3ce3688a | 09-Jun-2024 | Ed Tanous <ed@tanous.net>
Mutual TLS parsing change at runtime
Redfish AccountService[1] defines methods for selecting how to map a certificate CommonName attribute to a user. These are intended to be a patch parameter.
This commit implements the Redfish defined schemas; the parsing mode is stored in the bmcweb persistent configuration file as an integer enum, with a mapping to the Redfish schema.
To handle OEM specific parsing modes, an enum value of 100+ is defined to allow the additional OEM parameters. Unfortunately, Redfish doesn't have a way to represent these today, so those modes are currently not selectable at runtime.
Now that things are runtime selectable, this obsoletes the option mutual-tls-common-name-parsing, as it is no longer required at compile time.
Tested:
GET /redfish/v1/AccountService returns MultiFactorAuth/ClientCertificate/CertificateMappingAttribute

PATCH /redfish/v1/AccountService
```
{"MultiFactorAuth": {"ClientCertificate": {"CertificateMappingAttribute":"CommonName"}}}
```
Returns 200
[1] https://github.com/DMTF/Redfish-Publications/blob/5b217908b5378b24e4f390c063427d7a707cd308/csdl/AccountService_v1.xml#L1631
Change-Id: I67db0dfa5245a9da973320aab666d12dbd9229e4
Signed-off-by: Ed Tanous <ed@tanous.net>
ac1e1246 | 11-Jul-2024 | Ed Tanous <ed@tanous.net>
Make multipart use consistent parse
This is an instance of common error #5. Fix it.
Tested: Code compiles. Inspection only.
Change-Id: I5580a9789930ffab6513a03689b633d5201e72a4
Signed-off-by: Ed Tanous <ed@tanous.net>
29aab242 | 12-Jun-2024 | Paul Fertser <fercerpav@gmail.com>
Send cookies to webui-vue from Sessions POST
Using Redfish-standard X-Auth-Token authentication is less secure (against injected JS code) compared to an HttpOnly (not available to the JS VM) SESSION cookie. Currently webui-vue authenticates connections to WebSocket URIs not only by a JS-accessible token (passed as subprotocol when upgrading to WS) but also via a SESSION cookie (even though it is not subject to CORS policy).
To allow WebSocket-based functionality (IP KVM, SOL, VM) after creating a Session object, send a set of cookies instead of the X-Auth-Token header if the request was made by webui-vue (detected by the presence of the "X-Requested-With" header).
Factor out cookie setting and clearing functions and use explicit Path=/ attribute as the cookies are valid for the whole server, not just the path of the endpoint they were created by.
Not specifying Path was functional for the /login endpoint because https://www.rfc-editor.org/rfc/rfc6265#section-5.3 point 7 for this case says "set the cookie's path to the default-path of the request-uri" and https://www.rfc-editor.org/rfc/rfc6265#section-5.1.4 tells how to compute the default path. Basically, it was a "happy coincidence" that /login defaults to / for the Path; if it were /openbmc/login then the cookies would have been set to Path=/openbmc and would not work at all for /redfish/v1 endpoints.
Tested: Redfish-Service-Validator doesn't see a difference. Runtime testing logging in via Sessions endpoint, getting data, using websockets and logging out against webui-vue with a corresponding change while carefully observing Request and Response headers. Creating a session with curl without the special header shows just X-Auth-Token and no cookies in the response.
Change-Id: I0b1774e586671874bb79f115e9cddf194f9ea653
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
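The RFC 6265 rules this commit relies on, as an added example (Python, not bmcweb's own C++ code): the default-path a user agent assigns to a cookie set without `Path`, the path-match it applies on later requests, and the explicit `Path=/; HttpOnly` attributes the commit switches to. The `Secure` attribute and all function names are this example's own.

```python
from typing import Optional


def default_path(request_path: str) -> str:
    """Default-path of a request-uri (RFC 6265 section 5.1.4), which a user
    agent assigns to a cookie whose Set-Cookie header carries no Path."""
    # Step 1: an empty path, or one not starting with "/", defaults to "/".
    if not request_path.startswith("/"):
        return "/"
    # Step 2: a path containing only the leading "/" (e.g. "/login") also
    # defaults to "/"; this is the "happy coincidence" in the commit message.
    if request_path.count("/") == 1:
        return "/"
    # Step 3: otherwise, the path up to but not including the right-most "/",
    # so "/openbmc/login" yields "/openbmc".
    return request_path[: request_path.rfind("/")]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Path-match (RFC 6265 section 5.1.4): is a cookie stored with
    cookie_path attached to a request for request_path?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix only counts at a "/" boundary: "/openbmc" matches "/openbmc/x"
    # but not "/openbmcx".
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def stored_cookie_path(set_by: str, explicit_path: Optional[str]) -> str:
    """Path the user agent stores for a cookie set in a response to set_by."""
    return explicit_path if explicit_path is not None else default_path(set_by)


def cookie_reaches(set_by: str, explicit_path: Optional[str], target: str) -> bool:
    """Will a cookie set by set_by be sent with a later request to target?"""
    return path_matches(target, stored_cookie_path(set_by, explicit_path))


def session_set_cookie(name: str, value: str) -> str:
    """Set-Cookie header value for a server-wide session cookie. Path=/ and
    HttpOnly follow the commit message; Secure is this example's addition,
    appropriate because the BMC interface is served over HTTPS."""
    return f"{name}={value}; Path=/; Secure; HttpOnly"
```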
28ee563e | 24-May-2024 | Myung Bae <myungbae@us.ibm.com>
Fix Chassis Topology Links Handling
https://gerrit.openbmc.org/c/openbmc/bmcweb/+/60914 implements topology links for chassis using `getAssociationEndPoints()` for `containing/contained_by` associations.
If the association is used only between chassis, the desired result is obtained.
```
busctl get-property xyz.openbmc_project.Inventory.Manager \
  /xyz/openbmc_project/inventory/system/chassis \
  xyz.openbmc_project.Association.Definitions Associations
a(sss) ... containing" "contained_by" "/xyz/openbmc_project/inventory/system/chassis/motherboard/rdx0"
```
```
$ curl -k -X GET https://${bmc}/redfish/v1/Chassis/chassis
{
  "@odata.id": "/redfish/v1/Chassis/chassis",
  "@odata.type": "#Chassis.v1_22_0.Chassis",
  "Links": {
    "Contains": [
      ...
      {
        "@odata.id": "/redfish/v1/Chassis/rdx0"
      },
```
However, the same associations can also be used in other cases, for the other types[1].
For example, https://gerrit.openbmc.org/c/openbmc/openbmc/+/70372 also adds the associations between chassis and the non-chassis/board resources.
```
busctl get-property xyz.openbmc_project.Inventory.Manager \
  /xyz/openbmc_project/inventory/system/chassis \
  xyz.openbmc_project.Association.Definitions Associations
…
"containing" "contained_by" "/xyz/openbmc_project/inventory/system/chassis/motherboard/connector0"
…
"containing" "contained_by" "/xyz/openbmc_project/inventory/system/chassis/motherboard/rdx0"
```
In that case, Chassis Links gives the undesired result, including the non-chassis resources in the `Contains` collection.
```
$ curl -k -X GET https://${bmc}/redfish/v1/Chassis/chassis
{
  "@odata.id": "/redfish/v1/Chassis/chassis",
  "@odata.type": "#Chassis.v1_22_0.Chassis",
  "Links": {
    "Contains": [
      ...
      {
        "@odata.id": "/redfish/v1/Chassis/connector0"
      },
      ...
```
This commit limits the Chassis `Contains` collection to the chassis/board resources.
Tested:
- Check the Chassis/Links collection to see whether there are non-chassis resources: `curl -k -X GET https://${bmc}/redfish/v1/Chassis/chassis`
- Redfish Service Validator passes
[1] https://github.com/openbmc/phosphor-dbus-interfaces/blob/e2c9bc74f2b8c0e78c305894289f8938d75ee108/yaml/xyz/openbmc_project/Inventory/Item/README.md?plain=1#L21
Change-Id: I472fc12379694acc35055965400141dbb1b33bfc
Signed-off-by: Myung Bae <myungbae@us.ibm.com>
478c5a57 | 26-Jun-2024 | Paul Fertser <fercerpav@gmail.com>
Fix returning Roles for Sessions POST
When the session is just getting created the normal privileges validation workflow isn't executed and so the current role remains unknown. Fix this by refactoring dbus_privileges.hpp to allow obtaining the information from phosphor-user-manager late in the request processing.
Tested: Redfish Service Validator passes.
Creating a session for local user:
```
$ curl -k -H "Content-Type: application/json" -X POST https://172.41.1.250:18080/redfish/v1/SessionService/Sessions -d '{"UserName":"root", "Password":"0penBmc"}'
{
  "@odata.id": "/redfish/v1/SessionService/Sessions/lfFsCNjshV",
  "@odata.type": "#Session.v1_7_0.Session",
  "ClientOriginIPAddress": "172.40.1.4",
  "Description": "Manager User Session",
  "Id": "lfFsCNjshV",
  "Name": "User Session",
  "Roles": [
    "Administrator"
  ],
  "UserName": "root"
}
```
Creating a session for remote user mapped to Operator:
```
$ curl -k -H "Content-Type: application/json" -X POST https://172.41.1.250:18080/redfish/v1/SessionService/Sessions -d '{"UserName":ldap_sync", "Password":"ldap_password"}'
{
  "@odata.id": "/redfish/v1/SessionService/Sessions/qVffc4ePJK",
  "@odata.type": "#Session.v1_7_0.Session",
  "ClientOriginIPAddress": "172.40.1.4",
  "Description": "Manager User Session",
  "Id": "qVffc4ePJK",
  "Name": "User Session",
  "Roles": [
    "Operator"
  ],
  "UserName": "ldap_sync"
}
```
Fixes: https://github.com/openbmc/bmcweb/issues/280
Fixes: ce22f6099e7e28ae26591348bf484ebedbc1ed42
Change-Id: If76c43563244e3819ee3fbc60d9df7f6a21c1fa3
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
25991f7d | 13-Jun-2024 | Ed Tanous <ed@tanous.net>
Add filter parameter support
$filter is a parameter documented in the Redfish specification, section 7.3.4. It defines a mechanism for filtering arbitrary collections of parameters based on a set of arbitrary language expressions.
From the specification, it supports the following language operators:
| Operator | Description | Example |
|---|---|---|
| `()` | Precedence grouping operator. | `(Status/State eq 'Enabled' and Status/Health eq 'OK') or SystemType eq 'Physical'` |
| `and` | Logical and operator. | `ProcessorSummary/Count eq 2 and MemorySummary/TotalSystemMemoryGiB gt 64` |
| `eq` | Equal comparison operator. | `ProcessorSummary/Count eq 2` |
| `ge` | Greater than or equal to comparison operator. | `ProcessorSummary/Count ge 2` |
| `gt` | Greater than comparison operator. | `ProcessorSummary/Count gt 2` |
| `le` | Less than or equal to comparison operator. | `MemorySummary/TotalSystemMemoryGiB le 64` |
| `lt` | Less than comparison operator. | `MemorySummary/TotalSystemMemoryGiB lt 64` |
| `ne` | Not equal comparison operator. | `SystemType ne 'Physical'` |
| `not` | Logical negation operator. | `not (ProcessorSummary/Count eq 2)` |
| `or` | Logical or operator. | `ProcessorSummary/Count eq 2 or ProcessorSummary/Count eq 4` |
Support for these operators has been added in previous commits. This commit enables them behind the insecure-enable-redfish-query meson option. This is an arbitrary language, so the likelihood there's some improper implementation in the patch is high. This gives folks the ability to test it.
Tested: Lots of unit tests included in this patch.
Functionally tested the basic operators:
```
GET /redfish/v1/Managers/bmc/LogServices/Journal/Entries?\$filter=EntryType+eq+'Oem'
GET /redfish/v1/Managers/bmc/LogServices/Journal/Entries?\$filter=EntryType+ne+'Oem'
```
These function as expected, producing multiple results or no results respectively.
GET /redfish/v1 reports "FilterQuery": true
Redfish service validator passes.
Change-Id: Id568acc5dcfce868af12da5ee16c4f0caae8060a
Signed-off-by: Ed Tanous <ed@tanous.net>
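As an added example (Python, not bmcweb's C++ implementation), a compact evaluator for the operator set listed in this commit: it tokenizes the expression, parses it with the precedence the specification gives (`not` binds tightest, then `and`, then `or`, with `()` overriding), resolves `/`-separated property paths on a resource decoded from JSON, treats a missing property as null so that ordering it against a number is a non-match rather than a fault, and rejects malformed input with `ValueError`. Function names are this example's own.

```python
import collections
import operator
import re

# Tokens: parens, a single-quoted string, a number, or a bare word (keyword or path).
_TOKEN = re.compile(r"\(|\)|'[^']*'|-?\d+(?:\.\d+)?|[A-Za-z_][\w/@.]*")
_COMPARE = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt,
            "ge": operator.ge, "lt": operator.lt, "le": operator.le}
_BOOL = {"and": lambda l, r: lambda res: l(res) and r(res),
         "or": lambda l, r: lambda res: l(res) or r(res)}
_KEYWORDS = {"(", ")", "not", *_BOOL, *_COMPARE}


def _lookup(resource, path):
    """Walk a '/'-separated property path; anything missing reads as null."""
    for part in path.split("/"):
        resource = resource.get(part) if isinstance(resource, dict) else None
    return resource


def compile_filter(expr):
    """Compile $filter into a predicate; precedence, loosest first: or, and, not."""
    toks = _TOKEN.findall(expr)
    # Anything the tokenizer had to skip is a syntax error, not silently dropped.
    if re.sub(r"\s", "", "".join(toks)) != re.sub(r"\s", "", expr):
        raise ValueError("unrecognised characters in $filter")
    toks = collections.deque(toks)
    def take():
        if not toks:
            raise ValueError("unexpected end of $filter")
        return toks.popleft()
    def binary(op, sub):  # left-associative chain of one boolean operator
        node = sub()
        while toks and toks[0] == op:
            toks.popleft()
            node = _BOOL[op](node, sub())
        return node
    def expression():
        return binary("or", lambda: binary("and", negation))
    def negation():
        if toks and toks[0] == "not":
            toks.popleft()
            inner = negation()
            return lambda res: not inner(res)
        return comparison()
    def comparison():
        if toks and toks[0] == "(":
            toks.popleft()
            node = expression()
            if take() != ")":
                raise ValueError("unbalanced parentheses in $filter")
            return node
        left, op, right = operand(), take(), operand()
        if op not in _COMPARE:
            raise ValueError(f"expected comparison operator, got {op!r}")
        def compare(res):
            try:
                return _COMPARE[op](left(res), right(res))
            except TypeError:  # a null or a string ordered against a number
                return False
        return compare
    def operand():
        tok = take()
        if tok.startswith("'"):
            return lambda res: tok[1:-1]
        if re.fullmatch(r"-?\d+(?:\.\d+)?", tok):
            value = float(tok) if "." in tok else int(tok)
            return lambda res: value
        if tok in _KEYWORDS:
            raise ValueError(f"expected operand, got {tok!r}")
        return lambda res: _lookup(res, tok)
    predicate = expression()
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return predicate


def filter_members(expr, members):
    """Keep the members of a collection that satisfy the $filter expression."""
    predicate = compile_filter(expr)
    return [m for m in members if predicate(m)]
```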
9dae4dee | 03-Jun-2024 | Jagpal Singh Gill <paligill@gmail.com>
add D-Bus interface for unstructured HTTP push
Add the D-Bus interface for unstructured HTTP push update. Unstructured HTTP push updates are discouraged in favor of Multipart-form based updates, hence the D-Bus interface has been added only for BMC updates for backward compatibility. For more details refer to [1].
Tested:
```
> curl -k -H "X-Auth-Token: $token" -H "Content-Type: application/octet-stream" -X POST -T obmc-phosphor-image-romulus-20240529184214.static.mtd.tar https://${bmc}/redfish/v1/UpdateService/update
{
  "@odata.id": "/redfish/v1/TaskService/Tasks/0",
  "@odata.type": "#Task.v1_4_3.Task",
  "Id": "0",
  "TaskState": "Running",
  "TaskStatus": "OK"
}
```
[1]: https://www.dmtf.org/sites/default/files/standards/documents/DSP2062_1.0.1.pdf
Change-Id: I365c0c188190032cb191940072399d9abd8a87b3
Signed-off-by: Jagpal Singh Gill <paligill@gmail.com>
e93abac6 | 14-Jun-2024 | Ginu George <ginugeorge@ami.com>
Pass redfishPropertyName earlier argument
It was pointed out that the setDbusProperty method should have an end that approximately matches dbus-send and busctl set-property in its arguments, to aid with debug. This seems reasonable.
Tested: Redfish service validator passes.
Change-Id: Ic20295d93c71c957e3e76704e1eda9da187861b1
Signed-off-by: Ginu George <ginugeorge@ami.com>
Signed-off-by: Ed Tanous <ed@tanous.net>
9c95be77 | 03-Jun-2024 | Jagpal Singh Gill <paligill@gmail.com>
remove unstructured HTTP patch for ApplyOptions
Remove the support for Unstructured HTTP patch as the main user of this Redfish API is IBM and they only use this API to set the ApplyTime as immediate. Hence ApplyTime will be passed as immediate (as default) for Unstructured HTTP POST updates. Modify the get for ApplyTime to only return immediate.
Tested:
Patch operation removal test:
```
> curl -k -H "X-Auth-Token: $token" -H "Content-Type: application/json" -X PATCH -d '{"HttpPushUriOptions":{"HttpPushUriApplyTime":{"ApplyTime":"Immediate"}}}' https://${bmc}/redfish/v1/UpdateService
{
  "error": {
    "@Message.ExtendedInfo": [
      {
        "@odata.type": "#Message.v1_1_1.Message",
        "Message": "The HTTP method is not allowed on this resource.",
        "MessageArgs": [],
        "MessageId": "Base.1.16.0.OperationNotAllowed",
        "MessageSeverity": "Critical",
        "Resolution": "None."
      }
    ],
    "code": "Base.1.16.0.OperationNotAllowed",
    "message": "The HTTP method is not allowed on this resource."
  }
}
```
ApplyTime get test:
```
> curl -k -H "X-Auth-Token: $token" https://${bmc}/redfish/v1/UpdateService
{
  "@odata.id": "/redfish/v1/UpdateService",
  "@odata.type": "#UpdateService.v1_11_1.UpdateService",
  "Actions": {
    "#UpdateService.SimpleUpdate": {
      "TransferProtocol@Redfish.AllowableValues": [
        "HTTPS"
      ],
      "target": "/redfish/v1/UpdateService/Actions/UpdateService.SimpleUpdate"
    }
  },
  "Description": "Service for Software Update",
  "FirmwareInventory": {
    "@odata.id": "/redfish/v1/UpdateService/FirmwareInventory"
  },
  "HttpPushUri": "/redfish/v1/UpdateService/update",
  "HttpPushUriOptions": {
    "HttpPushUriApplyTime": {
      "ApplyTime": "Immediate"
    }
  },
  "Id": "UpdateService",
  "MaxImageSizeBytes": 31457280,
  "MultipartHttpPushUri": "/redfish/v1/UpdateService/update",
  "Name": "Update Service",
  "ServiceEnabled": true
}
```
Change-Id: I25d21119d74a3411cd1fd581c9d56e1e9e1604f8
Signed-off-by: Jagpal Singh Gill <paligill@gmail.com>
91f75caf | 10-Jun-2024 | Ed Tanous <ed@tanous.net>
Fix regression in Manager chassis finding
18f8f60 introduced two regressions where the config was checking parent_path() instead of filename, where previously they used ends_with, not starts_with. This was found via inspection.
Testing: Unclear how to exactly test this, but we should at least get the code to appear correct in inspection.
[1] https://github.com/openbmc/bmcweb/commit/18f8f608b966c802b3e2a389e3c1ec5a1fd9407b#diff-c49b52746d73fb038cb7892f9204d663efd1b9e4fa6b4dac38c5c9620b2c2944R1495
Change-Id: I45441a6e1549f09e7a570c74d3ee4438ecc07cbe
Signed-off-by: Ed Tanous <ed@tanous.net>
049079f6 | 02-Jun-2024 | Jagpal Singh Gill <paligill@gmail.com>
update service: update applytime value
Update interface has been updated to use ApplyTime from ApplyTime interface. This helps to avoid any conversions between the values. Hence update the BMCWeb to reflect this change.
Tested:
```
curl -k -H "X-Auth-Token: $token" -H "Content-Type:multipart/form-data" -X POST -F UpdateParameters="{\"Targets\":[\"/redfish/v1/UpdateService/FirmwareInventory/3c956be0\"],\"@Redfish.OperationApplyTime\":\"Immediate\"} ;type=application/json" -F "UpdateFile=@obmc-phosphor-image-romulus-20240529184214.static.mtd.tar;type=application/octet-stream" https://${bmc}/redfish/v1/UpdateService/update
{
  "@odata.id": "/redfish/v1/TaskService/Tasks/2",
  "@odata.type": "#Task.v1_4_3.Task",
  "Id": "2",
  "TaskState": "Running",
  "TaskStatus": "OK"
}
```
Change-Id: I311d8048d80616cc8933c3e32ca44b4cfa64b1e9
Signed-off-by: Jagpal Singh Gill <paligill@gmail.com>
ce22f609 | 03-Jun-2024 | Paul Fertser <fercerpav@gmail.com>
Expose current Role in Session object
As discussed at https://gerrit.openbmc.org/c/openbmc/webui-vue/+/70758 having that information available to front end is desired for UX purposes (hiding pages and actions that are not permitted to the current user anyway).
This field was added in #Session.v1_7_0.Session released on 2023.2.
Tested: current role correctly reported (e.g. "Administrator") as the only array element, Redfish-Service-Validator passes.
Fixes: #275
Change-Id: Ic9d8f02ca5859cb4b9996fd85b0896ce76ea22aa
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
20fa6a2c | 20-May-2024 | Ed Tanous <ed@tanous.net>
Remove the last instances of json pattern
In the past, we've tried to eradicate the use of nlohmann::json(initializer_list<...>) because it bloats binary sizes, as every type is given a new nlohmann constructor.
This commit hunts down the last few places where we call this. There are still 2 remaining in openbmc_dbus_rest after this, but those are variant accesses that are difficult to triage, and considering it's a less used API, they're left as is.
Tested: WIP
Change-Id: Iaac24584bb78bb238da69010b511c1d598bd38bc
Signed-off-by: Ed Tanous <ed@tanous.net>
de0c960c | 29-Apr-2024 | Jagpal Singh Gill <paligill@gmail.com>
updateservice: add start update D-Bus interface
Add the start update D-Bus interface based flow for the multi-form content path. This involves mapping the TargetURI to the corresponding serviceName and objectPath which hosts the specific D-Bus interface. As per discussion with the Redfish community, both ResourceURI and FirmwareInventory Redfish URI can be used as TargetURI. The current implementation already allows /redfish/v1/Managers/<bmc>, hence support for this specific ResourceURI has been preserved. The new implementation adds the FirmwareInventory Redfish URI for TargetURI as the default option. https://redfishforum.com/thread/1054. For more details on the design refer to:
- https://gerrit.openbmc.org/c/openbmc/phosphor-dbus-interfaces/+/65738
- https://gerrit.openbmc.org/c/openbmc/docs/+/65739
Tested: Redfish Validator and Build passes.

Multipart form data update request with Resource URI as target:
```
curl -k -H "X-Auth-Token: $token" -H "Content-Type:multipart/form-data" \
  -X POST -F UpdateParameters="{\"Targets\":[\"/redfish/v1/Managers/bmc\"],\"@Redfish.OperationApplyTime\":\"Immediate\"};type=application/json" \
  -F "UpdateFile=@obmc-phosphor-image-romulus-20240425222313.static.mtd.all.tar;type=application/octet-stream" \
  https://${bmc}/redfish/v1/UpdateService/update
{
  "@odata.id": "/redfish/v1/TaskService/Tasks/0",
  "@odata.type": "#Task.v1_4_3.Task",
  "Id": "0",
  "TaskState": "Running",
  "TaskStatus": "OK"
}
```
Multipart form data update request with Firmware Inventory URI as target:
```
curl -k -H "X-Auth-Token: $token" -H "Content-Type:multipart/form-data" \
  -X POST -F UpdateParameters="{\"Targets\":[\"/redfish/v1/Managers/bmc\"],\"@Redfish.OperationApplyTime\":\"Immediate\"};type=application/json" \
  -F "UpdateFile=@obmc-phosphor-image-romulus-20240509003505.static.mtd.all.tar;type=application/octet-stream" \
  https://${bmc}/redfish/v1/UpdateService/update
{
  "@odata.id": "/redfish/v1/TaskService/Tasks/1",
  "@odata.type": "#Task.v1_4_3.Task",
  "Id": "1",
  "TaskState": "Running",
  "TaskStatus": "OK"
}
```
Change-Id: Id46de79d3af8834630a793678a6fc0e859295afe
Signed-off-by: Jagpal Singh Gill <paligill@gmail.com>
4a8f5d43 | 24-May-2024 | Johnathan Mantey <johnathanx.mantey@intel.com>
Improve IPv4 default gateway removal
Removing the IPv4 default gateway doesn't work correctly when only a single static address has been assigned. This is expected to be the common mode of operation, and needs to work correctly.
When more than one static address is managed it's necessary to preserve the existing gateway. If any address is left unmodified, added, or is modified the gateway must be preserved.
Tested:
- Turned off DHCPv4, and assigned a single static address. Sent a PATCH null to delete the address. Confirmed the default gateway got cleared.
- Assigned two static addresses. Sent a PATCH {}, null. Sent PATCH null. Confirmed expected default gateway handling.
- Assigned two static addresses. Sent a PATCH null, {}. Sent PATCH null. Confirmed expected default gateway handling.
Change-Id: I85c4a0533f9468b424602aeb636b8f4f218a9a13
Signed-off-by: Johnathan Mantey <johnathanx.mantey@intel.com>
e67543c2 | 20-May-2024 | Ed Tanous <ed@tanous.net>
Remove openbmc-rest includes
These includes seem to have snuck in. In theory nothing in redfish should be taking a #include in anything in openbmc-rest.
Tested: Code compiles
Change-Id: Ifec2a9b18f296870f67b15f98fc44c67050e9e28
Signed-off-by: Ed Tanous <ed@tanous.net>
253f11b8 | 16-May-2024 | Ed Tanous <ed@tanous.net>
Allow configuring "bmc" and "system"
In the early days of bmcweb, we made two pretty critical assumptions. First, that a given platform would only have a single BMC instance (represented as "bmc") and a single host instance (represented as "system"). Second, we assumed that, given that Redfish suggests against hardcoding URIs in client implementations and leaves them freeform, clients would code to the standard.
Our own webui-vue hardcodes Redfish URIs [1], and the documentation is littered with curl examples hardcoding these URIs. That bug was filed in 2020, and the issue has only gotten worse over time.
This patchset is an attempt to give a target that we can start solving these issues, without trying to boil the ocean and fix all clients in parallel.
This commit adds the meson options redfish-manager-uri-name and redfish-system-uri-name.
These are used to control the "name" that bmcweb places in the fixed locations in the ManagerCollection and ComputerSystemCollection schemas.
Note, managers is added, but is not currently testable. It will be iterated on over time.
Tested: Changed the URL options to "edsbmc" and "edssystem" in meson options.
Redfish service validator passes. URLs appear changed when walking the tree.
[1] https://github.com/openbmc/webui-vue/issues/43
Change-Id: I4b44685067051512bd065da8c2e3db68ae5ce23a
Signed-off-by: Ed Tanous <ed@tanous.net>
e518ef32 | 16-May-2024 | Ravi Teja <raviteja28031990@gmail.com>
Remove sessions on user password update
When a user's password is changed, existing Redfish sessions for that user, created with the old password, continue to work.
As per OWASP session management, "The session ID must be renewed or regenerated by the web application after any privilege level change within the associated user session... Common scenarios to consider include; password changes, permission changes, or switching from a regular user role to an administrator role within the web application." [1]
[1] https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
This commit removes existing user sessions when the user's password is changed. This commit leaves the current session in place through a new removeSessionsByUsernameExceptSession().
This commit doesn't completely get us fully to what OWASP says but is a start.
Tested:
Create some users:
```
curl -k -v -X POST -H "Content-Type: application/json" \
  https://$bmc/redfish/v1/AccountService/Accounts/ -d \
  '{"UserName":"testadminuser","Password":"<password>","RoleId":"Administrator","Enabled":true}'
```
Using basic auth was able to update own password and another user's password.
Using token auth, verified the current session did not get deleted but other sessions from that user did.
```
curl -k -H "Content-Type: application/json" -X POST -D headers.txt \
  https://${bmc}/redfish/v1/SessionService/Sessions -d \
  '{"UserName":"testadminuser", "Password":"<password>"}'
```
```
curl -k -v -X PATCH -H "X-Auth-Token: $token" \
  -H "Content-Type:application/json" \
  https://$bmc/redfish/v1/AccountService/Accounts/testadminuser \
  -d '{"Password":"<password>"}'
```
Verified when changing another user's password all sessions were dropped.
Change-Id: I4de60b84964a6b29c021dc3a2bece9ed4bc09eac
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>
c71b6c99 | 29-Apr-2024 | Jagpal Singh Gill <paligill@gmail.com>
updateservice: refactor task creation
Refactor task creation into a separate function so it can be used from different places in code. The new usage of this function will be from the start update interface based flow. For more details refer to:
- https://gerrit.openbmc.org/c/openbmc/phosphor-dbus-interfaces/+/65738
- https://gerrit.openbmc.org/c/openbmc/docs/+/65739
Tested: Firmware update using curl.
Change-Id: I5e8a0ab98f49657178ee733fa4d34fbf40a7b1f3
Signed-off-by: Jagpal Singh Gill <paligill@gmail.com>