*** Settings ***
Documentation    Test certificate in OpenBMC.

Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/certificate_utils.robot
Library          String

Force Tags       Certificate_Test

Suite Setup      Suite Setup Execution
Test Teardown    Test Teardown Execution


*** Variables ***

${invalid_value}       abc
${ROOT_CA_FILE_PATH}   /etc/ssl/certs/authority/*


*** Test Cases ***

Verify Server Certificate Replace
    [Documentation]  Verify server certificate replace.
    [Tags]  Verify_Server_Certificate_Replace
    [Template]  Replace Certificate Via Redfish

    # cert_type  cert_format                         expected_status
    Server       Valid Certificate Valid Privatekey  ok
    Server       Empty Certificate Valid Privatekey  error
    Server       Valid Certificate Empty Privatekey  error
    Server       Empty Certificate Empty Privatekey  error


Verify Client Certificate Replace
    [Documentation]  Verify client certificate replace.
    [Tags]  Verify_Client_Certificate_Replace
    [Template]  Replace Certificate Via Redfish

    # cert_type  cert_format                         expected_status
    Client       Valid Certificate Valid Privatekey  ok
    Client       Empty Certificate Valid Privatekey  error
    Client       Valid Certificate Empty Privatekey  error
    Client       Empty Certificate Empty Privatekey  error


Verify CA Certificate Replace
    [Documentation]  Verify CA certificate replace.
    [Tags]  Verify_CA_Certificate_Replace
    [Template]  Replace Certificate Via Redfish

    # cert_type  cert_format        expected_status
    CA           Valid Certificate  ok
    CA           Empty Certificate  error


Verify Client Certificate Install
    [Documentation]  Verify client certificate install.
    [Tags]  Verify_Client_Certificate_Install
    [Template]  Install And Verify Certificate Via Redfish

    # cert_type  cert_format                         expected_status
    Client       Valid Certificate Valid Privatekey  ok
    Client       Empty Certificate Valid Privatekey  error
    Client       Valid Certificate Empty Privatekey  error
    Client       Empty Certificate Empty Privatekey  error


Verify CA Certificate Install
    [Documentation]  Verify CA certificate install.
    [Tags]  Verify_CA_Certificate_Install
    [Template]  Install And Verify Certificate Via Redfish

    # cert_type  cert_format        expected_status
    CA           Valid Certificate  ok
    CA           Empty Certificate  error


Verify Server Certificate View Via Openssl
    [Documentation]  Verify server certificate via openssl command.
    [Tags]  Verify_Server_Certificate_View_Via_Openssl

    redfish.Login

    ${cert_file_path}=  Generate Certificate File Via Openssl  Valid Certificate Valid Privatekey
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    ${certificate_dict}=  Create Dictionary
    ...  @odata.id=/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1
    ${payload}=  Create Dictionary  CertificateString=${file_data}
    ...  CertificateType=PEM  CertificateUri=${certificate_dict}

    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...  body=${payload}

    Wait Until Keyword Succeeds  2 mins  15 secs  Verify Certificate Visible Via OpenSSL  ${cert_file_path}


Verify CSR Generation For Server Certificate
    [Documentation]  Verify CSR generation for server certificate.
    [Tags]  Verify_CSR_Generation_For_Server_Certificate
    [Template]  Generate CSR Via Redfish

    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
    Server      RSA                 ${2048}         ${EMPTY}     ok
    Server      EC                  ${EMPTY}        prime256v1   ok
    Server      EC                  ${EMPTY}        secp521r1    ok
    Server      EC                  ${EMPTY}        secp384r1    ok


Verify CSR Generation For Client Certificate
    [Documentation]  Verify CSR generation for client certificate.
    [Tags]  Verify_CSR_Generation_For_Client_Certificate
    [Template]  Generate CSR Via Redfish

    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
    Client      RSA                 ${2048}         ${EMPTY}     ok
    Client      EC                  ${EMPTY}        prime256v1   ok
    Client      EC                  ${EMPTY}        secp521r1    ok
    Client      EC                  ${EMPTY}        secp384r1    ok


Verify CSR Generation For Server Certificate With Invalid Value
    [Documentation]  Verify error while generating CSR for server certificate with invalid value.
    [Tags]  Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value
    [Template]  Generate CSR Via Redfish

    # csr_type  key_pair_algorithm  key_bit_length    key_curv_id       expected_status
    Server      ${invalid_value}    ${2048}           prime256v1        error
    Server      RSA                 ${invalid_value}  ${EMPTY}          error
    Server      EC                  ${EMPTY}          ${invalid_value}  error


Verify CSR Generation For Client Certificate With Invalid Value
    [Documentation]  Verify error while generating CSR for client certificate with invalid value.
    [Tags]  Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value
    [Template]  Generate CSR Via Redfish

    Client      ${invalid_value}    ${2048}           prime256v1        error
    Client      RSA                 ${invalid_value}  ${EMPTY}          error
    Client      EC                  ${EMPTY}          ${invalid_value}  error


*** Keywords ***

Install And Verify Certificate Via Redfish
    [Documentation]  Install and verify certificate using Redfish.
    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Client" or "CA").
    # cert_format         Certificate file format
    #                     (e.g. "Valid_Certificate_Valid_Privatekey").
    # expected_status     Expected status of certificate replace Redfish
    #                     request (i.e. "ok" or "error").

    redfish.Login
    Run Keyword If  '${cert_type}' == 'CA'  Delete All CA Certificate Via Redfish
    ...  ELSE IF  '${cert_type}' == 'Client'  Delete Certificate Via BMC CLI  ${cert_type}

    ${time}=  Set Variable If  '${cert_format}' == 'Expired Certificate'  -10  365
    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}  ${time}
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}
    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}

    ${cert_id}=  Install Certificate File On BMC  ${certificate_uri}  ${expected_status}  data=${file_data}
    Logging  Installed certificate id: ${cert_id}

    # Adding delay after certificate installation.
    Sleep  30s

    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
    ${bmc_cert_content}=  Run Keyword If  '${expected_status}' == 'ok'  redfish_utils.Get Attribute
    ...  ${certificate_uri}/${cert_id}  CertificateString

    Run Keyword If  '${expected_status}' == 'ok'  Should Contain  ${cert_file_content}  ${bmc_cert_content}


Install Certificate File On BMC
    [Documentation]  Install certificate file in BMC using POST operation.
    [Arguments]  ${uri}  ${status}=ok  &{kwargs}

    # Description of argument(s):
    # uri         URI for installing certificate file via REST
    #             e.g. "/xyz/openbmc_project/certs/server/https".
    # status      Expected status of certificate installation via REST
    #             e.g. error, ok.
    # kwargs      A dictionary of keys/values to be passed directly to
    #             POST Request.

    Initialize OpenBMC  quiet=${quiet}

    ${headers}=  Create Dictionary  Content-Type=application/octet-stream
    ...  X-Auth-Token=${XAUTH_TOKEN}
    Set To Dictionary  ${kwargs}  headers  ${headers}

    ${ret}=  Post Request  openbmc  ${uri}  &{kwargs}
    ${content_json}=  To JSON  ${ret.content}
    ${cert_id}=  Set Variable If  '${ret.status_code}' == '${HTTP_OK}'  ${content_json["Id"]}  -1

    Run Keyword If  '${status}' == 'ok'
    ...  Should Be Equal As Strings  ${ret.status_code}  ${HTTP_OK}
    ...  ELSE IF  '${status}' == 'error'
    ...  Should Be Equal As Strings  ${ret.status_code}  ${HTTP_INTERNAL_SERVER_ERROR}

    Delete All Sessions

    [Return]  ${cert_id}

Replace Certificate Via Redfish
    [Documentation]  Test 'replace certificate' operation in the BMC via Redfish.
    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Server" or "Client").
    # cert_format         Certificate file format
    #                     (e.g. Valid_Certificate_Valid_Privatekey).
    # expected_status     Expected status of certificate replace Redfish
    #                     request (i.e. "ok" or "error").

    # Install certificate before replacing client or CA certificate.
    Run Keyword If  '${cert_type}' == 'Client'
    ...    Install And Verify Certificate Via Redfish  ${cert_type}  Valid Certificate Valid Privatekey  ok
    ...  ELSE IF  '${cert_type}' == 'CA'
    ...    Install And Verify Certificate Via Redfish  ${cert_type}  Valid Certificate  ok

    redfish.Login

    ${time}=  Set Variable If  '${cert_format}' == 'Expired Certificate'  -10  365
    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}  ${time}

    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/1
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/1
    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}/1

    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
    ${payload}=  Create Dictionary  CertificateString=${file_data}
    ...  CertificateType=PEM  CertificateUri=${certificate_dict}

    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
    ...  '${expected_status}' == 'error'  ${HTTP_NOT_FOUND}, ${HTTP_INTERNAL_SERVER_ERROR}
    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...  body=${payload}  valid_status_codes=[${expected_resp}]

    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
    ${bmc_cert_content}=  redfish_utils.Get Attribute  ${certificate_uri}  CertificateString

    Run Keyword If  '${expected_status}' == 'ok'
    ...    Should Contain  ${cert_file_content}  ${bmc_cert_content}
    ...  ELSE
    ...    Should Not Contain  ${cert_file_content}  ${bmc_cert_content}


Generate CSR Via Redfish
    [Documentation]  Generate CSR using Redfish.
    [Arguments]  ${cert_type}  ${key_pair_algorithm}  ${key_bit_length}  ${key_curv_id}  ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type ("Server" or "Client").
    # key_pair_algorithm  CSR key pair algorithm ("EC" or "RSA")
    # key_bit_length      CSR key bit length ("2048").
    # key_curv_id         CSR key curv id ("prime256v1" or "secp521r1" or "secp384r1").
    # expected_status     Expected status of certificate replace Redfish
    #                     request ("ok" or "error").

    redfish.Login

    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/

    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
    ${payload}=  Create Dictionary  City=Austin  CertificateCollection=${certificate_dict}
    ...  CommonName=${OPENBMC_HOST}  Country=US  Organization=IBM
    ...  OrganizationalUnit=ISL  State=AU  KeyBitLength=${key_bit_length}
    ...  KeyPairAlgorithm=${key_pair_algorithm}  KeyCurveId=${key_curv_id}

    # Remove not applicable field for CSR generation.
    Run Keyword If  '${key_pair_algorithm}' == 'EC'  Remove From Dictionary  ${payload}  KeyBitLength
    ...  ELSE IF  '${key_pair_algorithm}' == 'RSA'  Remove From Dictionary  ${payload}  KeyCurveId

    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
    ...  '${expected_status}' == 'error'  ${HTTP_INTERNAL_SERVER_ERROR}, ${HTTP_BAD_REQUEST}
    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR
    ...  body=${payload}  valid_status_codes=[${expected_resp}]

    # Delay added between two CSR generation request.
    Sleep  5s


Delete Certificate Via BMC CLI
    [Documentation]  Delete certificate via BMC CLI.
    [Arguments]  ${cert_type}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Client" or "CA").

    ${certificate_file_path}  ${certificate_service}  ${certificate_uri}=
    ...  Run Keyword If  '${cert_type}' == 'Client'
    ...    Set Variable  /etc/nslcd/certs/cert.pem  phosphor-certificate-manager@nslcd.service
    ...    ${REDFISH_LDAP_CERTIFICATE_URI}
    ...  ELSE IF  '${cert_type}' == 'CA'
    ...    Set Variable  ${ROOT_CA_FILE_PATH}  phosphor-certificate-manager@authority.service
    ...    ${REDFISH_CA_CERTIFICATE_URI}

    ${file_status}  ${stderr}  ${rc}=  BMC Execute Command
    ...  [ -f ${certificate_file_path} ] && echo "Found" || echo "Not Found"

    Return From Keyword If  "${file_status}" != "Found"
    BMC Execute Command  rm ${certificate_file_path}
    BMC Execute Command  systemctl restart ${certificate_service}
    BMC Execute Command  systemctl daemon-reload
    Wait Until Keyword Succeeds  1 min  10 sec  Redfish.Get  ${certificate_uri}/1
    ...  valid_status_codes=[${HTTP_NOT_FOUND}, ${HTTP_INTERNAL_SERVER_ERROR}]


Delete All CA Certificate Via Redfish
    [Documentation]  Delete all CA certificate via Redfish.

    ${cert_list}=  Redfish_Utils.Get Member List  /redfish/v1/Managers/bmc/Truststore/Certificates
    FOR  ${cert}  IN  @{cert_list}
      Redfish.Delete  ${cert}  valid_status_codes=[${HTTP_NO_CONTENT}]
    END


Suite Setup Execution
    [Documentation]  Do suite setup tasks.

    # Create certificate sub-directory in current working directory.
    Create Directory  certificate_dir


Test Teardown Execution
    [Documentation]  Do the post test teardown.

    FFDC On Test Case Fail
    redfish.Logout