blob: 83db55b9b372f85ddb832748d9dbf7dbe38120b0
*** Settings ***
Documentation    Test Redfish LDAP user configuration.
Library          ../../lib/gen_robot_valid.py
Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot

Suite Setup      Suite Setup Execution
Suite Teardown   Run Keywords  Restore LDAP Privilege  AND  Redfish.Logout
Test Teardown    FFDC On Test Case Fail

Force Tags       LDAP_Test

*** Variables ***
${old_ldap_privilege}   ${EMPTY}
&{old_account_service}  &{EMPTY}
&{old_ldap_config}      &{EMPTY}

*** Test Cases ***

Verify LDAP Configuration Created
    [Documentation]  Verify LDAP configuration created.
    [Tags]  Verify_LDAP_Configuration_Created

    Create LDAP Configuration
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    Sleep  10s
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP Service Disable
    [Documentation]  Verify LDAP is disabled and that LDAP user cannot login.
    [Tags]  Verify_LDAP_Service_Disable

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
    Sleep  15s
    ${resp}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${resp}  ${False}  msg=LDAP user was able to login even though the LDAP service was disabled.
    Redfish.Logout
    Redfish.Login
    # Enabling LDAP so that LDAP user works.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Redfish.Logout
    Redfish.Login


Verify LDAP Configuration Exist
    [Documentation]  Verify LDAP configuration is available.
    [Tags]  Verify_LDAP_Configuration_Exist
    ${resp}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
    ...  ${LDAP_TYPE}  default=${EMPTY}
    Should Not Be Empty  ${resp}  msg=LDAP configuration is not defined.


Verify LDAP User Login
    [Documentation]  Verify that an LDAP user is able to log in to the BMC.
    [Tags]  Verify_LDAP_User_Login
    ${resp}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${resp}  ${True}  msg=LDAP user is not able to login.
    Redfish.Logout
    Redfish.Login


Verify LDAP Service Available
    [Documentation]  Verify LDAP service is available.
    [Tags]  Verify_LDAP_Service_Available
    @{ldap_configuration}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Contain  ${ldap_configuration}  LDAPService
    ...  msg=LDAPService is not available.


Verify LDAP Login Works After BMC Reboot
    [Documentation]  Verify LDAP login works after BMC reboot.
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot
    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Documentation]  Verify that an LDAP user with administrator privilege is able to reboot the BMC.
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Reboot the BMC as the LDAP user, who now holds the required privilege.
    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Verify LDAP user with operator privilege can do host power off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    [Teardown]  Restore LDAP Privilege

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Operator  ${GROUP_NAME}

    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    # Read the role back from the configured LDAP type (LDAP or ActiveDirectory).
    ${new_ldap_privilege}=  Set Variable
    ...  ${ldap_config["${LDAP_TYPE}"]["RemoteRoleMapping"][0]["LocalRole"]}
    Should Be Equal  ${new_ldap_privilege}  Operator
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with operator privilege is able to power the system off.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}  valid_status_codes=[200]
    Redfish.Logout
    Redfish.Login


Verify AccountLockout Attributes Set To Zero
    [Documentation]  Verify attribute AccountLockoutDuration and
    ...  AccountLockoutThreshold are set to 0.
    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
    ...  FFDC On Test Case Fail
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero
    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    # Publish the saved settings at suite scope so that the teardown keyword
    # can restore the lockout policy.
    Set Suite Variable  ${old_account_service}
    Rprint Vars  old_account_service
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]


Verify LDAP User With Read Privilege Able To Check Inventory
    [Documentation]  Verify that an LDAP user with read privilege is able to
    ...  read firmware inventory.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Firmware Inventory

    User
    Callback


Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Documentation]  Verify LDAP user with read privilege should not be
    ...  allowed to power on the host.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Poweron

    User
    Callback


*** Keywords ***

Create LDAP Configuration
    [Documentation]  Create LDAP configuration.
    [Arguments]  ${ldap_type}=${LDAP_TYPE}  ${ldap_server_uri}=${LDAP_SERVER_URI}
    ...  ${ldap_bind_dn}=${LDAP_BIND_DN}  ${ldap_bind_dn_password}=${LDAP_BIND_DN_PASSWORD}
    ...  ${ldap_base_dn}=${LDAP_BASE_DN}

    # Description of argument(s):
    # ldap_type              The LDAP type ("ActiveDirectory" or "LDAP").
    # ldap_server_uri        LDAP server uri (e.g. ldap://XX.XX.XX.XX).
    # ldap_bind_dn           The LDAP bind distinguished name.
    # ldap_bind_dn_password  The LDAP bind distinguished name password.
    # ldap_base_dn           The LDAP base distinguished name.

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}}
    Sleep  15s
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
    Sleep  15s
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'Authentication': {'Username':'${ldap_bind_dn}'}}}
    Sleep  15s
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'Authentication': {'Password':'${ldap_bind_dn_password}'}}}
    Sleep  15s
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'LDAPService': {'SearchSettings': {'BaseDistinguishedNames': ['${ldap_base_dn}']}}}}
    Sleep  15s


Restore AccountLockout Attributes
    [Documentation]  Restore AccountLockout Attributes.
    # Nothing to restore if the original settings were never captured.
    Return From Keyword If  not $old_account_service
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    # Restore the threshold under its own attribute name.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]


Suite Setup Execution
    [Documentation]  Do suite setup tasks.
    Rvalid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Rvalid Value  LDAP_USER
    Rvalid Value  LDAP_USER_PASSWORD
    Rvalid Value  GROUP_PRIVILEGE
    Rvalid Value  GROUP_NAME
    Redfish.Login
    ${old_ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    Run Keyword If  '${old_ldap_config['ServiceEnabled']}' == 'False'
    ...  Run Keywords  Create LDAP Configuration  AND
    ...  Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
    ${old_ldap_privilege}=  Get LDAP Privilege
    # Publish the original privilege at suite scope so that
    # 'Restore LDAP Privilege' can put it back.
    Set Suite Variable  ${old_ldap_privilege}


Set Read Privilege And Check Firmware Inventory
    [Documentation]  Set read privilege and check firmware inventory.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with read privilege is able to read inventory.
    ${resp}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
    Should Be True  ${resp.dict["Members@odata.count"]} >= ${1}
    Length Should Be  ${resp.dict["Members"]}  ${resp.dict["Members@odata.count"]}
    Redfish.Logout
    Redfish.Login


Set Read Privilege And Check Poweron
    [Documentation]  Set read privilege and power on should not be possible.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}  valid_status_codes=[401, 403]
    Redfish.Logout
    Redfish.Login


Get LDAP Configuration
    [Documentation]  Retrieve LDAP Configuration.
    [Arguments]  ${ldap_type}

    # Description of argument(s):
    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").

    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    [Return]  ${ldap_config["${ldap_type}"]}


Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  Update LDAP configuration with LDAP user role and group.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege  The group privilege ("Administrator", "Operator", "User" or "Callback").
    # group_name       The group name of user.

    ${local_role_remote_group}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
    ${remote_role_mapping}=  Create List  ${local_role_remote_group}
    ${ldap_data}=  Create Dictionary  RemoteRoleMapping=${remote_role_mapping}
    ${payload}=  Create Dictionary  ${ldap_type}=${ldap_data}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
    # Provide adequate time for LDAP daemon to restart after the update.
    Sleep  10s


Get LDAP Privilege
    [Documentation]  Get LDAP privilege and return it.
    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    [Return]  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}


Restore LDAP Privilege
    [Documentation]  Restore the LDAP privilege to its original value.
    Return From Keyword If  '${old_ldap_privilege}' == '${EMPTY}'
    # Restore the original role mapping for the LDAP group.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${old_ldap_privilege}  ${GROUP_NAME}