| *** Settings *** |
| Documentation Test Redfish user account. |
| |
| Resource ../../lib/resource.robot |
| Resource ../../lib/bmc_redfish_resource.robot |
| Resource ../../lib/openbmc_ffdc.robot |
| Resource ../../lib/bmc_redfish_utils.robot |
| |
| Library SSHLibrary |
| |
| Test Setup Redfish.Login |
| Test Teardown Test Teardown Execution |
| |
| *** Variables *** |
| |
| ${account_lockout_duration} ${30} |
| ${account_lockout_threshold} ${3} |
| |
| ** Test Cases ** |
| |
| Verify AccountService Available |
| [Documentation] Verify Redfish account service is available. |
| [Tags] Verify_AccountService_Available |
| |
| ${resp} = Redfish_utils.Get Attribute /redfish/v1/AccountService ServiceEnabled |
| Should Be Equal As Strings ${resp} ${True} |
| |
| Verify Redfish User Persistence After Reboot |
| [Documentation] Verify Redfish user persistence after reboot. |
| [Tags] Verify_Redfish_User_Persistence_After_Reboot |
| |
| # Create Redfish users. |
| Redfish Create User admin_user TestPwd123 Administrator ${True} |
| Redfish Create User operator_user TestPwd123 Operator ${True} |
| Redfish Create User readonly_user TestPwd123 ReadOnly ${True} |
| |
| # Reboot BMC. |
| Redfish OBMC Reboot (off) stack_mode=normal |
| |
| # Verify users after reboot. |
| Redfish Verify User admin_user TestPwd123 Administrator ${True} |
| Redfish Verify User operator_user TestPwd123 Operator ${True} |
| Redfish Verify User readonly_user TestPwd123 ReadOnly ${True} |
| |
| # Delete created users. |
| Redfish.Delete /redfish/v1/AccountService/Accounts/admin_user |
| Redfish.Delete /redfish/v1/AccountService/Accounts/operator_user |
| Redfish.Delete /redfish/v1/AccountService/Accounts/readonly_user |
| |
| Redfish Create and Verify Users |
| [Documentation] Create Redfish users with various roles. |
| [Tags] Redfish_Create_and_Verify_Users |
| [Template] Redfish Create And Verify User |
| |
| #username password role_id enabled |
| admin_user TestPwd123 Administrator ${True} |
| operator_user TestPwd123 Operator ${True} |
| readonly_user TestPwd123 ReadOnly ${True} |
| |
| Verify Redfish User with Wrong Password |
| [Documentation] Verify Redfish User with Wrong Password. |
| [Tags] Verify_Redfish_User_with_Wrong_Password |
| [Template] Verify Redfish User with Wrong Password |
| |
| #username password role_id enabled wrong_password |
| admin_user TestPwd123 Administrator ${True} alskjhfwurh |
| operator_user TestPwd123 Operator ${True} 12j8a8uakjhdaosiruf024 |
| readonly_user TestPwd123 ReadOnly ${True} 12 |
| |
| Verify Login with Deleted Redfish Users |
| [Documentation] Verify login with deleted Redfish Users. |
| [Tags] Verify_Login_with_Deleted_Redfish_Users |
| [Template] Verify Login with Deleted Redfish User |
| |
| #username password role_id enabled |
| admin_user TestPwd123 Administrator ${True} |
| operator_user TestPwd123 Operator ${True} |
| readonly_user TestPwd123 ReadOnly ${True} |
| |
| Verify User Creation Without Enabling It |
| [Documentation] Verify User Creation Without Enabling it. |
| [Tags] Verify_User_Creation_Without_Enabling_It |
| [Template] Verify Create User Without Enabling |
| |
| #username password role_id enabled |
| admin_user TestPwd123 Administrator ${False} |
| operator_user TestPwd123 Operator ${False} |
| readonly_user TestPwd123 ReadOnly ${False} |
| |
| Verify User Creation With Invalid Role Id |
| [Documentation] Verify user creation with invalid role ID. |
| [Tags] Verify_User_Creation_With_Invalid_Role_Id |
| |
| # Make sure the user account in question does not already exist. |
| Redfish.Delete /redfish/v1/AccountService/Accounts/test_user |
| ... valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}] |
| |
| # Create specified user. |
| ${payload}= Create Dictionary |
| ... UserName=test_user Password=TestPwd123 RoleId=wrongroleid Enabled=${True} |
| Redfish.Post /redfish/v1/AccountService/Accounts/ body=&{payload} |
| ... valid_status_codes=[${HTTP_BAD_REQUEST}] |
| |
| Verify Error Upon Creating Same Users With Different Privileges |
| [Documentation] Verify error upon creating same users with different privileges. |
| [Tags] Verify_Error_Upon_Creating_Same_Users_With_Different_Privileges |
| |
| Redfish Create User test_user TestPwd123 Administrator ${True} |
| |
| # Create specified user. |
| ${payload}= Create Dictionary |
| ... UserName=test_user Password=TestPwd123 RoleId=Operator Enabled=${True} |
| Redfish.Post /redfish/v1/AccountService/Accounts/ body=&{payload} |
| ... valid_status_codes=[${HTTP_BAD_REQUEST}] |
| |
| Redfish.Delete /redfish/v1/AccountService/Accounts/test_user |
| |
| Verify Modifying User Attributes |
| [Documentation] Verify modifying user attributes. |
| [Tags] Verify_Modifying_User_Attributes |
| |
| # Create Redfish users. |
| Redfish Create User admin_user TestPwd123 Administrator ${True} |
| Redfish Create User operator_user TestPwd123 Operator ${True} |
| Redfish Create User readonly_user TestPwd123 ReadOnly ${True} |
| |
| # Make sure the new user account does not already exist. |
| Redfish.Delete /redfish/v1/AccountService/Accounts/newadmin_user |
| ... valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}] |
| |
| # Update admin_user username using Redfish. |
| ${payload}= Create Dictionary UserName=newadmin_user |
| Redfish.Patch /redfish/v1/AccountService/Accounts/admin_user body=&{payload} |
| |
| # Update operator_user password using Redfish. |
| ${payload}= Create Dictionary Password=NewTestPwd123 |
| Redfish.Patch /redfish/v1/AccountService/Accounts/operator_user body=&{payload} |
| |
| # Update readonly_user role using Redfish. |
| ${payload}= Create Dictionary RoleId=Operator |
| Redfish.Patch /redfish/v1/AccountService/Accounts/readonly_user body=&{payload} |
| |
| # Verify users after updating |
| Redfish Verify User newadmin_user TestPwd123 Administrator ${True} |
| Redfish Verify User operator_user NewTestPwd123 Operator ${True} |
| Redfish Verify User readonly_user TestPwd123 Operator ${True} |
| |
| # Delete created users. |
| Redfish.Delete /redfish/v1/AccountService/Accounts/newadmin_user |
| Redfish.Delete /redfish/v1/AccountService/Accounts/operator_user |
| Redfish.Delete /redfish/v1/AccountService/Accounts/readonly_user |
| |
| Verify User Account Locked |
| [Documentation] Verify user account locked upon trying with invalid password. |
| [Tags] Verify_User_Account_Locked |
| |
| Redfish Create User admin_user TestPwd123 Administrator ${True} |
| |
| ${payload}= Create Dictionary AccountLockoutThreshold=${account_lockout_threshold} |
| ... AccountLockoutDuration=${account_lockout_duration} |
| Redfish.Patch ${REDFISH_ACCOUNTS_SERVICE_URI} body=${payload} |
| |
| Redfish.Logout |
| |
| # Make ${account_lockout_threshold} failed login attempts. |
| Repeat Keyword ${account_lockout_threshold} times |
| ... Run Keyword And Expect Error InvalidCredentialsError* Redfish.Login admin_user abc123 |
| |
| # Verify that legitimate login fails due to lockout. |
| Run Keyword And Expect Error InvalidCredentialsError* |
| ... Redfish.Login admin_user TestPwd123 |
| |
| # Wait for lockout duration to expire and then verify that login works. |
| Sleep ${account_lockout_duration}s |
| Redfish.Login admin_user TestPwd123 |
| |
| Redfish.Logout |
| |
| Redfish.Login |
| |
| Redfish.Delete /redfish/v1/AccountService/Accounts/admin_user |
| |
| Verify Admin User Privilege |
| [Documentation] Verify admin user privilege. |
| [Tags] Verify_Admin_User_Privilege |
| |
| Redfish Create User admin_user TestPwd123 Administrator ${True} |
| Redfish Create User operator_user TestPwd123 Operator ${True} |
| Redfish Create User readonly_user TestPwd123 ReadOnly ${True} |
| |
| Redfish.Logout |
| |
| # Change role ID of operator user with admin user. |
| # Login with admin user. |
| Redfish.Login admin_user TestPwd123 |
| |
| # Modify Role ID of Operator user. |
| Redfish.Patch /redfish/v1/AccountService/Accounts/operator_user body={'RoleId': 'Administrator'} |
| |
| # Verify modified user. |
| Redfish Verify User operator_user TestPwd123 Administrator ${True} |
| |
| Redfish.Logout |
| Redfish.Login admin_user TestPwd123 |
| |
| # Change password of 'user' user with admin user. |
| Redfish.Patch /redfish/v1/AccountService/Accounts/readonly_user body={'Password': 'NewTestPwd123'} |
| |
| # Verify modified user. |
| Redfish Verify User readonly_user NewTestPwd123 ReadOnly ${True} |
| |
| Redfish.Delete /redfish/v1/AccountService/Accounts/admin_user |
| Redfish.Delete /redfish/v1/AccountService/Accounts/operator_user |
| Redfish.Delete /redfish/v1/AccountService/Accounts/readonly_user |
| |
| Verify Operator User Privilege |
| [Documentation] Verify operator user privilege. |
| [Tags] Verify_Operator_User_Privilege |
| |
| Redfish Create User admin_user TestPwd123 Administrator ${True} |
| Redfish Create User operator_user TestPwd123 Operator ${True} |
| |
| Redfish.Logout |
| # Login with operator user. |
| Redfish.Login operator_user TestPwd123 |
| |
| # Verify BMC reset. |
| Run Keyword And Expect Error ValueError* Redfish BMC Reset Operation |
| |
| # Attempt to change password of admin user with operator user. |
| Redfish.Patch /redfish/v1/AccountService/Accounts/admin_user body={'Password': 'NewTestPwd123'} |
| ... valid_status_codes=[${HTTP_FORBIDDEN}] |
| |
| Redfish.Logout |
| |
| Redfish.Login |
| |
| Redfish.Delete /redfish/v1/AccountService/Accounts/admin_user |
| Redfish.Delete /redfish/v1/AccountService/Accounts/operator_user |
| |
| |
| Verify ReadOnly User Privilege |
| [Documentation] Verify ReadOnly user privilege. |
| [Tags] Verify_ReadOnly_User_Privilege |
| |
| Redfish Create User readonly_user TestPwd123 ReadOnly ${True} |
| Redfish.Logout |
| |
| # Login with read_only user. |
| Redfish.Login readonly_user TestPwd123 |
| |
| # Read system level data. |
| ${system_model}= Redfish_Utils.Get Attribute |
| ... ${SYSTEM_BASE_URI} Model |
| |
| Redfish.Logout |
| Redfish.Login |
| Redfish.Delete ${REDFISH_ACCOUNTS_URI}readonly_user |
| |
| |
| Verify Minimum Password Length For Redfish User |
| [Documentation] Verify minimum password length for new and existing user. |
| [Tags] Verify_Minimum_Password_Length_For_Redfish_User |
| |
| ${user_name}= Set Variable testUser |
| |
| # Make sure the user account in question does not already exist. |
| Redfish.Delete /redfish/v1/AccountService/Accounts/${user_name} |
| ... valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}] |
| |
| # Try to create a user with invalid length password. |
| ${payload}= Create Dictionary |
| ... UserName=${user_name} Password=UserPwd RoleId=Administrator Enabled=${True} |
| Redfish.Post /redfish/v1/AccountService/Accounts/ body=&{payload} |
| ... valid_status_codes=[${HTTP_BAD_REQUEST}] |
| |
| # Create specified user with valid length password. |
| Set To Dictionary ${payload} Password UserPwd1 |
| Redfish.Post /redfish/v1/AccountService/Accounts/ body=&{payload} |
| ... valid_status_codes=[${HTTP_CREATED}] |
| |
| # Try to change to an invalid password. |
| Redfish.Patch /redfish/v1/AccountService/Accounts/${user_name} body={'Password': 'UserPwd'} |
| ... valid_status_codes=[${HTTP_BAD_REQUEST}] |
| |
| # Change to a valid password. |
| Redfish.Patch /redfish/v1/AccountService/Accounts/${user_name} body={'Password': 'UserPwd1'} |
| |
| # Verify login. |
| Redfish.Logout |
| Redfish.Login ${user_name} UserPwd1 |
| Redfish.Logout |
| Redfish.Login |
| Redfish.Delete /redfish/v1/AccountService/Accounts/${user_name} |
| |
| |
| Verify Standard User Roles Defined By Redfish |
| [Documentation] Verify standard user roles defined by Redfish. |
| [Tags] Verify_Standard_User_Roles_Defined_By_Redfish |
| |
| ${member_list}= Redfish_Utils.Get Member List |
| ... /redfish/v1/AccountService/Roles |
| |
| @{roles}= Create List |
| ... /redfish/v1/AccountService/Roles/Administrator |
| ... /redfish/v1/AccountService/Roles/Operator |
| ... /redfish/v1/AccountService/Roles/ReadOnly |
| |
| List Should Contain Sub List ${member_list} ${roles} |
| |
| # The standard roles are: |
| |
| # | Role name | Assigned privileges | |
| # | Administrator | Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf | |
| # | Operator | Login, ConfigureComponents, ConfigureSelf | |
| # | ReadOnly | Login, ConfigureSelf | |
| |
| @{admin}= Create List Login ConfigureManager ConfigureUsers ConfigureComponents ConfigureSelf |
| @{operator}= Create List Login ConfigureComponents ConfigureSelf |
| @{readOnly}= Create List Login ConfigureSelf |
| |
| ${roles_dict}= create dictionary admin_privileges=${admin} operator_privileges=${operator} |
| ... readOnly_privileges=${readOnly} |
| |
| ${resp}= redfish.Get /redfish/v1/AccountService/Roles/Administrator |
| List Should Contain Sub List ${resp.dict['AssignedPrivileges']} ${roles_dict['admin_privileges']} |
| |
| ${resp}= redfish.Get /redfish/v1/AccountService/Roles/Operator |
| List Should Contain Sub List ${resp.dict['AssignedPrivileges']} ${roles_dict['operator_privileges']} |
| |
| ${resp}= redfish.Get /redfish/v1/AccountService/Roles/ReadOnly |
| List Should Contain Sub List ${resp.dict['AssignedPrivileges']} ${roles_dict['readOnly_privileges']} |
| |
| |
| Verify Error While Deleting Root User |
| [Documentation] Verify error while deleting root user. |
| [Tags] Verify_Error_While_Deleting_Root_User |
| |
| Redfish.Delete /redfish/v1/AccountService/Accounts/root valid_status_codes=[${HTTP_FORBIDDEN}] |
| |
| |
| Verify SSH Login Access With Admin User |
| [Documentation] Verify that admin user does not have SSH login access. |
| [Tags] Verify_SSH_Login_Access_With_Admin_User |
| |
| # Create an admin User. |
| Redfish Create User new_admin TestPwd1 Administrator ${True} |
| |
| # Attempt SSH login with admin user. |
| SSHLibrary.Open Connection ${OPENBMC_HOST} |
| ${status}= Run Keyword And Return Status SSHLibrary.Login new_admin TestPwd1 |
| Should Be Equal ${status} ${False} |
| |
| |
| *** Keywords *** |
| |
| Test Teardown Execution |
| [Documentation] Do the post test teardown. |
| |
| Run Keyword And Ignore Error Redfish.Logout |
| FFDC On Test Case Fail |
| |
| |
| Redfish Create User |
| [Documentation] Redfish create user. |
| [Arguments] ${username} ${password} ${role_id} ${enabled} ${login_check}=${True} |
| |
| # Description of argument(s): |
| # username The username to be created. |
| # password The password to be assigned. |
| # role_id The role ID of the user to be created |
| # (e.g. "Administrator", "Operator", etc.). |
| # enabled Indicates whether the username being created |
| # should be enabled (${True}, ${False}). |
| # login_check Checks user login for created user. |
| # (e.g. ${True}, ${False}). |
| |
| # Make sure the user account in question does not already exist. |
| Redfish.Delete /redfish/v1/AccountService/Accounts/${userName} |
| ... valid_status_codes=[${HTTP_OK}, ${HTTP_NOT_FOUND}] |
| |
| # Create specified user. |
| ${payload}= Create Dictionary |
| ... UserName=${username} Password=${password} RoleId=${role_id} Enabled=${enabled} |
| Redfish.Post /redfish/v1/AccountService/Accounts/ body=&{payload} |
| ... valid_status_codes=[${HTTP_CREATED}] |
| |
| # Resetting faillock count as a workaround for issue |
| # openbmc/phosphor-user-manager#4 |
| ${cmd}= Catenate /usr/sbin/faillock --user USER --reset |
| Bmc Execute Command ${cmd} |
| |
| # Verify login with created user. |
| ${status}= Run Keyword If '${login_check}' == '${True}' |
| ... Verify Redfish User Login ${username} ${password} |
| Run Keyword If '${login_check}' == '${True}' Should Be Equal ${status} ${enabled} |
| |
| # Validate Role ID of created user. |
| ${role_config}= Redfish_Utils.Get Attribute |
| ... /redfish/v1/AccountService/Accounts/${username} RoleId |
| Should Be Equal ${role_id} ${role_config} |
| |
| |
| Redfish Verify User |
| [Documentation] Redfish user verification. |
| [Arguments] ${username} ${password} ${role_id} ${enabled} |
| |
| # Description of argument(s): |
| # username The username to be created. |
| # password The password to be assigned. |
| # role_id The role ID of the user to be created |
| # (e.g. "Administrator", "Operator", etc.). |
| # enabled Indicates whether the username being created |
| # should be enabled (${True}, ${False}). |
| |
| ${status}= Verify Redfish User Login ${username} ${password} |
| # Doing a check of the returned status. |
| Should Be Equal ${status} ${enabled} |
| |
| # Validate Role Id of user. |
| ${role_config}= Redfish_Utils.Get Attribute |
| ... /redfish/v1/AccountService/Accounts/${username} RoleId |
| Should Be Equal ${role_id} ${role_config} |
| |
| |
| Verify Redfish User Login |
| [Documentation] Verify Redfish login with given user id. |
| [Teardown] Run Keywords Run Keyword And Ignore Error Redfish.Logout AND Redfish.Login |
| [Arguments] ${username} ${password} |
| |
| # Description of argument(s): |
| # username Login username. |
| # password Login password. |
| |
| # Logout from current Redfish session. |
| # We don't really care if the current session is flushed out since we are going to login |
| # with new credential in next. |
| Run Keyword And Ignore Error Redfish.Logout |
| |
| ${status}= Run Keyword And Return Status Redfish.Login ${username} ${password} |
| [Return] ${status} |
| |
| |
| Redfish Create And Verify User |
| [Documentation] Redfish create and verify user. |
| [Arguments] ${username} ${password} ${role_id} ${enabled} |
| |
| # Description of argument(s): |
| # username The username to be created. |
| # password The password to be assigned. |
| # role_id The role ID of the user to be created |
| # (e.g. "Administrator", "Operator", etc.). |
| # enabled Indicates whether the username being created |
| # should be enabled (${True}, ${False}). |
| |
| # Example: |
| #{ |
| #"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount", |
| #"@odata.id": "/redfish/v1/AccountService/Accounts/test1", |
| #"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount", |
| #"Description": "User Account", |
| #"Enabled": true, |
| #"Id": "test1", |
| #"Links": { |
| # "Role": { |
| # "@odata.id": "/redfish/v1/AccountService/Roles/Administrator" |
| # } |
| #}, |
| |
| Redfish Create User ${username} ${password} ${role_id} ${enabled} |
| |
| Redfish Verify User ${username} ${password} ${role_id} ${enabled} |
| |
| # Delete Specified User |
| Redfish.Delete /redfish/v1/AccountService/Accounts/${username} |
| |
| Verify Redfish User with Wrong Password |
| [Documentation] Verify Redfish User with Wrong Password. |
| [Arguments] ${username} ${password} ${role_id} ${enabled} ${wrong_password} |
| |
| # Description of argument(s): |
| # username The username to be created. |
| # password The password to be assigned. |
| # role_id The role ID of the user to be created |
| # (e.g. "Administrator", "Operator", etc.). |
| # enabled Indicates whether the username being created |
| # should be enabled (${True}, ${False}). |
| # wrong_password Any invalid password. |
| |
| Redfish Create User ${username} ${password} ${role_id} ${enabled} |
| |
| Redfish.Logout |
| |
| # Attempt to login with created user with invalid password. |
| Run Keyword And Expect Error InvalidCredentialsError* |
| ... Redfish.Login ${username} ${wrong_password} |
| |
| Redfish.Login |
| |
| # Delete newly created user. |
| Redfish.Delete /redfish/v1/AccountService/Accounts/${username} |
| |
| |
| Verify Login with Deleted Redfish User |
| [Documentation] Verify Login with Deleted Redfish User. |
| [Arguments] ${username} ${password} ${role_id} ${enabled} |
| |
| # Description of argument(s): |
| # username The username to be created. |
| # password The password to be assigned. |
| # role_id The role ID of the user to be created |
| # (e.g. "Administrator", "Operator", etc.). |
| # enabled Indicates whether the username being created |
| # should be enabled (${True}, ${False}). |
| |
| Redfish Create User ${username} ${password} ${role_id} ${enabled} |
| |
| # Delete newly created user. |
| Redfish.Delete /redfish/v1/AccountService/Accounts/${userName} |
| |
| Redfish.Logout |
| |
| # Attempt to login with deleted user account. |
| Run Keyword And Expect Error InvalidCredentialsError* |
| ... Redfish.Login ${username} ${password} |
| |
| Redfish.Login |
| |
| |
| Verify Create User Without Enabling |
| [Documentation] Verify Create User Without Enabling. |
| [Arguments] ${username} ${password} ${role_id} ${enabled} |
| |
| # Description of argument(s): |
| # username The username to be created. |
| # password The password to be assigned. |
| # role_id The role ID of the user to be created |
| # (e.g. "Administrator", "Operator", etc.). |
| # enabled Indicates whether the username being created |
| # should be enabled (${True}, ${False}). |
| |
| Redfish Create User ${username} ${password} ${role_id} ${enabled} ${False} |
| |
| Redfish.Logout |
| |
| # Login with created user. |
| Run Keyword And Expect Error InvalidCredentialsError* |
| ... Redfish.Login ${username} ${password} |
| |
| Redfish.Login |
| |
| # Delete newly created user. |
| Redfish.Delete /redfish/v1/AccountService/Accounts/${username} |
| |