Sivas SRR | 7d7bae3 | 2019-05-29 00:31:14 -0500 | [diff] [blame] | 1 | *** Settings *** |
| 2 | Documentation Test Redfish LDAP user configuration. |
Sivas SRR | d21c984 | 2019-06-21 05:41:18 -0500 | [diff] [blame] | 3 | Library ../../lib/gen_robot_valid.py |
Sivas SRR | 7d7bae3 | 2019-05-29 00:31:14 -0500 | [diff] [blame] | 4 | Resource ../../lib/resource.robot |
| 5 | Resource ../../lib/bmc_redfish_resource.robot |
| 6 | Resource ../../lib/openbmc_ffdc.robot |
Sivas SRR | f4ec649 | 2019-06-16 01:59:30 -0500 | [diff] [blame] | 7 | Library ../../lib/gen_robot_valid.py |
Sivas SRR | 7d7bae3 | 2019-05-29 00:31:14 -0500 | [diff] [blame] | 8 | |
| 9 | Suite Setup Suite Setup Execution |
Sivas SRR | 939b4b1 | 2019-06-26 00:01:59 -0500 | [diff] [blame] | 10 | Suite Teardown Run Keywords Restore LDAP Privilege AND Redfish.Logout |
Sivas SRR | f4ec649 | 2019-06-16 01:59:30 -0500 | [diff] [blame] | 11 | Test Teardown FFDC On Test Case Fail |
Sivas SRR | 7d7bae3 | 2019-05-29 00:31:14 -0500 | [diff] [blame] | 12 | |
Sivas SRR | 9358b5c | 2019-06-06 04:57:03 -0500 | [diff] [blame] | 13 | Force Tags LDAP_Test |
| 14 | |
Sivas SRR | f4ec649 | 2019-06-16 01:59:30 -0500 | [diff] [blame] | 15 | *** Variables *** |
| 16 | ${old_ldap_privilege} ${EMPTY} |
Sivas SRR | d21c984 | 2019-06-21 05:41:18 -0500 | [diff] [blame] | 17 | &{old_account_service} &{EMPTY} |
Sivas SRR | b1b8575 | 2019-07-04 01:28:28 -0500 | [diff] [blame^] | 18 | &{old_ldap_config} &{EMPTY} |
Sivas SRR | f4ec649 | 2019-06-16 01:59:30 -0500 | [diff] [blame] | 19 | |
Sivas SRR | 7d7bae3 | 2019-05-29 00:31:14 -0500 | [diff] [blame] | 20 | ** Test Cases ** |
| 21 | |
Sivas SRR | b1b8575 | 2019-07-04 01:28:28 -0500 | [diff] [blame^] | 22 | Verify LDAP Configuration Created |
| 23 | [Documentation] Verify LDAP configuration created. |
| 24 | [Tags] Verify_LDAP_Configuration_Created |
| 25 | |
| 26 | Create LDAP Configuration |
| 27 | # Call 'Get LDAP Configuration' to verify that LDAP configuration exists. |
| 28 | Get LDAP Configuration ${LDAP_TYPE} |
| 29 | Sleep 10s |
| 30 | Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} |
| 31 | Redfish.Logout |
| 32 | Redfish.Login |
| 33 | |
| 34 | |
| 35 | Verify LDAP Service Disable |
| 36 | [Documentation] Verify LDAP is disabled and that LDAP user cannot login. |
| 37 | [Tags] Verify_LDAP_Service_Disable |
| 38 | |
| 39 | Redfish.Patch ${REDFISH_BASE_URI}AccountService |
| 40 | ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}} |
| 41 | Sleep 15s |
| 42 | ${resp}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} |
| 43 | ... ${LDAP_USER_PASSWORD} |
| 44 | Should Be Equal ${resp} ${False} msg=LDAP user was able to login even though the LDAP service was disabled. |
| 45 | Redfish.Logout |
| 46 | Redfish.Login |
| 47 | # Enabling LDAP so that LDAP user works. |
| 48 | Redfish.Patch ${REDFISH_BASE_URI}AccountService |
| 49 | ... body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}} |
| 50 | Redfish.Logout |
| 51 | Redfish.Login |
| 52 | |
| 53 | |
Sivas SRR | 7d7bae3 | 2019-05-29 00:31:14 -0500 | [diff] [blame] | 54 | Verify LDAP Configuration Exist |
| 55 | [Documentation] Verify LDAP configuration is available. |
| 56 | [Tags] Verify_LDAP_Configuration_Exist |
Sivas SRR | 7d7bae3 | 2019-05-29 00:31:14 -0500 | [diff] [blame] | 57 | ${resp}= Redfish.Get Attribute ${REDFISH_BASE_URI}AccountService |
| 58 | ... ${LDAP_TYPE} default=${EMPTY} |
| 59 | Should Not Be Empty ${resp} msg=LDAP configuration is not defined. |
| 60 | |
| 61 | |
| 62 | Verify LDAP User Login |
| 63 | [Documentation] Verify LDAP user able to login into BMC. |
| 64 | [Tags] Verify_LDAP_User_Login |
Sivas SRR | 7d7bae3 | 2019-05-29 00:31:14 -0500 | [diff] [blame] | 65 | ${resp}= Run Keyword And Return Status Redfish.Login ${LDAP_USER} |
| 66 | ... ${LDAP_USER_PASSWORD} |
| 67 | Should Be Equal ${resp} ${True} msg=LDAP user is not able to login. |
Sivas SRR | 939b4b1 | 2019-06-26 00:01:59 -0500 | [diff] [blame] | 68 | Redfish.Logout |
| 69 | Redfish.Login |
Sivas SRR | 7d7bae3 | 2019-05-29 00:31:14 -0500 | [diff] [blame] | 70 | |
| 71 | |
| 72 | Verify LDAP Service Available |
| 73 | [Documentation] Verify LDAP service is available. |
| 74 | [Tags] Verify_LDAP_Service_Available |
Sivas SRR | 7d7bae3 | 2019-05-29 00:31:14 -0500 | [diff] [blame] | 75 | @{ldap_configuration}= Get LDAP Configuration ${LDAP_TYPE} |
| 76 | Should Contain ${ldap_configuration} LDAPService |
| 77 | ... msg=LDAPService is not available. |
| 78 | |
| 79 | |
Sivas SRR | 108f9d3 | 2019-06-03 10:05:34 -0500 | [diff] [blame] | 80 | Verify LDAP Login Works After BMC Reboot |
| 81 | [Documentation] Verify LDAP login works after BMC reboot. |
| 82 | [Tags] Verify_LDAP_Login_Works_After_BMC_Reboot |
Sivas SRR | 108f9d3 | 2019-06-03 10:05:34 -0500 | [diff] [blame] | 83 | Redfish OBMC Reboot (off) |
| 84 | Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} |
| 85 | Redfish.Logout |
Sivas SRR | 939b4b1 | 2019-06-26 00:01:59 -0500 | [diff] [blame] | 86 | Redfish.Login |
Sivas SRR | 108f9d3 | 2019-06-03 10:05:34 -0500 | [diff] [blame] | 87 | |
| 88 | |
| 89 | Verify LDAP User With Admin Privilege Able To Do BMC Reboot |
| 90 | [Documentation] Verify LDAP user with administrator privilege able to do BMC reboot. |
| 91 | [Tags] Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot |
| 92 | |
Sivas SRR | 108f9d3 | 2019-06-03 10:05:34 -0500 | [diff] [blame] | 93 | Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} |
| 94 | ... ${GROUP_PRIVILEGE} ${GROUP_NAME} |
| 95 | Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} |
| 96 | # With LDAP user and with right privilege trying to do BMC reboot. |
| 97 | Redfish OBMC Reboot (off) |
| 98 | Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} |
| 99 | Redfish.Logout |
Sivas SRR | 939b4b1 | 2019-06-26 00:01:59 -0500 | [diff] [blame] | 100 | Redfish.Login |
Sivas SRR | 108f9d3 | 2019-06-03 10:05:34 -0500 | [diff] [blame] | 101 | |
| 102 | |
Sivas SRR | 2b83ec0 | 2019-07-12 11:30:20 -0500 | [diff] [blame] | 103 | Verify LDAP User With Operator Privilege Able To Do Host Poweroff |
| 104 | [Documentation] Verify LDAP user with operator privilege can do host power off. |
| 105 | [Tags] Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff |
Sivas SRR | f4ec649 | 2019-06-16 01:59:30 -0500 | [diff] [blame] | 106 | [Teardown] Restore LDAP Privilege |
| 107 | |
Sivas SRR | f4ec649 | 2019-06-16 01:59:30 -0500 | [diff] [blame] | 108 | Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} |
| 109 | ... Operator ${GROUP_NAME} |
Sivas SRR | f4ec649 | 2019-06-16 01:59:30 -0500 | [diff] [blame] | 110 | |
| 111 | ${ldap_config}= Redfish.Get Properties ${REDFISH_BASE_URI}AccountService |
| 112 | ${new_ldap_privilege}= Set Variable |
| 113 | ... ${ldap_config["LDAP"]["RemoteRoleMapping"][0]["LocalRole"]} |
| 114 | Should Be Equal ${new_ldap_privilege} Operator |
| 115 | Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} |
Sivas SRR | 2b83ec0 | 2019-07-12 11:30:20 -0500 | [diff] [blame] | 116 | # Verify that the LDAP user with operator privilege is able to power the system off. |
| 117 | Redfish.Post ${REDFISH_POWER_URI} |
Sivas SRR | 3d82b3c | 2019-07-12 12:20:04 -0500 | [diff] [blame] | 118 | ... body={'ResetType': 'ForceOff'} valid_status_codes=[200] |
Sivas SRR | f4ec649 | 2019-06-16 01:59:30 -0500 | [diff] [blame] | 119 | Redfish.Logout |
Sivas SRR | 939b4b1 | 2019-06-26 00:01:59 -0500 | [diff] [blame] | 120 | Redfish.Login |
Sivas SRR | f4ec649 | 2019-06-16 01:59:30 -0500 | [diff] [blame] | 121 | |
| 122 | |
Sivas SRR | d21c984 | 2019-06-21 05:41:18 -0500 | [diff] [blame] | 123 | Verify AccountLockout Attributes Set To Zero |
| 124 | [Documentation] Verify attribute AccountLockoutDuration and |
| 125 | ... AccountLockoutThreshold are set to 0. |
| 126 | [Teardown] Run Keywords Restore AccountLockout Attributes AND |
| 127 | ... FFDC On Test Case Fail |
| 128 | [Tags] Verify_AccountLockout_Attributes_Set_To_Zero |
Sivas SRR | d21c984 | 2019-06-21 05:41:18 -0500 | [diff] [blame] | 129 | ${old_account_service}= Redfish.Get Properties |
| 130 | ... ${REDFISH_BASE_URI}AccountService |
Michael Walsh | 39c0051 | 2019-07-17 10:54:06 -0500 | [diff] [blame] | 131 | Rprint Vars old_account_service |
Sivas SRR | d21c984 | 2019-06-21 05:41:18 -0500 | [diff] [blame] | 132 | Redfish.Patch ${REDFISH_BASE_URI}AccountService |
| 133 | ... body=[('AccountLockoutDuration', 0)] |
| 134 | Redfish.Patch ${REDFISH_BASE_URI}AccountService |
| 135 | ... body=[('AccountLockoutThreshold', 0)] |
| 136 | |
| 137 | |
Sivas SRR | 939b4b1 | 2019-06-26 00:01:59 -0500 | [diff] [blame] | 138 | Verify LDAP User With Read Privilege Able To Check Inventory |
| 139 | [Documentation] Verify LDAP user with read privilege able to |
| 140 | ... read firmware inventory. |
| 141 | [Tags] Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory |
| 142 | [Teardown] Run Keywords FFDC On Test Case Fail AND Restore LDAP Privilege |
| 143 | [Template] Set Read Privilege And Check Firmware Inventory |
| 144 | |
| 145 | User |
| 146 | Callback |
| 147 | |
| 148 | |
| 149 | Verify LDAP User With Read Privilege Should Not Do Host Poweron |
| 150 | [Documentation] Verify LDAP user with read privilege should not be |
| 151 | ... allowed to power on the host. |
| 152 | [Tags] Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron |
| 153 | [Teardown] Run Keywords FFDC On Test Case Fail AND Restore LDAP Privilege |
| 154 | [Template] Set Read Privilege And Check Poweron |
| 155 | |
| 156 | User |
| 157 | Callback |
| 158 | |
| 159 | |
Sivas SRR | 7d7bae3 | 2019-05-29 00:31:14 -0500 | [diff] [blame] | 160 | *** Keywords *** |
Sivas SRR | d21c984 | 2019-06-21 05:41:18 -0500 | [diff] [blame] | 161 | |
Sivas SRR | b1b8575 | 2019-07-04 01:28:28 -0500 | [diff] [blame^] | 162 | Create LDAP Configuration |
| 163 | [Documentation] Create LDAP configuration. |
| 164 | [Arguments] ${ldap_type}=${LDAP_TYPE} ${ldap_server_uri}=${LDAP_SERVER_URI} |
| 165 | ... ${ldap_bind_dn}=${LDAP_BIND_DN} ${ldap_bind_dn_password}=${LDAP_BIND_DN_PASSWORD} |
| 166 | ... ${ldap_base_dn}=${LDAP_BASE_DN} |
| 167 | |
| 168 | # Description of argument(s): |
| 169 | # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). |
| 170 | # ldap_server_uri LDAP server uri (e.g. ldap://XX.XX.XX.XX). |
| 171 | # ldap_bind_dn The LDAP bind distinguished name. |
| 172 | # ldap_bind_dn_password The LDAP bind distinguished name password. |
| 173 | # ldap_base_dn The LDAP base distinguished name. |
| 174 | |
| 175 | Redfish.Patch ${REDFISH_BASE_URI}AccountService |
| 176 | ... body={'${ldap_type}': {'ServiceEnabled': ${True}}} |
| 177 | Sleep 15s |
| 178 | Redfish.Patch ${REDFISH_BASE_URI}AccountService |
| 179 | ... body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}} |
| 180 | Sleep 15s |
| 181 | Redfish.Patch ${REDFISH_BASE_URI}AccountService |
| 182 | ... body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}} |
| 183 | Sleep 15s |
| 184 | Redfish.Patch ${REDFISH_BASE_URI}AccountService |
| 185 | ... body={'${ldap_type}': {'Authentication': {'Username':'${ldap_bind_dn}'}}} |
| 186 | Sleep 15s |
| 187 | Redfish.Patch ${REDFISH_BASE_URI}AccountService |
| 188 | ... body={'${ldap_type}': {'Authentication': {'Password':'${ldap_bind_dn_password}'}}} |
| 189 | Sleep 15s |
| 190 | Redfish.Patch ${REDFISH_BASE_URI}AccountService |
| 191 | ... body={'${ldap_type}': {'LDAPService': {'SearchSettings': {'BaseDistinguishedNames': ['${ldap_base_dn}']}}}} |
| 192 | Sleep 15s |
| 193 | |
| 194 | |
Sivas SRR | d21c984 | 2019-06-21 05:41:18 -0500 | [diff] [blame] | 195 | Restore AccountLockout Attributes |
| 196 | [Documentation] Restore AccountLockout Attributes. |
Sivas SRR | d21c984 | 2019-06-21 05:41:18 -0500 | [diff] [blame] | 197 | Return From Keyword If &{old_account_service} == &{EMPTY} |
| 198 | Redfish.Patch ${REDFISH_BASE_URI}AccountService |
| 199 | ... body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})] |
| 200 | Redfish.Patch ${REDFISH_BASE_URI}AccountService |
| 201 | ... body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutThreshold']})] |
| 202 | |
| 203 | |
Sivas SRR | 7d7bae3 | 2019-05-29 00:31:14 -0500 | [diff] [blame] | 204 | Suite Setup Execution |
| 205 | [Documentation] Do suite setup tasks. |
Sivas SRR | d21c984 | 2019-06-21 05:41:18 -0500 | [diff] [blame] | 206 | Rvalid Value LDAP_TYPE valid_values=["ActiveDirectory", "LDAP"] |
Sivas SRR | f4ec649 | 2019-06-16 01:59:30 -0500 | [diff] [blame] | 207 | Rvalid Value LDAP_USER |
| 208 | Rvalid Value LDAP_USER_PASSWORD |
| 209 | Rvalid Value GROUP_PRIVILEGE |
| 210 | Rvalid Value GROUP_NAME |
| 211 | Redfish.Login |
Sivas SRR | b1b8575 | 2019-07-04 01:28:28 -0500 | [diff] [blame^] | 212 | ${old_ldap_config}= Get LDAP Configuration ${LDAP_TYPE} |
| 213 | Run Keyword If '${old_ldap_config['ServiceEnabled']}' == 'False' |
| 214 | ... Run Keywords Create LDAP Configuration AND |
| 215 | ... Update LDAP Configuration with LDAP User Role And Group |
| 216 | ... ${LDAP_TYPE} ${GROUP_PRIVILEGE} ${GROUP_NAME} |
Sivas SRR | 939b4b1 | 2019-06-26 00:01:59 -0500 | [diff] [blame] | 217 | ${old_ldap_privilege}= Get LDAP Privilege |
Sivas SRR | 7d7bae3 | 2019-05-29 00:31:14 -0500 | [diff] [blame] | 218 | |
| 219 | |
Sivas SRR | 939b4b1 | 2019-06-26 00:01:59 -0500 | [diff] [blame] | 220 | Set Read Privilege And Check Firmware Inventory |
| 221 | [Documentation] Set read privilege and check firmware inventory. |
| 222 | [Arguments] ${read_privilege} |
| 223 | |
| 224 | # Description of argument(s): |
| 225 | # read_privilege The read privilege role (e.g. "User" / "Callback"). |
| 226 | |
| 227 | Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} |
| 228 | ... ${read_privilege} ${GROUP_NAME} |
| 229 | |
| 230 | Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} |
| 231 | # Verify that the LDAP user with read privilege is able to read inventory. |
| 232 | ${resp}= Redfish.Get /redfish/v1/UpdateService/FirmwareInventory |
| 233 | Should Be True ${resp.dict["Members@odata.count"]} >= ${1} |
| 234 | Length Should Be ${resp.dict["Members"]} ${resp.dict["Members@odata.count"]} |
Sivas SRR | d21c984 | 2019-06-21 05:41:18 -0500 | [diff] [blame] | 235 | Redfish.Logout |
Sivas SRR | 939b4b1 | 2019-06-26 00:01:59 -0500 | [diff] [blame] | 236 | Redfish.Login |
| 237 | |
| 238 | |
| 239 | Set Read Privilege And Check Poweron |
| 240 | [Documentation] Set read privilege and power on should not be possible. |
| 241 | [Arguments] ${read_privilege} |
| 242 | |
| 243 | # Description of argument(s): |
| 244 | # read_privilege The read privilege role (e.g. "User" / "Callback"). |
| 245 | |
| 246 | Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} |
| 247 | ... ${read_privilege} ${GROUP_NAME} |
| 248 | Redfish.Login ${LDAP_USER} ${LDAP_USER_PASSWORD} |
| 249 | Redfish.Post ${REDFISH_POWER_URI} |
| 250 | ... body={'ResetType': 'On'} valid_status_codes=[401, 403] |
| 251 | Redfish.Logout |
| 252 | Redfish.Login |
Sivas SRR | d21c984 | 2019-06-21 05:41:18 -0500 | [diff] [blame] | 253 | |
| 254 | |
Sivas SRR | 7d7bae3 | 2019-05-29 00:31:14 -0500 | [diff] [blame] | 255 | Get LDAP Configuration |
| 256 | [Documentation] Retrieve LDAP Configuration. |
| 257 | [Arguments] ${ldap_type} |
| 258 | |
| 259 | # Description of argument(s): |
| 260 | # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). |
| 261 | |
| 262 | ${ldap_config}= Redfish.Get Properties ${REDFISH_BASE_URI}AccountService |
| 263 | [Return] ${ldap_config["${ldap_type}"]} |
Sivas SRR | 108f9d3 | 2019-06-03 10:05:34 -0500 | [diff] [blame] | 264 | |
| 265 | |
| 266 | Update LDAP Configuration with LDAP User Role And Group |
| 267 | [Documentation] Update LDAP configuration update with LDAP user Role and group. |
| 268 | [Arguments] ${ldap_type} ${group_privilege} ${group_name} |
| 269 | |
| 270 | # Description of argument(s): |
| 271 | # ldap_type The LDAP type ("ActiveDirectory" or "LDAP"). |
| 272 | # group_privilege The group privilege ("Administrator", "Operator", "User" or "Callback"). |
| 273 | # group_name The group name of user. |
| 274 | |
| 275 | ${local_role_remote_group}= Create Dictionary LocalRole=${group_privilege} RemoteGroup=${group_name} |
| 276 | ${remote_role_mapping}= Create List ${local_role_remote_group} |
| 277 | ${ldap_data}= Create Dictionary RemoteRoleMapping=${remote_role_mapping} |
| 278 | ${payload}= Create Dictionary ${ldap_type}=${ldap_data} |
| 279 | Redfish.Patch ${REDFISH_BASE_URI}AccountService body=&{payload} |
Sivas SRR | 939b4b1 | 2019-06-26 00:01:59 -0500 | [diff] [blame] | 280 | # Provide adequate time for LDAP daemon to restart after the update. |
| 281 | Sleep 10s |
Sivas SRR | 108f9d3 | 2019-06-03 10:05:34 -0500 | [diff] [blame] | 282 | |
Sivas SRR | f4ec649 | 2019-06-16 01:59:30 -0500 | [diff] [blame] | 283 | |
| 284 | Get LDAP Privilege |
| 285 | [Documentation] Get LDAP privilege and return it. |
Sivas SRR | f4ec649 | 2019-06-16 01:59:30 -0500 | [diff] [blame] | 286 | ${ldap_config}= Get LDAP Configuration ${LDAP_TYPE} |
| 287 | [Return] ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]} |
| 288 | |
| 289 | |
| 290 | Restore LDAP Privilege |
| 291 | [Documentation] Restore the LDAP privilege to its original value. |
Sivas SRR | 939b4b1 | 2019-06-26 00:01:59 -0500 | [diff] [blame] | 292 | Return From Keyword If '${old_ldap_privilege}' == '${EMPTY}' |
| 293 | # Log back in to restore the original privilege. |
Sivas SRR | f4ec649 | 2019-06-16 01:59:30 -0500 | [diff] [blame] | 294 | Update LDAP Configuration with LDAP User Role And Group ${LDAP_TYPE} |
| 295 | ... ${old_ldap_privilege} ${GROUP_NAME} |