blob: 382ef88ada2ebe750acc1293b0d5eb769b8e687a [file] [log] [blame]
Rahul Maheshwarib4b8bb62019-03-04 23:56:10 -06001*** Settings ***
2Documentation Test certificate in OpenBMC.
3
4Resource ../../lib/resource.robot
5Resource ../../lib/bmc_redfish_resource.robot
6Resource ../../lib/openbmc_ffdc.robot
7Resource ../../lib/certificate_utils.robot
George Keishingbf17fab2019-06-13 09:22:22 -05008Library String
Rahul Maheshwarib4b8bb62019-03-04 23:56:10 -06009
Rahul Maheshwarie48fd3e2019-07-22 02:28:58 -050010Force Tags Certificate_Test
11
Rahul Maheshwarib4b8bb62019-03-04 23:56:10 -060012Suite Setup Suite Setup Execution
13Test Teardown Test Teardown Execution
14
15
Rahul Maheshwari1e0f6a82019-08-29 01:33:23 -050016*** Variables ***
17
18${invalid_value} abc
Zbigniew Kurzynski84ae0d32019-10-11 15:51:59 +020019${ROOT_CA_FILE_PATH} /etc/ssl/certs/authority/*
Rahul Maheshwari1e0f6a82019-08-29 01:33:23 -050020
21
Rahul Maheshwarib4b8bb62019-03-04 23:56:10 -060022** Test Cases **
23
24Verify Server Certificate Replace
25 [Documentation] Verify server certificate replace.
26 [Tags] Verify_Server_Certificate_Replace
27 [Template] Replace Certificate Via Redfish
28
Rahul Maheshwari3ecd1a62019-06-03 01:44:34 -050029 # cert_type cert_format expected_status
30 Server Valid Certificate Valid Privatekey ok
31 Server Empty Certificate Valid Privatekey error
32 Server Valid Certificate Empty Privatekey error
33 Server Empty Certificate Empty Privatekey error
Rahul Maheshwarib4b8bb62019-03-04 23:56:10 -060034
35
36Verify Client Certificate Replace
37 [Documentation] Verify client certificate replace.
38 [Tags] Verify_Client_Certificate_Replace
39 [Template] Replace Certificate Via Redfish
40
Rahul Maheshwari3ecd1a62019-06-03 01:44:34 -050041 # cert_type cert_format expected_status
42 Client Valid Certificate Valid Privatekey ok
43 Client Empty Certificate Valid Privatekey error
44 Client Valid Certificate Empty Privatekey error
45 Client Empty Certificate Empty Privatekey error
Rahul Maheshwarib4b8bb62019-03-04 23:56:10 -060046
47
Rahul Maheshwaric1f43ed2019-06-03 01:00:16 -050048Verify CA Certificate Replace
49 [Documentation] Verify CA certificate replace.
50 [Tags] Verify_CA_Certificate_Replace
51 [Template] Replace Certificate Via Redfish
52
53 # cert_type cert_format expected_status
54 CA Valid Certificate ok
55 CA Empty Certificate error
56
57
Rahul Maheshwari037a3432019-05-23 00:55:40 -050058Verify Client Certificate Install
59 [Documentation] Verify client certificate install.
60 [Tags] Verify_Client_Certificate_Install
Rahul Maheshwari3ecd1a62019-06-03 01:44:34 -050061 [Template] Install And Verify Certificate Via Redfish
Rahul Maheshwari037a3432019-05-23 00:55:40 -050062
Rahul Maheshwari3ecd1a62019-06-03 01:44:34 -050063 # cert_type cert_format expected_status
64 Client Valid Certificate Valid Privatekey ok
65 Client Empty Certificate Valid Privatekey error
66 Client Valid Certificate Empty Privatekey error
67 Client Empty Certificate Empty Privatekey error
Rahul Maheshwari037a3432019-05-23 00:55:40 -050068
69
Rahul Maheshwari479c9c52019-06-03 01:23:12 -050070Verify CA Certificate Install
71 [Documentation] Verify CA certificate install.
72 [Tags] Verify_CA_Certificate_Install
73 [Template] Install And Verify Certificate Via Redfish
74
75 # cert_type cert_format expected_status
76 CA Valid Certificate ok
77 CA Empty Certificate error
78
79
Rahul Maheshwarifa95b092019-05-22 05:10:59 -050080Verify Server Certificate View Via Openssl
81 [Documentation] Verify server certificate via openssl command.
82 [Tags] Verify_Server_Certificate_View_Via_Openssl
83
84 redfish.Login
85
86 ${cert_file_path}= Generate Certificate File Via Openssl Valid Certificate Valid Privatekey
George Keishingbf17fab2019-06-13 09:22:22 -050087 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path}
88 ${file_data}= Decode Bytes To String ${bytes} UTF-8
Rahul Maheshwarifa95b092019-05-22 05:10:59 -050089
90 ${certificate_dict}= Create Dictionary
91 ... @odata.id=/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1
92 ${payload}= Create Dictionary CertificateString=${file_data}
93 ... CertificateType=PEM CertificateUri=${certificate_dict}
94
95 ${resp}= redfish.Post /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
96 ... body=${payload}
97
98 Wait Until Keyword Succeeds 2 mins 15 secs Verify Certificate Visible Via OpenSSL ${cert_file_path}
99
100
Rahul Maheshwari1e0f6a82019-08-29 01:33:23 -0500101Verify CSR Generation For Server Certificate
102 [Documentation] Verify CSR generation for server certificate.
103 [Tags] Verify_CSR_Generation_For_Server_Certificate
104 [Template] Generate CSR Via Redfish
105
106 # csr_type key_pair_algorithm key_bit_length key_curv_id expected_status
107 Server RSA ${2048} ${EMPTY} ok
108 Server EC ${EMPTY} prime256v1 ok
109 Server EC ${EMPTY} secp521r1 ok
110 Server EC ${EMPTY} secp384r1 ok
111
112
113Verify CSR Generation For Client Certificate
114 [Documentation] Verify CSR generation for client certificate.
115 [Tags] Verify_CSR_Generation_For_Client_Certificate
116 [Template] Generate CSR Via Redfish
117
118 # csr_type key_pair_algorithm key_bit_length key_curv_id expected_status
119 Client RSA ${2048} ${EMPTY} ok
120 Client EC ${EMPTY} prime256v1 ok
121 Client EC ${EMPTY} secp521r1 ok
122 Client EC ${EMPTY} secp384r1 ok
123
124
125Verify CSR Generation For Server Certificate With Invalid Value
126 [Documentation] Verify error while generating CSR for server certificate with invalid value.
127 [Tags] Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value
128 [Template] Generate CSR Via Redfish
129
130 # csr_type key_pair_algorithm key_bit_length key_curv_id expected_status
131 Server ${invalid_value} ${2048} prime256v1 error
132 Server RAS ${invalid_value} ${EMPTY} error
133 Server EC ${EMPTY} ${invalid_value} error
134
135
136Verify CSR Generation For Client Certificate With Invalid Value
137 [Documentation] Verify error while generating CSR for client certificate with invalid value.
138 [Tags] Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value
139 [Template] Generate CSR Via Redfish
140
141 Client ${invalid_value} ${2048} prime256v1 error
142 Client RSA ${invalid_value} ${EMPTY} error
143 Client EC ${EMPTY} ${invalid_value} error
144
145
Rahul Maheshwarib4b8bb62019-03-04 23:56:10 -0600146*** Keywords ***
147
Rahul Maheshwari3ecd1a62019-06-03 01:44:34 -0500148Install And Verify Certificate Via Redfish
149 [Documentation] Install and verify certificate using Redfish.
150 [Arguments] ${cert_type} ${cert_format} ${expected_status}
Rahul Maheshwari037a3432019-05-23 00:55:40 -0500151
152 # Description of argument(s):
Rahul Maheshwari3ecd1a62019-06-03 01:44:34 -0500153 # cert_type Certificate type (e.g. "Client" or "CA").
Rahul Maheshwari037a3432019-05-23 00:55:40 -0500154 # cert_format Certificate file format
155 # (e.g. "Valid_Certificate_Valid_Privatekey").
156 # expected_status Expected status of certificate replace Redfish
157 # request (i.e. "ok" or "error").
158
Rahul Maheshwari037a3432019-05-23 00:55:40 -0500159 redfish.Login
Rahul Maheshwari3ecd1a62019-06-03 01:44:34 -0500160 Delete Certificate Via BMC CLI ${cert_type}
161
Rahul Maheshwari037a3432019-05-23 00:55:40 -0500162 ${time}= Set Variable If '${cert_format}' == 'Expired Certificate' -10 365
163 ${cert_file_path}= Generate Certificate File Via Openssl ${cert_format} ${time}
George Keishingbf17fab2019-06-13 09:22:22 -0500164 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path}
165 ${file_data}= Decode Bytes To String ${bytes} UTF-8
Rahul Maheshwari037a3432019-05-23 00:55:40 -0500166
Rahul Maheshwari479c9c52019-06-03 01:23:12 -0500167 ${certificate_uri}= Set Variable If
168 ... '${cert_type}' == 'Client' ${REDFISH_LDAP_CERTIFICATE_URI}
169 ... '${cert_type}' == 'CA' ${REDFISH_CA_CERTIFICATE_URI}
170
Zbigniew Kurzynski84ae0d32019-10-11 15:51:59 +0200171 ${cert_id}= Install Certificate File On BMC ${certificate_uri} ${expected_status} data=${file_data}
172 Logging Installed certificate id: ${cert_id}
Rahul Maheshwari037a3432019-05-23 00:55:40 -0500173
174 # Adding delay after certificate installation.
Rahul Maheshwaric1f43ed2019-06-03 01:00:16 -0500175 Sleep 30s
Rahul Maheshwari037a3432019-05-23 00:55:40 -0500176
177 ${cert_file_content}= OperatingSystem.Get File ${cert_file_path}
178 ${bmc_cert_content}= Run Keyword If '${expected_status}' == 'ok' redfish_utils.Get Attribute
Zbigniew Kurzynski84ae0d32019-10-11 15:51:59 +0200179 ... ${certificate_uri}/${cert_id} CertificateString
Rahul Maheshwari037a3432019-05-23 00:55:40 -0500180
181 Run Keyword If '${expected_status}' == 'ok' Should Contain ${cert_file_content} ${bmc_cert_content}
182
183
Rahul Maheshwari479c9c52019-06-03 01:23:12 -0500184Install Certificate File On BMC
Rahul Maheshwari037a3432019-05-23 00:55:40 -0500185 [Documentation] Install certificate file in BMC using POST operation.
186 [Arguments] ${uri} ${status}=ok &{kwargs}
187
188 # Description of argument(s):
189 # uri URI for installing certificate file via REST
190 # e.g. "/xyz/openbmc_project/certs/server/https".
191 # status Expected status of certificate installation via REST
192 # e.g. error, ok.
193 # kwargs A dictionary of keys/values to be passed directly to
194 # POST Request.
195
196 Initialize OpenBMC quiet=${quiet}
197
198 ${headers}= Create Dictionary Content-Type=application/octet-stream
199 ... X-Auth-Token=${XAUTH_TOKEN}
200 Set To Dictionary ${kwargs} headers ${headers}
201
202 ${ret}= Post Request openbmc ${uri} &{kwargs}
Zbigniew Kurzynski84ae0d32019-10-11 15:51:59 +0200203 ${content_json}= To JSON ${ret.content}
204 ${cert_id}= Set Variable If '${ret.status_code}' == '${HTTP_OK}' ${content_json["Id"]} -1
Rahul Maheshwari037a3432019-05-23 00:55:40 -0500205
206 Run Keyword If '${status}' == 'ok'
207 ... Should Be Equal As Strings ${ret.status_code} ${HTTP_OK}
208 ... ELSE IF '${status}' == 'error'
209 ... Should Be Equal As Strings ${ret.status_code} ${HTTP_INTERNAL_SERVER_ERROR}
210
211 Delete All Sessions
212
Zbigniew Kurzynski84ae0d32019-10-11 15:51:59 +0200213 [Return] ${cert_id}
Rahul Maheshwari037a3432019-05-23 00:55:40 -0500214
Rahul Maheshwarib4b8bb62019-03-04 23:56:10 -0600215Replace Certificate Via Redfish
216 [Documentation] Test 'replace certificate' operation in the BMC via Redfish.
217 [Arguments] ${cert_type} ${cert_format} ${expected_status}
218
219 # Description of argument(s):
220 # cert_type Certificate type (e.g. "Server" or "Client").
221 # cert_format Certificate file format
222 # (e.g. Valid_Certificate_Valid_Privatekey).
223 # expected_status Expected status of certificate replace Redfish
224 # request (i.e. "ok" or "error").
225
Rahul Maheshwaric1f43ed2019-06-03 01:00:16 -0500226 # Install certificate before replacing client or CA certificate.
227 Run Keyword If '${cert_type}' == 'Client'
228 ... Install And Verify Certificate Via Redfish ${cert_type} Valid Certificate Valid Privatekey ok
229 ... ELSE IF '${cert_type}' == 'CA'
230 ... Install And Verify Certificate Via Redfish ${cert_type} Valid Certificate ok
Rahul Maheshwari9862eb52019-05-31 04:04:42 -0500231
Rahul Maheshwarib4b8bb62019-03-04 23:56:10 -0600232 redfish.Login
233
234 ${time}= Set Variable If '${cert_format}' == 'Expired Certificate' -10 365
235 ${cert_file_path}= Generate Certificate File Via Openssl ${cert_format} ${time}
236
George Keishingbf17fab2019-06-13 09:22:22 -0500237 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path}
238 ${file_data}= Decode Bytes To String ${bytes} UTF-8
Rahul Maheshwarib4b8bb62019-03-04 23:56:10 -0600239
Rahul Maheshwaric1f43ed2019-06-03 01:00:16 -0500240 ${certificate_uri}= Set Variable If
Rahul Maheshwaric142c092019-06-13 00:42:35 -0500241 ... '${cert_type}' == 'Server' ${REDFISH_HTTPS_CERTIFICATE_URI}/1
Rahul Maheshwaric1f43ed2019-06-03 01:00:16 -0500242 ... '${cert_type}' == 'Client' ${REDFISH_LDAP_CERTIFICATE_URI}/1
243 ... '${cert_type}' == 'CA' ${REDFISH_CA_CERTIFICATE_URI}/1
Rahul Maheshwarib4b8bb62019-03-04 23:56:10 -0600244
245 ${certificate_dict}= Create Dictionary @odata.id=${certificate_uri}
246 ${payload}= Create Dictionary CertificateString=${file_data}
247 ... CertificateType=PEM CertificateUri=${certificate_dict}
Rahul Maheshwari19e6e442019-06-03 00:22:45 -0500248
249 ${expected_resp}= Set Variable If '${expected_status}' == 'ok' ${HTTP_OK}
George Keishingd2251802020-01-24 00:23:12 -0600250 ... '${expected_status}' == 'error' ${HTTP_NOT_FOUND}, ${HTTP_INTERNAL_SERVER_ERROR}
Rahul Maheshwari9862eb52019-05-31 04:04:42 -0500251 ${resp}= redfish.Post /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
Rahul Maheshwari19e6e442019-06-03 00:22:45 -0500252 ... body=${payload} valid_status_codes=[${expected_resp}]
Rahul Maheshwarib4b8bb62019-03-04 23:56:10 -0600253
254 ${cert_file_content}= OperatingSystem.Get File ${cert_file_path}
255 ${bmc_cert_content}= redfish_utils.Get Attribute ${certificate_uri} CertificateString
256
257 Run Keyword If '${expected_status}' == 'ok'
258 ... Should Contain ${cert_file_content} ${bmc_cert_content}
259 ... ELSE
260 ... Should Not Contain ${cert_file_content} ${bmc_cert_content}
261
262
Rahul Maheshwari1e0f6a82019-08-29 01:33:23 -0500263Generate CSR Via Redfish
264 [Documentation] Generate CSR using Redfish.
265 [Arguments] ${cert_type} ${key_pair_algorithm} ${key_bit_length} ${key_curv_id} ${expected_status}
266
267 # Description of argument(s):
268 # cert_type Certificate type ("Server" or "Client").
269 # key_pair_algorithm CSR key pair algorithm ("EC" or "RSA")
270 # key_bit_length CSR key bit length ("2048").
271 # key_curv_id CSR key curv id ("prime256v1" or "secp521r1" or "secp384r1").
272 # expected_status Expected status of certificate replace Redfish
273 # request ("ok" or "error").
274
275 redfish.Login
276
277 ${certificate_uri}= Set Variable If
278 ... '${cert_type}' == 'Server' ${REDFISH_HTTPS_CERTIFICATE_URI}/
279 ... '${cert_type}' == 'Client' ${REDFISH_LDAP_CERTIFICATE_URI}/
280
281 ${certificate_dict}= Create Dictionary @odata.id=${certificate_uri}
282 ${payload}= Create Dictionary City=Austin CertificateCollection=${certificate_dict}
283 ... CommonName=${OPENBMC_HOST} Country=US Organization=IBM
284 ... OrganizationalUnit=ISL State=AU KeyBitLength=${key_bit_length}
285 ... KeyPairAlgorithm=${key_pair_algorithm} KeyCurveId=${key_curv_id}
286
287 # Remove not applicable field for CSR generation.
288 Run Keyword If '${key_pair_algorithm}' == 'EC' Remove From Dictionary ${payload} KeyBitLength
289 ... ELSE IF '${key_pair_algorithm}' == 'RSA' Remove From Dictionary ${payload} KeyCurveId
290
291 ${expected_resp}= Set Variable If '${expected_status}' == 'ok' ${HTTP_OK}
292 ... '${expected_status}' == 'error' ${HTTP_INTERNAL_SERVER_ERROR}, ${HTTP_BAD_REQUEST}
293 ${resp}= redfish.Post /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR
294 ... body=${payload} valid_status_codes=[${expected_resp}]
295
296 # Delay added between two CSR generation request.
297 Sleep 5s
298
299
Rahul Maheshwari3ecd1a62019-06-03 01:44:34 -0500300Delete Certificate Via BMC CLI
301 [Documentation] Delete certificate via BMC CLI.
302 [Arguments] ${cert_type}
303
304 # Description of argument(s):
305 # cert_type Certificate type (e.g. "Client" or "CA").
306
307 ${certificate_file_path} ${certificate_service} ${certificate_uri}=
308 ... Run Keyword If '${cert_type}' == 'Client'
309 ... Set Variable /etc/nslcd/certs/cert.pem phosphor-certificate-manager@nslcd.service
310 ... ${REDFISH_LDAP_CERTIFICATE_URI}
311 ... ELSE IF '${cert_type}' == 'CA'
Zbigniew Kurzynski84ae0d32019-10-11 15:51:59 +0200312 ... Set Variable ${ROOT_CA_FILE_PATH} phosphor-certificate-manager@authority.service
Rahul Maheshwari3ecd1a62019-06-03 01:44:34 -0500313 ... ${REDFISH_CA_CERTIFICATE_URI}
Rahul Maheshwaria5b17672019-05-30 11:08:30 -0500314
315 ${file_status} ${stderr} ${rc}= BMC Execute Command
Rahul Maheshwari3ecd1a62019-06-03 01:44:34 -0500316 ... [ -f ${certificate_file_path} ] && echo "Found" || echo "Not Found"
Rahul Maheshwaria5b17672019-05-30 11:08:30 -0500317
Rahul Maheshwari3ecd1a62019-06-03 01:44:34 -0500318 Return From Keyword If "${file_status}" != "Found"
319 BMC Execute Command rm ${certificate_file_path}
320 BMC Execute Command systemctl restart ${certificate_service}
Zbigniew Kurzynski84ae0d32019-10-11 15:51:59 +0200321 BMC Execute Command systemctl daemon-reload
George Keishing2d0804e2019-12-12 22:27:05 -0600322 Wait Until Keyword Succeeds 1 min 10 sec Redfish.Get ${certificate_uri}/1
323 ... valid_status_codes=[${HTTP_NOT_FOUND}, ${HTTP_INTERNAL_SERVER_ERROR}]
Rahul Maheshwaria5b17672019-05-30 11:08:30 -0500324
325
Rahul Maheshwarib4b8bb62019-03-04 23:56:10 -0600326Suite Setup Execution
327 [Documentation] Do suite setup tasks.
328
329 # Create certificate sub-directory in current working directory.
330 Create Directory certificate_dir
331
332
333Test Teardown Execution
334 [Documentation] Do the post test teardown.
335
336 FFDC On Test Case Fail
337 redfish.Logout