Add security dashboard attributes

Change-Id: Ic89c56e178b478a0c653b76a588c10aef037f318
2020-06-22 04:30:52 +00:00
parent af96983b3d
commit 699dfb0041
14 changed files with 559 additions and 4 deletions
--- a/proliantutils/tests/redfish/json_samples/security_dashboard.json
+++ b/proliantutils/tests/redfish/json_samples/security_dashboard.json
@@ -0,0 +1,12 @@
+{
+  "@odata.context": "/redfish/v1/$metadata#HpeiLOSecurityDashboard.HpeiLOSecurityDashboard",
+  "@odata.etag": "W/\"543055B3\"",
+  "@odata.id": "/redfish/v1/Managers/1/SecurityService/SecurityDashboard",
+  "@odata.type": "#HpeiLOSecurityDashboard.v1_0_0.HpeiLOSecurityDashboard",
+  "Id": "SecurityDashboard",
+  "OverallSecurityStatus": "Risk",
+  "SecurityParameters": {
+    "@odata.id": "/redfish/v1/Managers/1/SecurityService/SecurityDashboard/SecurityParams"
+  },
+  "ServerConfigurationLockStatus": "Disabled"
+}
--- a/proliantutils/tests/redfish/json_samples/security_param.json
+++ b/proliantutils/tests/redfish/json_samples/security_param.json
@@ -0,0 +1,11 @@
+{
+  "@odata.context": "/redfish/v1/$metadata#HpeiLOSecurityParam.HpeiLOSecurityParam",
+  "@odata.etag": "W/\"A3A6BF43\"",
+  "@odata.id": "/redfish/v1/Managers/1/SecurityService/SecurityDashboard/SecurityParams/0",
+  "@odata.type": "#HpeiLOSecurityParam.v1_0_0.HpeiLOSecurityParam",
+  "Id": "0",
+  "Ignore": false,
+  "Name": "Security Override Switch",
+  "SecurityStatus": "Ok",
+  "State": "Off"
+}
--- a/proliantutils/tests/redfish/json_samples/security_param1.json
+++ b/proliantutils/tests/redfish/json_samples/security_param1.json
@@ -0,0 +1,11 @@
+{
+  "@odata.context": "/redfish/v1/$metadata#HpeiLOSecurityParam.HpeiLOSecurityParam",
+  "@odata.etag": "W/\"A3A6BF43\"",
+  "@odata.id": "/redfish/v1/Managers/1/SecurityService/SecurityDashboard/SecurityParams/1",
+  "@odata.type": "#HpeiLOSecurityParam.v1_0_0.HpeiLOSecurityParam",
+  "Id": "1",
+  "Ignore": false,
+  "Name": "IPMI/DCMI Over LAN",
+  "SecurityStatus": "Ok",
+  "State": "Disabled"
+}
--- a/proliantutils/tests/redfish/json_samples/security_params_collection.json
+++ b/proliantutils/tests/redfish/json_samples/security_params_collection.json
@@ -0,0 +1,14 @@
+{
+  "@odata.context": "/redfish/v1/$metadata#HpeiLOSecurityParamCollection.HpeiLOSecurityParamCollection",
+  "@odata.etag": "W/\"1E796226\"",
+  "@odata.id": "/redfish/v1/Managers/1/SecurityService/SecurityDashboard/SecurityParams",
+  "@odata.type": "#HpeiLOSecurityParamCollection.HpeiLOSecurityParamCollection",
+  "Description": "iLO Security Parameter Collection",
+  "Name": "Security Parameter Collection",
+  "Members": [{
+    "@odata.id": "/redfish/v1/Managers/1/SecurityService/SecurityDashboard/SecurityParams/0"
+  }, {
+    "@odata.id": "/redfish/v1/Managers/1/SecurityService/SecurityDashboard/SecurityParams/1"
+  }],
+  "Members@odata.count": 2
+}
--- a/proliantutils/tests/redfish/json_samples/security_service.json
+++ b/proliantutils/tests/redfish/json_samples/security_service.json
@@ -0,0 +1,34 @@
+{
+  "@odata.context": "/redfish/v1/$metadata#HpeSecurityService.HpeSecurityService",
+  "@odata.etag": "W/\"B61FA0F1\"",
+  "@odata.id": "/redfish/v1/Managers/1/SecurityService",
+  "@odata.type": "#HpeSecurityService.v2_2_0.HpeSecurityService",
+  "Id": "SecurityService",
+  "CurrentCipher": "ECDHE-RSA-AES256-GCM-SHA384",
+  "Links": {
+    "ESKM": {
+      "@odata.id": "/redfish/v1/Managers/1/SecurityService/ESKM"
+    },
+    "HttpsCert": {
+      "@odata.id": "/redfish/v1/Managers/1/SecurityService/HttpsCert"
+    },
+    "SSO": {
+      "@odata.id": "/redfish/v1/Managers/1/SecurityService/SSO"
+    },
+    "SecurityDashboard": {
+      "@odata.id": "/redfish/v1/Managers/1/SecurityService/SecurityDashboard"
+    },
+    "SecurityParams": {
+      "@odata.id": "/redfish/v1/Managers/1/SecurityService/SecurityDashboard/SecurityParams"
+    },
+    "CertAuth": {
+      "@odata.id": "/redfish/v1/Managers/1/SecurityService/CertificateAuthentication"
+    }
+  },
+  "LoginSecurityBanner": {
+    "IsEnabled": false
+  },
+  "SSHHostKey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQEv+Fv4xLYjuKRS30nhqHVasE/PXiEKN12mdZQA97K4yJY+9lHqFJOt82mUelHLnO4fvWuqdML4LeiXo6LI2EJBR83hE4jjsPmKS7ZBa3I6PI3KF8CiBN4mFaSdcTEA/ZYZFKwVcQgOox3Hu1TYu2b41bAofKl1f5ZBBmZ/ZGnoeGsq4PNFqj/xtVAOdj+rqYnuK8yNzetl+WXiMF7/lmFKuuKLoM0GfY7nQjSSlu+XwZhUflQYiKHHfq0gl+I3u8KbNaNbHjHMjQVPYSzaRRkR9F2M8N2bqR47EzAC3qOt3SMBCt4ka+87dIS54ji6dC3uk+xRqJv2kuREyELqlV",
+  "SecurityState": "Production",
+  "SecurityState@Redfish.AllowableValues": ["Production", "HighSecurity", "FIPS"]
+}
--- a/proliantutils/tests/redfish/resources/manager/test_security_dashboard.py
+++ b/proliantutils/tests/redfish/resources/manager/test_security_dashboard.py
@@ -0,0 +1,44 @@
+# Copyright 2020 Hewlett Packard Enterprise Development LP.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+"""Test Class for SecurityDashboard."""
+
+import json
+
+import mock
+import testtools
+
+from proliantutils.redfish.resources.manager import security_dashboard
+
+
+class SecurityDashboardTestCase(testtools.TestCase):
+
+    def setUp(self):
+        super(SecurityDashboardTestCase, self).setUp()
+        self.conn = mock.Mock()
+        security_param_file = ('proliantutils/tests/redfish/json_samples/'
+                               'security_dashboard.json')
+        with open(security_param_file) as f:
+            self.json_doc = json.load(f)
+            self.conn.get.return_value.json.return_value = (
+                self.json_doc)
+
+        path = ("/redfish/v1/Mangers/1/SecurityService/"
+                "SecurityDashboard")
+        self.sec_dash = security_dashboard.SecurityDashboard(
+            self.conn, path, '1.0.2', None)
+
+    def test__parse_attributes(self):
+        self.sec_dash._parse_attributes(self.json_doc)
+        self.assertEqual('1.0.2', self.sec_dash.redfish_version)
+        self.assertEqual("Risk", self.sec_dash.overall_status)
--- a/proliantutils/tests/redfish/resources/manager/test_security_params.py
+++ b/proliantutils/tests/redfish/resources/manager/test_security_params.py
@@ -0,0 +1,99 @@
+# Copyright 2020 Hewlett Packard Enterprise Development LP
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+"""Test Class for SecurityParamsTestCase"""
+
+import json
+
+import mock
+import testtools
+
+from proliantutils.redfish.resources.manager import security_params
+
+
+class SecurityParamsTestCase(testtools.TestCase):
+
+    def setUp(self):
+        super(SecurityParamsTestCase, self).setUp()
+        self.conn = mock.Mock()
+        security_param_file = ('proliantutils/tests/redfish/json_samples/'
+                               'security_param.json')
+        with open(security_param_file) as f:
+            self.json_doc = json.load(f)
+            self.conn.get.return_value.json.return_value = (
+                self.json_doc)
+
+        path = ("/redfish/v1/Mangers/1/SecurityService/"
+                "SecurityDashboard/SecurityParams")
+        self.sec_param = security_params.SecurityParams(
+            self.conn, path, '1.0.2', None)
+
+    def test__parse_attributes(self):
+        self.sec_param._parse_attributes(self.json_doc)
+        self.assertEqual('1.0.2', self.sec_param.redfish_version)
+        self.assertEqual("Security Override Switch", self.sec_param.name)
+        self.assertEqual("Ok", self.sec_param.status)
+        self.assertEqual("Off", self.sec_param.state)
+
+
+class SecurityParamsCollectionTestCase(testtools.TestCase):
+
+    def setUp(self):
+        super(SecurityParamsCollectionTestCase, self).setUp()
+        self.conn = mock.Mock()
+        with open('proliantutils/tests/redfish/json_samples/'
+                  'security_params_collection.json', 'r') as f:
+            self.json_doc = json.load(f)
+            self.conn.get.return_value.json.return_value = self.json_doc
+        self.sec_params_col = security_params.SecurityParamsCollection(
+            self.conn,
+            ('/redfish/v1/Managers/1/SecurityService/'
+             'SecurityDashboard/SecurityParams'),
+            redfish_version='1.0.2')
+
+    def test__parse_attributes(self):
+        self.sec_params_col._parse_attributes(self.json_doc)
+        self.assertEqual('1.0.2', self.sec_params_col.redfish_version)
+        self.assertEqual('Security Parameter Collection',
+                         self.sec_params_col.name)
+        path = ('/redfish/v1/Managers/1/SecurityService/'
+                'SecurityDashboard/SecurityParams/0',
+                '/redfish/v1/Managers/1/SecurityService/'
+                'SecurityDashboard/SecurityParams/1')
+        self.assertEqual(path, self.sec_params_col.members_identities)
+
+    @mock.patch.object(security_params, 'SecurityParams', autospec=True)
+    def test_get_member(self, mock_eth):
+        self.sec_params_col.get_member(
+            '/redfish/v1/Managers/1/SecurityService/SecurityDashboard/'
+            'SecurityParams/1')
+        mock_eth.assert_called_once_with(
+            self.sec_params_col._conn,
+            ('/redfish/v1/Managers/1/SecurityService/SecurityDashboard/'
+             'SecurityParams/1'),
+            self.sec_params_col.redfish_version, None)
+
+    @mock.patch.object(security_params, 'SecurityParams', autospec=True)
+    def test_get_members(self, mock_eth):
+        members = self.sec_params_col.get_members()
+        path = ('/redfish/v1/Managers/1/SecurityService/SecurityDashboard/'
+                'SecurityParams/0')
+        path2 = ('/redfish/v1/Managers/1/SecurityService/SecurityDashboard/'
+                 'SecurityParams/1')
+        calls = [mock.call(self.sec_params_col._conn, path,
+                           self.sec_params_col.redfish_version, None),
+                 mock.call(self.sec_params_col._conn, path2,
+                           self.sec_params_col.redfish_version, None)]
+        mock_eth.assert_has_calls(calls)
+        self.assertIsInstance(members, list)
+        self.assertEqual(2, len(members))
--- a/proliantutils/tests/redfish/resources/manager/test_security_service.py
+++ b/proliantutils/tests/redfish/resources/manager/test_security_service.py
@@ -0,0 +1,41 @@
+# Copyright 2017 Hewlett Packard Enterprise Development LP
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import json
+
+import mock
+import testtools
+
+from proliantutils.redfish.resources.manager import security_service
+
+
+class SecurityServiceTestCase(testtools.TestCase):
+
+    def setUp(self):
+        super(SecurityServiceTestCase, self).setUp()
+        self.conn = mock.Mock()
+        security_file = ('proliantutils/tests/redfish/json_samples/'
+                         'security_service.json')
+        with open(security_file) as f:
+            self.json_doc = json.load(f)
+            self.conn.get.return_value.json.return_value = (
+                self.json_doc)
+
+        path = ("/redfish/v1/Mangers/1/SecurityService/")
+        self.sec_serv = security_service.SecurityService(
+            self.conn, path, '1.0.2', None)
+
+    def test__parse_attributes(self):
+        self.sec_serv._parse_attributes(self.json_doc)
+        self.assertEqual('1.0.2', self.sec_serv.redfish_version)
--- a/proliantutils/tests/redfish/test_redfish.py
+++ b/proliantutils/tests/redfish/test_redfish.py
@@ -688,6 +688,8 @@ class RedfishOperationsTestCase(testtools.TestCase):
            'The Redfish controller failed to get the supported boot modes.',
            self.rf_client.get_supported_boot_mode)

+    @mock.patch.object(redfish.RedfishOperations,
+                       '_parse_security_dashboard_values_for_capabilities')
    @mock.patch.object(common_storage, 'get_drive_rotational_speed_rpm')
    @mock.patch.object(common_storage, 'has_nvme_ssd')
    @mock.patch.object(common_storage, 'has_rotational')
@@ -696,7 +698,7 @@ class RedfishOperationsTestCase(testtools.TestCase):
    @mock.patch.object(redfish.RedfishOperations, '_get_sushy_manager')
    def test_get_server_capabilities(self, get_manager_mock, get_system_mock,
                                     ssd_mock, rotational_mock,
-                                     nvme_mock, speed_mock):
+                                     nvme_mock, speed_mock, sec_mock):
        type(get_system_mock.return_value.pci_devices).gpu_devices = (
            [mock.MagicMock(spec=pci_device.PCIDevice)])
        type(get_system_mock.return_value.bios_settings).sriov = (
@@ -740,6 +742,9 @@ class RedfishOperationsTestCase(testtools.TestCase):
        type(get_system_mock.return_value.
             smart_storage).logical_raid_levels = (raid_mock)
        speed_mock.return_value = set(['10000', '15000'])
+        sec_mock.return_value = {'overall_security_status': 'Risk',
+                                 'security_override_switch': 'Ok',
+                                 'last_firmware_scan_result': 'Ok'}
        actual = self.rf_client.get_server_capabilities()
        expected = {'pci_gpu_devices': 1, 'sriov_enabled': 'true',
                    'secure_boot': 'true', 'cpu_vt': 'true',
@@ -760,9 +765,14 @@ class RedfishOperationsTestCase(testtools.TestCase):
                    'logical_raid_level_0': 'true',
                    'logical_raid_level_1': 'true',
                    'drive_rotational_10000_rpm': 'true',
-                    'drive_rotational_15000_rpm': 'true'}
+                    'drive_rotational_15000_rpm': 'true',
+                    'overall_security_status': 'Risk',
+                    'security_override_switch': 'Ok',
+                    'last_firmware_scan_result': 'Ok'}
        self.assertEqual(expected, actual)

+    @mock.patch.object(redfish.RedfishOperations,
+                       '_parse_security_dashboard_values_for_capabilities')
    @mock.patch.object(common_storage, 'get_drive_rotational_speed_rpm')
    @mock.patch.object(common_storage, 'has_nvme_ssd')
    @mock.patch.object(common_storage, 'has_rotational')
@@ -771,7 +781,7 @@ class RedfishOperationsTestCase(testtools.TestCase):
    @mock.patch.object(redfish.RedfishOperations, '_get_sushy_manager')
    def test_get_server_capabilities_optional_capabilities_absent(
            self, get_manager_mock, get_system_mock, ssd_mock,
-            rotational_mock, nvme_mock, speed_mock):
+            rotational_mock, nvme_mock, speed_mock, sec_mock):
        type(get_system_mock.return_value.pci_devices).gpu_devices = (
            [mock.MagicMock(spec=pci_device.PCIDevice)])
        type(get_system_mock.return_value.bios_settings).sriov = (
@@ -816,13 +826,19 @@ class RedfishOperationsTestCase(testtools.TestCase):
        type(get_system_mock.return_value.
             smart_storage).logical_raid_levels = (raid_mock)
        speed_mock.return_value = set()
+        sec_mock.return_value = {'overall_security_status': 'Risk',
+                                 'security_override_switch': 'Ok',
+                                 'last_firmware_scan_result': 'Ok'}
        actual = self.rf_client.get_server_capabilities()
        expected = {'pci_gpu_devices': 1,
                    'rom_firmware_version': 'U31 v1.00 (03/11/2017)',
                    'ilo_firmware_version': 'iLO 5 v1.15',
                    'nic_capacity': '1Gb',
                    'server_model': 'ProLiant DL180 Gen10',
-                    'boot_mode_bios': 'false', 'boot_mode_uefi': 'true'}
+                    'boot_mode_bios': 'false', 'boot_mode_uefi': 'true',
+                    'overall_security_status': 'Risk',
+                    'security_override_switch': 'Ok',
+                    'last_firmware_scan_result': 'Ok'}
        self.assertEqual(expected, actual)

    @mock.patch.object(redfish.RedfishOperations, '_get_sushy_system')
@@ -2104,3 +2120,64 @@ class RedfishOperationsTestCase(testtools.TestCase):
            exception.IloCommandNotSupportedInBiosError,
            'TLS certificate cannot be removed in BIOS boot mode',
            self.rf_client.remove_tls_certificate, fp)
+
+    @mock.patch.object(redfish.RedfishOperations,
+                       '_get_security_dashboard_values')
+    def test__parse_security_dashboard_values_for_capabilities(self, sec_mock):
+        desc1 = ('The Require Login for iLO RBSU setting is disabled. '
+                 'This configuration allows unauthenticated iLO access '
+                 'through the UEFI System Utilities.')
+        act1 = ('Enable the Require Login for iLO RBSU setting.')
+        desc2 = ('The Password Complexity setting is disabled. This '
+                 'configuration increases system vulnerability to attack.')
+        act2 = ('Enable the "Password Complexity" setting.')
+        desc3 = ('The UEFI Secure Boot setting is disabled. In this '
+                 'configuration, the UEFI system firmware does not '
+                 'validate the boot loader, Option ROM firmware, and '
+                 'other system software executables for trusted signatures. '
+                 'This configuration breaks the chain of trust established by '
+                 'iLO from power-on')
+        act3 = ('Enable the Secure Boot setting in the UEFI System Utilities.')
+        s = {'server_configuration_lock_status': 'Disabled',
+             'overall_security_status': 'Risk',
+             'security_parameters':
+             {'Require Host Authentication': {'ignore': False,
+                                              'security_status': 'Ok',
+                                              'state': 'Disabled'},
+              'Last Firmware Scan Result': {'ignore': False,
+                                            'security_status': 'Ok',
+                                            'state': 'Ok'},
+              'Require Login for iLO RBSU': {'ignore': False,
+                                             'security_status': 'Risk',
+                                             'description': desc1,
+                                             'state': 'Disabled',
+                                             'recommended_action': act1},
+              'Authentication Failure Logging': {'ignore': False,
+                                                 'security_status': 'Ok',
+                                                 'state': 'Enabled'},
+              'Password Complexity': {'ignore': False,
+                                      'security_status': 'Risk',
+                                      'description': desc2,
+                                      'state': 'Disabled',
+                                      'recommended_action': act2},
+              'IPMI/DCMI Over LAN': {'ignore': False,
+                                     'security_status': 'Ok',
+                                     'state': 'Disabled'},
+              'Security Override Switch': {'ignore': False,
+                                           'security_status': 'Ok',
+                                           'state': 'Off'},
+              'Minimum Password Length': {'ignore': False,
+                                          'security_status': 'Ok',
+                                          'state': 'Ok'},
+              'Secure Boot': {'ignore': False,
+                              'security_status': 'Risk',
+                              'description': desc3,
+                              'state': 'Disabled',
+                              'recommended_action': act3}}}
+        sec_mock.return_value = s
+        expected = {'last_firmware_scan_result': 'Ok',
+                    'overall_security_status': 'Risk',
+                    'security_override_switch': 'Ok'}
+        actual = (
+            self.rf_client._parse_security_dashboard_values_for_capabilities())
+        self.assertEqual(expected, actual)