redfish/service_root/test_service_root_security.robot

*** Settings ***
Documentation    Test Redfish service root login security.

Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot

Test Teardown    FFDC On Test Case Fail
Test Setup       Printn

*** Variables ***

${LOGIN_SESSION_COUNT}   ${50}

&{header_requirements}  Strict-Transport-Security=max-age=31536000; includeSubdomains; preload
...                     X-Frame-Options=DENY
...                     Pragma=no-cache
...                     Cache-Control=no-Store,no-Cache
...                     Content-Security-Policy=default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'
...                     X-XSS-Protection=1; mode=block
...                     X-Content-Type-Options=nosniff

*** Test Cases ***

Redfish Login With Invalid Credentials
    [Documentation]  Login to BMC web using invalid credential.
    [Tags]  Redfish_Login_With_Invalid_Credentials
    [Template]  Login And Verify Redfish Response

    # Username                Password               Expect status
    ${OPENBMC_USERNAME}       deadpassword           InvalidCredentialsError
    groot                     ${OPENBMC_PASSWORD}    InvalidCredentialsError
    ${EMPTY}                  ${OPENBMC_PASSWORD}    SessionCreationError
    ${OPENBMC_USERNAME}       ${EMPTY}               SessionCreationError
    ${EMPTY}                  ${EMPTY}               SessionCreationError


Redfish Login Using Unsecured HTTP
    [Documentation]  Login to BMC web through http unsecured.
    [Tags]  Redfish_Login_Using_Unsecured_HTTP

    Create Session  openbmc  http://${OPENBMC_HOST}
    ${data}=  Create Dictionary
    ...  UserName=${OPENBMC_USERNAME}  Password=${OPENBMC_PASSWORD}

    ${headers}=  Create Dictionary  Content-Type=application/json

    Run Keyword And Expect Error  *Connection refused*
    ...  POST On Session  openbmc  /redfish/v1/SessionService/Sessions
    ...  data=${data}  headers=${headers}


Redfish Login Using HTTPS Wrong Port 80 Protocol
    [Documentation]  Login to BMC web through wrong protocol port 80.
    [Tags]  Redfish_Login_Using_HTTPS_Wrong_Port_80_Protocol

    Create Session  openbmc  https://${OPENBMC_HOST}:80
    ${data}=  Create Dictionary
    ...  UserName=${OPENBMC_USERNAME}  Password=${OPENBMC_PASSWORD}

    ${headers}=  Create Dictionary  Content-Type=application/json

    Run Keyword And Expect Error  *Connection refused*
    ...  POST On Session  openbmc  /redfish/v1/SessionService/Sessions
    ...  data=${data}  headers=${headers}


Create Multiple Login Sessions And Verify
    [Documentation]  Create 50 login instances and verify.
    [Tags]  Create_Multiple_Login_Sessions_And_Verify
    [Teardown]  Run Keyword And Ignore Error  Multiple Session Cleanup

    Redfish.Login
    # Example:
    #    {
    #      'key': 'L0XEsZAXpNdF147jJaOD',
    #      'location': '/redfish/v1/SessionService/Sessions/qWn2JOJSOs'
    #    }
    ${saved_session_info}=  Get Redfish Session Info

    # Sessions book keeping for cleanup once done.
    ${session_list}=  Create List
    Set Test Variable  ${session_list}

    Repeat Keyword  ${LOGIN_SESSION_COUNT} times  Create New Login Session

    # Update the redfish session object with the first login key and location
    # and verify if it is still working.
    Redfish.Set Session Key  ${saved_session_info["key"]}
    Redfish.Set Session Location  ${saved_session_info["location"]}
    Redfish.Get  ${saved_session_info["location"]}


Attempt Login With Expired Session
    [Documentation]  Authenticate to redfish, then log out and attempt to
    ...   use the session.
    [Tags]  Attempt_Login_With_Expired_Session

    Redfish.Login
    ${saved_session_info}=  Get Redfish Session Info
    Redfish.Logout

    # Attempt login with expired session.
    # By default 60 minutes of inactivity closes the session.
    Redfish.Set Session Key  ${saved_session_info["key"]}
    Redfish.Set Session Location  ${saved_session_info["location"]}

    Redfish.Get  ${saved_session_info["location"]}  valid_status_codes=[${HTTP_UNAUTHORIZED}]


Login And Verify HTTP Response Header
    [Documentation]  Login and verify redfish HTTP response header.
    [Tags]  Login_And_Verify_HTTP_Response_Header

    # Example of HTTP redfish response header.
    # Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    # X-Frame-Options: DENY
    # Pragma: no-cache
    # Cache-Control: no-Store,no-Cache
    # Content-Security-Policy: default-src 'self'; img-src 'self' data:
    # X-XSS-Protection: 1; mode=block
    # X-Content-Type-Options: nosniff

    Rprint Vars  header_requirements  fmt=1

    Redfish.Login
    ${resp}=  Redfish.Get  /redfish/v1/SessionService/Sessions

    # The getheaders() method returns the headers as a list of tuples:
    # headers:
    #    [Strict-Transport-Security]:        max-age=31536000; includeSubdomains; preload
    #    [X-Frame-Options]:                  DENY
    #    [Pragma]:                           no-cache
    #    [Cache-Control]:                    no-Store,no-Cache
    #    [Content-Security-Policy]:          default-src 'self'; img-src 'self' data:
    #    [X-XSS-Protection]:                 1; mode=block
    #    [X-Content-Type-Options]:           nosniff
    #    [X-UA-Compatible]:                  IE=11
    #    [Content-Type]:                     application/json
    #    [Server]:                           iBMC
    #    [Date]:                             Tue, 16 Apr 2019 17:49:46 GMT
    #    [Content-Length]:                   2177

    ${headers}=  Key Value List To Dict  ${resp.getheaders()}
    Rprint Vars  headers  fmt=1

    Dictionary Should Contain Sub Dictionary   ${headers}  ${header_requirements}


*** Keywords ***

Login And Verify Redfish Response
    [Documentation]  Login and verify redfish response.
    [Arguments]   ${username}  ${password}  ${expected_response}

    # Description of arguments:
    # expected_response    Expected REST status.
    # username             The username to be used to connect to the server.
    # password             The password to be used to connect to the server.

    # The redfish object may preserve a valid username or password from the
    # last failed login attempt.  If we then try to login with a null username
    # or password value, the redfish object may prefer the preserved value.
    # Since we're testing bad path, we wish to avoid this scenario so we will
    # clear these values.

    Redfish.Set Username  ${EMPTY}
    Redfish.Set Password  ${EMPTY}

    ${msg}=  Run Keyword And Expect Error  *  Redfish.Login  ${username}  ${password}

    # redfish package version <=3.1.6 default response is InvalidCredentialsError.
    Should Contain Any   ${msg}  InvalidCredentialsError  ${expected_response}


Create New Login Session
    [Documentation]  Multiple login session keys.

    Redfish.Login
    ${session_info}=  Get Redfish Session Info

    # Append the session location to the list.
    # ['/redfish/v1/SessionService/Sessions/uDzihgDecs',
    #  '/redfish/v1/SessionService/Sessions/PaHF5brPPd']
    Append To List  ${session_list}  ${session_info["location"]}


Multiple Session Cleanup
    [Documentation]  Do the teardown for multiple sessions.

    FFDC On Test Case Fail

    FOR  ${item}  IN  @{session_list}
      Redfish.Delete  ${item}
    END