| e5dd4999 | 17-Feb-2025 |
Ed Tanous <etanous@nvidia.com> |
Remove getNthStringFromPath function
This utility function is being removed for several reasons. First, it does not verify the full string on URIs and paths, so things like /foo/bar/baz/valid_id would still pass this check.
Second, it is used for both URIs and dbus paths, both of which we have better utility functions these days respectively, boost::url for urls and sdbusplus::message::object_path for dbus paths. Neither of the two is escaped properly when this function is used.
Therefore, remove it and replace it with the appropriate alternatives.
The existing URI functions were found to not accept fragments (given they are rarely used in PATCH). Add support for fragments to cover the getNthStringFromPath use cases.
Tested: Redfish service validator passes.
Change-Id: Ibc6755ad69397123d7fef0e0b764042bbb48888b
Signed-off-by: Ed Tanous <etanous@nvidia.com>
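As an added illustration of the first point in the message (example code, not bmcweb's), a hypothetical helper that only checks the leading path segments, next to one that checks the whole path. The `"{}"` template marker and both function names are assumptions of this example.

```cpp
// Added example (not bmcweb code): a hypothetical "match the leading
// segments" check in the spirit of the removed helper, beside a check that
// validates the whole path. "{}" marks the single variable segment.
#include <optional>
#include <string>
#include <string_view>
#include <vector>

// Split a URI or D-Bus style path on '/'; empty segments are dropped.
std::vector<std::string_view> splitPath(std::string_view path) {
    std::vector<std::string_view> segments;
    size_t start = 0;
    while (start <= path.size()) {
        size_t end = path.find('/', start);
        if (end == std::string_view::npos) end = path.size();
        if (end > start) segments.push_back(path.substr(start, end - start));
        start = end + 1;
    }
    return segments;
}

// Walk the template segments and capture the "{}" one. Path segments past
// the end of the template are never examined here.
std::optional<std::string> matchLeading(const std::vector<std::string_view>& p,
                                        const std::vector<std::string_view>& t) {
    if (p.size() < t.size()) return std::nullopt;
    std::optional<std::string> id;
    for (size_t i = 0; i < t.size(); ++i) {
        if (t[i] == "{}") id = std::string(p[i]);
        else if (t[i] != p[i]) return std::nullopt;
    }
    return id;  // nullopt if the template had no "{}"
}

// Weak check: "/foo/bar/baz/valid_id" passes a "/foo/bar/{}" template
// because the unmatched tail is ignored.
std::optional<std::string> weakMatch(std::string_view path, std::string_view templ) {
    return matchLeading(splitPath(path), splitPath(templ));
}

// Full check: segment counts must agree, so extra or missing segments fail.
std::optional<std::string> exactMatch(std::string_view path, std::string_view templ) {
    std::vector<std::string_view> p = splitPath(path);
    std::vector<std::string_view> t = splitPath(templ);
    if (p.size() != t.size()) return std::nullopt;
    return matchLeading(p, t);
}
```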
|
| d07a5ee3 | 25-Sep-2025 |
Ed Tanous <etanous@nvidia.com> |
Tune http2 window and frame sizes
http2 maintains its own frame ACK window per stream. While the defaults work well in most cases, for large binary uploads, like Redfish UpdateService, the relatively small default window size of 16KB leads to slower performance than http1. While it's not expected to see a performance improvement, we would prefer to not see a regression for a normal use case.
Update the HTTP2 max frame size to 16KB. Setting the internal buffer to the same size + the http2 header allows clocking in the entire frame in one async read. Note, setting the value higher than 16KB doesn't appear to allow curl to send larger frames.
Also update the HTTP window size to 512KB, or 32 times the max frame size. Note, all streams including the control stream are set to this value, which, while somewhat arbitrary, allows for continued UpdateService pushing without pauses for window ACK.
Tested: POST /redfish/v1/UpdateService/update-multipart of an arbitrary 100MB file through curl shows that the --http1.1 and --http2 options are within 5% of the same upload time.
Change-Id: I7ff6296a9cc0794aad63f5058620c0f1fb9299e3
Signed-off-by: Ed Tanous <etanous@nvidia.com>
|
| dd859f90 | 23-Sep-2025 |
Ed Tanous <etanous@nvidia.com> |
Filter http2 headers
When using aggregation with http2, :authority headers were getting forwarded to the client, which didn't know how to deal with them on http1.
Filter all http2 headers.
Tested: Unit tests pass.
Change-Id: I6a834656b604004eeba1a2aa2f245ef211f28495
Signed-off-by: Ed Tanous <etanous@nvidia.com>
|
| 4d7b5ddb | 26-Feb-2025 |
Malik Akbar Hashemi Rafsanjani <malikrafsan@meta.com> |
mtls: implement UPN parse mode
This commit is intended to implement the UserPrincipalName (UPN) parse mode on mutual TLS (MTLS). By implementing this we can use the X509 certificate extension Subject Alternative Name (SAN), specifically UPN, to be used as the username.
In our case, this feature is needed because we have a specific format on our Subject CN of the X509 certificate. This format cannot be directly mapped to the username of bmcweb because it contains special characters (`/` and `:`), which cannot exist in the username. Changing the format of our Subject CN is very risky. By enabling this feature we can use another field, which is the SAN extension, as the username and not change our Subject CN on the X509 certificate.
In general, by implementing this feature, we can enable multiple options for the system. There might be other cases where we want the username of bmcweb to not be equal to the Subject CN of the certificate; instead the username is added as the UserPrincipalName field in the certificate.
The format of the UPN is `<username>@<domain>` [1][2]. The format is similar to email format. The domain name identifies the domain in which the user is located [3] and it should match the device name's domain (domain forest).
Tested:
- Test using `generate_auth_certificate.py` (extended on patch [4])
- Manual testing (please see the script mentioned above for more detail)
- Setup certificate with UPN inside SAN extension
- Change the CertificateMappingAttribute to use UPN
- Get request to `/SessionService/Sessions`
- Run unit tests
[1] UPN Format: https://learn.microsoft.com/en-us/windows/win32/secauthn/user-name-formats#user-principal-name
[2] UPN Properties: https://learn.microsoft.com/en-us/windows/win32/ad/naming-properties#userprincipalname
[3] UPN Glossary: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_9d606f55-b798-4def-bf96-97b878bb92c6
[4] Patch Testing Script: https://gerrit.openbmc.org/c/openbmc/bmcweb/+/78837
Change-Id: I490da8b95aee9579546971e58ab2c4afd64c5997
Signed-off-by: Malik Akbar Hashemi Rafsanjani <malikrafsan@meta.com>
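An added example (not bmcweb's implementation) of the `<username>@<domain>` parsing the message describes: the UPN string is split, the username part is checked against a local-username alphabet that excludes `/` and `:`, and the result is accepted only when the domain matches the BMC's own. The allowed alphabet, the domain rule and the function names are assumptions of this example.

```cpp
// Added example (not bmcweb code): parse a SAN UserPrincipalName into
// <username>@<domain>; the alphabet and domain rule here are assumptions.
#include <cctype>
#include <optional>
#include <string>
#include <string_view>
#include <utility>
// Local usernames: [A-Za-z0-9_.-]. '/' and ':' (present in the commit's
// Subject CN format) are deliberately excluded.
bool isUsernameChar(unsigned char c) {
    return std::isalnum(c) != 0 || c == '_' || c == '-' || c == '.';
}

// Domain: non-empty dot-separated labels of [A-Za-z0-9-].
bool isValidDomain(std::string_view domain) {
    size_t labelStart = 0;
    for (size_t i = 0; i <= domain.size(); ++i) {
        if (i == domain.size() || domain[i] == '.') {
            if (i == labelStart) return false;  // empty label
            labelStart = i + 1;
        } else if (!std::isalnum(static_cast<unsigned char>(domain[i])) && domain[i] != '-') {
            return false;
        }
    }
    return true;
}

// Split "<username>@<domain>": exactly one '@', both parts well formed.
std::optional<std::pair<std::string, std::string>> parseUpn(std::string_view upn) {
    size_t at = upn.find('@');
    if (at == std::string_view::npos || at == 0 || at + 1 >= upn.size()) return std::nullopt;
    if (upn.find('@', at + 1) != std::string_view::npos) return std::nullopt;
    std::string_view user = upn.substr(0, at), domain = upn.substr(at + 1);
    for (unsigned char c : user)
        if (!isUsernameChar(c)) return std::nullopt;
    if (!isValidDomain(domain)) return std::nullopt;
    return std::make_pair(std::string(user), std::string(domain));
}

// Username for the session, only when the UPN domain equals the BMC's domain
// (DNS names compare case-insensitively).
std::optional<std::string> usernameFromUpn(std::string_view upn, std::string_view bmcDomain) {
    auto parsed = parseUpn(upn);
    if (!parsed || parsed->second.size() != bmcDomain.size()) return std::nullopt;
    for (size_t i = 0; i < bmcDomain.size(); ++i)
        if (std::tolower(static_cast<unsigned char>(parsed->second[i])) !=
            std::tolower(static_cast<unsigned char>(bmcDomain[i]))) return std::nullopt;
    return parsed->first;
}
```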
|
| ebe4c574 | 08-Feb-2025 |
Ed Tanous <etanous@nvidia.com> |
Implement http2 TODO
To support HTTP2 simultaneously on http and https connections, the HTTP connection classes formerly took the socket as a template option, allowing passing ssl::stream<tcp::socket> or simply tcp socket. With the addition of the multiple-sockets option, this would cause two copies of the template to be instantiated, increasing both compile times and binary size.
This commit applies the same logic to http2connection as was applied to HTTPConnection, adding an http type parameter to the constructor, which allows switching between adapter and adapter.next_level() on each read or write operation. In compiled code, this means that the connection classes are only specialized once.
Tested: When configured for one of each http and https socket and http2:
curl --http2 http://<ip>/redfish/v1 succeeds
curl --http2 https://<ip>/redfish/v1 succeeds
Change-Id: I8f33796edd5874d5b93d10a3f253cfadd4f6d7a4
Signed-off-by: Ed Tanous <etanous@nvidia.com>
|
| 796ba93b | 01-Aug-2020 |
Ed Tanous <ed@tanous.net> |
Enable HTTP additional sockets
This commit attempts to add the concept of an SSL detector from beast, and add the capability into bmcweb. This allows directing multiple socket files to the bmcweb instance, and bmcweb will automatically sort out whether or not they're SSL, and give the correct response. This allows users to plug in erroneous urls like "https://mybmc:80" and they will forward and work correctly.
Some key design points: The HTTP side of bmcweb implements the exact same http headers as the HTTPS side, with the exception of HSTS, which is explicitly disallowed. This is for consistency and security.
The above allows bmcweb builds to "select" the appropriate security posture (http, https, or both) for a given channel using the FileDescriptorName field within a socket file. Items ending in:
- both: Will support both HTTPS and HTTP redirect to HTTPS
- https: Will support HTTPS only
- http: will support HTTP only
Given the flexibility in bind statements, this allows administrators to support essentially any security posture they like. The openbmc defaults are: HTTPS + Redirect on both ports 443 and port 80 if http-redirect is enabled
And HTTPS only if http-redirect is disabled.
This commit adds the following meson options that each take an array of strings, indexed on the port.
- additional-ports: Adds additional ports that bmcweb should listen to. This is always required when adding new ports.
- additional-protocol: Specifies 'http', 'https', or 'both' for whether or not tls is enforced on this socket. 'both' allows bmcweb to detect whether a user has specified tls or not on a given connection and give the correct response.
- additional-bind-to-device: Accepts values that fill the SO_BINDTODEVICE flag in systemd/linux, and allows binding to a specific device.
- additional-auth: Accepts values of 'auth' or 'noauth' that determines whether this socket should apply the normal authentication routines, or treat the socket as unauthenticated.
Tested: Previous commits ran the below tests. Ran the server with options enabled. Tried:
```
curl -vvvv --insecure --user root:0penBmc http://192.168.7.2/redfish/v1/Managers/bmc
*   Trying 192.168.7.2:80...
* Connected to 192.168.7.2 (192.168.7.2) port 80 (#0)
* Server auth using Basic with user 'root'
> GET /redfish/v1/Managers/bmc HTTP/1.1
> Host: 192.168.7.2
> Authorization: Basic cm9vdDowcGVuQm1j
> User-Agent: curl/7.72.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: https://192.168.7.2
< X-Frame-Options: DENY
< Pragma: no-cache
< Cache-Control: no-Store,no-Cache
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Content-Security-Policy: default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:
< Date: Fri, 08 Jan 2021 01:43:49 GMT
< Connection: close
< Content-Length: 0
<
* Closing connection 0
```
Observe above:
- webserver returned 301 redirect.
- webserver returned the appropriate security headers
- webserver immediately closed the connection.
The same test above over https:// returns the values as expected
Loaded the webui to test static file hosting. Webui logs in and works as expected.
Used the scripts/websocket_test.py to verify that websockets work. Sensors report as expected.
Change-Id: Ib5733bbe5473fed6e0e27c56cdead0bffedf2993
Signed-off-by: Ed Tanous <ed@tanous.net>
|
| 80d2ef31 | 04-Feb-2025 |
Ed Tanous <etanous@nvidia.com> |
Implement urlsafe base64 decode
base64 decoding comes in two flavors, "normal" which we already implement, and "url safe" which modifies the alphabet to create base64 encodings that are safe to use in filenames and urls. Functionally this just involves swapping two characters with underscore and minus in the encode/decode table. To avoid duplicating a lot of code, this commit refactors the base64 tables to be generated at compile time.
Tested: Included unit tests pass. No usage until next commit.
Change-Id: I71724fd2e04000f115c22a40d382d411986d7b39
Signed-off-by: Ed Tanous <etanous@nvidia.com>
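An added example (not bmcweb's code) of the approach the message describes: both decode tables are built at compile time from their alphabet strings, which differ only in the last two symbols, and a single decoder is parameterised on the table. Padding handling and the function names are assumptions of this example.

```cpp
// Added example (not bmcweb code): standard and URL-safe base64 decode
// tables generated at compile time from their alphabets, with one decoder
// shared by both variants.
#include <array>
#include <cstdint>
#include <optional>
#include <string>
#include <string_view>

constexpr std::string_view kStdAlphabet =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
constexpr std::string_view kUrlAlphabet =  // only the last two symbols differ
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
constexpr uint8_t kInvalid = 0xFF;

// Reverse lookup table: input byte -> 6-bit value, or kInvalid.
constexpr std::array<uint8_t, 256> makeDecodeTable(std::string_view alphabet) {
    std::array<uint8_t, 256> table{};
    for (uint8_t& v : table) v = kInvalid;
    for (size_t i = 0; i < alphabet.size(); ++i)
        table[static_cast<unsigned char>(alphabet[i])] = static_cast<uint8_t>(i);
    return table;
}
constexpr std::array<uint8_t, 256> kStdDecode = makeDecodeTable(kStdAlphabet);
constexpr std::array<uint8_t, 256> kUrlDecode = makeDecodeTable(kUrlAlphabet);
// Decode with the given table. '=' padding is accepted only as a trailing
// run and may be omitted (common for URL-safe data); any other byte outside
// the alphabet rejects the whole input rather than being skipped.
std::optional<std::string> base64Decode(std::string_view in,
                                        const std::array<uint8_t, 256>& table) {
    std::string out;
    uint32_t acc = 0;  // bit accumulator; only the low 14 bits are ever read
    int bits = 0;
    for (size_t i = 0; i < in.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(in[i]);
        if (c == '=') {
            if (in.find_first_not_of('=', i) != std::string_view::npos) return std::nullopt;
            break;
        }
        uint8_t v = table[c];
        if (v == kInvalid) return std::nullopt;
        acc = (acc << 6) | v;
        bits += 6;
        if (bits >= 8) { bits -= 8; out.push_back(static_cast<char>((acc >> bits) & 0xFF)); }
    }
    return out;
}
std::optional<std::string> base64DecodeStd(std::string_view in) { return base64Decode(in, kStdDecode); }
std::optional<std::string> base64DecodeUrl(std::string_view in) { return base64Decode(in, kUrlDecode); }
```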
|
| e4628c81 | 16-Dec-2024 |
Ed Tanous <etanous@nvidia.com> |
Move isJSONContentType to content-type parser
Previously this function was based on a basic string comparison. This is fine, but found several inconsistencies, like not handling spaces in the appropriate places.
This commit creates a new function getContentType, using the new parsing infrastructure. As doing this, it showed that the existing parser functions were not handling case insensitive compares for the mime type. While this is technically not required, it's something we unit test for, and relatively easy to add.
Note, that because this parser ignores charset, this moves charset=ascii from something that previously failed, to something that now succeeds. This is expected.
Tested: Unit tests pass. Good coverage
Change-Id: I825a72862135b62112ee504ab0d9ead9d6796354
Signed-off-by: Ed Tanous <etanous@nvidia.com>
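An added example (not bmcweb's parser) of the three behaviours the message calls out: whitespace around `;` and `=` is tolerated, the media type is compared case-insensitively, and `charset` is parsed but ignored when deciding whether the body is JSON. The structure and function names are assumptions of this example.

```cpp
// Added example (not bmcweb code): a small Content-Type parser that compares
// the media type case-insensitively and ignores charset for the JSON check.
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <string_view>
struct ContentType {
    std::string mediaType;                      // lower-cased "type/subtype"
    std::map<std::string, std::string> params;  // lower-cased parameter names
};
std::string_view trim(std::string_view s) {
    while (!s.empty() && std::isspace(static_cast<unsigned char>(s.front()))) s.remove_prefix(1);
    while (!s.empty() && std::isspace(static_cast<unsigned char>(s.back()))) s.remove_suffix(1);
    return s;
}
std::string toLower(std::string_view s) {
    std::string out(s);
    std::transform(out.begin(), out.end(), out.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return out;
}
// Grammar handled: media-type *( OWS ";" OWS parameter ), with parameter as
// name "=" value and quoted values unquoted (escapes inside quotes are out
// of scope for this example).
ContentType parseContentType(std::string_view header) {
    ContentType ct;
    size_t pos = header.find(';');
    ct.mediaType = toLower(trim(header.substr(0, pos)));
    while (pos != std::string_view::npos) {
        std::string_view rest = header.substr(pos + 1);
        size_t next = rest.find(';');
        std::string_view param = trim(rest.substr(0, next));
        size_t eq = param.find('=');
        if (eq != std::string_view::npos) {
            std::string_view value = trim(param.substr(eq + 1));
            if (value.size() >= 2 && value.front() == '"' && value.back() == '"')
                value = value.substr(1, value.size() - 2);
            ct.params[toLower(trim(param.substr(0, eq)))] = std::string(value);
        }
        pos = (next == std::string_view::npos) ? next : pos + 1 + next;
    }
    return ct;
}
// Only the media type decides; "charset=ascii" or any other parameter is
// neither required nor rejected, matching the behaviour the commit describes.
bool isJsonContentType(std::string_view header) {
    return parseContentType(header).mediaType == "application/json";
}
```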
|