| b0a8d97b | 21-Sep-2025 |
Joey Berkovitz <joey@berkovitz.us> |
PasswordChangeRequired: Fix error message
The PasswordChangeRequired error was incorrectly formatted. Per the spec, it should be an error response and 403 on all requests except for session creation, which is just a `@Message.ExtendedInfo` annotation. See [1].
This is a follow-up to 1c651ee12ad55ab6626c2baf3754aecda305ba43 which accidentally only broke out the password change logic for session creation. This change adjusts the non-session-creation error response for PasswordChangeRequired to return a proper error.
Tested:
- Built a romulus image
- Ran `passwd --expire root`
- curl to Managers and session creation
```
╰─○ curl -kv --user "$BMC_USER:$BMC_PASS" https://localhost:2443/redfish/v1/Managers
< HTTP/2 403
{
  "error": {
    "@Message.ExtendedInfo": [
      {
        "@odata.type": "#Message.v1_1_1.Message",
        "Message": "The password provided for this account must be changed before access is granted. PATCH the Password property for this account located at the target URI '/redfish/v1/AccountService/Accounts/root' to complete this process.",
        "MessageArgs": [
          "/redfish/v1/AccountService/Accounts/root"
        ],
        "MessageId": "Base.1.19.PasswordChangeRequired",
        "MessageSeverity": "Critical",
        "Resolution": "Change the password for this account using a PATCH to the Password property at the URI provided."
      }
    ],
    "code": "Base.1.19.PasswordChangeRequired",
    "message": "The password provided for this account must be changed before access is granted. PATCH the Password property for this account located at the target URI '/redfish/v1/AccountService/Accounts/root' to complete this process."
  }
}

╰─○ curl -kv -X POST -H 'Content-Type: application/json' -d '{"UserName": "root", "Password": "..."}' https://localhost:2443/redfish/v1/SessionService/Sessions
< HTTP/2 201
{
  "@Message.ExtendedInfo": [
    {
      "@odata.type": "#Message.v1_1_1.Message",
      "Message": "The password provided for this account must be changed before access is granted. PATCH the Password property for this account located at the target URI '/redfish/v1/AccountService/Accounts/root' to complete this process.",
      "MessageArgs": [
        "/redfish/v1/AccountService/Accounts/root"
      ],
      "MessageId": "Base.1.19.PasswordChangeRequired",
      "MessageSeverity": "Critical",
      "Resolution": "Change the password for this account using a PATCH to the Password property at the URI provided."
    }
  ],
  "@odata.id": "/redfish/v1/SessionService/Sessions/klDQdHSMME",
  "@odata.type": "#Session.v1_7_0.Session",
  "ClientOriginIPAddress": "0.0.0.0",
  "Description": "Manager User Session",
  "Id": "klDQdHSMME",
  "Name": "User Session",
  "Roles": [
    "Administrator"
  ],
  "UserName": "root"
}
```
[1]: https://www.dmtf.org/sites/default/files/standards/documents/DSP0266_1.22.1.html#password-change-required-handling
Change-Id: I0ab50b4e2298d13ae00f84bc7891c2a14610e1b2
Signed-off-by: Joey Berkovitz <joey@berkovitz.us>
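Client-side handling of the two response shapes shown in the transcript above, as an added example in Python; this is not code from bmcweb or from this commit. The response bodies are constructed here from the transcript with the long Message/Resolution strings trimmed. `conforms()` encodes the rule the commit message states (an ordinary request gets a 403 whose `error.code` is the PasswordChangeRequired MessageId; session creation gets a 201 with the message only as a top-level `@Message.ExtendedInfo` annotation); treating every other combination as non-conforming is this example's reading of that rule, not text quoted from DSP0266.

```python
# Constructed (status, body) pairs modelled on the two curl transcripts in the
# commit message. Long message strings are trimmed; structure is preserved.
PCR_ACCOUNT = "/redfish/v1/AccountService/Accounts/root"


def _pcr_message(message_id="Base.1.19.PasswordChangeRequired"):
    return {
        "@odata.type": "#Message.v1_1_1.Message",
        "MessageId": message_id,
        "MessageArgs": [PCR_ACCOUNT],
        "MessageSeverity": "Critical",
    }


MANAGERS_GET = (403, {
    "error": {
        "code": "Base.1.19.PasswordChangeRequired",
        "message": "The password provided for this account must be changed ...",
        "@Message.ExtendedInfo": [_pcr_message()],
    }
})
SESSION_POST = (201, {
    "@odata.id": "/redfish/v1/SessionService/Sessions/klDQdHSMME",
    "@odata.type": "#Session.v1_7_0.Session",
    "UserName": "root",
    "@Message.ExtendedInfo": [_pcr_message()],
})
# An unrelated 403 (constructed) to show the detector keys on the message, not the status.
OTHER_403 = (403, {"error": {
    "code": "Base.1.19.InsufficientPrivilege",
    "message": "There are insufficient privileges for the account ...",
    "@Message.ExtendedInfo": [{"MessageId": "Base.1.19.InsufficientPrivilege", "MessageArgs": []}],
}})


def _is_pcr(message_id: str) -> bool:
    # Match the registry name and message key, not the registry version (Base.1.19 here).
    parts = message_id.split(".")
    return parts[0] == "Base" and parts[-1] == "PasswordChangeRequired"


def _extended_info(body: dict) -> list:
    # On an error response the annotation sits inside "error"; on a success
    # response (session creation) it sits at the top level of the resource.
    container = body.get("error", body)
    return container.get("@Message.ExtendedInfo", []) if isinstance(container, dict) else []


def password_change_required(body: dict):
    """Return the account URI from MessageArgs if the body carries
    PasswordChangeRequired in either shape, otherwise None."""
    for msg in _extended_info(body):
        if _is_pcr(msg.get("MessageId", "")) and msg.get("MessageArgs"):
            return msg["MessageArgs"][0]
    return None


def conforms(status: int, body: dict, is_session_create: bool) -> bool:
    """Check a PasswordChangeRequired response against the rule in the commit:
    session creation succeeds (201) with a top-level annotation on the Session
    resource; every other request is a 403 whose error.code is the message id."""
    if password_change_required(body) is None:
        return False
    if is_session_create:
        return (status == 201 and "error" not in body
                and body.get("@odata.type", "").startswith("#Session."))
    err = body.get("error")
    return (status == 403 and isinstance(err, dict)
            and _is_pcr(err.get("code", ""))
            and "@Message.ExtendedInfo" not in body)


def recovery_request(body: dict, new_password: str):
    """The follow-up the Resolution text asks for: PATCH Password on the account URI."""
    uri = password_change_required(body)
    if uri is None:
        return None
    return ("PATCH", uri, {"Password": new_password})
```

A client that only inspects the HTTP status would treat the 403 as a generic authorization failure and the 201 as a plain success; keying on the MessageId in either location is what lets it drive the user to the password PATCH instead.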
|
| ac2ff474 | 13-Aug-2025 |
Malik Akbar Hashemi Rafsanjani <malikrafsan@meta.com> |
flip http2 flag for generate auth cert integration test
This commit enhances the gen auth cert test by using a better flag option for http2 and not flipping the value.
Change-Id: I989606807ba0f286a16c1e6e3f1bfc5dbe6a430d
Signed-off-by: Malik Akbar Hashemi Rafsanjani <malikrafsan@meta.com>
|
| fff6a4d3 | 21-Jul-2021 |
Abhishek Patel <Abhishek.Patel@ibm.com> |
Add SubordinateOverrides & Fix Log_services privileges
SubordinateOverrides: This commit automates the creation of SubordinateOverrides privileges structures from the redfish privilege registry. In addition, it enhances the function of parse_registries.py.
It reads SubordinateOverrides privilege registry from DMTF and generates const defines SubordinateOverrides for all the privilege registry entries in the same format that the Privileges struct accepts.
Moreover, it generates unique const defines for all SubordinateOverrides target levels. Ex: EthernetInterface SubordinateOverrides has two "Targets": ["Manager", "EthernetInterfaceCollection"]. So parse_registries.py generates two unique const
1) Subordinate override for Manager -> EthernetInterface 2) Subordinate override for Manager -> EthernetInterfaceCollection -> EthernetInterface
Note: if SubordinateOverrides privilege gets changed, then it automatically updates that route privilege, but if SubordinateOverrides target gets changed, then the user needs to update that manually.
Fix Log_services privileges: In Log_services, some of the privileges are not following the Redfish_1.1.0_PrivilegeRegistry registry.
This commit contains the following LogServices privileges.
1) POST method
```
ComputerSystem -> LogServiceCollection -> LogService
- POST /redfish/v1/Systems/<str>/LogServices/EventLog/Actions/LogService.ClearLog/
- POST /redfish/v1/Systems/<str>/LogServices/Dump/Actions/LogService.CollectDiagnosticData/
- POST /redfish/v1/Systems/<str>/LogServices/Dump/Actions/LogService.ClearLog/
- POST /LogServices/PostCodes/Actions/LogService.ClearLog/
```
2) DELETE method
```
ComputerSystem -> LogServiceCollection -> LogService -> LogEntryCollection -> LogEntry
- DELETE /redfish/v1/Systems/<str>/LogServices/EventLog/Entries/<str>/
```
This commit also changes the current privilege
1) ConfigureManager to ConfigureComponents.
```
DELETE /redfish/v1/Systems/<str>/LogServices/EventLog/Entries/<str>
```
2) ConfigureComponents -> ConfigureManager
```
POST /redfish/v1/Systems/<str>/LogServices/Dump/Actions/LogService.ClearLog/
POST /redfish/v1/Systems/<str>/LogServices/EventLog/Actions/LogService.ClearLog/
POST /redfish/v1/Systems/<str>/LogServices/Dump/Actions/LogService.CollectDiagnosticData/
```
Tested: Manually tested on a Witherspoon system; there is no change in output. Ran the Redfish validator with all the different privileges. Error: `Get: UUID: String '' does not match pattern ''` (this commit doesn't affect UUID).
Email sent to openbmc list: https://lists.ozlabs.org/pipermail/openbmc/2021-August/027232.html
Change-Id: I37d8a2882f1cfaa59a482083f180fdd0805e2e7d
Signed-off-by: Abhishek Patel <Abhishek.Patel@ibm.com>
Signed-off-by: Myung Bae <myungbae@us.ibm.com>
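How a SubordinateOverrides lookup and the resulting authorization decision work, as an added example in Python; it is not parse_registries.py or bmcweb code. The registry fragment below is constructed in the shape of the DMTF privilege registry's `Mappings` entries (`Entity`, `OperationMap`, `SubordinateOverrides` with `Targets`), using the EthernetInterface case from the commit message; the privilege values are illustrative, not copied from the published registry. Two choices are this example's own: an override applies only when its `Targets` chain equals the parent chain the route author passes in (mirroring the one-constant-per-Targets scheme described above), and a method the override does not list falls back to the entity's base `OperationMap`. The constant names emitted by `generate_override_constants` follow the "Manager -> EthernetInterfaceCollection -> EthernetInterface" wording, not the script's exact identifier spelling.

```python
# Constructed fragment in the shape of the Redfish privilege registry (DSP8011
# "Mappings"). Privilege values are illustrative only.
PRIVILEGE_REGISTRY = {
    "Mappings": [
        {
            "Entity": "EthernetInterface",
            "OperationMap": {
                "GET": [{"Privilege": ["Login"]}],
                "PATCH": [{"Privilege": ["ConfigureComponents"]}],
            },
            "SubordinateOverrides": [
                {   # Manager -> EthernetInterface
                    "Targets": ["Manager"],
                    "OperationMap": {"PATCH": [{"Privilege": ["ConfigureManager"]}]},
                },
                {   # Manager -> EthernetInterfaceCollection -> EthernetInterface
                    "Targets": ["Manager", "EthernetInterfaceCollection"],
                    "OperationMap": {"PATCH": [{"Privilege": ["ConfigureManager"]}]},
                },
            ],
        },
        {
            "Entity": "LogEntry",
            "OperationMap": {
                "GET": [{"Privilege": ["Login"]}],
                # Two alternatives: holding either privilege is sufficient.
                "DELETE": [{"Privilege": ["ConfigureManager"]},
                           {"Privilege": ["ConfigureComponents"]}],
            },
        },
    ]
}

Alternatives = list[frozenset[str]]   # OR-list of AND-sets of privilege names


def _alternatives(op_list) -> Alternatives:
    return [frozenset(entry["Privilege"]) for entry in op_list]


def privileges_for(registry, entity: str, method: str, targets=()) -> Alternatives:
    """Resolve the privilege alternatives for METHOD on ENTITY.

    TARGETS is the parent chain the route sits under, e.g.
    ("Manager", "EthernetInterfaceCollection") for
    /redfish/v1/Managers/<id>/EthernetInterfaces/<id>. A SubordinateOverrides
    entry whose Targets equal that chain wins for the methods it lists;
    otherwise the entity's base OperationMap applies (this example's fallback rule).
    """
    for mapping in registry["Mappings"]:
        if mapping["Entity"] != entity:
            continue
        for override in mapping.get("SubordinateOverrides", []):
            if tuple(override["Targets"]) == tuple(targets) and method in override["OperationMap"]:
                return _alternatives(override["OperationMap"][method])
        return _alternatives(mapping["OperationMap"].get(method, []))
    raise KeyError(f"no privilege mapping for entity {entity!r}")


def is_authorized(user_privileges, alternatives: Alternatives) -> bool:
    """True if the user holds every privilege of at least one alternative.
    An empty alternatives list (method not mapped at all) denies."""
    user = frozenset(user_privileges)
    return any(alt <= user for alt in alternatives)


def generate_override_constants(registry) -> dict:
    """One named constant per SubordinateOverrides target chain. Because the
    name is derived from Targets, a change to Targets renames the constant and
    the route that referenced the old name must be updated by hand, which is
    the caveat the commit message notes."""
    out = {}
    for mapping in registry["Mappings"]:
        for override in mapping.get("SubordinateOverrides", []):
            name = "subordinateOverride" + "".join(override["Targets"]) + mapping["Entity"]
            out[name] = {m: _alternatives(ops) for m, ops in override["OperationMap"].items()}
    return out
```

The Operator role in this example holds Login, ConfigureComponents and ConfigureSelf: it may PATCH a free-standing EthernetInterface but not one under a Manager, and it may DELETE a LogEntry because ConfigureComponents is one of the two accepted alternatives.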
|
| 4a102cd4 | 27-Feb-2025 |
Patrick Williams <patrick@stwcx.xyz> |
registries: make registration dynamic
Rather than having to manually hook code for registries, add a small registration function to the registry header and use this registration results throughout the registry interactions.
Tested:
Confirmed registries have same behavior.
```
$ curl -s -k https://localhost:18080/redfish/v1/Registries/ | jq '.Members | map(."@odata.id")'
[
  "/redfish/v1/Registries/Base",
  "/redfish/v1/Registries/HeartbeatEvent",
  "/redfish/v1/Registries/OpenBMC",
  "/redfish/v1/Registries/ResourceEvent",
  "/redfish/v1/Registries/TaskEvent",
  "/redfish/v1/Registries/Telemetry"
]
```

```
$ curl -s -k https://localhost:18080/redfish/v1/Registries/TaskEvent/TaskEvent | jq ".Messages | keys"
[
  "TaskAborted",
  "TaskCancelled",
  "TaskCompletedOK",
  "TaskCompletedWarning",
  "TaskPaused",
  "TaskProgressChanged",
  "TaskRemoved",
  "TaskResumed",
  "TaskStarted"
]
```
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Iaa355420736a2587d9da4e995208d579443ca9b8
|
| 5bfed263 | 21-Feb-2025 |
Igor Kanyuka <ifelmail@gmail.com> |
Make Registry description optional
Currently, parse_registries.py assumes the description property exists in every registry json it parses. However, according to the spec [1] it is not a required property, so it may not exist, see [2]. Switch it to optional and use an empty string as a default value.
Testing: Ran the script and made sure the generated files remain unchanged.
[1] https://redfish.dmtf.org/schemas/v1/MessageRegistry.v1_4_0.json
[2] Run: `curl https://redfish.dmtf.org/schemas/v1/MessageRegistry.v1_4_0.json | jq .definitions.MessageRegistry.required`
Change-Id: I3e9ba84bbdb9ba5e6ed8b00cde48c15a1b5abba6
Signed-off-by: Igor Kanyuka <ifelmail@gmail.com>
|
| 7f84d8c6 | 14-Mar-2023 |
Myung Bae <myungbae@us.ibm.com> |
Return forbidden return code for RestrictedRole operations
This fixes the http error code of the operations of the restricted role which currently result in bad_request (400) instead of forbidden (403).
Tested:
```
$ redfishtool -r ${bmc}:18080 -u ${user} -p ${pass} -S Always raw POST /redfish/v1/AccountService/Accounts -d '{"UserName":"service","Password":"newPwd1","RoleId":"Operator"}'
redfishtool: Transport: Response Error: status_code: 403 -- Forbidden--user not authorized to perform action
redfishtool: raw: Error sending POST to resource, aborting

$ redfishtool -r ${bmc}:18080 -u ${user} -p ${pass} -S Always raw PATCH /redfish/v1/AccountService/Accounts/${user} -d '{"Password":"NewTestPwd123"}'
redfishtool: Transport: Response Error: status_code: 403 -- Forbidden--user not authorized to perform action

$ redfishtool -r ${bmc}:18080 -u ${user} -p ${pass} -S Always raw PATCH /redfish/v1/AccountService/Accounts/${user} -d '{"UserName":"new-service"}'
redfishtool: Transport: Response Error: status_code: 403 -- Forbidden--user not authorized to perform action

$ redfishtool -r ${bmc}:18080 -u ${user} -p ${pass} -S Always raw PATCH /redfish/v1/AccountService/Accounts/${user} -d '{"RoleId":"Operator"}'
redfishtool: Transport: Response Error: status_code: 403 -- Forbidden--user not authorized to perform action

$ redfishtool -r ${bmc}:18080 -u ${user} -p ${pass} -S Always raw DELETE /redfish/v1/AccountService/Accounts/${user}
redfishtool: Transport: Response Error: status_code: 403 -- Forbidden--user not authorized to perform action
redfishtool: raw: Error sending DELETE to resource, aborting
```
Change-Id: I1b212ccb5a630750eb5d4197970b4fb75fceffd7
Signed-off-by: Myung Bae <myungbae@us.ibm.com>
|
| aca5a54e | 12-Mar-2025 |
Malik Akbar Hashemi Rafsanjani <malikrafsan@meta.com> |
extend test script to cover upn testing
This commit is intended to extend the existing `generate_auth_certificate` Python script that automatically tests the auth functionality of bmcweb. We extend the script by adding a test for the UserPrincipalName (UPN) feature. This feature[1] allows us to use the SubjectAlternativeName (SAN) extension on an X509 certificate and enables us to use a different name as the username. Previously we could only use the CommonName in the certificate as the username.
By adding these changes, we can test the UPN feature easily using the script. We add a new flag that enables the user to test the UPN feature by specifying the UPN name to be tested.
UPN has OID that is specified by Microsoft[2]. The full OID path: 1 ISO 1.3 identified-organization (ISO/IEC 6523), 1.3.6 DoD, 1.3.6.1 internet, 1.3.6.1.4 private, 1.3.6.1.4.1 enterprise, 1.3.6.1.4.1.311 Microsoft, 1.3.6.1.4.1.311.20 Microsoft enrollment infrastructure, 1.3.6.1.4.1.311.20.2 Certificate Type Extension, 1.3.6.1.4.1.311.20.2.3 UserPrincipalName
Tested:
- Regress test on CommonName by running without `--upn` flag
- Test using correct UPN name
  - There are two requirements for the UPN name (`username@domain`)
    - `username` must exist in the BMC device accounts
    - `domain` must match the domain forest of the device
      - eg: malik@fb.com match macbmc1.abc.fb.com
- Test using incorrect UPN name
  - Violate one of the requirements and the test should fail

[1] Patch feature: https://gerrit.openbmc.org/c/openbmc/bmcweb/+/78519
[2] OID of UPN: https://oidref.com/1.3.6.1.4.1.311.20.2.3
Change-Id: I997bea9a6662fa41c3824fde71ea4f20b606ca9c
Signed-off-by: Malik Akbar Hashemi Rafsanjani <malikrafsan@meta.com>
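What a UPN in a SAN actually looks like on the wire, and how the two requirements listed under Tested translate into a check, as an added example in Python; this is not the `generate_auth_certificate` script or bmcweb code (those use OpenSSL and python-cryptography, which hide the encoding). The DER is built and parsed by hand here so the structure is visible: the UPN is a GeneralName `otherName` whose type-id is the Microsoft OID from the commit (1.3.6.1.4.1.311.20.2.3) and whose value is an explicitly tagged UTF8String. The UPN, hostname and account set are constructed; reading "domain must match the domain forest of the device" as "the UPN domain is a label-aligned suffix of the device FQDN" is this example's interpretation of the `malik@fb.com` / `macbmc1.abc.fb.com` case, not a statement of how bmcweb implements it.

```python
# UPN otherName in a SubjectAlternativeName, DER encoded and decoded by hand.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft UserPrincipalName (from the commit)


def der(tag: int, content: bytes) -> bytes:
    """Wrap CONTENT in a DER TLV with TAG, using short or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at POS."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                         # long form: n & 0x7F bytes of length follow
        size = n & 0x7F
        n = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + n], pos + n


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128 big-endian."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))   # continuation bit on all but the last byte
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_san(upn: str, dns_names: list) -> bytes:
    """SEQUENCE OF GeneralName holding one otherName(UPN) plus dNSNames.
    otherName is [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }."""
    other = der(0xA0, encode_oid(UPN_OID) + der(0xA0, der(0x0C, upn.encode("utf-8"))))
    dns = b"".join(der(0x82, n.encode("ascii")) for n in dns_names)  # dNSName [2] IMPLICIT IA5String
    return der(0x30, other + dns)


def parse_san(san: bytes) -> dict:
    """Extract UPNs and dNSNames from a DER SubjectAlternativeName value."""
    tag, seq, _ = read_tlv(san, 0)
    if tag != 0x30:
        raise ValueError("SAN is not a SEQUENCE")
    names, pos = {"upn": [], "dns": []}, 0
    while pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)
        if tag == 0x82:
            names["dns"].append(content.decode("ascii"))
        elif tag == 0xA0:
            t_oid, oid_body, p = read_tlv(content, 0)
            t_val, explicit, _ = read_tlv(content, p)
            if t_oid == 0x06 and decode_oid(oid_body) == UPN_OID and t_val == 0xA0:
                t_str, utf8, _ = read_tlv(explicit, 0)
                if t_str == 0x0C:
                    names["upn"].append(utf8.decode("utf-8"))
        # other GeneralName choices (rfc822Name, iPAddress, ...) are ignored here
    return names


def upn_to_username(upn: str, local_accounts: set, device_fqdn: str):
    """Apply the two requirements from the Tested section: the user part must be a
    local account and the domain part must match the device's domain. The domain
    test here is a label-aligned suffix match (this example's reading of 'forest')."""
    user, sep, domain = upn.rpartition("@")
    if not sep or not user or not domain:
        return None
    host, domain = device_fqdn.lower(), domain.lower()
    if host != domain and not host.endswith("." + domain):
        return None
    return user if user in local_accounts else None
```

The leading dot in the suffix check matters: without it `malik@bc.fb.com` would match `macbmc1.abc.fb.com`, so an attacker holding a certificate for a look-alike domain could pass the domain requirement.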
|
| 557ab0de | 18-Feb-2025 |
Igor Kanyuka <ifelmail@gmail.com> |
Refactor parse_registries.py
Minor refactoring:
- Change global scope variable names to capital letters
- get_response_code method to make it more readable and pythonic.
- Now, already processed data is stored in 2 variables - registries_map and files; use only 1 storage to avoid errors caused by missing some entries in one storage, but presenting in another.
Testing: Ran the script and made sure the files it generated did not change.
Change-Id: Ida35adcd3530dbd87040a12de4903eda5f1f93f7
Signed-off-by: Igor Kanyuka <ifelmail@gmail.com>
|
| 178c55a5 | 11-Feb-2025 |
Ed Tanous <etanous@nvidia.com> |
Fix generate auth certificates script
pyCrypto has removed support for the PKCS12 certificates this script generates, so this script is broken as-is on any distro from the last year or two.
Rewrite the script to target python-cryptography instead. While there, implement TODOs around code formatting, using EC keys, removing the dependency on the redfish library, using the service root to determine the correct manager instance to update, and cleaning up the redfish session after a crash.
Tested: Running this script against a Redfish instance shows it runs to completion and the test passes.
Change-Id: Ie1ee1a6f0a548258fe7b7d4c9678a9d55c8b71d1
Signed-off-by: Ed Tanous <etanous@nvidia.com>
|