88ada3bc | 13-Apr-2023 |
V-Sanjana <sanjana.v@intel.com> |
Add Server-Sent-Event support
Server-Sent-Event is a standard describing how servers can initiate data transmission towards clients once an initial client connection has been established. Unlike web
Add Server-Sent-Event support
Server-Sent-Event is a standard describing how servers can initiate data transmission towards clients once an initial client connection has been established. Unlike websockets (which are bidirectional), Server-Sent-Events(SSE) are unidirectional and commonly used to send message updates or continuous data streams to a browser client.
This is base patch for adding Server-Sent-Events routing support to bmcweb. Redfish EventService SSE style subscription uses SSE route for sending the Events/MetricReports to client which establishes the connection.
Tested this patch with along with EventService SSE support patches and verified the functionalty on browser.
Tested: - Tested using follow-up patches on top which adds support for Redfish EventService SSE style subscription and observed events are getting sent periodically. - Created SSE subscription from the browser by visiting https://<BMC IP>/redfish/v1/EventService/SSE
Change-Id: I36956565cbba30c2007852c9471f477f6d1736e9 Signed-off-by: AppaRao Puli <apparao.puli@linux.intel.com> Signed-off-by: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com> Signed-off-by: V-Sanjana <sanjana.v@intel.com>
show more ...
|
f8ca6d79 | 28-Jun-2022 |
Ed Tanous <edtanous@google.com> |
Allow async resolver to be optional
This commit adds a meson option to allow selecting which dns resolver bmcweb uses. There are use cases, like Open Compute Project Inband Management Agent, that w
Allow async resolver to be optional
This commit adds a meson option to allow selecting which dns resolver bmcweb uses. There are use cases, like Open Compute Project Inband Management Agent, that would require not using dbus, which would require us to fall back to the asio resolver. This commit makes the existing asio resolver constructor, and async_resolve methods match the equivalents in asio (which we intended to do anyway), then adds a macro and configure option for being able to select which resolver backend to rely on.
Tested: Code can now compile without sdbusplus.
Signed-off-by: Ed Tanous <edtanous@google.com> Change-Id: I3220214367179f131a60082bdfaf7e725d35c125
show more ...
|
faf100f9 | 25-May-2023 |
Ed Tanous <edtanous@google.com> |
Fix some includes
System includes should be included with <>, in-tree includes should be included with "". This was found manually, with the help of the following grep statement[1].
git grep -o -h
Fix some includes
System includes should be included with <>, in-tree includes should be included with "". This was found manually, with the help of the following grep statement[1].
git grep -o -h "#include .*" | sort | uniq
Tested: Code compiles
Signed-off-by: Ed Tanous <edtanous@google.com> Change-Id: I1a6b2a5ba35ccbbb61c67b7c4b036a2d7b3a36a3
show more ...
|
3e72c202 | 27-Mar-2023 |
Ninad Palsule <ninadpalsule@us.ibm.com> |
Added new pre-defined usergroup called hostconsole
The new pre-defined usergroup named "hostconsole" is added to differentiate access between host console and manager console. The only users allowed
Added new pre-defined usergroup called hostconsole
The new pre-defined usergroup named "hostconsole" is added to differentiate access between host console and manager console. The only users allowed to interact with host console are part of the "hostconsole" group and they are in an administrator role.
Note: The changes are spread across multiple repositories listed under "Related commits:"
The bmcweb changes to incorporate new group are as follows: - The new user is added in the hostconsole group only if it has an administrative role. - The ssh usergroup is only translated to ManagerConsole redfish group and hostconsole usergroup is translated to HostConsole redfish group. - The following changes are made to check the privileges for host console access - The new OEM privilege "OpenBMCHostConsole" added for host console access. This privilege is not shared externally hence it is not documented. - Updated obmc_console BMCWEB_ROUTE to use the new privilege. - Router functions now save user role and user groups in the session - getUserPrivileges() function now takes session reference instead of user role. This function now also checks for the user group "hostconsole" and add the new privilege if user is member of this group. - Updated all callers of the getUserPrivileges to pass session reference. - Added test to validate that new privilege is set correctly.
Tested: Loaded code on the system and validated that; - New user gets added in hostconsole group. NOTE: Prior to this commit all groups are assigned to new user. This drop does not change that behavior. - Access from the web gui is only available for users in hostconsole group. Used IBM internal simulator called simics to test this. This simulator allows accessing openbmc from GUI. - Checked the role collection and there is no change. $ curl -k -H "X-Auth-Token: $TOKEN" -X GET \ https://${bmc}/redfish/v1/AccountService/Roles $ curl -k -H "X-Auth-Token: $TOKEN" -X GET \ https://${bmc}/redfish/v1/AccountService/Roles/Administrator $ curl -k -H "X-Auth-Token: $TOKEN" -X GET \ https://${bmc}/redfish/v1/AccountService/Roles/ReadOnly $ curl -k -H "X-Auth-Token: $TOKEN" -X GET \ https://${bmc}/redfish/v1/AccountService/Roles/Operator
- HostConsole is in AccountType when hostconsole group is present in UserGroups D-Bus property
$ id user99 uid=1006(user99) gid=100(users) groups=1000(priv-admin),1005(web),\ 1006(redfish),1013(hostconsole),100(users)
$ curl -k https://${bmc}/redfish/v1/AccountService/Accounts/user99 { "@odata.id": "/redfish/v1/AccountService/Accounts/user99", "@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount", "AccountTypes": [ "HostConsole", "Redfish", "WebUI", "ManagerConsole" ], "Description": "User Account", "Enabled": true, "Id": "user99", "Links": { "Role": { "@odata.id": "/redfish/v1/AccountService/Roles/Administrator" } }, "Locked": false, "Locked@Redfish.AllowableValues": [ "false" ], "Name": "User Account", "Password": null, "PasswordChangeRequired": false, "RoleId": "Administrator", "UserName": "user99"
- The hostconsole group is not present for readonly or operator users and also made sure that console access is not provided. This testing is done one the system and console access was tried by modifying the https://github.com/openbmc/bmcweb/blob/master/scripts/websocket_test.py
+ curl -k https://${bmc}/redfish/v1/AccountService/Accounts/user99 { "@odata.id": "/redfish/v1/AccountService/Accounts/user99", "@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount", "AccountTypes": [ "IPMI", "Redfish", "WebUI", "ManagerConsole" ], "Description": "User Account", "Enabled": true, "Id": "user99", "Links": { "Role": { "@odata.id": "/redfish/v1/AccountService/Roles/ReadOnly" } }, "Locked": false, "Locked@Redfish.AllowableValues": [ "false" ], "Name": "User Account", "Password": null, "PasswordChangeRequired": false, "RoleId": "ReadOnly", "UserName": "user99"
[INFO "http_connection.hpp":209] Request: 0x150ac38 HTTP/1.1 GET /console0 ::ffff:x.x.xx.xxx [DEBUG "routing.hpp":1265] Matched rule (upgrade) '/console0' 1 / 2 [DEBUG "routing.hpp":1084] userName = user99 userRole = priv-user [DEBUG "routing.hpp":1123] IsUserPrivileged: group=ipmi [DEBUG "routing.hpp":1123] IsUserPrivileged: group=redfish [DEBUG "routing.hpp":1123] IsUserPrivileged: group=ssh [DEBUG "routing.hpp":1123] IsUserPrivileged: group=web [DEBUG "routing.hpp":93] checkPrivileges: BASE USER: Login [DEBUG "routing.hpp":93] checkPrivileges: BASE USER: ConfigureSelf [DEBUG "routing.hpp":113] checkPrivileges: OEM REQUIRED: OpenBMCHostConsole [ERROR "routing.hpp":1192] Insufficient Privilege
+ curl -k https://${bmc}/redfish/v1/AccountService/Accounts/user99 { "@odata.id": "/redfish/v1/AccountService/Accounts/user99", "@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount", "AccountTypes": [ "IPMI", "Redfish", "WebUI", "ManagerConsole" ], "Description": "User Account", "Enabled": true, "Id": "user99", "Links": { "Role": { "@odata.id": "/redfish/v1/AccountService/Roles/Operator" } }, "Locked": false, "Locked@Redfish.AllowableValues": [ "false" ], "Name": "User Account", "Password": null, "PasswordChangeRequired": false, "RoleId": "Operator", "UserName": "user99"
[INFO "http_connection.hpp":209] Request: 0x21c7c38 HTTP/1.1 GET /console0 ::ffff:x.x.xx.xxx [DEBUG "routing.hpp":1265] Matched rule (upgrade) '/console0' 1 / 2 [DEBUG "routing.hpp":1084] userName = user99 userRole = priv-operator [DEBUG "routing.hpp":1123] IsUserPrivileged: group=ipmi [DEBUG "routing.hpp":1123] IsUserPrivileged: group=redfish [DEBUG "routing.hpp":1123] IsUserPrivileged: group=ssh [DEBUG "routing.hpp":1123] IsUserPrivileged: group=web [DEBUG "routing.hpp":93] checkPrivileges: BASE USER: Login [DEBUG "routing.hpp":93] checkPrivileges: BASE USER: ConfigureComponents [DEBUG "routing.hpp":93] checkPrivileges: BASE USER: ConfigureSelf [DEBUG "routing.hpp":113] checkPrivileges: OEM REQUIRED: OpenBMCHostConsole [ERROR "routing.hpp":1192] Insufficient Privilege
Related commits: NOTE: docs, openbmc, obmc-console changes are already merged. bmcweb and phosphor-user-manager will be merged together. docs: https://gerrit.openbmc.org/c/openbmc/docs/+/60968 phosphor-user-manager: https://gerrit.openbmc.org/c/openbmc/phosphor-user-manager/+/61583 openbmc: https://gerrit.openbmc.org/c/openbmc/openbmc/+/61582 obmc-console: https://gerrit.openbmc.org/c/openbmc/obmc-console/+/61581 bmcweb: https://gerrit.openbmc.org/c/openbmc/bmcweb/+/61580
Change-Id: Ia5a33dafc9a76444e6a8e74e752f0f90cb0a31c8 Signed-off-by: Ninad Palsule <ninadpalsule@us.ibm.com>
show more ...
|
81c4e330 | 18-May-2023 |
Ed Tanous <edtanous@google.com> |
Capture all boost::system::error_codes by ref
Capturing these possibly overloaded values by reference can avoid a copy in some cases, and it's good to be consistent.
This change was made automatica
Capture all boost::system::error_codes by ref
Capturing these possibly overloaded values by reference can avoid a copy in some cases, and it's good to be consistent.
This change was made automatically by grep/sed.
Tested: Code compiles.
Signed-off-by: Ed Tanous <edtanous@google.com> Change-Id: Iafeaca2a5dc52f39753b5a3880419d6bc943f81b
show more ...
|
a6695a84 | 16-May-2023 |
Ed Tanous <edtanous@google.com> |
Clear json object
nlohmann::json::clear() has different behavior dependent on what the underlying object is, rather than doing the expected behavior of completely clearing the json object. This did
Clear json object
nlohmann::json::clear() has different behavior dependent on what the underlying object is, rather than doing the expected behavior of completely clearing the json object. This didn't matter because of a similar bug in http_connection that relied on nlohmann:json::empty() which is ALSO type dependent, so these worked.
Unfortunately, in 02e01b5108d46720a0b438c0d79952464320d954 we wanted to allow empty objects, and this bug was exposed.
There are two places where clear() is used, once in Response, which is clearly not the intent, which is to reset the object to the original constructed state. The other place we call clear is in Manager, where we use it to clear incremental results. That was a previous best practice that has been eliminated everywhere else (now we return as many results with the error as we are able). It has been removed.
Tested: Logging into the webui in firefox no longer core dumps.
Signed-off-by: Ed Tanous <edtanous@google.com> Change-Id: Ic89a037b30fb40c0e6eaeb939cae6e006dd0ffac
show more ...
|
ad2b2eb9 | 16-May-2023 |
Ed Tanous <edtanous@google.com> |
http_connection: Allow empty json objects
Currently http_connection will produce empty body in the response if the res.jsonValue is empty, including empty array, object.
This makes the output confu
http_connection: Allow empty json objects
Currently http_connection will produce empty body in the response if the res.jsonValue is empty, including empty array, object.
This makes the output confusing in case a response does contain an empty object or array.
Change the code to print the json object even if it's empty object or array.
This patchset was previously reverted because of a regression, but this regression is fixed in 63529.
Tested on previous commit: With an OEM URL that returns empty array depending on the system config, the response becomes `[]` instead of empty.
Signed-off-by: Lei YU <yulei.sh@bytedance.com> Signed-off-by: Ed Tanous <edtanous@google.com> Change-Id: I1d1bf01a5277ff1bc953b15d9fc410e10f941e70
show more ...
|
eea9c979 | 15-May-2023 |
Ed Tanous <edtanous@google.com> |
Clean up preparePayload
boost::beast::http::message::prepare_payload [1] can throw, which isn't really the behavior we want (as it throws to the io_context). Luckily, every part of that function is
Clean up preparePayload
boost::beast::http::message::prepare_payload [1] can throw, which isn't really the behavior we want (as it throws to the io_context). Luckily, every part of that function is using public methods, and we can simplify it.
In past commits, we've worked around this issue: 6295becabb9edba2edb53a3c0dddc13d2ffac8dd
This is an attempt to fix it properly.
[1] https://github.com/boostorg/beast/blob/ae01f0201dbf940cbc32d96d7a78dc584a02ab26/include/boost/beast/http/impl/message.hpp#L398
Redfish service validator passes
Signed-off-by: Ed Tanous <edtanous@google.com> Change-Id: Ie88ddeecfd226bba75a7659cfb7ddddd38eb27cb
show more ...
|
ef4c65b7 | 24-Apr-2023 |
Ed Tanous <edtanous@google.com> |
Boost::urls::format
Boost 1.82 dropped a lovely new toy, boost::urls::format, which is a lot like our urlFromPieces method, but better in that it makes the resulting uris more readable, and allows d
Boost::urls::format
Boost 1.82 dropped a lovely new toy, boost::urls::format, which is a lot like our urlFromPieces method, but better in that it makes the resulting uris more readable, and allows doing things like fragments in a single line instead of multiple. We should prefer it in some cases.
Tested: Redfish service validator passes. Spot checks of URLs work as expected. Unit tests pass.
Signed-off-by: Ed Tanous <edtanous@google.com> Change-Id: Ia7b38f0a95771c862507e7d5b4aa68aa1c98403c
show more ...
|
b84e729d | 11-May-2023 |
Ed Tanous <edtanous@google.com> |
Revert "http_connection: Allow empty json objects"
This reverts commit 02e01b5108d46720a0b438c0d79952464320d954.
This commit is being reverted because it causes login failures on Firefox browsers.
Revert "http_connection: Allow empty json objects"
This reverts commit 02e01b5108d46720a0b438c0d79952464320d954.
This commit is being reverted because it causes login failures on Firefox browsers. This commit originally was added with the idea that it did not fix anything on upstream, but made some peoples forks better.
It appears to have broken some upstream things, so the right thing to do is to revert it until those breakages can be understood.
Signed-off-by: Ed Tanous <edtanous@google.com> Change-Id: I04de84fca1a8de657f6941653f2a3e595ee725d5
show more ...
|
65a176cd | 12-May-2023 |
Patrick Williams <patrick@stwcx.xyz> |
fix clang-tidy warnings with unreachable returns
``` /data0/jenkins/workspace/ci-repository/openbmc/bmcweb/http/verb.hpp:51:12: error: 'return' will never be executed [clang-diagnostic-unreachable-c
fix clang-tidy warnings with unreachable returns
``` /data0/jenkins/workspace/ci-repository/openbmc/bmcweb/http/verb.hpp:51:12: error: 'return' will never be executed [clang-diagnostic-unreachable-code-return,-warnings-as-errors] /data0/jenkins/workspace/ci-repository/openbmc/bmcweb/http/utility.hpp:99:12: error: 'return' will never be executed [clang-diagnostic-unreachable-code-return,-warnings-as-errors] /data0/jenkins/workspace/ci-repository/openbmc/bmcweb/redfish-core/include/utils/query_param.hpp:272:13: error: 'break' will never be executed [clang-diagnostic-unreachable-code-break,-warnings-as-errors] ```
Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: Ia74f4fb4f34875097d1ef04b26e40908cc175088
show more ...
|
a232343d | 12-May-2023 |
Patrick Williams <patrick@stwcx.xyz> |
http-app: fix unused macro clang-tidy warning
``` /data0/jenkins/workspace/ci-repository/openbmc/bmcweb/http/app.hpp:27:9: error: macro is not used [clang-diagnostic-unused-macros,-warnings-as-error
http-app: fix unused macro clang-tidy warning
``` /data0/jenkins/workspace/ci-repository/openbmc/bmcweb/http/app.hpp:27:9: error: macro is not used [clang-diagnostic-unused-macros,-warnings-as-errors] #define BMCWEB_ROUTE(app, url) ```
Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: I49b6239d7d5f31c52af6f6e5b0bc57be22a299b5
show more ...
|
eb8a3998 | 12-May-2023 |
Patrick Williams <patrick@stwcx.xyz> |
http-logging: fix clang-tidy warnings
``` /data0/jenkins/workspace/ci-repository/openbmc/bmcweb/http/logging.hpp:132:9: error: macro is not used [clang-diagnostic-unused-macros,-warnings-as-errors]
http-logging: fix clang-tidy warnings
``` /data0/jenkins/workspace/ci-repository/openbmc/bmcweb/http/logging.hpp:132:9: error: macro is not used [clang-diagnostic-unused-macros,-warnings-as-errors] #define BMCWEB_LOG_CRITICAL ```
Add NOLINTBEGIN/NOLINTEND guards around the whole of the macro definitions because there are now multiple clang-tidy warning types that call out this behavior, but we want it in this case.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: Iac2ee839999f36424ca6dfed212d0bad0a2f3ae5
show more ...
|
3d7fc71e | 10-May-2023 |
Patrick Williams <patrick@stwcx.xyz> |
mutual-tls: fix clang-tidy warning
``` ../http/mutual_tls.hpp:77:35: error: unsafe buffer access [-Werror,-Wunsafe-buffer-usage] unsigned char usageChar = usage->data[i]; ```
Signed-off-by:
mutual-tls: fix clang-tidy warning
``` ../http/mutual_tls.hpp:77:35: error: unsafe buffer access [-Werror,-Wunsafe-buffer-usage] unsigned char usageChar = usage->data[i]; ```
Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: Icc6905f31fdd54b683fe7807eb72e9b78437b2d1
show more ...
|
89492a15 | 10-May-2023 |
Patrick Williams <patrick@stwcx.xyz> |
clang-format: copy latest and re-format
clang-format-16 has some backwards incompatible changes that require additional settings for best compatibility and re-running the formatter. Copy the latest
clang-format: copy latest and re-format
clang-format-16 has some backwards incompatible changes that require additional settings for best compatibility and re-running the formatter. Copy the latest .clang-format from the docs repository and reformat the repository.
Change-Id: I75f89d2959b0f1338c20d72ad669fbdc1d720835 Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
show more ...
|
662aa6e3 | 10-Jan-2023 |
Myung Bae <myungbae@us.ibm.com> |
Update Logging option for the setting log level
In order to be able to more easily debug bmcweb related issue, a new meson option is added to set a specific logging level Which generates the targete
Update Logging option for the setting log level
In order to be able to more easily debug bmcweb related issue, a new meson option is added to set a specific logging level Which generates the targeted logging traces rather than all of debug traces.
The current option -Dbmcweb-logging which can be either disabled or enabled is changed to allow to set the log level for the specific level traces (e.g. error or critical traces) to be written to the journal.
-Dbmcweb-logging=<log-level>
where <log-level> can be disabled, enabled, debug, info, warning, error, or critical.
- `disabled`: Turns off all bmcweb log traces. - `enabled` : treated as `debug` - Other option can be described in [Logging Levels](DEVELOPING.md).
For an example, to enable only 'error', 'critical' log entries, bmcweb can be built with
-Dbmcweb-logging=error
Testing: - Verified that only the specific logs (e.g. error and critical logs) were displayed by compiling bmcweb with the specific bmcweb-logging level.
Change-Id: I522ca26700ea420fee1a5cf688d3e8c6661f2f55 Signed-off-by: Myung Bae <myungbae@us.ibm.com>
show more ...
|
28f4b387 | 10-Apr-2023 |
Ed Tanous <edtanous@google.com> |
Remove nameStr from router
It isn't used anywhere in the code, so it can be removed, and the router simplified. These common data structures have caused problems, in that they're not copied to chil
Remove nameStr from router
It isn't used anywhere in the code, so it can be removed, and the router simplified. These common data structures have caused problems, in that they're not copied to child handlers, and cause bugs like #249.
Tested: Redfish service validator passes. Basic sanity tests of both static file routes such as $metadata (which use DynamicRule) as well as method routes, such as /redfish/v1, return valid data.
Signed-off-by: Ed Tanous <edtanous@google.com> Change-Id: I93ad74581912e18ee5db9aaa9ecdaf08ed765418
show more ...
|
15a42df0 | 09-Feb-2023 |
Ed Tanous <edtanous@google.com> |
Remove number support from the router
The router historically came from crow. Crow supported wildcards of <int>, <float>, and <double>. bmcweb doesn't use them, nor should it in basically any case
Remove number support from the router
The router historically came from crow. Crow supported wildcards of <int>, <float>, and <double>. bmcweb doesn't use them, nor should it in basically any case, as we now have explicit 404 handling.
This commit removes them. This amounts to about -450 lines of code, but it's some of the scarier code we have, some of it existing in the namespace "black_magic". Reducing the brain debt for people working in this subsystem seems worthwhile. There is no case in the future where we would use integer based url parameters.
Tested: Redfish service validator passes. Should be good enough coverage for a code removal.
Signed-off-by: Ed Tanous <edtanous@google.com> Change-Id: I34add8df7d3486952474ca7ec3dc6be990c50ed0
show more ...
|
02e01b51 | 19-Apr-2023 |
Lei YU <yulei.sh@bytedance.com> |
http_connection: Allow empty json objects
Currently http_connection will produce empty body in the response if the res.jsonValue is empty, including empty array, object.
This makes the output confu
http_connection: Allow empty json objects
Currently http_connection will produce empty body in the response if the res.jsonValue is empty, including empty array, object.
This makes the output confusing in case a response does contain an empty object or array.
Change the code to print the json object even if it's empty object or array, so that the output is consistent with the `res.jsonValue`.
Tested: With an OEM URL that returns empty array depending on the system config, the response becomes `[]` instead of empty.
Signed-off-by: Lei YU <yulei.sh@bytedance.com> Change-Id: Ie97378a2cffce7b1fd6586a56b6cfa7d5c476dc1
show more ...
|
9d192c74 | 10-Apr-2023 |
Ed Tanous <edtanous@google.com> |
Copy privilegeset into websocket rule
Resolves #249
Tested: Running websockets now shows rules being applied ``` Apr 10 20:26:35 p10bmc bmcweb[745]: (2023-04-10 20:26:35) [INFO "http_connection.hpp
Copy privilegeset into websocket rule
Resolves #249
Tested: Running websockets now shows rules being applied ``` Apr 10 20:26:35 p10bmc bmcweb[745]: (2023-04-10 20:26:35) [INFO "http_connection.hpp":209] Request: 0x11e3248 HTTP/1.1 GET /console0 ::ffff:X.XX.XX.XXX | Apr 10 20:26:35 p10bmc bmcweb[745]: (2023-04-10 20:26:35) [DEBUG "routing.hpp":1460] Matched rule (upgrade) '/console0' 1 / 2 Apr 10 20:26:36 p10bmc bmcweb[745]: (2023-04-10 20:26:36) [DEBUG "routing.hpp":1299] userName = admin userRole = priv-admin Apr 10 20:26:36 p10bmc bmcweb[745]: (2023-04-10 20:26:36) [DEBUG "routing.hpp":101] checkPrivileges: Active BASE priv: ConfigureManager <<<<<< Apr 10 20:26:36 p10bmc bmcweb[745]: (2023-04-10 20:26:36) [DEBUG "routing.hpp":101] checkPrivileges: Active BASE priv: ConfigureComponents <<<<<< Apr 10 20:26:36 p10bmc bmcweb[745]: (2023-04-10 20:26:36) [ERROR "routing.hpp":1361] isUserPrivileged: URL: /console0 IsPrivelegeSetEmpty: 0 Username: admin ```
Signed-off-by: Ed Tanous <edtanous@google.com> Tested-by: Ninad Palsule <ninadpalsule@us.ibm.com> Change-Id: Ia2eae1847822b50a425afd2e5e13b528393aa7ad
show more ...
|
e628df86 | 04-Apr-2023 |
Gunnar Mills <gmills@us.ibm.com> |
Fix websocket csrf checking
https://github.com/openbmc/bmcweb/commit/f8aa3d2704d3897eb724dab9ac596af8b1f0e33e (4/15/20) added CSRF check into websockets but later setting cookieAuth to true was remo
Fix websocket csrf checking
https://github.com/openbmc/bmcweb/commit/f8aa3d2704d3897eb724dab9ac596af8b1f0e33e (4/15/20) added CSRF check into websockets but later setting cookieAuth to true was removed so this session->cookieAuth is always false. https://github.com/openbmc/bmcweb/commit/3909dc82a003893812f598434d6c4558107afa28 (7/15/20).
2 choices here add back this cookieAuth=true when cookie auth is used or remove this "if cookieAuth" and do this check anytime BMCWEB_INSECURE_DISABLE_CSRF_PREVENTION isn't enabled.
Really we shouldn't support any other auth on websockets so maybe if (!session->cookieAuth){ unauthorized; } if go with the first choice. Went with the 2nd choice because cleaner.
This checking is a bit weird because it uses protocol for csrf checking. https://github.com/openbmc/webui-vue/blob/b63e9d9a70dabc4c9a7038f7727fca6bd17d940a/src/views/Operations/SerialOverLan/SerialOverLanConsole.vue#L98
Tested: Before could log in to webui-vue, delete the XSRF-TOKEN but still connect to the host console. After if deleted the XSRF-TOKEN (browser dev tools), the websocket does not connect. Don't have a system with KVM, VM enabled so wasn't able to check those but the webui-vue code for them looks to pass the token. The webui-vue host console works the same as before if you aren't messing with the XSRF-TOKEN.
Change-Id: Ibd5910587648f68809c7fd518bcf5a0bcf8cf329 Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
show more ...
|
863c1c2e | 21-Feb-2022 |
Ed Tanous <edtanous@google.com> |
nbd proxy and websocket cleanups
As-written, the nbd (and all websocket daemons) suffer from a problem where there is no way to apply socket backpressure, so in certain conditions, it's trivial to r
nbd proxy and websocket cleanups
As-written, the nbd (and all websocket daemons) suffer from a problem where there is no way to apply socket backpressure, so in certain conditions, it's trivial to run the BMC out of memory on a given message. This is a problem.
This commit implements the idea of an incremental callback handler, that accepts a callback function to be run when the processing of the message is complete. This allows applying backpressure on the socket, which in turn, should provide pressure back to the client, and prevent buffering crashes on slow connections, or connections with high latency.
Tested: NBD proxy not upstream, no way to test. No changes made to normal websocket flow.
Signed-off-by: Michal Orzel <michalx.orzel@intel.com> Signed-off-by: Ed Tanous <edtanous@google.com> Change-Id: I3f116cc91eeadc949579deacbeb2d9f5e0f4fa53
show more ...
|
e551b5fa | 27-Feb-2023 |
Ed Tanous <edtanous@google.com> |
Remove authorization checks in nbd_proxy
nbd proxy should not have its own authorization checks, as these are now handled in the core as of 7e9093e625961f533250a6c193c1a474e98007c4
Signed-off-by: E
Remove authorization checks in nbd_proxy
nbd proxy should not have its own authorization checks, as these are now handled in the core as of 7e9093e625961f533250a6c193c1a474e98007c4
Signed-off-by: Ed Tanous <edtanous@google.com> Change-Id: I8874d8a09278ba21d2acfdf076cb76dee718ecf4
show more ...
|
d3c8ce63 | 21-Mar-2023 |
Jonathan Doman <jonathan.doman@intel.com> |
Fix Request use-after-move
Partial revert of 915d2d4e59be56958b04a79ba96e0242ef735f44
Request object was being moved out of the owning Connection object, which would then try to use the Request aga
Fix Request use-after-move
Partial revert of 915d2d4e59be56958b04a79ba96e0242ef735f44
Request object was being moved out of the owning Connection object, which would then try to use the Request again in completeRequest(). Just pass around a reference instead of taking ownership.
The obvious symptom was that Redfish pages were served as json in the browser instead of HTML, because the headers in the Request were no longer valid after being moved.
Tested: /redfish/v1 is served as HTML in the browser again.
Change-Id: Iae68a68817146c28377bbcade04716725e4a6096 Signed-off-by: Jonathan Doman <jonathan.doman@intel.com>
show more ...
|
d14a48ff | 21-Feb-2023 |
Carson Labrado <clabrado@google.com> |
Aggregation: Increase response read limit to 50MB
With Redfish aggregation, responses from satellite BMCs can be on the order of MBs due to use cases like logging or binary payloads. Offloading $exp
Aggregation: Increase response read limit to 50MB
With Redfish aggregation, responses from satellite BMCs can be on the order of MBs due to use cases like logging or binary payloads. Offloading $expand could similar result in responses that exceed the current read limit of 128 KB.
Splits the connection pools used for aggregation and EventService so that the response read limit is 50MB for responses associated with aggregation. Pools used by EventService keep the current limit of 2^17 bytes or 128 KB. It also propogates a ConnectionPolicy object that gets instantiated within HttpClient, which allows per-client policies for retry/byte limits. This allows EventService and aggregation to have different policies.
Tested: With aggregation enabled I was able to return a response from a satellite BMC which was than 2MB. Ran the Redfish Mockup Creator and it was able to successfully query all aggregated resources as part of walking the tree. Also verified that HTTP push events still work with EventListener.
Change-Id: I91de6f82aadf8ad6f7bc3f58dfa0d14c0759dd47 Signed-off-by: Carson Labrado <clabrado@google.com> Signed-off-by: Ed Tanous <edtanous@google.com>
show more ...
|