Relace node-sass with dart-sass

This patchset moves phosphor-webui away from node-sass. This is a good
thing overall, and should make phosphor-webui build a little faster,
given it doesn't have to

Relace node-sass with dart-sass

This patchset moves phosphor-webui away from node-sass. This is a good
thing overall, and should make phosphor-webui build a little faster,
given it doesn't have to compile libsass. It also dumps a significant
number of dependencies from the tree.

webui-vue has a similar patch:
https://gerrit.openbmc-project.xyz/c/openbmc/webui-vue/+/35663

Tested:
Build phosphor-webui with changes. Builds as expected.

Change-Id: I30537284518ebf2e0816568e25320a55ade323e4
Signed-off-by: Ed Tanous <ed@tanous.net>

show more ...

Drop encoding library

Commit f4a43cca440535a63592877c9bdbbe28636d803c attempted to fix a IE
bug in the SOL library. Unfortunately, it did it by pulling in the
entire NPM encoding library, which is

Drop encoding library

Commit f4a43cca440535a63592877c9bdbbe28636d803c attempted to fix a IE
bug in the SOL library. Unfortunately, it did it by pulling in the
entire NPM encoding library, which is insanely large (190kb after
minification and compression). This is almost equivalent to the rest of
our javascript put together! That's nuts, and I don't think anyone
would argue that's a binary hit worth taking for IE9 support.

This commit removes it, and swaps in an inline polyfill from the mozilla
recommendations, that compresses much....much smaller.

Before this patchset build prints:
app.bundle.js.gz 522 KiB [emitted] [big]

After this patchset:
app.bundle.js.gz 332 KiB [emitted] [big]

If you don't want to break out a calculator, that's 190KB savings in the
root filesystem, and should cut the initial page load time (on slow
connections) by nearly 30 percent.

Note: text-encodings was never pinned in the package-lock.json, hence
why you don't see a diff removing it from package lock. This was a miss
on the original commiters part, although it doesn't really matter, as
it's now removed.

PS: A reviewer may note, I could've moved the polyfill into its own
file. Considering the serial console is the only page that uses that,
and it's not that big I elected not to, to make removing it analagous
with removing xterm/the serial console.

Bonus content!
Added a (commented out) webpack config that allows you to generate the
webui as individual gzipped fragments, instead of one bundle. This
allows you to see file sizes on a package by package basis, and was how
I found this commit in question.

Testing:
This is where this patchset gets hairy. I dont' have an IE9 instance to
test on. Given it's low usage, and the fact that it's a relatively
straightforward change we can probably just wait for someone to tell us
it's broken again.

Enjoy the sweet sweet savings.

Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: I2820ff1c4b33d725ebc63490793a72fe600b8ed3
Signed-off-by: Ed Tanous <ed@tanous.net>

show more ...

Python3 Support: Force node-gyp to 6.1.0

The version of node-gyp, ^3.8.0, used by node-sass does not support
Python 3 only environments.

Starting with node-gyp 5.0.0, support for Python 3 only was

Python3 Support: Force node-gyp to 6.1.0

The version of node-gyp, ^3.8.0, used by node-sass does not support
Python 3 only environments.

Starting with node-gyp 5.0.0, support for Python 3 only was added.

Added node-gyp 6.1.0 to package.json and edited the node-sass
"requires" in package-lock.json to force node-sass to use this
version.

This problem can be seen if building an image or the webui
recipe with the meta-oe and poky subtree bumps:
https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/31299
https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/31297

This poky refresh deprecates python2. From the mailing list:
https://lists.ozlabs.org/pipermail/openbmc/2020-February/020421.html

node-sass knows of this issue and has a fix, same fix as this,
move node-gyp to 6.1.0, but that fix isn't in a release yet.
Asked for a timeline of when a release with this fix will
happen. This change can be removed after moving to a
version of node-sass with this fix.
https://github.com/sass/node-sass/issues/2877

Considered using https://www.npmjs.com/package/npm-force-resolutions
but required more packages and wasn't simple to make work.

Modifying package-lock.json manually is not recommended but
in this case until fixed upstream, not a better solution.

Tested: Built for a Witherspoon and no regression.
Was able to build the GUI with change and 31299 / 31297.
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
Change-Id: I514395ca0ae2fda6d46cb7a2a3e70cc5b92be58d

show more ...

Update packages and fix vulnerabilities

Ran "npm-check --update-all --save-exact"
then "npm audit fix".
Rolled back to xterm 3, since problems building xterm 4.

Tested: Built the GUI and loaded on

Update packages and fix vulnerabilities

Ran "npm-check --update-all --save-exact"
then "npm audit fix".
Rolled back to xterm 3, since problems building xterm 4.

Tested: Built the GUI and loaded on a Witherspoon.

Change-Id: Ibe86fba54090bfa8b4ef0a6d87baf3dd4f88d48f
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Add XSRF token into websocket request

Add XSRF token so we can implement CRSF checking
on websockets.

Tested: Saw it in bmcweb logs

Change-Id: Ie9479508bc69fad631f66fb282133ad18d025300
Signed-off-

Add XSRF token into websocket request

Add XSRF token so we can implement CRSF checking
on websockets.

Tested: Saw it in bmcweb logs

Change-Id: Ie9479508bc69fad631f66fb282133ad18d025300
Signed-off-by: James Feist <james.feist@linux.intel.com>

show more ...

Fix security vulnerabilities

Had a few more vulnerabilities show up including:
regular expressions Cross-Site Scripting (XSS) vulnerability

https://github.com/advisories/GHSA-h9rv-jmmf-4pgx

Remedi

Fix security vulnerabilities

Had a few more vulnerabilities show up including:
regular expressions Cross-Site Scripting (XSS) vulnerability

https://github.com/advisories/GHSA-h9rv-jmmf-4pgx

Remediation
Upgrade serialize-javascript to version 2.1.1 or later.

Ran npm audit fix.

Don't think this was a real vulnerability but always good to fix.

Tested: Built for a Witherspoon, loaded on the code, and tested.

Change-Id: I3af6941fdef98b950c7e17ddfeb368fdccc5cabc
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

AngularJS: vulnerability: npm audit fix

https://github.com/advisories/GHSA-89mq-4x47-5v83
"In AngularJS before 1.7.9 the function merge() could be tricked
into adding or modifying properties of Obje

AngularJS: vulnerability: npm audit fix

https://github.com/advisories/GHSA-89mq-4x47-5v83
"In AngularJS before 1.7.9 the function merge() could be tricked
into adding or modifying properties of Object.prototype using
a __proto__ payload."

Although, don't see how this is a real threat to the webui
fixed anyway.

https://github.com/angular/angular.js/compare/v1.7.8...v1.7.9
The difference between 1.7.8 and 1.7.9 is small.

Discussion in the works to move any from AngularJS
https://lists.ozlabs.org/pipermail/openbmc/2019-November/019431.html

Tested: Built and loaded on a Witherspoon
Change-Id: Ibe2c9671203a76cd8b4dbb8b1dbbaae2a8230138
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Remove CSP protections from HTML

When I originally wrote CSP into the webui files, I intended to drop it
into the HTML file so it could be removed from bmcweb. Unfortunately,
that plan doesn't fly,

Remove CSP protections from HTML

When I originally wrote CSP into the webui files, I intended to drop it
into the HTML file so it could be removed from bmcweb. Unfortunately,
that plan doesn't fly, as the CSP headers in bmcweb need to remain for
non-html files.

This normally wouldn't matter, but a number of people utilize
BMCWEB_INSECURE_DISABLE_XSS_PREVENTION to run the webui locally and
debug a new webui patch from a working BMC. This causes the CSP headers
to conflict, and the browser to fail with a CSP error on connect-src
when debugging locally.

Removing the CSP section entirely from the webui resolves this, and
doesn't change functionality at all, as it's still covered in bmcweb.

Tested: Will verify on a real platform.

Verified that building the webui locally with the above bmcweb flag
allows the webui to launch correctly.

Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: I60e5011361ec3ce1930249a20cf34480beb48a7f

show more ...

Update package version

Have the package.json version follow the version used in OpenBMC.

cat /etc/os-release
ID="openbmc-phosphor"
NAME="Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro)

Update package version

Have the package.json version follow the version used in OpenBMC.

cat /etc/os-release
ID="openbmc-phosphor"
NAME="Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro)"
VERSION="2.8.0-dev"
VERSION_ID="2.8.0-dev-277-g08902b0-dirty"
PRETTY_NAME="Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro) 2.8.0-dev"
BUILD_ID="2.8.0-dev"
OPENBMC_TARGET_MACHINE="witherspoon

When a 2.8.0 branch is created this should be updated to "2.8.0" before the
2.8.0 tag in the 2.8.0 branch.
After the 2.8.0 branch, when a 2.9.0-dev OpenBMC tag is created, this
should be updated to "2.9.0-dev".

Tested: npm install
Change-Id: Ica774624efb49b194250b61488c7c68f4c74c1a8
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Fix issue on IE cannot open SOL page

The root cause is that TextEncoder/TextDecoder does not support IE
More detail at https://caniuse.com/#feat=textencoder

One workable solution is to include text

Fix issue on IE cannot open SOL page

The root cause is that TextEncoder/TextDecoder does not support IE
More detail at https://caniuse.com/#feat=textencoder

One workable solution is to include text-encoder lib,
as this patch did.

Tested:
IE visit BMC and navigate to "#/server-control/remote-console"
SOL page is working well.

Change-Id: I5019c626afcf67916252db4115af7616c7a9759b
Signed-off-by: Kuiying Wang <kuiying.wang@intel.com>

show more ...

Run npm-check update

Ran "npm-check --update-all --save-exact".

We were missing the following dependencies:
Missing dependencies
* regenerator-runtime
* is-path-inside
* pkg-dir

https://github.com

Run npm-check update

Ran "npm-check --update-all --save-exact".

We were missing the following dependencies:
Missing dependencies
* regenerator-runtime
* is-path-inside
* pkg-dir

https://github.com/openbmc/phosphor-webui/commit/dc25db0301ae6d4dabab6d98fb8447832a8c30e2
added regenerator-runtime, is-path-inside, and pkg-dir.

This change adds them as a dependency.

Running npm-check also updated a few packages.

Since moving to webpack-dev-server 3.8, a random port will be used,
need the following bmcweb change:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/24610

A random port breaks running the GUI locally (assuming XSS disabled)
because of:
https://github.com/openbmc/bmcweb/blob/43b761d0c8f5c4c39199093ee4bcd60698e77138/include/security_headers_middleware.hpp#L52

Tested: Built and loaded on a Witherspoon. No regressions observed.
Ran the GUI locally with CSRF and XSS disabled with 24610.
Change-Id: I57ff3edff979b24f7c0a7256d47fa47412041ad7
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Fix IE11 support

While we don't really officially support IE, it would be nice if
_most_ non-complicated things actually worked. Given where
transpilation is, and the fact that we already have webp

Fix IE11 support

While we don't really officially support IE, it would be nice if
_most_ non-complicated things actually worked. Given where
transpilation is, and the fact that we already have webpack, this isn't
actually that riddiculous of an idea.

using babel was the intent with the original webpack stuff, but it turns out
babel-loader wasn't pulling in the babelrc properly when it was in the
root dir, so babel wasn't actually transpiling anything properly.

Functionally, this commit does 3 things:
1. Fixes the published Accepts header, as the ajax call confuses IE if
it doesn't have an encoding.
2. Includes core-js, to allow us to not really have to worry about
javascript features that aren't present in a given browser.
4. Includes the config to support all browsers with > 0.25% market
share, which should keep us compatible with most stuff.

Requires a patch to bmcweb for the updated charset header, as we didn't
handle that properly previously.
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/24063

Tested:
Loaded the bmcweb patch.
Started the webui in IE11 with the console open. Observed that webui
launches and logs in properly with no errors on the console.
Opened the webui in chrome to verify that nothing was broken. Appears
working as it was before.

Measured the pre-rootfs size before and after this patchset. It
adds 36KB to the final package size. (404KB to 440KB). For supporting
IE11 (and probably other browsers) I think this is well worth the cost.

Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
Change-Id: Ie402e3296deede466a7a05726ebd7a18bead0b80

show more ...

Move the required npm version to 6.0.1

Since moved to a npm 6 generated package-lock.json, bump the required
npm version to prevent churn in package-lock.json.

This is a "advisory only", to enforc

Move the required npm version to 6.0.1

Since moved to a npm 6 generated package-lock.json, bump the required
npm version to prevent churn in package-lock.json.

This is a "advisory only", to enforce, the package.json would need
"engineStrict" : true,

http://www.marcusoft.net/2015/03/packagejson-and-engines-and-enginestrict.html

Fine that users build with npm 5 as long as they don't check in their
package-lock.json.

After downgrading to 5.6 and running npm install
bash-4.1$ git diff package-lock.json | wc -l
7913

Tested: "npm install && npm run build" with an npm 5.6, still builds.
Change-Id: I77899eabc1f6a450a40e005dd43404b034c31768
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Use npm-check-updates and npm audit fix

Upgraded npm to 6.10.2, which includes npm audit.
Installed npm-check-updates and then ran:
ncu -u; npm audit fix

This is a npm 6 package-lock.json.
Recomme

Use npm-check-updates and npm audit fix

Upgraded npm to 6.10.2, which includes npm audit.
Installed npm-check-updates and then ran:
ncu -u; npm audit fix

This is a npm 6 package-lock.json.
Recommend using npm 6 from here out to avoid churn in the
package-lock.json caused by npm 5 vs npm 6.

Before:
found 24 high severity vulnerabilities in 12251 scanned packages
run `npm audit fix` to fix 24 of them.

After:
found 0 vulnerabilities
in 12251 scanned packages

npm 6 was released a year and half ago and has "security is built in".

npm 6/5.10 moved package-lock.json from exact versions to loosly versions.
tilde and caret are now present in the package-lock.json

The previous commits helps a little by "specific version in
package.json guarantees the version only a the top level commit"

Even though package-lock.json has tilde and carets (scary!), the
package-lock.json still lock sub-dependencies according to npm.

https://github.com/npm/npm/issues/20434#issuecomment-395637874

OpenBMC uses nodejs_10.15.3 which has npm 6.4.1.
https://github.com/openbmc/openbmc/blob/master/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_10.15.3.bb
https://nodejs.org/en/download/releases/

Also see:
https://github.com/npm/npm/issues/20891

Resolves openbmc/phosphor-webui#91

Tested: Built image and loaded on Witherspoon
Change-Id: I436be724ac4b27bb00a4b4c20077ddf981c43c9f
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Remove carets from package.json

caret (^)

backwards compatible new functionality
old functionality deprecated, but operational
large internal refactor
bug fix

Some of the packages

Remove carets from package.json

caret (^)

backwards compatible new functionality
old functionality deprecated, but operational
large internal refactor
bug fix

Some of the packages were already missing carets.
This better reflects our package management, we have a npm 5
package-lock.json that is intended to lock the repo down to
a specific set of versions of packages to help our build
reliability, and insulate us a little from the NPM stability
issues.

When the Web UI was still in its infancy, OpenBMC got burned from
this. What NPM called "Compatible with version" introduced build
failures overnight without a code change.

Found in some package-lock.json documentation:
"A specific version in package.json guarantees the version only at
the top level."

npm update, npm audit fix, npm-check-updates will still
behave the same.

This is helps a future commit that moves to a
package-lock.json generated by npm 6.

npm 6 changes package-lock.json from exact versions to loosly
versions.
tilde and caret will be added to the package-log.json.
See:
https://github.com/npm/npm/issues/20434
https://github.com/npm/npm/issues/20891

Tested: Build and loaded on a Witherspoon
Change-Id: Ie28f5b903f71215285df07c650a58c11037efccd
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Change package name to phosphor-webui

Most other npm projects have the same package.json name as the
repository. phosphor-webui makes more sense here a name.

Tested: npm install && npm run build
Ch

Change package name to phosphor-webui

Most other npm projects have the same package.json name as the
repository. phosphor-webui makes more sense here a name.

Tested: npm install && npm run build
Change-Id: If0d8697bda5332ce3b4ae86bda620d37cb447de2
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

package.json add author

Added OpenBMC developers as the author, along with an email and url.

Tested: npm install
Change-Id: I57eee00db1904d72c9791128a194be19761b01f4
Signed-off-by: Gunnar Mills <gm

package.json add author

Added OpenBMC developers as the author, along with an email and url.

Tested: npm install
Change-Id: I57eee00db1904d72c9791128a194be19761b01f4
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Improve package.json description

Description was lacking. Took this description from the README.

Tested: npm install
Change-Id: Ie9664a6bc9f3d6418c3e6ee63053ec643cc733f1
Signed-off-by: Gunnar Mills

Improve package.json description

Description was lacking. Took this description from the README.

Tested: npm install
Change-Id: Ie9664a6bc9f3d6418c3e6ee63053ec643cc733f1
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Update package.json license

package.json had the wrong license.
Use the Apache 2.0 license defined at
https://github.com/openbmc/phosphor-webui/blob/master/LICENSE

Tested: npm install
Change-Id: I8

Update package.json license

package.json had the wrong license.
Use the Apache 2.0 license defined at
https://github.com/openbmc/phosphor-webui/blob/master/LICENSE

Tested: npm install
Change-Id: I82e94b5261fa159bb8066101199c539725b0f782
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

npm update

Have a security vulnerability around lodash.
This partially addresses.

See https://github.com/lodash/lodash/pull/4336
for more information.

Opened to address the remaining vulnerability

npm update

Have a security vulnerability around lodash.
This partially addresses.

See https://github.com/lodash/lodash/pull/4336
for more information.

Opened to address the remaining vulnerability:
https://github.com/openbmc/phosphor-webui/issues/91

Tested: Built image and loaded on a Witherspoon.
Change-Id: I071c916058bc6ce7dd2032bf1af5b5c8e6545dec
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

NPM update to address TAR vulnerability

This security vulnerability is in the phosphor-webui
repo:
"We found a potential security vulnerability in one of your
dependencies.
tar
Upgrade tar to vers

NPM update to address TAR vulnerability

This security vulnerability is in the phosphor-webui
repo:
"We found a potential security vulnerability in one of your
dependencies.
tar
Upgrade tar to version 4.4.2 or later."

See https://nvd.nist.gov/vuln/detail/CVE-2018-20834
for more information.

Ran "NPM update" && "npm install node-sass@latest --save".

Before:

bash-4.1$ npm audit

....

found 3 high severity vulnerabilities in 12118 scanned packages
run `npm audit fix` to fix 3 of them.

After:

bash-4.1$ npm audit

=== npm audit security report ===

found 0 vulnerabilities
in 12124 scanned packages

Resolves https://github.com/openbmc/phosphor-webui/issues/85

Tested: Built the GUI and loaded it on a Witherspoon. No
regressions observed.

Change-Id: I67cf4111021d7097a4a0726fecc320853810c6fd
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

NPM update to partially address vulnerability

Observed this security vulnerability in the phosphor-webui
repo on GitHub:
"We found a potential security vulnerability in one of your
dependencies.
ta

NPM update to partially address vulnerability

Observed this security vulnerability in the phosphor-webui
repo on GitHub:
"We found a potential security vulnerability in one of your
dependencies.
tar
Upgrade tar to version 4.4.2 or later."

See https://nvd.nist.gov/vuln/detail/CVE-2018-20834
for more information.
Ran "NPM update" && "npm install tar@latest --save".

Unfortunately, this only addresses one of the packages
that uses tar, the other, node-sass, has not published a
release to fix this vulnerability.
See https://github.com/sass/node-sass/issues/2625
Not a easy fix for node-sass.

Opened
https://github.com/openbmc/phosphor-webui/issues/85
to track this work.

Tested: Built the GUI and loaded it on a Witherspoon. No
regressions observed.

Change-Id: I9e06d77a03dff4a3d12f472fd18671cc8c41fcd4
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Pull the latest novnc package

Investigated that IKVM issues on Windows browsers were caused by
old novnc package. Currently, webui downloads novnc 1.0.0 from npm
but the version was released a year

Pull the latest novnc package

Investigated that IKVM issues on Windows browsers were caused by
old novnc package. Currently, webui downloads novnc 1.0.0 from npm
but the version was released a year ago so it doesn't have lots of
bug fixes. Since novnc team published v1.1.0 recently so this
commit updates novnc version to fix the Windows browser issue.

Tested: From Windows FireFox or Chrome browser,
Navigated to 'Server control -> KVM'.
KVM worked stably.

Change-Id: Iaf415f57678573fbbb7c2f33234a63da6c50acd9
Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>

show more ...

Implement KVM in webui

This patchset adds the infrastructure to allow KVM sessions
through the webui. A websocket capable VNC/RFB connection
on the BMC is needed for KVM sessions.

To access, naviga

Implement KVM in webui

This patchset adds the infrastructure to allow KVM sessions
through the webui. A websocket capable VNC/RFB connection
on the BMC is needed for KVM sessions.

To access, navigate to Server control -> KVM.

Tested: Ran obmc-ikvm on the BMC, added a KVM Handler to
Phosphor Rest Server, and was able to establish a
KVM session in the webui on a Witherspoon.
Change-Id: I7dda5bec41d270ae8d0913697714d4df4ec3a257
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Fix always loading issue on IE11

In some pages like server view page, always in loading status.

Import babel-polyfill to solve cross browser issue on HTML5/CSS3,
especially for the older browsers.

Fix always loading issue on IE11

In some pages like server view page, always in loading status.

Import babel-polyfill to solve cross browser issue on HTML5/CSS3,
especially for the older browsers.

Tested:
launch IE11 visit https://BMC_IP_ADDR

Change-Id: Ib8e59e236171fff595ac1e5df3a9111005b39268
Signed-off-by: Kuiying Wang <kuiying.wang@intel.com>

show more ...