Relace node-sass with dart-sass

This patchset moves phosphor-webui away from node-sass. This is a good
thing overall, and should make phosphor-webui build a little faster,
given it doesn't have to

Relace node-sass with dart-sass

This patchset moves phosphor-webui away from node-sass. This is a good
thing overall, and should make phosphor-webui build a little faster,
given it doesn't have to compile libsass. It also dumps a significant
number of dependencies from the tree.

webui-vue has a similar patch:
https://gerrit.openbmc-project.xyz/c/openbmc/webui-vue/+/35663

Tested:
Build phosphor-webui with changes. Builds as expected.

Change-Id: I30537284518ebf2e0816568e25320a55ade323e4
Signed-off-by: Ed Tanous <ed@tanous.net>

show more ...

Drop encoding library

Commit f4a43cca440535a63592877c9bdbbe28636d803c attempted to fix a IE
bug in the SOL library. Unfortunately, it did it by pulling in the
entire NPM encoding library, which is

Drop encoding library

Commit f4a43cca440535a63592877c9bdbbe28636d803c attempted to fix a IE
bug in the SOL library. Unfortunately, it did it by pulling in the
entire NPM encoding library, which is insanely large (190kb after
minification and compression). This is almost equivalent to the rest of
our javascript put together! That's nuts, and I don't think anyone
would argue that's a binary hit worth taking for IE9 support.

This commit removes it, and swaps in an inline polyfill from the mozilla
recommendations, that compresses much....much smaller.

Before this patchset build prints:
app.bundle.js.gz 522 KiB [emitted] [big]

After this patchset:
app.bundle.js.gz 332 KiB [emitted] [big]

If you don't want to break out a calculator, that's 190KB savings in the
root filesystem, and should cut the initial page load time (on slow
connections) by nearly 30 percent.

Note: text-encodings was never pinned in the package-lock.json, hence
why you don't see a diff removing it from package lock. This was a miss
on the original commiters part, although it doesn't really matter, as
it's now removed.

PS: A reviewer may note, I could've moved the polyfill into its own
file. Considering the serial console is the only page that uses that,
and it's not that big I elected not to, to make removing it analagous
with removing xterm/the serial console.

Bonus content!
Added a (commented out) webpack config that allows you to generate the
webui as individual gzipped fragments, instead of one bundle. This
allows you to see file sizes on a package by package basis, and was how
I found this commit in question.

Testing:
This is where this patchset gets hairy. I dont' have an IE9 instance to
test on. Given it's low usage, and the fact that it's a relatively
straightforward change we can probably just wait for someone to tell us
it's broken again.

Enjoy the sweet sweet savings.

Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: I2820ff1c4b33d725ebc63490793a72fe600b8ed3
Signed-off-by: Ed Tanous <ed@tanous.net>

show more ...

Python3 Support: Force node-gyp to 6.1.0

The version of node-gyp, ^3.8.0, used by node-sass does not support
Python 3 only environments.

Starting with node-gyp 5.0.0, support for Python 3 only was

Python3 Support: Force node-gyp to 6.1.0

The version of node-gyp, ^3.8.0, used by node-sass does not support
Python 3 only environments.

Starting with node-gyp 5.0.0, support for Python 3 only was added.

Added node-gyp 6.1.0 to package.json and edited the node-sass
"requires" in package-lock.json to force node-sass to use this
version.

This problem can be seen if building an image or the webui
recipe with the meta-oe and poky subtree bumps:
https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/31299
https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/31297

This poky refresh deprecates python2. From the mailing list:
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020421.html

node-sass knows of this issue and has a fix, same fix as this,
move node-gyp to 6.1.0, but that fix isn't in a release yet.
Asked for a timeline of when a release with this fix will
happen. This change can be removed after moving to a
version of node-sass with this fix.
https://github.com/sass/node-sass/issues/2877

Considered using https://www.npmjs.com/package/npm-force-resolutions
but required more packages and wasn't simple to make work.

Modifying package-lock.json manually is not recommended but
in this case until fixed upstream, not a better solution.

Tested: Built for a Witherspoon and no regression.
Was able to build the GUI with change and 31299 / 31297.
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
Change-Id: I514395ca0ae2fda6d46cb7a2a3e70cc5b92be58d

show more ...

Update packages and fix vulnerabilities

Ran "npm-check --update-all --save-exact"
then "npm audit fix".
Rolled back to xterm 3, since problems building xterm 4.

Tested: Built the GUI and loaded on

Update packages and fix vulnerabilities

Ran "npm-check --update-all --save-exact"
then "npm audit fix".
Rolled back to xterm 3, since problems building xterm 4.

Tested: Built the GUI and loaded on a Witherspoon.

Change-Id: Ibe86fba54090bfa8b4ef0a6d87baf3dd4f88d48f
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

NoVNC: Changes to package-lock.json

Changes added to package-lock.json from building.

Change-Id: Idb1af188e312e5aae808948871f2c867b594b1d1
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

Add XSRF token into websocket request

Add XSRF token so we can implement CRSF checking
on websockets.

Tested: Saw it in bmcweb logs

Change-Id: Ie9479508bc69fad631f66fb282133ad18d025300
Signed-off-

Add XSRF token into websocket request

Add XSRF token so we can implement CRSF checking
on websockets.

Tested: Saw it in bmcweb logs

Change-Id: Ie9479508bc69fad631f66fb282133ad18d025300
Signed-off-by: James Feist <james.feist@linux.intel.com>

show more ...

Fix security vulnerabilities

Had a few more vulnerabilities show up including:
regular expressions Cross-Site Scripting (XSS) vulnerability

https://github.com/advisories/GHSA-h9rv-jmmf-4pgx

Remedi

Fix security vulnerabilities

Had a few more vulnerabilities show up including:
regular expressions Cross-Site Scripting (XSS) vulnerability

https://github.com/advisories/GHSA-h9rv-jmmf-4pgx

Remediation
Upgrade serialize-javascript to version 2.1.1 or later.

Ran npm audit fix.

Don't think this was a real vulnerability but always good to fix.

Tested: Built for a Witherspoon, loaded on the code, and tested.

Change-Id: I3af6941fdef98b950c7e17ddfeb368fdccc5cabc
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

AngularJS: vulnerability: npm audit fix

https://github.com/advisories/GHSA-89mq-4x47-5v83
"In AngularJS before 1.7.9 the function merge() could be tricked
into adding or modifying properties of Obje

AngularJS: vulnerability: npm audit fix

https://github.com/advisories/GHSA-89mq-4x47-5v83
"In AngularJS before 1.7.9 the function merge() could be tricked
into adding or modifying properties of Object.prototype using
a __proto__ payload."

Although, don't see how this is a real threat to the webui
fixed anyway.

https://github.com/angular/angular.js/compare/v1.7.8...v1.7.9
The difference between 1.7.8 and 1.7.9 is small.

Discussion in the works to move any from AngularJS
https://lists.ozlabs.org/pipermail/openbmc/2019-November/019431.html

Tested: Built and loaded on a Witherspoon
Change-Id: Ibe2c9671203a76cd8b4dbb8b1dbbaae2a8230138
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Remove CSP protections from HTML

When I originally wrote CSP into the webui files, I intended to drop it
into the HTML file so it could be removed from bmcweb. Unfortunately,
that plan doesn't fly,

Remove CSP protections from HTML

When I originally wrote CSP into the webui files, I intended to drop it
into the HTML file so it could be removed from bmcweb. Unfortunately,
that plan doesn't fly, as the CSP headers in bmcweb need to remain for
non-html files.

This normally wouldn't matter, but a number of people utilize
BMCWEB_INSECURE_DISABLE_XSS_PREVENTION to run the webui locally and
debug a new webui patch from a working BMC. This causes the CSP headers
to conflict, and the browser to fail with a CSP error on connect-src
when debugging locally.

Removing the CSP section entirely from the webui resolves this, and
doesn't change functionality at all, as it's still covered in bmcweb.

Tested: Will verify on a real platform.

Verified that building the webui locally with the above bmcweb flag
allows the webui to launch correctly.

Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: I60e5011361ec3ce1930249a20cf34480beb48a7f

show more ...

Update package version

Have the package.json version follow the version used in OpenBMC.

cat /etc/os-release
ID="openbmc-phosphor"
NAME="Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro)

Update package version

Have the package.json version follow the version used in OpenBMC.

cat /etc/os-release
ID="openbmc-phosphor"
NAME="Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro)"
VERSION="2.8.0-dev"
VERSION_ID="2.8.0-dev-277-g08902b0-dirty"
PRETTY_NAME="Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro) 2.8.0-dev"
BUILD_ID="2.8.0-dev"
OPENBMC_TARGET_MACHINE="witherspoon

When a 2.8.0 branch is created this should be updated to "2.8.0" before the
2.8.0 tag in the 2.8.0 branch.
After the 2.8.0 branch, when a 2.9.0-dev OpenBMC tag is created, this
should be updated to "2.9.0-dev".

Tested: npm install
Change-Id: Ica774624efb49b194250b61488c7c68f4c74c1a8
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Fix issue on IE cannot open SOL page

The root cause is that TextEncoder/TextDecoder does not support IE
More detail at https://caniuse.com/#feat=textencoder

One workable solution is to include text

Fix issue on IE cannot open SOL page

The root cause is that TextEncoder/TextDecoder does not support IE
More detail at https://caniuse.com/#feat=textencoder

One workable solution is to include text-encoder lib,
as this patch did.

Tested:
IE visit BMC and navigate to "#/server-control/remote-console"
SOL page is working well.

Change-Id: I5019c626afcf67916252db4115af7616c7a9759b
Signed-off-by: Kuiying Wang <kuiying.wang@intel.com>

show more ...

Run npm-check update

Ran "npm-check --update-all --save-exact".

We were missing the following dependencies:
Missing dependencies
* regenerator-runtime
* is-path-inside
* pkg-dir

https://github.com

Run npm-check update

Ran "npm-check --update-all --save-exact".

We were missing the following dependencies:
Missing dependencies
* regenerator-runtime
* is-path-inside
* pkg-dir

https://github.com/openbmc/phosphor-webui/commit/dc25db0301ae6d4dabab6d98fb8447832a8c30e2
added regenerator-runtime, is-path-inside, and pkg-dir.

This change adds them as a dependency.

Running npm-check also updated a few packages.

Since moving to webpack-dev-server 3.8, a random port will be used,
need the following bmcweb change:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/24610

A random port breaks running the GUI locally (assuming XSS disabled)
because of:
https://github.com/openbmc/bmcweb/blob/43b761d0c8f5c4c39199093ee4bcd60698e77138/include/security_headers_middleware.hpp#L52

Tested: Built and loaded on a Witherspoon. No regressions observed.
Ran the GUI locally with CSRF and XSS disabled with 24610.
Change-Id: I57ff3edff979b24f7c0a7256d47fa47412041ad7
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Fix IE11 support

While we don't really officially support IE, it would be nice if
_most_ non-complicated things actually worked. Given where
transpilation is, and the fact that we already have webp

Fix IE11 support

While we don't really officially support IE, it would be nice if
_most_ non-complicated things actually worked. Given where
transpilation is, and the fact that we already have webpack, this isn't
actually that riddiculous of an idea.

using babel was the intent with the original webpack stuff, but it turns out
babel-loader wasn't pulling in the babelrc properly when it was in the
root dir, so babel wasn't actually transpiling anything properly.

Functionally, this commit does 3 things:
1. Fixes the published Accepts header, as the ajax call confuses IE if
it doesn't have an encoding.
2. Includes core-js, to allow us to not really have to worry about
javascript features that aren't present in a given browser.
4. Includes the config to support all browsers with > 0.25% market
share, which should keep us compatible with most stuff.

Requires a patch to bmcweb for the updated charset header, as we didn't
handle that properly previously.
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/24063

Tested:
Loaded the bmcweb patch.
Started the webui in IE11 with the console open. Observed that webui
launches and logs in properly with no errors on the console.
Opened the webui in chrome to verify that nothing was broken. Appears
working as it was before.

Measured the pre-rootfs size before and after this patchset. It
adds 36KB to the final package size. (404KB to 440KB). For supporting
IE11 (and probably other browsers) I think this is well worth the cost.

Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
Change-Id: Ie402e3296deede466a7a05726ebd7a18bead0b80

show more ...

Use npm-check-updates and npm audit fix

Upgraded npm to 6.10.2, which includes npm audit.
Installed npm-check-updates and then ran:
ncu -u; npm audit fix

This is a npm 6 package-lock.json.
Recomme

Use npm-check-updates and npm audit fix

Upgraded npm to 6.10.2, which includes npm audit.
Installed npm-check-updates and then ran:
ncu -u; npm audit fix

This is a npm 6 package-lock.json.
Recommend using npm 6 from here out to avoid churn in the
package-lock.json caused by npm 5 vs npm 6.

Before:
found 24 high severity vulnerabilities in 12251 scanned packages
run `npm audit fix` to fix 24 of them.

After:
found 0 vulnerabilities
in 12251 scanned packages

npm 6 was released a year and half ago and has "security is built in".

npm 6/5.10 moved package-lock.json from exact versions to loosly versions.
tilde and caret are now present in the package-lock.json

The previous commits helps a little by "specific version in
package.json guarantees the version only a the top level commit"

Even though package-lock.json has tilde and carets (scary!), the
package-lock.json still lock sub-dependencies according to npm.

https://github.com/npm/npm/issues/20434#issuecomment-395637874

OpenBMC uses nodejs_10.15.3 which has npm 6.4.1.
https://github.com/openbmc/openbmc/blob/master/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_10.15.3.bb
https://nodejs.org/en/download/releases/

Also see:
https://github.com/npm/npm/issues/20891

Resolves openbmc/phosphor-webui#91

Tested: Built image and loaded on Witherspoon
Change-Id: I436be724ac4b27bb00a4b4c20077ddf981c43c9f
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Change package name to phosphor-webui

Most other npm projects have the same package.json name as the
repository. phosphor-webui makes more sense here a name.

Tested: npm install && npm run build
Ch

Change package name to phosphor-webui

Most other npm projects have the same package.json name as the
repository. phosphor-webui makes more sense here a name.

Tested: npm install && npm run build
Change-Id: If0d8697bda5332ce3b4ae86bda620d37cb447de2
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

npm update

Have a security vulnerability around lodash.
This partially addresses.

See https://github.com/lodash/lodash/pull/4336
for more information.

Opened to address the remaining vulnerability

npm update

Have a security vulnerability around lodash.
This partially addresses.

See https://github.com/lodash/lodash/pull/4336
for more information.

Opened to address the remaining vulnerability:
https://github.com/openbmc/phosphor-webui/issues/91

Tested: Built image and loaded on a Witherspoon.
Change-Id: I071c916058bc6ce7dd2032bf1af5b5c8e6545dec
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

NPM update to address TAR vulnerability

This security vulnerability is in the phosphor-webui
repo:
"We found a potential security vulnerability in one of your
dependencies.
tar
Upgrade tar to vers

NPM update to address TAR vulnerability

This security vulnerability is in the phosphor-webui
repo:
"We found a potential security vulnerability in one of your
dependencies.
tar
Upgrade tar to version 4.4.2 or later."

See https://nvd.nist.gov/vuln/detail/CVE-2018-20834
for more information.

Ran "NPM update" && "npm install node-sass@latest --save".

Before:

bash-4.1$ npm audit

....

found 3 high severity vulnerabilities in 12118 scanned packages
run `npm audit fix` to fix 3 of them.

After:

bash-4.1$ npm audit

=== npm audit security report ===

found 0 vulnerabilities
in 12124 scanned packages

Resolves https://github.com/openbmc/phosphor-webui/issues/85

Tested: Built the GUI and loaded it on a Witherspoon. No
regressions observed.

Change-Id: I67cf4111021d7097a4a0726fecc320853810c6fd
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

NPM update to partially address vulnerability

Observed this security vulnerability in the phosphor-webui
repo on GitHub:
"We found a potential security vulnerability in one of your
dependencies.
ta

NPM update to partially address vulnerability

Observed this security vulnerability in the phosphor-webui
repo on GitHub:
"We found a potential security vulnerability in one of your
dependencies.
tar
Upgrade tar to version 4.4.2 or later."

See https://nvd.nist.gov/vuln/detail/CVE-2018-20834
for more information.
Ran "NPM update" && "npm install tar@latest --save".

Unfortunately, this only addresses one of the packages
that uses tar, the other, node-sass, has not published a
release to fix this vulnerability.
See https://github.com/sass/node-sass/issues/2625
Not a easy fix for node-sass.

Opened
https://github.com/openbmc/phosphor-webui/issues/85
to track this work.

Tested: Built the GUI and loaded it on a Witherspoon. No
regressions observed.

Change-Id: I9e06d77a03dff4a3d12f472fd18671cc8c41fcd4
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Pull the latest novnc package

Investigated that IKVM issues on Windows browsers were caused by
old novnc package. Currently, webui downloads novnc 1.0.0 from npm
but the version was released a year

Pull the latest novnc package

Investigated that IKVM issues on Windows browsers were caused by
old novnc package. Currently, webui downloads novnc 1.0.0 from npm
but the version was released a year ago so it doesn't have lots of
bug fixes. Since novnc team published v1.1.0 recently so this
commit updates novnc version to fix the Windows browser issue.

Tested: From Windows FireFox or Chrome browser,
Navigated to 'Server control -> KVM'.
KVM worked stably.

Change-Id: Iaf415f57678573fbbb7c2f33234a63da6c50acd9
Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>

show more ...

Implement KVM in webui

This patchset adds the infrastructure to allow KVM sessions
through the webui. A websocket capable VNC/RFB connection
on the BMC is needed for KVM sessions.

To access, naviga

Implement KVM in webui

This patchset adds the infrastructure to allow KVM sessions
through the webui. A websocket capable VNC/RFB connection
on the BMC is needed for KVM sessions.

To access, navigate to Server control -> KVM.

Tested: Ran obmc-ikvm on the BMC, added a KVM Handler to
Phosphor Rest Server, and was able to establish a
KVM session in the webui on a Witherspoon.
Change-Id: I7dda5bec41d270ae8d0913697714d4df4ec3a257
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Fix always loading issue on IE11

In some pages like server view page, always in loading status.

Import babel-polyfill to solve cross browser issue on HTML5/CSS3,
especially for the older browsers.

Fix always loading issue on IE11

In some pages like server view page, always in loading status.

Import babel-polyfill to solve cross browser issue on HTML5/CSS3,
especially for the older browsers.

Tested:
launch IE11 visit https://BMC_IP_ADDR

Change-Id: Ib8e59e236171fff595ac1e5df3a9111005b39268
Signed-off-by: Kuiying Wang <kuiying.wang@intel.com>

show more ...

Remove angular-websocket dependency

The WebUI does not use angular-websocket for websockets instead
uses https://developer.mozilla.org/en-US/docs/Web/API/WebSocket/WebSocket
https://github.com/openb

Remove angular-websocket dependency

The WebUI does not use angular-websocket for websockets instead
uses https://developer.mozilla.org/en-US/docs/Web/API/WebSocket/WebSocket
https://github.com/openbmc/phosphor-webui/blob/457ca04073ff10cb1df2e7c5ab5192430a2ac6a9/app/common/directives/serial-console.js#L38

This unused dependency was found with depcheck.

Tested: Built this code and loaded it onto a Witherspoon.
Still see the SOL console.
Change-Id: Iffc1f31f94ae0ff5bf7173d06208b1c7bef6ca2a
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

NPM update

Observed this security vulnerability in the phosphor-webui
repo on GitHub:
"We found a potential security vulnerability in one of your
dependencies.
lodash vulnerability found in package-

NPM update

Observed this security vulnerability in the phosphor-webui
repo on GitHub:
"We found a potential security vulnerability in one of your
dependencies.
lodash vulnerability found in package-lock.json
Upgrade lodash to version 4.17.11 or later."

See https://nvd.nist.gov/vuln/detail/CVE-2018-16487 for more
information.
Ran "NPM update" && "npm install lodash@latest --save".

Tested: Built the GUI and loaded it on a Witherspoon. No
regressions observed

Change-Id: I0b848a6aedea699a1b1a26f58c342ff781618a3d
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Add ngMessages

Brings in the angular ngMessages directive to be used for form
validation.

Adds 1.057KB to finished javascript package

Change-Id: I367672c4871040e92cd530abb6f23a5f86912f5f
Signed-of

Add ngMessages

Brings in the angular ngMessages directive to be used for form
validation.

Adds 1.057KB to finished javascript package

Change-Id: I367672c4871040e92cd530abb6f23a5f86912f5f
Signed-off-by: beccabroek <beccabroek@gmail.com>

show more ...

Add toast notifications to SNMP page

Design team proposed that our error and success messages be
delivered as 'toast' messages on the right side of the screen.
This brings in ngToast and implements

Add toast notifications to SNMP page

Design team proposed that our error and success messages be
delivered as 'toast' messages on the right side of the screen.
This brings in ngToast and implements notifications on SNMP page.
Notifications will fade after 10 seconds or can be dismissed.

https://github.com/tameraydin/ngToast

Change-Id: I1053534cd1ab189ae5c2ac07e2a922acea231c70
Signed-off-by: beccabroek <beccabroek@gmail.com>

show more ...