redfish/account_service/test_ldap_configuration.robot

*** Settings ***
Documentation    Test Redfish LDAP user configuration.

Library          ../../lib/gen_robot_valid.py
Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/utils.robot
Library          ../../lib/gen_robot_valid.py
Resource         ../../lib/bmc_network_utils.robot
Resource         ../../lib/bmc_ldap_utils.robot

Suite Setup      Suite Setup Execution
Suite Teardown   LDAP Suite Teardown Execution
Test Teardown    Run Keywords  Redfish.Login  AND  FFDC On Test Case Fail
Force Tags       LDAP_Test

*** Variables ***
${old_ldap_privilege}   Administrator
&{old_account_service}  &{EMPTY}
&{old_ldap_config}      &{EMPTY}
${hostname}             ${EMPTY}
${test_ip}              10.6.6.6
${test_mask}            255.255.255.0

** Test Cases **

Verify LDAP Configuration Created
    [Documentation]  Verify that LDAP configuration created.
    [Tags]  Verify_LDAP_Configuration_Created

    Create LDAP Configuration
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    Sleep  10s
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout


Verify LDAP Service Disable
    [Documentation]  Verify that LDAP is disabled and that LDAP user cannot
    ...  login.
    [Tags]  Verify_LDAP_Service_Disable

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
    Sleep  15s
    ${resp}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${resp}  ${False}
    ...  msg=LDAP user was able to login even though the LDAP service was disabled.
    Redfish.Logout
    Redfish.Login
    # Enabling LDAP so that LDAP user works.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Redfish.Logout


Verify LDAP Login With ServiceEnabled
    [Documentation]  Verify that LDAP Login with ServiceEnabled.
    [Tags]  Verify_LDAP_Login_With_ServiceEnabled

    Disable Other LDAP
    # Actual service enablement.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    # After update, LDAP login.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout


Verify LDAP Login With Correct AuthenticationType
    [Documentation]  Verify that LDAP Login with right AuthenticationType.
    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
    Sleep  15s
    # After update, LDAP login.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout


Verify LDAP Config Update With Incorrect AuthenticationType
    [Documentation]  Verify that invalid AuthenticationType is not updated.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_AuthenticationType

    ${body}=  Catenate  {'${ldap_type}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=${body}  valid_status_codes=[400]


Verify LDAP Login With Correct LDAP URL
    [Documentation]  Verify LDAP Login with right LDAP URL.
    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL

    Config LDAP URL  ${LDAP_SERVER_URI}


Verify LDAP Config Update With Incorrect LDAP URL
    [Documentation]  Verify that LDAP Login fails with invalid LDAP URL.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
    [Teardown]  Run Keywords  Restore LDAP URL  AND
    ...  FFDC On Test Case Fail

    Config LDAP URL  ldap://1.2.3.4/  ${FALSE}

Verify LDAP Configuration Exist
    [Documentation]  Verify that LDAP configuration is available.
    [Tags]  Verify_LDAP_Configuration_Exist

    ${resp}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
    ...  ${LDAP_TYPE}  default=${EMPTY}
    Should Not Be Empty  ${resp}  msg=LDAP configuration is not defined.


Verify LDAP User Login
    [Documentation]  Verify that LDAP user able to login into BMC.
    [Tags]  Verify_LDAP_User_Login

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout


Verify LDAP Service Available
    [Documentation]  Verify that LDAP service is available.
    [Tags]  Verify_LDAP_Service_Available

    @{ldap_configuration}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Contain  ${ldap_configuration}  LDAPService
    ...  msg=LDAPService is not available.


Verify LDAP Login Works After BMC Reboot
    [Documentation]  Verify that LDAP login works after BMC reboot.
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot

    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout


Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Documentation]  Verify that LDAP user with administrator privilege able to do BMC reboot.
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot


    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # With LDAP user and with right privilege trying to do BMC reboot.
    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout


Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Verify that LDAP user with operator privilege can do host
    ...  power off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    [Teardown]  Restore LDAP Privilege

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Operator  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with operator privilege is able to power the system off.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[200]
    Redfish.Logout
    Redfish.Login


Verify AccountLockout Attributes Set To Zero By LDAP User
    [Documentation]  Verify that attribute AccountLockoutDuration and
    ...  AccountLockoutThreshold are set to 0 by LDAP user.
    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
    ...  FFDC On Test Case Fail
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero_By_LDAP_User

    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    Rprint Vars  old_account_service

    # Create LDAP user and create session using LDAP user.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Administrator  ${GROUP_NAME}

    # Clear existing Redfish sessions.
    Redfish.Logout

    # Login using LDAP user.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # Set Account Lockout attributes using LDAP user.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]


Verify LDAP User With Read Privilege Able To Check Inventory
    [Documentation]  Verify that LDAP user with read privilege able to
    ...  read firmware inventory.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Firmware Inventory

    ReadOnly


Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Documentation]  Verify that LDAP user with read privilege should not be
    ...  allowed to power on the host.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Poweron

    ReadOnly


Update LDAP Group Name And Verify Operations
    [Documentation]  Verify that LDAP group name update and able to do right
    ...  operations.
    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
    [Template]  Update LDAP Config And Verify Set Host Name
    [Teardown]  Restore LDAP Privilege

    # group_name             group_privilege  valid_status_codes
    ${GROUP_NAME}            Administrator    [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    ${GROUP_NAME}            Operator         [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    ${GROUP_NAME}            ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    ${GROUP_NAME}            NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]


Verify LDAP BaseDN Update And LDAP Login
    [Documentation]  Update LDAP BaseDN of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login


    ${body}=  Catenate  {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings':
    ...   {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    Redfish Verify LDAP Login


Verify LDAP BindDN Update And LDAP Login
    [Documentation]  Update LDAP BindDN of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login

    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...   {'AuthenticationType':'UsernameAndPassword', 'Username':
    ...  '${LDAP_BIND_DN}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    Redfish Verify LDAP Login


Verify LDAP BindDN Password Update And LDAP Login
    [Documentation]  Update LDAP BindDN password of LDAP configuration and
    ...  verify that LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Password_Update_And_LDAP_Login


    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...   {'AuthenticationType':'UsernameAndPassword', 'Password':
    ...  '${LDAP_BIND_DN_PASSWORD}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    Redfish Verify LDAP Login


Verify LDAP Type Update And LDAP Login
    [Documentation]  Update LDAP type of LDAP configuration and verify
    ...  that LDAP login works.
    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login

    Disable Other LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Sleep  15s
    Redfish Verify LDAP Login


Verify LDAP Authorization With Null Privilege
    [Documentation]  Verify the failure of LDAP authorization with empty
    ...  privilege.
    [Tags]  Verify_LDAP_Authorization_With_Null_Privilege
    [Teardown]  Restore LDAP Privilege

    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}  ${EMPTY}
    ...  [${HTTP_FORBIDDEN}]


Verify LDAP Authorization With Invalid Privilege
    [Documentation]  Verify that LDAP user authorization with wrong privilege
    ...  fails.
    [Tags]  Verify_LDAP_Authorization_With_Invalid_Privilege
    [Teardown]  Restore LDAP Privilege

    Update LDAP Config And Verify Set Host Name  ${GROUP_NAME}
    ...  Invalid_Privilege  [${HTTP_FORBIDDEN}]


Verify LDAP Login With Invalid Data
    [Documentation]  Verify that LDAP login with Invalid LDAP data and
    ...  right LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_Data
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD
    ...  Invalid_LDAP_BASE_DN
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify LDAP Config Creation Without BASE_DN
    [Documentation]  Verify that LDAP login with LDAP configuration
    ...  created without BASE_DN fails.
    [Tags]  Verify_LDAP_Config_Creation_Without_BASE_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD  ${EMPTY}
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify LDAP Authentication Without Password
    [Documentation]  Verify that LDAP user authentication without LDAP
    ...  user password fails.
    [Tags]  Verify_LDAP_Authentication_Without_Password
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    Valid Value  status  [${False}]


Verify LDAP Login With Invalid BASE_DN
    [Documentation]  Verify that LDAP login with invalid BASE_DN and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}  ${LDAP_BIND_DN_PASSWORD}  Invalid_LDAP_BASE_DN
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify LDAP Login With Invalid BIND_DN_PASSWORD
    [Documentation]  Verify that LDAP login with invalid BIND_DN_PASSWORD and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}  INVALID_LDAP_BIND_DN_PASSWORD  ${LDAP_BASE_DN}
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify LDAP Login With Invalid BASE_DN And Invalid BIND_DN
    [Documentation]  Verify that LDAP login with invalid BASE_DN and invalid
    ...  BIND_DN and valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  INVALID_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  INVALID_LDAP_BASE_DN
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify Group Name And Group Privilege Able To Modify
    [Documentation]  Verify that LDAP group name and group privilege able to
    ...  modify.
    [Tags]  Verify_Group_Name_And_Group_Privilege_Able_To_Modify
    [Setup]  Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  Operator  ${GROUP_NAME}

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Administrator  ${GROUP_NAME}


Verify LDAP Login With Invalid BIND_DN
    [Documentation]  Verify that LDAP login with invalid BIND_DN and
    ...  valid LDAP user fails.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  Invalid_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  ${LDAP_BASE_DN}
    Sleep  15s
    Redfish Verify LDAP Login  ${False}


Verify LDAP Authentication With Invalid LDAP User
    [Documentation]  Verify that LDAP user authentication for user not exist
    ...  in LDAP server and fails.
    [Tags]  Verify_LDAP_Authentication_With_Invalid_LDAP_User
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    ${status}=  Run Keyword And Return Status  Redfish.Login  INVALID_LDAP_USER
    ...  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${False}]


Update LDAP User Roles And Verify Host Poweroff Operation
    [Documentation]  Update LDAP user roles and verify host poweroff operation.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Host Poweroff
    # ldap_type   group_privilege  group_name     valid_status_codes

    # Verify LDAP user with NoAccess privilege not able to do host poweroff.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with ReadOnly privilege not able to do host poweroff.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege able to do host poweroff.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with Administrator privilege able to do host poweroff.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}


Update LDAP User Roles And Verify Host Poweron Operation
    [Documentation]  Update LDAP user roles and verify host poweron operation.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Host Poweron
    # ldap_type   group_privilege  group_name     valid_status_codes

    # Verify LDAP user with NoAccess privilege not able to do host poweron.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with ReadOnly privilege not able to do host poweron.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege able to do host poweron.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with Administrator privilege able to do host poweron.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}


Configure IP Address Via Different User Roles And Verify
    [Documentation]  Configure IP address via different user roles and verify.
    [Tags]  Configure_IP_Address_Via_Different_User_Roles_And_Verify
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Configure IP Address
    # Verify LDAP user with Administrator privilege is able to configure IP address.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with ReadOnly privilege is forbidden to configure IP address.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with NoAccess privilege is forbidden to configure IP address.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege is able to configure IP address.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_FORBIDDEN}


Delete IP Address Via Different User Roles And Verify
    [Documentation]  Delete IP address via different user roles and verify.
    [Tags]  Delete_IP_Address_Via_Different_User_Roles_And_Verify
    [Teardown]  Run Keywords  Restore LDAP Privilege  AND  FFDC On Test Case Fail

    [Template]  Update LDAP User Role And Delete IP Address
    # Verify LDAP user with Administrator privilege is able to delete IP address.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with ReadOnly privilege is forbidden to delete IP address.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with NoAccess privilege is forbidden to delete IP address.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege is able to delete IP address.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_FORBIDDEN}


Read Network Configuration Via Different User Roles And Verify
    [Documentation]  Read network configuration via different user roles and verify.
    [Tags]  Read_Network_Configuration_Via_Different_User_Roles_And_Verify
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Read Network Configuration
    ${LDAP_TYPE}  Administrator  ${GROUP_NAME}  ${HTTP_OK}

    ${LDAP_TYPE}  ReadOnly       ${GROUP_NAME}  ${HTTP_OK}

    ${LDAP_TYPE}  NoAccess       ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    ${LDAP_TYPE}  Operator       ${GROUP_NAME}  ${HTTP_OK}

Switch LDAP Type And Verify Login Fails
    [Documentation]  Switch LDAP type and verify login fails.
    [Tags]  Switch_LDAP_Type_And_Verify_Login_Fails

    # Check Login with LDAP Type is working
    Create LDAP Configuration
    Redfish Verify LDAP Login

    # Disable the LDAP Type from OpenLDAP to ActiveDirectory or vice-versa
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}

    # Enable the inverse LDAP type
    Disable Other LDAP  ${True}
    Create LDAP Configuration  ${LDAP_TYPE_1}  ${LDAP_SERVER_URI_1}  ${LDAP_BIND_DN_1}  ${LDAP_BIND_DN_PASSWORD_1}  ${LDAP_BASE_DN_1}
    Redfish.Logout
    Sleep  10s

    # Check if Login works via Inverse LDAP
    Redfish.Login  ${LDAP_USER_1}  ${LDAP_USER_PASSWORD_1}
    Redfish.Logout
    Sleep  10s

    # Login using LDAP type must fail
    Redfish Verify LDAP Login  ${False}
    Redfish.Logout

*** Keywords ***

Redfish Verify LDAP Login
    [Documentation]  LDAP user log into BMC.
    [Arguments]  ${valid_status}=${True}

    # Description of argument(s):
    # valid_status  Expected status of LDAP login ("True" or "False").

    # According to our repo coding rules, Redfish.Login is to be done in Suite
    # Setup and Redfish.Logout is to be done in Suite Teardown.  For any
    # deviation from this rule (such as in this keyword), the deviant code
    # must take steps to restore us to our original logged-in state.

    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${valid_status}]
    Redfish.Logout
    Redfish.Login


Update LDAP Config And Verify Set Host Name
    [Documentation]  Update LDAP config and verify by attempting to set host name.
    [Arguments]  ${group_name}  ${group_privilege}=Administrator
    ...  ${valid_status_codes}=[${HTTP_OK}]
    [Teardown]  Run Keyword If  '${group_privilege}'=='NoAccess'  Redfish.Login
                ...  ELSE  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # group_name                    The group name of user.
    # group_privilege               The group privilege ("Administrator",
    #                               "Operator", "User" or "Callback").
    # valid_status_codes            Expected return code(s) from patch
    #                               operation (e.g. "200") used to update
    #                               HostName.  See prolog of rest_request
    #                               method in redfish_plus.py for details.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${group_privilege}  ${group_name}

    Run Keyword If  '${group_privilege}'=='NoAccess'
    ...  Run Keyword And Return  Verify Redfish Login for LDAP Userrole NoAccess

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user in ${group_name} with the given privilege is
    # allowed to change the hostname.
    Redfish.Patch  ${REDFISH_NW_ETH0_URI}  body={'HostName': '${hostname}'}
    ...  valid_status_codes=${valid_status_codes}

Verify Redfish Login for LDAP Userrole NoAccess
    [Documentation]  Verify Redfish login should not be able to login for LDAP Userrole NoAccess.

    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${False}]

Disable Other LDAP
    [Documentation]  Disable other LDAP configuration.
    [Arguments]  ${service_state}=${False}

    # First disable other LDAP.
    ${inverse_ldap_type}=  Set Variable If  '${LDAP_TYPE}' == 'LDAP'  ActiveDirectory  LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${inverse_ldap_type}': {'ServiceEnabled': ${service_state}}}
    Sleep  15s


Config LDAP URL
    [Documentation]  Config LDAP URL.
    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}  ${expected_status}=${TRUE}

    # Description of argument(s):
    # ldap_server_uri LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${ldap_server_uri}']}}
    Sleep  15s
    # After update, LDAP login.
    ${status}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${expected_status}]

    Redfish.Logout
    Redfish.Login


Restore LDAP URL
    [Documentation]  Restore LDAP URL.

    # Restoring the working LDAP server uri.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${ldap_type}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
    Sleep  15s


Restore AccountLockout Attributes
    [Documentation]  Restore AccountLockout Attributes.

    Return From Keyword If  &{old_account_service} == &{EMPTY}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutThreshold']})]


Suite Setup Execution
    [Documentation]  Do suite setup tasks.

    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Valid Value  LDAP_USER
    Valid Value  LDAP_USER_PASSWORD
    Valid Value  GROUP_PRIVILEGE
    Valid Value  GROUP_NAME
    Valid Value  LDAP_SERVER_URI
    Valid Value  LDAP_BIND_DN_PASSWORD
    Valid Value  LDAP_BIND_DN
    Valid Value  LDAP_BASE_DN

    Redfish.Login
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    Set Suite Variable  ${old_ldap_privilege}
    Disable Other LDAP
    Create LDAP Configuration
    ${hostname}=  Redfish.Get Attribute  ${REDFISH_NW_PROTOCOL_URI}  HostName


LDAP Suite Teardown Execution
    [Documentation]  Restore ldap configuration, delete unused redfish session.

    Restore LDAP Privilege
    Redfish.Logout
    Run Keyword And Ignore Error  Delete All Redfish Sessions


Set Read Privilege And Check Firmware Inventory
    [Documentation]  Set read privilege and check firmware inventory.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Verify that the LDAP user with read privilege is able to read inventory.
    ${resp}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
    Should Be True  ${resp.dict["Members@odata.count"]} >= ${1}
    Length Should Be  ${resp.dict["Members"]}  ${resp.dict["Members@odata.count"]}
    Redfish.Logout
    Redfish.Login


Set Read Privilege And Check Poweron
    [Documentation]  Set read privilege and power on should not be possible.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}   valid_status_codes=[401, 403]
    Redfish.Logout
    Redfish.Login


Get LDAP Configuration
    [Documentation]  Retrieve LDAP Configuration.
    [Arguments]   ${ldap_type}

    # Description of argument(s):
    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").

    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    [Return]  ${ldap_config["${ldap_type}"]}


Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  Update LDAP configuration update with LDAP user Role and group.
    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege  The group privilege ("Administrator", "Operator", "User" or "Callback").
    # group_name       The group name of user.

    ${local_role_remote_group}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
    ${remote_role_mapping}=  Create List  ${local_role_remote_group}
    ${ldap_data}=  Create Dictionary  RemoteRoleMapping=${remote_role_mapping}
    ${payload}=  Create Dictionary  ${ldap_type}=${ldap_data}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
    # Provide adequate time for LDAP daemon to restart after the update.
    Sleep  15s


Get LDAP Privilege
    [Documentation]  Get LDAP privilege and return it.

    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    ${num_list_entries}=  Get Length  ${ldap_config["RemoteRoleMapping"]}
    Return From Keyword If  ${num_list_entries} == ${0}  @{EMPTY}

    [Return]  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}


Restore LDAP Privilege
    [Documentation]  Restore the LDAP privilege to its original value.

    Redfish.Login
    Return From Keyword If  '${old_ldap_privilege}' == '${EMPTY}' or '${old_ldap_privilege}' == '[]'
    # Log back in to restore the original privilege.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${old_ldap_privilege}  ${GROUP_NAME}

    Sleep  18s

Verify Host Power Status
    [Documentation]  Verify the Host power status and do host power on/off respectively.
    [Arguments]  ${expected_power_status}

    # Description of argument(s):
    # expected_power_status  State of Host e.g. Off or On.

    ${power_status}=  Redfish.Get Attribute  /redfish/v1/Chassis/${CHASSIS_ID}  PowerState
    Return From Keyword If  '${power_status}' == '${expected_power_status}'

    Run Keyword If  '${power_status}' == 'Off'  Redfish Power On
    ...  ELSE  Redfish Power Off

Update LDAP User Role And Host Poweroff
    [Documentation]  Update LDAP user role and do host poweroff.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    # check Host state and do the power on/off if needed.
    Verify Host Power Status  On

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[${valid_status_code}]

    Return From Keyword If  ${valid_status_code} == ${HTTP_FORBIDDEN}
    Wait Until Keyword Succeeds  1 min  10 sec  Verify Host Power State  Off


Update LDAP User Role And Host Poweron
    [Documentation]  Update LDAP user role and do host poweron.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    # check Host state and do the power on/off if needed.
    Verify Host Power Status  Off

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}   valid_status_codes=[${valid_status_code}]

    Return From Keyword If  ${valid_status_code} == ${HTTP_FORBIDDEN}
    Verify Host Is Up


Update LDAP User Role And Configure IP Address
    [Documentation]  Update LDAP user role and configure IP address.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Logout

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    ${test_gateway}=  Get BMC Default Gateway

    Run Keyword If  '${group_privilege}' == 'NoAccess'
    ...  Add IP Address With NoAccess User  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}
    ...  ELSE
    ...  Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}


Update LDAP User Role And Delete IP Address
    [Documentation]  Update LDAP user role and delete IP address.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    ${test_gateway}=  Get BMC Default Gateway

    # Configure IP address before deleting via LDAP user roles.
    Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Logout

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Run Keyword If  '${group_privilege}' == 'NoAccess'
    ...  Delete IP Address With NoAccess User  ${test_ip}  ${valid_status_code}
    ...  ELSE
    ...  Delete IP Address  ${test_ip}  ${valid_status_code}


Update LDAP User Role And Read Network Configuration
    [Documentation]  Update LDAP user role and read network configuration.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Logout

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Get  ${REDFISH_NW_ETH0_URI}  valid_status_codes=[${valid_status_code}]


Add IP Address With NoAccess User
    [Documentation]  Add IP Address To BMC.
    [Arguments]  ${ip}  ${subnet_mask}  ${gateway}
    ...  ${valid_status_codes}=${HTTP_OK}

    # Description of argument(s):
    # ip                  IP address to be added (e.g. "10.7.7.7").
    # subnet_mask         Subnet mask for the IP to be added
    #                     (e.g. "255.255.0.0").
    # gateway             Gateway for the IP to be added (e.g. "10.7.7.1").
    # valid_status_codes  Expected return code from patch operation
    #                     (e.g. "200").  See prolog of rest_request
    #                     method in redfish_plus.py for details.

    # Logout from LDAP user.
    Redfish.Logout

    # Login with local user.
    Redfish.Login

    ${empty_dict}=  Create Dictionary
    ${ip_data}=  Create Dictionary  Address=${ip}
    ...  SubnetMask=${subnet_mask}  Gateway=${gateway}

    ${patch_list}=  Create List
    ${network_configurations}=  Get Network Configuration
    ${num_entries}=  Get Length  ${network_configurations}

    FOR  ${INDEX}  IN RANGE  0  ${num_entries}
      Append To List  ${patch_list}  ${empty_dict}
    END

    ${valid_status_codes}=  Run Keyword If  '${valid_status_codes}' == '${HTTP_OK}'
    ...  Set Variable   ${HTTP_OK},${HTTP_NO_CONTENT}
    ...  ELSE  Set Variable  ${valid_status_codes}

    # We need not check for existence of IP on BMC while adding.
    Append To List  ${patch_list}  ${ip_data}
    ${data}=  Create Dictionary  IPv4StaticAddresses=${patch_list}

    ${active_channel_config}=  Get Active Channel Config
    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}

    # Logout from local user.
    Redfish.Logout

    # Login from LDAP user and check if we can configure IP address.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
    ...  valid_status_codes=[${valid_status_codes}]


Delete IP Address With NoAccess User
    [Documentation]  Delete IP Address Of BMC.
    [Arguments]  ${ip}  ${valid_status_codes}=${HTTP_OK}

    # Description of argument(s):
    # ip                  IP address to be deleted (e.g. "10.7.7.7").
    # valid_status_codes  Expected return code from patch operation
    #                     (e.g. "200").  See prolog of rest_request
    #                     method in redfish_plus.py for details.

    # Logout from LDAP user.
    Redfish.Logout

    # Login with local user.
    Redfish.Login

    ${empty_dict}=  Create Dictionary
    ${patch_list}=  Create List

    @{network_configurations}=  Get Network Configuration
    FOR  ${network_configuration}  IN  @{network_configurations}
      Run Keyword If  '${network_configuration['Address']}' == '${ip}'
      ...  Append To List  ${patch_list}  ${null}
      ...  ELSE  Append To List  ${patch_list}  ${empty_dict}
    END

    ${ip_found}=  Run Keyword And Return Status  List Should Contain Value
    ...  ${patch_list}  ${null}  msg=${ip} does not exist on BMC
    Pass Execution If  ${ip_found} == ${False}  ${ip} does not exist on BMC

    # Run patch command only if given IP is found on BMC
    ${data}=  Create Dictionary  IPv4StaticAddresses=${patch_list}

    ${active_channel_config}=  Get Active Channel Config
    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}

    # Logout from local user.
    Redfish.Logout

    # Login from LDAP user and check if we can delete IP address.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
    ...  valid_status_codes=[${valid_status_codes}]

    # Note: Network restart takes around 15-18s after patch request processing
    Sleep  ${NETWORK_TIMEOUT}s
    Wait For Host To Ping  ${OPENBMC_HOST}  ${NETWORK_TIMEOUT}