Enable readability-redundant-control-flow checks

These checks are a nice addition to our static analysis, as they
simplify code quite a bit, as can be seen by this diff being negative
lines.

Signed

Enable readability-redundant-control-flow checks

These checks are a nice addition to our static analysis, as they
simplify code quite a bit, as can be seen by this diff being negative
lines.

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I60ede4ad23d7e5337e811d70ddcab24bf8986891

show more ...

Implement MIME parsing

This commit adds two core features to bmcweb:

1. A multipart mime parser that can read multipart form requests into
bmcweb. This is implemented as a generic parser that iden

Implement MIME parsing

This commit adds two core features to bmcweb:

1. A multipart mime parser that can read multipart form requests into
bmcweb. This is implemented as a generic parser that identifies the
content-type strings and parses them into structures.

2. A /login route that can be logged into with a multipart form. This
is to allow changing the login screen to a purely forms based
implementation, thus removing the very large whitelist we currently have
to maintain, and removing javascript from our threat envelope.

More testing is still needed, as this is a parser that exists outside of
the secured areas, but in this simple example, it seems to work well.

Tested: curl -vvvvv --insecure -X POST -F 'username=root' -F
'password=0penBmc' https://<bmc ip address>:18080/login

Returned; { "data": "User 'root' logged in", "message": "200 OK",
"status": "ok" }

Change-Id: Icc3f4c082d584170b65b9e82f7876926cd38035d
Signed-off-by: Ed Tanous<ed@tanous.net>
Signed-off-by: George Liu <liuxiwei@inspur.com>

show more ...

Convert IPv4-mapped IPv6 ClientIP back to IPv4

Current HTTP server creates an IPv6 acceptor to accept both IPv4 and
IPv6 connections. In this way, IPv4 address will be presented as IPv6
address in I

Convert IPv4-mapped IPv6 ClientIP back to IPv4

Current HTTP server creates an IPv6 acceptor to accept both IPv4 and
IPv6 connections. In this way, IPv4 address will be presented as IPv6
address in IPv4-mapped format. This patch converts it back to IPv4.

Tested:
Verified the ClientOriginIP in Session is shown in native IPv4 format
instead of IPv4-mapped IPv6 format.

Change-Id: Icd51260b2d4572d52f5c670128b7f07f6b5e6912
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@intel.com>

show more ...

Using AsyncResp everywhere

Get the core using AsyncResp everywhere, and not have each individual handler
creating its own object.We can call app.handle() without fear of the response
getting ended a

Using AsyncResp everywhere

Get the core using AsyncResp everywhere, and not have each individual handler
creating its own object.We can call app.handle() without fear of the response
getting ended after the first tree is done populating.
Don't use res.end() anymore.

Tested:
1. Validator passed.

Signed-off-by: zhanghaicheng <zhanghch05@inspur.com>
Change-Id: I867367ce4a0caf8c4b3f4e07e06c11feed0782e8

show more ...

Add SameSite=Strict on Set-Cookie

Set SameSite to Strict since OpenBMC does not have functionality
that requires Lax or None.

SameSite Strict provides a little protection against CSRF attacks
by en

Add SameSite=Strict on Set-Cookie

Set SameSite to Strict since OpenBMC does not have functionality
that requires Lax or None.

SameSite Strict provides a little protection against CSRF attacks
by ensuring the cookie is only sent to requests originating from
the same site that set the cookie.

This came from some discussion on discord.

From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

SameSite=<samesite-value> Optional
Controls whether a cookie is sent with cross-origin requests,
providing some protection against cross-site request forgery attacks

Inline options are:

Strict: The browser sends the cookie only for same-site requests
(that is, requests originating from the same site that set the
cookie). If the request originated from a different URL than the
current one, no cookies with the SameSite=Strict attribute are sent.

Lax: The cookie is not sent on cross-site requests, such as calls
to load images or frames, but is sent when a user is navigating to
the origin site from an external site (e.g. if following a link).
This is the default behavior if the SameSite attribute is not
specified.

None: The browser sends the cookie with both cross-site and
same-site requests. The Secure attribute must also be set when
SameSite=None!

Note: On Firefox 85, FireFox still doesn't have the Default set
to SameSite=Lax. This can be changed via "about:config" and
"network.cookie.sameSite.laxByDefault".

Tested: Webui-vue works. Redfish GUI browser works.
Websockets work on the GUI.
Tested GUI functions that call POST and PATCH.
Can see the XSRF-TOKEN and SESSION cookies are SameSite
Strict with this build. Before were SameSite None.
Browser DevTools -> Storage on Firefox to view cookies.
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

Change-Id: I4402f2930847c1d47b22696631be26d33c78b6f9

show more ...

Redfish Session : Fix clientIp getting mapped to clientId

When the session is created using /login, the ClientOriginIPAddress
is mapped to the clientId parameter which displayed the clientIP
instead

Redfish Session : Fix clientIp getting mapped to clientId

When the session is created using /login, the ClientOriginIPAddress
is mapped to the clientId parameter which displayed the clientIP
instead of the of clientId.
The similar problem is observed with auth methods other than sessions
created using the SessionService resource

This commit swaps the clientId and clientIp parameters passed to
generateUserSession API, so that the optional clientId is
passed as the last parameter

Tested by :
1. Create session using Redfish command
POST https://${bmc}/login -d '{"username": <>,"password": <>}'
POST https://${bmc}/redfish/v1/SessionService/Sessions
-d '{"username": <>,"password": <>}'
2. Open the GUI session to check the clientId is not displaying the
ClientOriginIPAddress

Signed-off-by: Sunitha Harish <sunithaharish04@gmail.com>
Change-Id: I6cee3de963c489e690d2ad0bb09ba78dca39e4f9

show more ...

Redfish Session : Support ClientOriginIPAddress

This commit implements the ClientOriginIPAddress property on
the session resource. The IP address is persisted across the reboot

Tested by:
1. Crea

Redfish Session : Support ClientOriginIPAddress

This commit implements the ClientOriginIPAddress property on
the session resource. The IP address is persisted across the reboot

Tested by:
1. Create session
POST https://${bmc}/redfish/v1/SessionService/Sessions -d '{"UserName":<>, "Password":<>}'
2. Check the session gets updated with the ClientOriginIPAddress
GET https://${bmc}/redfish/v1/SessionService/Sessions/<id>
3. Redfish validator passed
4. Create session and reboot the BMC to ensure the IP address is persisted
5. Tested the basic auth populates the clientIp at req

Signed-off-by: Sunitha Harish <sunharis@in.ibm.com>
Change-Id: Iaa60d0657c991bde4bcf6c86819055c71c92e421

show more ...

fix include names

cppcheck isn't smart enough to recognize these are c++ headers, not c
headers. Considering we're already inconsistent about our naming, it's
easier to just be consistent, and move

fix include names

cppcheck isn't smart enough to recognize these are c++ headers, not c
headers. Considering we're already inconsistent about our naming, it's
easier to just be consistent, and move the last few files to use .hpp
instead of .h.

Tested:
Code builds, no changes.

Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: Ic348d695f8527fa4a0ded53f433e1558c319db40

show more ...

Enable clang warnings

This commit enables clang warnings, and fixes all warnings that were
found. Most of these fall into a couple categories:

Variable shadow issues were fixed by renaming variabl

Enable clang warnings

This commit enables clang warnings, and fixes all warnings that were
found. Most of these fall into a couple categories:

Variable shadow issues were fixed by renaming variables

unused parameter warnings were resolved by either checking error codes
that had been ignored, or removing the name of the variable from the
scope.

Other various warnings were fixed in the best way I was able to come up
with.

Note, the redfish Node class is especially insidious, as it causes all
imlementers to have variables for parameters, regardless of whether or
not they are used. Deprecating the Node class is on my list of things
to do, as it adds extra overhead, and in general isn't a useful
abstraction. For now, I have simply fixed all the handlers.

Tested:
Added the current meta-clang meta layer into bblayers.conf, and added
TOOLCHAIN_pn-bmcweb = "clang" to my local.conf

Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: Ia75b94010359170159c703e535d1c1af182fe700

show more ...

Remove middlewares

Middlewares, while kinda cool from an academic standpoint, make our
build times even worse than they already are. Given that we only really
use 1 real middleware today (token aut

Remove middlewares

Middlewares, while kinda cool from an academic standpoint, make our
build times even worse than they already are. Given that we only really
use 1 real middleware today (token auth) and it needs to move into the
parser mode anyway (for security limiting buffer sizes), we might as well
use this as an opportunity to delete some code.

Some other things that happen:
1. Persistent data now moves out of the crow namespace
2. App is no longer a template
3. All request_routes implementations no longer become templates. This
should be a decent (unmeasured) win on compile times.

This commit was part of a commit previously called "various cleanups".
This separates ONLY the middleware deletion part of that.

Note, this also deletes about 400 lines of hard to understand code.

Change-Id: I4c19e25491a153a2aa2e4ef46fc797bcb5b3581a
Signed-off-by: Ed Tanous <ed@tanous.net>

show more ...

Deprecate the "" operator, and isEqP

While a cool example of how to do string matching in constexpr space,
the set of verbs available to HTTP has been fixed for a very long time.

This was ported ov

Deprecate the "" operator, and isEqP

While a cool example of how to do string matching in constexpr space,
the set of verbs available to HTTP has been fixed for a very long time.

This was ported over to beast a while back, but we kept the API for....
mediocre reasons of backward compatibility. Remove that, and delete the
now unused code.

Tested: Built and loaded on a Witherspoon. Validator passes.

Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: Iaf048e196f9b6e71983189877203bf80390df286
Signed-off-by: James Feist <james.feist@linux.intel.com>
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Rework Authorization flow

Currently we parse the whole message before authenticating,
allowing an attacker the ability to upload a large image,
or keep a connection open for the max amount of time e

Rework Authorization flow

Currently we parse the whole message before authenticating,
allowing an attacker the ability to upload a large image,
or keep a connection open for the max amount of time easier
than it should be. This moves the authentication to the
earliest point possible, and restricts unauthenticated users
timeouts and max upload sizes. It also makes it so that
unauthenticated users cannot keep the connection alive
forever by refusing to close the connection.

Tested:
- login/logout
- firmware update
- large POST when unauthenticated
- timeouts when unauthenticated
- slowhttptest

Change-Id: Ifa02d8db04eac1821e8950eb85e71634a9e6d265
Signed-off-by: James Feist <james.feist@linux.intel.com>

show more ...