Fix "Clear Oem Logs" functionality in System Logs

Issue Symptom:
1. "Clear Oem Logs" button didn't show on webui when type select to "Oem".
2. "Clear Oem Logs" button was showed on then pressed with

Fix "Clear Oem Logs" functionality in System Logs

Issue Symptom:
1. "Clear Oem Logs" button didn't show on webui when type select to "Oem".
2. "Clear Oem Logs" button was showed on then pressed with fix, but the function didn't work correctly.
Event logs were deleted instead of Oem logs.

Root cause:
1. getSystemLogs() always get Event logs by default no matter type be selected to "Oem".
2. clearSystemLogs() always clear Event logs by default no matter type be selected to "Oem".

Solution:
1. According "recordType" to get Oem logs from uri:
'/redfish/v1/Systems/' + DataService.systemName + '/LogServices/Crashdump/Entries'
2. According "selectedRecordType" to clear Oem logs by action: uri = '/redfish/v1/Systems/' +
DataService.systemName + '/LogServices/Crashdump/Actions/LogService.ClearLog'

Modified files:
webui/app/common/services/api-utils.js
webui/app/server-health/controllers/syslog-controller.html
webui/app/server-health/controllers/syslog-controller.js

Tested by:
1. In WebUI/Server health/System Logs, select system log type as "Oem", then click "Clear Oem Logs" button.
The Oem logs (CPU Crashdump log) all were deleted.
2. Select system log type as "Event", then click "Clear Event Logs" button.
The System Event Log all were deleted.

Signed-off-by: Tim Lee <timlee660101@gmail.com>
Change-Id: I2a3d42a61f53df84b88585cf7c65a10688eaef05

show more ...

Create profile settings page

Adding a profile settings page so readonly and operator
roles are able to change their own password.

Signed-off-by: Yoshie Muranaka <yoshiemuranaka@gmail.com>
Change-Id

Create profile settings page

Adding a profile settings page so readonly and operator
roles are able to change their own password.

Signed-off-by: Yoshie Muranaka <yoshiemuranaka@gmail.com>
Change-Id: Iee9536255ad47f4df4af8746c1e01da37c407f2b

show more ...

Block forwarding to non-local url

Currently we don't protect against forwarding to remote
url, so things like:

https://<bmc-address>/#/login?next=http:%2F%2Fyahoo.com

can be used to forward an uns

Block forwarding to non-local url

Currently we don't protect against forwarding to remote
url, so things like:

https://<bmc-address>/#/login?next=http:%2F%2Fyahoo.com

can be used to forward an unsuspecting user to a different
url. This fixes that issue.

Tested: Local redirects still work, above link does not

Closes #109

Change-Id: I4d6c52880156802860f405af43037fb84235912f
Signed-off-by: James Feist <james.feist@linux.intel.com>

show more ...

Fix security vulnerabilities

Had a few more vulnerabilities show up including:
regular expressions Cross-Site Scripting (XSS) vulnerability

https://github.com/advisories/GHSA-h9rv-jmmf-4pgx

Remedi

Fix security vulnerabilities

Had a few more vulnerabilities show up including:
regular expressions Cross-Site Scripting (XSS) vulnerability

https://github.com/advisories/GHSA-h9rv-jmmf-4pgx

Remediation
Upgrade serialize-javascript to version 2.1.1 or later.

Ran npm audit fix.

Don't think this was a real vulnerability but always good to fix.

Tested: Built for a Witherspoon, loaded on the code, and tested.

Change-Id: I3af6941fdef98b950c7e17ddfeb368fdccc5cabc
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Update navigation to accordian-style menu

- New navigation provides intuitive structure for showing relationship
between sections and pages
- Menu keeps an open state, which allows easy clicking to

Update navigation to accordian-style menu

- New navigation provides intuitive structure for showing relationship
between sections and pages
- Menu keeps an open state, which allows easy clicking to sibling pages
- Ability to preview all page sections w/o hover over blocking page content
- Allows user to see where they are within navigation at all times

Tested: Opened each page and confirmed new navigation worked, clicked through
to all pages successfully.

Change-Id: Ie10dc95d8e15ee9bf89a3bec9ff231c0a7065ed9
Signed-off-by: Kathy Pine <kathryn.elainex.pine@intel.com>

show more ...

Users: Role Table: Update ssh

https://github.com/openbmc/openbmc/commit/19e81d3f3b731681a57bb5ef9681d33cc291bde8
restricts SSH authentication to only admin role users.

Updated the table.

Tested: L

Users: Role Table: Update ssh

https://github.com/openbmc/openbmc/commit/19e81d3f3b731681a57bb5ef9681d33cc291bde8
restricts SSH authentication to only admin role users.

Updated the table.

Tested: Loaded on a Witherspoon
Change-Id: Ice5c93dc6dc4aa937de2c3fb9072c2f81719325c
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Users: Update Callback/NoAccess Role

https://github.com/openbmc/bmcweb/commit/e9e6d240ab85e515f8d264e39b47a75043b73374
added a new user role, NoAccess.

https://github.com/openbmc/bmcweb/commit/cb3e

Users: Update Callback/NoAccess Role

https://github.com/openbmc/bmcweb/commit/e9e6d240ab85e515f8d264e39b47a75043b73374
added a new user role, NoAccess.

https://github.com/openbmc/bmcweb/commit/cb3e11fadd77b04f5b26aefbde18411625e5e304
removed Callback.

This "NoAccess" role can not ssh, access Redfish, the D-Bus API, or
IPMI.

Tested: Loaded on a witherspoon.
Change-Id: I4f870fdefb5342344fd442876d671a59864bbf34
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

User logged in when IsAuthenticated cookie is set.

Related to https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270

Currently the only condition checked when user is logged in was the
"LOGIN_

User logged in when IsAuthenticated cookie is set.

Related to https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270

Currently the only condition checked when user is logged in was the
"LOGIN_ID" value in browser session storage. The only place in the code
where it is set is the Basic Authorization flow.

In case of mTLS authentication, we are not able to set session storage
value. This is why additional 'IsAuthenticated' cookie is added.

In the case when user session expires, the failing XHR should cause the
page to redirect to the login prompt. Additionally, IsAuthenticated
cookie is removed to disable redirection.

Tested: verified the flow with the mTLS changes. User is put in the
webUI interface without login prompt when using mTLS authentication. If
the authentication fails, browser redirects to the login page.

Signed-off-by: Wiktor Gołgowski <wiktor.golgowski@intel.com>
Change-Id: Ia7061f3e146c6547d4bfdf42940150b1a5c06903

show more ...

AngularJS: vulnerability: npm audit fix

https://github.com/advisories/GHSA-89mq-4x47-5v83
"In AngularJS before 1.7.9 the function merge() could be tricked
into adding or modifying properties of Obje

AngularJS: vulnerability: npm audit fix

https://github.com/advisories/GHSA-89mq-4x47-5v83
"In AngularJS before 1.7.9 the function merge() could be tricked
into adding or modifying properties of Object.prototype using
a __proto__ payload."

Although, don't see how this is a real threat to the webui
fixed anyway.

https://github.com/angular/angular.js/compare/v1.7.8...v1.7.9
The difference between 1.7.8 and 1.7.9 is small.

Discussion in the works to move any from AngularJS
https://lists.ozlabs.org/pipermail/openbmc/2019-November/019431.html

Tested: Built and loaded on a Witherspoon
Change-Id: Ibe2c9671203a76cd8b4dbb8b1dbbaae2a8230138
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Fix LDAP request resulting in 400 response

- Remove all references to the AuthenticationType property since our
request is a PATCH and we are not changing the value.

Resolves: https://github.com/op

Fix LDAP request resulting in 400 response

- Remove all references to the AuthenticationType property since our
request is a PATCH and we are not changing the value.

Resolves: https://github.com/openbmc/phosphor-webui/issues/102

Signed-off-by: Derick Montague <derick.montague@ibm.com>
Change-Id: I911ac41bf61250847e4c308f09df8fd59dd27fa7

show more ...

Sorting certificate table

So far the certificate table was not sorted and it happen that having
multiple certificates they appear on different table position after
machine restart.
That is because t

Sorting certificate table

So far the certificate table was not sorted and it happen that having
multiple certificates they appear on different table position after
machine restart.
That is because the Redfish was used to get the list of certificates
and it does not guarantee any order of elements in returned
collections.

After merging this commit certificates will be always sorted by:
type, issuer name and then by date.

Tested:
Manual tests were made to cofirm that certificates are properly sorted.

Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Change-Id: Ie8e63d598cd04e2396ed09244a69284e49566f8d

show more ...

Add file upload component

Created reusuable file upload component to be used on updated firmware page.
Component can:
-Upload file
-Display status icon
-Clear upload field

Made minor style change t

Add file upload component

Created reusuable file upload component to be used on updated firmware page.
Component can:
-Upload file
-Display status icon
-Clear upload field

Made minor style change to file upload on certificate management.

Tested in GUI.

Signed-off-by: Dixsie Wolmers <dixsiew@gmail.com>
Change-Id: I09bf56eee4d670681ea5e95c1807f8177c0e4c08

show more ...

Update loading spinner

Loader was updated with loading icon svg. Added inline style
for loading icon and added loader svg to status-icon directive.
Status icons will be used in file-upload component

Update loading spinner

Loader was updated with loading icon svg. Added inline style
for loading icon and added loader svg to status-icon directive.
Status icons will be used in file-upload component for firmware page update.

Signed-off-by: Dixsie Wolmers <dixsiew@gmail.com>
Change-Id: I15e6f9fa39a08fcc8cfe354f8ed4447aab6425a9

show more ...

Fix truncated button icons on Safari

Removing margin offset to fix issue with button icons being
visually truncated on Safari. Removing additional redundant
code around same icon/buttons.

Signed-of

Fix truncated button icons on Safari

Removing margin offset to fix issue with button icons being
visually truncated on Safari. Removing additional redundant
code around same icon/buttons.

Signed-off-by: Yoshie Muranaka <yoshiemuranaka@gmail.com>
Change-Id: Ie1ef89023a043a70a0126a21be57febb9afae19a

show more ...

Create alert banner component

This reusuable component will help to make sure banner
implementations are consistent and will help reduce
redundant code.

Signed-off-by: Yoshie Muranaka <yoshiemurana

Create alert banner component

This reusuable component will help to make sure banner
implementations are consistent and will help reduce
redundant code.

Signed-off-by: Yoshie Muranaka <yoshiemuranaka@gmail.com>
Change-Id: I3a16f65d36c2d61abf54c300e2ed5defeadee298

show more ...

Create firmware-card component

Create reusable firmware card component that will be
used in the updated firmware page:
https://ibm.invisionapp.com/share/4XNZ0JAMJ7B#/screens/319212821_4-8-D-1_Home

Create firmware-card component

Create reusable firmware card component that will be
used in the updated firmware page:
https://ibm.invisionapp.com/share/4XNZ0JAMJ7B#/screens/319212821_4-8-D-1_Home

Signed-off-by: Yoshie Muranaka <yoshiemuranaka@gmail.com>
Change-Id: I86e526c59ac5c2e2c011aed0ce4bc3d82db63b5e

show more ...

Fix table-actions error

When using the table component with table actions
enabled, if an icon file name isn't provided, the
action type should display in the table.
This will fix the webpack error w

Fix table-actions error

When using the table component with table actions
enabled, if an icon file name isn't provided, the
action type should display in the table.
This will fix the webpack error when compiling the
table component without an icon to display by changing
the ng-if directive to check for falsy values instead
of just 'null' to also catch 'undefined' values.

Signed-off-by: Yoshie Muranaka <yoshiemuranaka@gmail.com>
Change-Id: I72daeb035e4e5f0391953f9f2ae042d0b9fc2b99

show more ...

Remove firmware reboot timeout

A 10 second timeout was used as a tempoary work-around
before rebooting the BMC on the firmware page–removing
the timeout since it is no longer needed.

Signed-off-by:

Remove firmware reboot timeout

A 10 second timeout was used as a tempoary work-around
before rebooting the BMC on the firmware page–removing
the timeout since it is no longer needed.

Signed-off-by: Yoshie Muranaka <yoshiemuranaka@gmail.com>
Change-Id: I6a95d5f5bb377d3fd3cc0802f7fb3d6d0f177870

show more ...

Send password when saving LDAP settings

- Add password to the createLdapEnableRequest Authentication object to
be sent with the LDAP payload
- Add a Password to scoped ldapProperties object

Sign

Send password when saving LDAP settings

- Add password to the createLdapEnableRequest Authentication object to
be sent with the LDAP payload
- Add a Password to scoped ldapProperties object

Signed-off-by: Derick Montague <derick.montague@ibm.com>
Change-Id: I63a880548bc3d9d61c4b73719457ce19222aa354

show more ...

Remove Ed as Maintainer

Ed is no longer working on the OpenBMC project.
https://lists.ozlabs.org/pipermail/openbmc/2019-October/019000.html

During Ed's time as a Maintainer, the Web UI moved from a

Remove Ed as Maintainer

Ed is no longer working on the OpenBMC project.
https://lists.ozlabs.org/pipermail/openbmc/2019-October/019000.html

During Ed's time as a Maintainer, the Web UI moved from a prototype,
that could only be run locally to a full-fledged ~20 page Web
Interface with features such as Serial Over Lan Console, IP KVM,
Virtual Media, LDAP, and Multiple User Mangement, that takes up
only ~450KB in the build.

Change-Id: I85aafbde5cc600a3e80cfbd1f2f5c38223275f26
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Certificate delete API – frontend

With introducing option to add multiple certificates there is a need to give
user a possibility to remove selected certificates, for example when they
expire.
This

Certificate delete API – frontend

With introducing option to add multiple certificates there is a need to give
user a possibility to remove selected certificates, for example when they
expire.
This commit adds implementation of DELETE function to GUI.
A new icon will appear in action section on certificate table.
The delete icon will be enabled only for TrustStore certificates and disabled
for others which does not have support for delete option.
When user clicks on the delete icon then ‘user prompt’ is displayed and after
confirmation, proper redfish action is used to delete the certificate.

Middlewere implementation is here:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/25281

Backend implementation is here:
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/25268

Tested on Chrome and Mozilla.
New icon appears in action section.
The delete option is available only for TrustStore certificates.
User is able to delete selected certificate.

Depends-On: I9781c5c79288ec5d080e80e42c63a55e471ddb77
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Change-Id: I68c5f54767d6982ae3cb00830b3a1b4f5e237bea

show more ...

Remove CSP protections from HTML

When I originally wrote CSP into the webui files, I intended to drop it
into the HTML file so it could be removed from bmcweb. Unfortunately,
that plan doesn't fly,

Remove CSP protections from HTML

When I originally wrote CSP into the webui files, I intended to drop it
into the HTML file so it could be removed from bmcweb. Unfortunately,
that plan doesn't fly, as the CSP headers in bmcweb need to remain for
non-html files.

This normally wouldn't matter, but a number of people utilize
BMCWEB_INSECURE_DISABLE_XSS_PREVENTION to run the webui locally and
debug a new webui patch from a working BMC. This causes the CSP headers
to conflict, and the browser to fail with a CSP error on connect-src
when debugging locally.

Removing the CSP section entirely from the webui resolves this, and
doesn't change functionality at all, as it's still covered in bmcweb.

Tested: Will verify on a real platform.

Verified that building the webui locally with the above bmcweb flag
allows the webui to launch correctly.

Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: I60e5011361ec3ce1930249a20cf34480beb48a7f

show more ...

Update toast notification

Added new toast notification types, warn and info,
and updated visual styling. All toasts will need
to be manually closed by clicking the 'X' close icon,
except a success t

Update toast notification

Added new toast notification types, warn and info,
and updated visual styling. All toasts will need
to be manually closed by clicking the 'X' close icon,
except a success toast which will be dismissed
automatically after 10 secs.

- Small updates to critical and success/on icon
- Added new colors for toast status background colors

Signed-off-by: Yoshie Muranaka <yoshiemuranaka@gmail.com>
Change-Id: I9077109042621b2d3346b4121d6344da502b6b26

show more ...

Rename "User" role "ReadOnly"

https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/26156
is renaming the User role ReadOnly. Update the Roles table.

26156 needs to merge first.

Tested: Loaded on

Rename "User" role "ReadOnly"

https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/26156
is renaming the User role ReadOnly. Update the Roles table.

26156 needs to merge first.

Tested: Loaded on a Witherspoon.
Change-Id: I948a6287d2c447072d5c34595589387e127d59ac
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Update certificate management page consistency

This change applies global styles to improve
page layout consistency and modal management

- Adds page and section styles
- Removes unused styles
- Cre

Update certificate management page consistency

This change applies global styles to improve
page layout consistency and modal management

- Adds page and section styles
- Removes unused styles
- Creates individual html files for modals
- Updates certificate modals to bootstrap modal
- Updates global styles for input file field in file-upload.scss

TODO:
- Update certificate table with table component in separate commit
- Update CSR modal to use global form-field styles in separate commit

Signed-off-by: Dixsie Wolmers <dixsiew@gmail.com>
Change-Id: I9b800cb684740da1a9168294433e726efb0f9d0e

show more ...