History log of /openbmc/webui-vue/src/store/modules/Authentication/AuthenticanStore.js (Results 1 – 24 of 24)
Revision Date Author Comments
# ce7db82c 05-Jul-2024 Paul Fertser <fercerpav@gmail.com>

Retrieve role information the Redfish standard way

Currently webui-vue has a hardcoded list of pages and sidebar menu items
restricted to a specific Redfish role (from a predefined default set).
To disallow navigating to restricted pages and to hide disallowed menu
items the application needs to know the roles assigned to the session.

bmcweb only implements a single role identity per session so the Roles
array returned within a Session object always has just one element.

This patch changes the mechanism used to retrieve the current role from
a buggy direct query to AccountService (which can only return information
about BMC local users) to extracting it from the standard Redfish Session
object.

In case the role is not available (e.g. when backend implementation
predates #Session.v1_7_0.Session) the application assumes Administrator
role which is meant as a best effort to continue working given the
circumstances. This doesn't pose a security risk because all validation
is always performed by the backend itself, so the worst that can happen
is the end user getting error messages when trying to access something
without enough privileges.

Tested: logging in and out of accounts with different roles without
reloading the page, observing the list of queries made, the role
variable assignments and presence of the menu items depending on
account, navigating to different pages. Also tested reloading the page
and confirmed the correct role was retrieved without going through login
again. Also tested deleting and mangling localStorage variable
sessionURI prior to doing page reload, in those cases redirect to login
page was observed.

Change-Id: I8b6c84060a987489cc1d35c46c1b00618a88b607
Signed-off-by: Paul Fertser <fercerpav@gmail.com>


# 09a3b9e0 03-Jul-2024 Paul Fertser <fercerpav@gmail.com>

Use auth token when not communicating with bmcweb

Redfish backends other than OpenBMC bmcweb expect clients to
authenticate using X-Auth-Token HTTP header as that's the only standard
authentication method for Redfish sessions.

This code falls back to using the token in case Session creation didn't
result in obtaining an XSRF cookie (as should normally happen with
bmcweb).

Limitations: all WebSocket-based functionality cannot work (JS-based
NBD Virtual Media, IP KVM, SOL); page reload drops the session and
requires logging in again.

Tested: logging in, observing Overview and successfully logging out of
an AMI MegaRAC BMC. Logging in and navigating around a bmcweb-running
system which doesn't have the code to provide cookies for Session POST
request (everything works as usual sans WS-based features).

Change-Id: I81dc881193440d8d252dcd283b99915bd08c0c5e
Signed-off-by: Paul Fertser <fercerpav@gmail.com>


# 6de03414 05-Jul-2024 Paul Fertser <fercerpav@gmail.com>

Handle expired passwords Redfish standard way

A password can expire at any moment during session lifetime and bmcweb
starts returning 403 Forbidden errors to the requests made after that.
The response contains clear indication of the condition in the standard
`@Message.ExtendedInfo` attribute which is an array of Message objects.

Previously the code was trying to detect this condition by querying
AccountService after logging in, but this approach doesn't work when the
password expires mid-session. Also it was limited to BMC-managed
accounts and used hardcoded account URIs in violation of the Redfish spec.

This patch adds to the interceptor of 403 errors so that the user is
automatically redirected to the password change page as soon as the
condition is detected.

The same message is also present in the session creation POST response
201 if the password expired before the login attempt; in this case the
session is created as usual but the user is automatically redirected to
the password change page before any further requests are made.

Tested: logging in, navigating, logging out with non-expired password.
Logging in, navigating, then running `passwd -e <accountname>` via ssh
leads to functional password change page on the next request and then
navigating proceeds normally, and logging out too. If the password is
expired before logging in, the user gets redirected to the password
change page automatically after logging in.

Fixes: https://github.com/openbmc/webui-vue/issues/118
Change-Id: I03f5ee2526a4bb1d35d3bbea1142fea077d6bfed
Signed-off-by: Paul Fertser <fercerpav@gmail.com>


# 1ff8e89f 10-Jun-2024 Paul Fertser <fercerpav@gmail.com>

Switch to standard Redfish auth endpoint

To be able to talk to a Redfish-compliant implementation webui should
switch from old non-standard login and logout endpoints to creating a
Session via an appropriate POST request and to DELETE it on logout. This
also gives us a standard Session object with all the relevant parameters,
which allows the frontend to know what session it's using, what
permissions it has, etc.

This works against bmcweb which checks for the presence of
webui-vue-specific "X-Requested-With" header in the request and provides
cookies in addition to the Redfish authentication token in the header.

Tested: logging in, logging out, navigating the pages, reloading the
page doesn't require logging in (if the session isn't expired),
WebSocket connections work.

Change-Id: I9d6159850b109a658b8f980637653e7e4576058b
Signed-off-by: Paul Fertser <fercerpav@gmail.com>


# 2b33526c 11-Apr-2024 Paul Fertser <fercerpav@gmail.com>

Allow to log in when using remote authentication

For accounts authenticated remotely (e.g. with LDAP or RADIUS) the API
endpoint (handled by bmcweb) cannot currently provide any information
about RoleId, reporting 404 instead. This confuses the frontend and
it doesn't allow navigating at all.

Fix this by lifting all frontend-side restrictions by assuming the
'Administrator' role in this case. Since the backend verifies the validity
of each and every request anyway, this doesn't affect security in any way.

Tested: logging in, out and incorrectly using local BMC and remote LDAP
users, reloading the page with an active session. In all cases frontend
behaved as expected, storing assumed RoleId after getting 404 not found
reply and using it for unrestricted routing decisions.

Change-Id: If17d06bf0b8a372acd1980f6777227e25d9c78d8
Signed-off-by: Paul Fertser <fercerpav@gmail.com>


# bceaffac 10-Apr-2024 Paul Fertser <fercerpav@gmail.com>

Deduplicate and simplify RoleId handling

To improve UX for users of accounts with restricted permissions the
frontend determines the current RoleId. Knowing that it can hide menus
and inhibit transitions that are not allowed by the backend in any case.

This patch unifies the handling by moving processing of the API reply
containing RoleId into a single place, right where the
`authentication/getUserInfo` store gets it. This makes the program flow
easier to understand and change if needed without worrying about where
another copy of the code might be and how it would need to be amended.

No functional change.

Tested: logging in and out, navigating the pages, getting an error
message when wrong credentials are used, reloading the page with an
established session. All while observing Network and Console tabs in Web
Developer tools, no unexpected API requests are made and no unexpected
errors reported. Confirmed in debugger that the retrieved role gets
stored and used for routing restrictions.

Change-Id: Ia8782f44cb6bf813954d30b8bf3a620a626ad455
Signed-off-by: Paul Fertser <fercerpav@gmail.com>


# ebef6eee 07-Aug-2023 Ed Tanous <edtanous@google.com>

Remove phosphor-rest style login

As part of [1], there are deprecated login flows that webui-vue seems to
have copied from phosphor-rest. These were originally added because
phosphor-rest didn't look at response codes, but webui-vue does, so we
can use the normal version, which allows us to reduce the code in
bmcweb.

This needs to go in at the same time as [1].

Tested: Gunnar tested with 65810 and this works.

[1] https://gerrit.openbmc.org/c/openbmc/bmcweb/+/65810

Change-Id: I1e55f08cf1d7d44b6757ac4173a26546eaca72e5
Signed-off-by: Ed Tanous <edtanous@google.com>
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>


# 780733a1 19-Apr-2023 Thang Q. Nguyen <thang@os.amperecomputing.com>

Fix logout button not working on Safari

After logging on via the Safari web browser, clicking <user> -> Log out
does not take effect until clicking on another tab. The current page still
works normally. For example, on the Virtual Media page, after clicking on
the Log out button, nothing happens and we can still mount an ISO file.
The issue does not happen on Chrome or Firefox.

Fix the issue by changing router.go() to router.push().

Reference:
https://github.com/vuejs/vue-router/issues/2554
https://codewithandrea.com/articles/flutter-navigation-gorouter-go-vs-push/

Tested:
1. Check if the issue does not happen on Safari anymore.
2. Check if no issue with Google Chrome and Mozilla Firefox.

Change-Id: I2ae35dad2dec6b19c3cb9d7f8d577b6077ac8d9c
Signed-off-by: Thang Q. Nguyen <thang@os.amperecomputing.com>
Signed-off-by: HuyLe <hule@amperecomputing.com>


# aeb19816 23-Nov-2022 Damian Celico <damianx.celico@intel.com>

Added route restrictions based on user privilege

This commit allows us to add an 'exclusiveToRoles' field to
route config files, with the list of roles that can access
this resource, if needed. In this case, only Administrator
can access the Virtual-Media page and SOL console, and they are blocked
for other users.

Signed-off-by: Sivaprabu Ganesan <sivaprabug@ami.com>
Change-Id: Ibcee18bd92d97c34414ecaf2caf6af28070c5538


# b89eed27 12-Jan-2023 kirankumarb07 <kirankumarb@ami.com>

Closed KVM new window after WEBUI logged out

Description:

When KVM is opened in a new window, after the WEB UI is logged out,
the opened KVM window is not closed. It remains open and
accessible.

Root Cause:

There is no handler to close the KVM new window after the WEB UI is
logged out.

Fix:

Added the KVM window opened information to the store, and checked that
information to close the window.

Tested:

Step 1: Login to WEB UI
Step 2: Navigate to Operations -> KVM
Step 3: Open KVM in new window
Step 4: Click Logout in WEB UI

Result:

After successful log out, KVM new window is closed as expected.

Change-Id: Iab8e54d3088a08fb0ae9b581b2647fc0ab5460bd
Signed-off-by: Kirankumar Ballapalli <kirankumarb@ami.com>


# a5fefd0a 06-Aug-2021 Lei YU <yulei.sh@bytedance.com>

[POC] login: Fix waiting in login page after login

When the user enters the correct username/password and clicks the "Log in"
button, sometimes the page stays at the login page. The user will have
to reload the page, enter the username/password, and click the "Log in"
button again to actually log in to the WebUI.

From the browser's debug control, we could see it's waiting for the
response of
https://$bmc/redfish/v1/AccountService/Accounts/root
and it does not get any response.

From the BMC side, we could see the first login is successful.

Somehow if we remove the async keyword of function
checkPasswordChangeRequired(), the issue is not reproduced anymore.

So this is a POC patch to fix the issue, but the root cause is unknown.

Tested: Clear the browser's cookie, successful login multiple times.

Signed-off-by: Lei YU <yulei.sh@bytedance.com>
Change-Id: I01e3ab5ca63baed18045915500fa8ca2e6b247ea


# 602e98aa 21-Oct-2020 Derick Montague <derick.montague@ibm.com>

Update linting packages to use latest

- 99% of changes were small syntax changes that were changed by the
lint command. There were a couple of small manual changes to meet the
property order patterns established as part of the vue:recommended
guidelines.

There are rules that were set from errors to warnings and new stories
are being opened to address those issues.

Testing:
- Successfully ran npm run serve
- Successfully ran npm run lint
- Verified functionality works as expected, e.g. success and failure use cases
- Resolved any JavaScript errors thrown to the console

Signed-off-by: Derick Montague <derick.montague@ibm.com>
Change-Id: Ie082f31c73ccbe8a60afa8f88a9ef6dbf33d9fd2


# d624dae9 21-Sep-2020 Yoshie Muranaka <yoshiemuranaka@gmail.com>

Add support for mutual TLS

Adding check for 'IsAuthenticated' cookie in AuthenticationStore
and adding a check in created hook for AppHeader component because
it is visible on all authenticated pages.

Signed-off-by: Yoshie Muranaka <yoshiemuranaka@gmail.com>
Change-Id: Ic558c9c45fd3f5874c8c516cb6bc005cba4946e2


# 61859097 30-Sep-2020 SurenNeware <sneware9@in.ibm.com>

Update relative path imports to use '@' alias

- Add '@/' instead of '../../../'

Signed-off-by: Suren Neware <sneware9@in.ibm.com>
Change-Id: Ida1dc26f2bd62f38914a74b729ee8fd143c360ac


# 2c98b095 22-Jun-2020 Yoshie Muranaka <yoshiemuranaka@gmail.com>

Add check if password change required at Login

After successfully authenticating on the Login page, check the
/redfish/v1/AccountService/Accounts/${username} endpoint for
the PasswordChangeRequired property to see whether or not the
password is expired. If the password is expired, then navigate
to the Change password page; if the password isn't expired,
navigate to the Overview page.
After successfully changing an expired password, navigate to the
Overview page.

Signed-off-by: Yoshie Muranaka <yoshiemuranaka@gmail.com>
Change-Id: I32de5f71bcfcbe4099c2953a31c05ba0ebe670bc


# b1f559f0 28-Apr-2020 Sukanya Pandey <sukapan1@in.ibm.com>

Profile settings page

- To set the profile by setting the password.
- This commit adds a profile page which allows the user to change their
password.
In the future, the profile page will also contain user settings like
language and timezone.

The API called to change the user's
password is '/redfish/v1/AccountService/Accounts/<userName>'

Signed-off-by: Sukanya Pandey <sukapan1@in.ibm.com>
Change-Id: Ie54a54beff8c85bc9ac5af21c35edc481b34cf44


# 23f227dd 01-May-2020 Yoshie Muranaka <yoshiemuranaka@gmail.com>

Add XSRF token to websocket connection

Resolves HTTP authentication failure when attempting to make
a websocket connection.

Signed-off-by: Yoshie Muranaka <yoshiemuranaka@gmail.com>
Change-Id: Ie833f1cd281dd3b7124ac798eb5318b24df0ed8f


# a06fe469 11-Mar-2020 Derick Montague <derick.montague@ibm.com>

Fix accessibility violations and use b-form-group

- Update authError to be set to false in order to hide the error
message when the user logs in. This is needed if the user name
or password is incorrect multiple times. If it is not hidden
between login attempts, the user will only be notified on the
first attempt.
- Use the b-form-group component for consistency.
- Add id attributes to the required field error messages so that
the error can be added to the input field's aria-describedby attribute.

Signed-off-by: Derick Montague <derick.montague@ibm.com>
Change-Id: I86902cc2c85b3bbf156c2920ec2031ee4dccd2ef


# c031b698 12-Feb-2020 Derick Montague <derick.montague@ibm.com>

Clear application state on logout

Remove the authError state property from the logout mutation
since the authError would not be in the true state after
a successful login.

Signed-off-by: Derick Montague <derick.montague@ibm.com>
Change-Id: Ibfe8b07c4e9e37dfab4435596c12e9a36556a714


# 4b0fc1db 06-Jan-2020 Yoshie Muranaka <yoshiemuranaka@gmail.com>

Update local user layout and styles

Resubmitting after being reverted; original commit here:
https://gerrit.openbmc-project.xyz/c/openbmc/webui-vue/+/28790

- Add BVConfig plugin to modify bootstrap component
defaults
- Add vuelidate
- Add package and basic validations to user form
- Add all user form validations
- Add checks for edit user
- Create VuelidateMixin for shared methods
- Update Login to use Vuelidate

Signed-off-by: Yoshie Muranaka <yoshiemuranaka@gmail.com>
Signed-off-by: Derick Montague <derick.montague@ibm.com>
Change-Id: Ib50ee4d1fb5f14637c9460e77f0682869a86ac8a


# 676f2fca 23-Dec-2019 Derick Montague <derick.montague@ibm.com>

Add login form validation

- Sending incorrect credentials returns a 401 and we don't want the page
to redirect if we are trying to log in. Wrapped the redirect in an if
block.
- Returning a promise used by the logout action, which is needed
when not redirecting the page. Didn't add it to the if block since
other errors that use the router to redirect will need the Promise
returned also, e.g. 403.

Signed-off-by: Derick Montague <derick.montague@ibm.com>
Change-Id: I6db706ef7c71ed13baed95dc4264e6ae11d13ad3


# fded0d11 11-Dec-2019 Derick Montague <derick.montague@ibm.com>

Add singlequote override and fix files

Based on phosphor-webui and JavaScript common practices we are setting
ESLint to require single quotes for JS files and double quotes for
SCSS files. This commit adds the ESLint override to the prettier rules
and runs the npm lint script that fixes the files that violate the
rule.

Signed-off-by: Derick Montague <derick.montague@ibm.com>
Change-Id: I50cba77b2d0797595ce94258029608efa8665005


# 6ce1a07c 06-Dec-2019 Yoshie Muranaka <yoshiemuranaka@gmail.com>

Add cookie based login authentication

- Changed POST request data structure to match
backend requirements for set-cookie in response
header
- Added withCredentials property to default
axios config
- Modifying proxied response to remove 'Secure' flag
so the browser can create the Cookie while running locally
- Add logout api request
- Add js-cookie package to manage browser cookies
- Update the babel preset config to include useBuiltIns,
which resolves MIME type errors when overlaying
- Disable vue-router history mode to use router hash mode
to resolve 404 errors when refreshing certain pages. This
is expected behavior with history mode enabled. Server
configuration changes are required to support HTML5
history mode: https://router.vuejs.org/guide/essentials/history-mode.html#example-server-configurations

Signed-off-by: Yoshie Muranaka <yoshiemuranaka@gmail.com>
Signed-off-by: Derick Montague <derick.montague@ibm.com>
Change-Id: I5d43f36ef546962474b6cc8fff89564f29048fde


# e080a1a7 04-Dec-2019 Derick Montague <derick.montague@ibm.com>

Add login and logout functionality

- Add AuthenticationStore
- Add ability to login and logout
- Add route navigation guard
- Add login styles
- Add temporary authentication for api call
- Add Login directory
- Add index.js

In order to log in, a .env.development.local file that contains
BASE_URL="https://<ip address> or <FQDN>"

Signed-off-by: Derick Montague <derick.montague@ibm.com>
Change-Id: I88b93e287e66f4bae82a1ec2934cdef12d78264e
