTED_CSR |
| |
| ${CSR}= Generate CSR String |
| ${csr_left} ${csr_right}= Split String From Right ${CSR} == 1 |
| ${CORRUPTED_CSR}= Catenate SEPARATOR= ${csr_left} \N ${csr_right} |
| |
| # For SignCSR request, we need to pass CSR string generated by openssl command |
| ${csr_str}= Set Variable If ${valid_csr} == ${True} ${CSR} ${CORRUPTED_CSR} |
| |
| ${resp}= Send CSR To VMI And Get Signed ${csr_str} ${force_create} ${username} ${password} |
| |
| Should Be Equal As Strings ${resp.status_code} ${valid_status_code} |
| Return From Keyword If ${resp.status_code} != ${HTTP_OK} |
| |
| ${cert}= Evaluate json.loads('''${resp.text}''', strict=False) json |
| Should Contain ${cert["Certificate"]} BEGIN CERTIFICATE |
| Should Contain ${cert["Certificate"]} END CERTIFICATE |
| |
| # Now do subject and public key verification |
| ${subject_csr}= Get Subject ${CSR_FILE} True |
| ${pubKey_csr}= Get Public Key ${CSR_FILE} True |
| |
| # create a crt file with certificate string |
| ${signed_cert}= Set Variable ${cert["Certificate"]} |
| ${testcert_gen_time} = Get Current Date Time |
| ${test_cert_file}= Catenate SEPARATOR=_ ${testcert_gen_time} test_certificate.cert |
| |
| Create File ${test_cert_file} ${signed_cert} |
| ${subject_signed_csr}= Get Subject ${test_cert_file} False |
| ${pubKey_signed_csr}= Get Public Key ${test_cert_file} False |
| |
| Should be equal as strings ${subject_signed_csr} ${subject_csr} |
| Should be equal as strings ${pubKey_signed_csr} ${pubKey_csr} |
| |
| |
| Suite Setup Execution |
| [Documentation] Suite setup execution. |
| |
| Remove Files *.csr *.key *.cert |
| # Create different user accounts. |
| Redfish.Login |
| Redfish Power On |
| Create Users With Different Roles users=${USERS} force=${True} |
| |
| |
| Suite Teardown Execution |
| [Documentation] Suite teardown execution. |
| |
| Remove Files *.csr *.key *.cert |
| Delete BMC Users Via Redfish users=${USERS} |
| Delete All Sessions |
| Redfish.Logout |