Age | Commit message | Author | Files | Lines |
|
Reduces the total number of lines and will allow for easier testing of
the redfish responses.
A main purpose of the node class was to set app.routeDynamic(). However,
now app.routeDynamic can handle the complexity that was once critical
to node. The macro app.routeDynamic() provides a shorter, cleaner
interface to the underlying app.routeDynamic call. The old pattern set
permissions for 6 interfaces (get, head, patch, put, delete_, and post)
even if only one interface is created. That pattern creates unneeded
code that can be safely removed with no effect.
Unit tests for the responses would have to mock the node class in
order to fully test responses.
see https://github.com/openbmc/bmcweb/issues/181
The following files still need node to be extracted.
virtual_media.hpp
account_service.hpp
redfish_sessions.hpp
ethernet.hpp
The files above use a pattern that is not trivial to address. Often their
responses call an async lambda capturing the inherited class, i.e.
https://github.com/openbmc/bmcweb/blob/ffed87b5ad1797ca966d030e7f97977028d258fa/redfish-core/lib/account_service.hpp#L1393
At a later point I plan to remove node from the files above.
Tested:
I ran the docker unit test with the following command.
WORKSPACE=$(pwd) UNIT_TEST_PKG=bmcweb
./openbmc-build-scripts/run-unit-test-docker.sh
I ran the validator and this change did not create any issues.
python3 RedfishServiceValidator.py -c config.ini
Signed-off-by: John Edward Broadbent <jebr@google.com>
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I147a0289c52cb4198345b1ad9bfe6fdddf57f3df
|
|
Get the core using AsyncResp everywhere, and not have each individual handler
creating its own object. We can call app.handle() without fear of the response
getting ended after the first tree is done populating.
Don't use res.end() anymore.
Tested:
1. Validator passed.
Signed-off-by: zhanghaicheng <zhanghch05@inspur.com>
Change-Id: I867367ce4a0caf8c4b3f4e07e06c11feed0782e8
|
|
These aren't needed and are not in all files.
These aren't being updated. Would prefer these go away.
Tested: Not Tested.
Change-Id: I050874d58f86cae138ce2ab8c0c53831aeba5b21
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
|
|
Currently, /v1/CertificateService/CertificateLocations and
/v1/AccountService/LDAP/Certificates endpoints assume the presence of
xyz.openbmc_project.Certs.Manager.Client.Ldap service, and return an
error on D-Bus failures. But this service can be missing if LDAP support
is removed from the build, so we should just return empty responses
instead of errors.
Tested: Passed Redfish service validator.
Signed-off-by: Jonathan Doman <jonathan.doman@intel.com>
Change-Id: Ib8416e850b52e8ce0f8947017d863cee19f7b2c8
|
|
- This commit improves certain while loops to range based for loops.
- This commit also fixes the cppcheck warning about
performance issues when using postfix operators on non-primitive
types.
Tested By:
- A function is unittested.
- GET on both EthernetInterfaces & certificate service
looks good without any issues.
Signed-off-by: Manojkiran Eda <manojkiran.eda@gmail.com>
Change-Id: I85420f7bf9af45a97e1a93b916f292c2516f5802
|
|
1st, alphabetize the tidy-list for good housekeeping.
Next, enable all the clang-tidy performance checks, and resolve all the
issues. most of the issues boil down to:
1. Using std::move on const variables. This does nothing.
2. Passing big variables (like std::string) by value.
3. Using double quotes on a find call, which constructs an intermediate
string, rather than using the character overload.
Tested
Loaded on system, logged in successfully and pulled down webui-vue. No
new errors.
Walked the Redfish tree a bit, and observed no new problems.
Ran redfish service validator. Got no new failures (although there are
a lot of log service deprecation warnings that we should look at).
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: I2238958c4b22c1e554e09a0a1787c744bdbca43e
|
|
A bad click merged a commit before it was ready (it was +2ed
previously). So far as I'm aware, this was the only change needed.
Happy to revert it if someone sees need to.
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: I4bb842edd78a4d580bb4842e4a708632761fa86d
|
|
Char arrays are outdated, and not needed in this case.
No functional changes
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: Ibdcebf05880ac2697c9a30f5a86155a09ff7b3d8
|
|
Lots of code has been checked in that doesn't match the naming
conventions. Lets fix that.
Tested:
Code compiles. Variable/function renames only.
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: I6bd107811d0b724f1fad990016113cdf035b604b
|
|
This commit enables the "unused variables" warning in clang. Throughout
this, it did point out several issues that would've been functional
bugs, so I think it was worthwhile. It also cleaned up several unused
variable from old constructs that no longer exist.
Tested:
Built with clang. Code no longer emits warnings.
Downloaded bmcweb to system and pulled up the webui, observed webui
loads and logs in properly.
Change-Id: I51505f4222cc147d6f2b87b14d7e2ac4a74cafa8
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
This commit enables clang warnings, and fixes all warnings that were
found. Most of these fall into a couple categories:
Variable shadow issues were fixed by renaming variables
unused parameter warnings were resolved by either checking error codes
that had been ignored, or removing the name of the variable from the
scope.
Other various warnings were fixed in the best way I was able to come up
with.
Note, the redfish Node class is especially insidious, as it causes all
implementers to have variables for parameters, regardless of whether or
not they are used. Deprecating the Node class is on my list of things
to do, as it adds extra overhead, and in general isn't a useful
abstraction. For now, I have simply fixed all the handlers.
Tested:
Added the current meta-clang meta layer into bblayers.conf, and added
TOOLCHAIN_pn-bmcweb = "clang" to my local.conf
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: Ia75b94010359170159c703e535d1c1af182fe700
|
|
Middlewares, while kinda cool from an academic standpoint, make our
build times even worse than they already are. Given that we only really
use 1 real middleware today (token auth) and it needs to move into the
parser mode anyway (for security limiting buffer sizes), we might as well
use this as an opportunity to delete some code.
Some other things that happen:
1. Persistent data now moves out of the crow namespace
2. App is no longer a template
3. All request_routes implementations no longer become templates. This
should be a decent (unmeasured) win on compile times.
This commit was part of a commit previously called "various cleanups".
This separates ONLY the middleware deletion part of that.
Note, this also deletes about 400 lines of hard to understand code.
Change-Id: I4c19e25491a153a2aa2e4ef46fc797bcb5b3581a
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
These spelling errors were found using
https://github.com/codespell-project/codespell
Tested: Top commit (along with this) was built and ran against
validator.
Change-Id: Ic9dce27b1de8567eedf7753164ef564d3aedf8ca
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
|
|
This is from openbmc/docs/style/cpp/.clang-format
Other OpenBMC repos are doing the same.
Tested: Built and validator passed.
Change-Id: Ief26c755c9ce012823e16a506342b0547a53517a
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
|
|
prime256v1 is okay for now, but secp384r1 is more future-proof (gives us
a couple more years) and in this case does not really have any
drawbacks.
Tested: Checked to see that a new secp384r1 key is generated on first
boot and the generate CSR redfish option works.
Change-Id: I334fc56db3dd55058a4c6780f8966bcc48d8f816
Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>
|
|
Redfish made odata.context optional (1.6.0 of DSP0266, Sept 2018).
Redfish has removed odata.context from example payloads in the
specification (1.7.0 of DSP0266), removed it from the mockups,
and Redfish recommended not using it.
The reason for making optional and removing from mockups/examples,
"no one could figure out how to use it and it did not add value".
Don't see value in it for our implementation.
Change-Id: I3d634aa1a58072589e565f2361e010b459bfd3f5
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
|
|
Whenever the Redfish response is that a service is temporarily
unavailable, the "Retry-After" header is added with the same
value, so just set the header automatically with the response.
Tested:
Confirmed that the "Retry-After" header is set correctly with
the Redfish temporarily unavailable message.
Change-Id: I9c940be94d9d284b9633c5caa2ce71ade76d22d5
Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
|
|
std::strtol() expects a null-terminated string. This means that passing
string_view.data() to it may cause undefined behaviour.
Let's fix it by using boost::convert instead.
Tested: Manually by sending valid requests and looking for empty
responses.
Change-Id: I319277551b5e85586783afdc8c86e4a7d8db876e
Signed-off-by: Iwona Klimaszewska <iwona.klimaszewska@intel.com>
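The hazard described in this commit, shown as an added example that is not bmcweb's code: a std::string_view that covers only part of a larger buffer, parsed once with the strtol pattern the commit removes and once with a range-bounded parser. The commit itself switches to boost::convert; this example substitutes std::from_chars (C++17) to keep the block self-contained, and parseUnsigned, strtolOnView and the sample buffer are all hypothetical names constructed here.

```cpp
#include <charconv>
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>
#include <system_error>

// Hypothetical helper, not bmcweb's code: parse an unsigned decimal
// integer from exactly the bytes covered by the string_view.
// std::from_chars takes a [first, last) range, so it never reads past
// sv.size() and never needs a terminating NUL byte.
std::optional<std::uint64_t> parseUnsigned(std::string_view sv)
{
    std::uint64_t value = 0;
    const char* first = sv.data();
    const char* last = first + sv.size();
    auto [ptr, ec] = std::from_chars(first, last, value, 10);
    if (ec != std::errc{} || ptr != last)
    {
        // Not a number, value does not fit in uint64_t, or trailing
        // bytes that are not digits (e.g. "12abc"): reject the input.
        return std::nullopt;
    }
    return value;
}

// The pattern the commit removes: strtol treats sv.data() as a C string
// and keeps scanning until it finds a NUL byte, ignoring sv.size().
// The constructed buffer below happens to be NUL-terminated, so here
// the call is merely wrong; on a view into a non-terminated buffer it
// reads out of bounds, which is undefined behaviour.
long strtolOnView(std::string_view sv)
{
    return std::strtol(sv.data(), nullptr, 10);
}

// Constructed sample: a larger buffer of which only the first two bytes
// are the id we intend to parse (like one segment of a URL path).
const std::string kSampleBuffer = "12345";
const std::string_view kSampleId(kSampleBuffer.data(), 2);

int main()
{
    std::cout << "strtol on view    : " << strtolOnView(kSampleId) << '\n';
    std::cout << "from_chars on view: "
              << parseUnsigned(kSampleId).value_or(0) << '\n';
    return 0;
}
```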
|
|
With the introduction of Mutual-TLS and the option to add multiple certificates,
there is a need to give the user the possibility to remove them, for example
when they expire. This commit adds an implementation of the DELETE function
to the TLS Certificate node, so each of them can be removed.
Backend implementation is here:
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/25268
Tested with multiple uploaded TLS certificates.
Other certificates remain irremovable as they were so far.
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Change-Id: I9781c5c79288ec5d080e80e42c63a55e471ddb77
Depends-On: I9dd6fa998e8bd8081fbd13549831bc94a4a7aa54
|
|
Added handling for POSTing certificates the Redfish way (as proper JSON).
Currently it was only possible to add a certificate as a RAW certificate in
the request body. Now the user is able to add it as
{
"CertificateType": "PEM",
"CertificateString": "..."
}
as well as previously in RAW form.
Tested:
- Uploading certificates in RAW form
- Uploading certificates in JSON form
- In case of a malformed request a proper error message is returned.
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Change-Id: Iab563964102b0a1a351cb0bb1ea181643da33480
|
|
This review is a fix for changes in Install API.
See review:
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/25634
Tested: Tested manually, the POST method on the certificate collection returns the ID
of the created certificate.
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Depends-On: Ic8ab545c931d89a022acdabd5a755e3bf39e5a79
Change-Id: I70c449600623e4f1eabf63c23163683f6f513d43
|
|
using the list of warnings from here:
https://github.com/lefticus/cppbestpractices/blob/e73393f25a85f83fed7399d8b65cb117d00b2231/02-Use_the_Tools_Available.md#L100
Seems like a good place to start, and would improve things a bit
type-wise. This patchset attempts to correct all the issues in one
shot.
Tested:
It builds. Will test various subsystems that have been touched
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: I588c26440e5a97f718a0f0ea74cc84107d53aa1e
|
|
Added handling for POSTing certificates the Redfish way (as proper JSON).
Currently it was only possible to add a certificate as a RAW certificate in
the request body. Now the user is able to add it as
{
"CertificateType": "PEM",
"CertificateString": "..."
}
as well as previously in RAW form.
Tested:
- Uploading certificates in RAW form
- Uploading certificates in JSON form
- Uploading invalid certificates
- Uploading invalid JSON requests
Change-Id: Icf0f6b928e63fc3cc5cd089b483b3799fbe715de
Signed-off-by: Kowalski, Kamil <kamil.kowalski@intel.com>
|
|
1) Implements CertificateCollection schema to upload
CA certificates and to list existing CA certificates
2) Modified CertificateLocations schema to list CA
certificates
3) Modified ReplaceCertificate action of CertificateService
schema to cater for replacing existing CA certificate
Tested:
1) No validation failure
2) Truststore CertificateCollection
curl -k -H "X-Auth-Token: $bmc_token" -X GET
https://${bmc}/redfish/v1/Managers/bmc/Truststore/Certificates/
{
"@odata.context":
"/redfish/v1/$metadata#CertificateCollection.CertificateCollection",
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/",
"@odata.type": "#CertificateCollection.CertificateCollection",
"Description": "A Collection of TrustStore certificate instances",
"Members": [],
"Members@odata.count": 0,
"Name": "TrustStore Certificates Collection"
}
3) Upload certificate
curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -H "Content-Type:
application/octet-stream" -X POST -T cert.pem
https://${bmc}/redfish/v1/Managers/bmc/Truststore/Certificates
{
"@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1",
"@odata.type": "#Certificate.v1_0_0.Certificate",
"CertificateString": ----\n",
"Id": "1",
"Issuer": {
"CommonName": "localhost",
"Organization": "openbmc-project.xyz"
},
}
4) Certificate Locations
curl -k -H "X-Auth-Token: $bmc_token" -X GET
https://${bmc}/redfish/v1/CertificateService/CertificateLocations/
{
"@odata.context":
"/redfish/v1/$metadata#CertificateLocations.CertificateLocations",
"@odata.id": "/redfish/v1/CertificateService/CertificateLocations",
"@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations",
"Description": "Defines a resource that an administrator can use in order
to locate all certificates installed on a given service",
"Id": "CertificateLocations",
"Links": {
"Certificates": [
{
"@odata.id":
"/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
},
{
"@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1"
},
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1"
}
],
"Certificates@odata.count": 3
},
"Name": "Certificate Locations"
}
5)Replace certificate
curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST
https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/
-d @data_auth.json
{
"@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1",
"@odata.type": "#Certificate.v1_0_0.Certificate",
"CertificateString": "-----BEGIN CERTIFICATE--------\n",
"Id": "1",
"Issuer": {
"CommonName": "localhost",
"Organization": "openbmc-project.xyz"
},
6)List CertificateCollection
curl -k -H "X-Auth-Token: $bmc_token" -X GET
https://${bmc}/redfish/v1/Managers/bmc/Truststore/Certificates/
{
"@odata.context":
"/redfish/v1/$metadata#CertificateCollection.CertificateCollection",
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/",
"@odata.type": "#CertificateCollection.CertificateCollection",
"Description": "A Collection of TrustStore certificate instances",
"Members": [
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1"
}
],
"Members@odata.count": 1,
"Name": "TrustStore Certificates Collection"
}
Change-Id: Ic9644fadfe6fe89b529e16336cc6bcd804810b3a
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
|
|
Tested:
1) Tested schema with validator and no issues
curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST
https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR/
-d @generate_ldap_required.json
{
"CSRString": "-----BEGIN CERTIFICATE
REQUEST-----\\nLoyR0IExAw==\n-----END
CERTIFICATE REQUEST-----\n",
"CertificateCollection": {
"@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/"
}
}
Change-Id: Iae0919a2f222c1f85e5428d9140e386f8695370d
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
|
|
Implemented GenerateCSR action of CertificateService
for generating CSR of HTTPS certificate
CSR requests initiated through D-Bus are time-consuming
and might result in a D-Bus time-out error.
The GenerateCSR request is performed in a child process in
the backend so that the caller is returned to immediately.
The caller needs to register for the "InterfacesAdded" signal
generated when a new CSR object is created by the backend
after completion of the CSR request.
The caller then initiates a read on the created CSR object to
read the CSR string.
A timer is added to cancel the operation if the "Interfaces
Added" signal is not received within a specified time.
Modified to support only 2048 keybit length due to the
time taken in private key generation.
Tested
1) Tested schema with validator and no issues
2)
curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST
https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR/
-d @generate_https.json
{
"CSRString": "-----BEGIN CERTIFICATE ..."
"CertificateCollection": {
"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
}
}
3. generate_https.json
{
"City": "Austin",
"CertificateCollection": {
"@odata.id":
"/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
},
"CommonName": "www.ibm.com",
"ContactPerson":"myname",
"AlternativeNames":["www.ibm.com"],
"ChallengePassword":"",
"Email":"openbmc@in.ibm.com",
"GivenName":"",
"Initials":"",
"Country": "US",
"KeyCurveId":"",
"KeyUsage":["KeyAgreement"],
"KeyBitLength": 1024,
"KeyPairAlgorithm": "RSA",
"Organization": "IBM",
"OrganizationalUnit": "ISL",
"State": "AU",
"Surname": "",
"UnstructuredName": ""
}
4) Verified Required and Optional parameters
5) Generate EC CSR with curve ID secp224r1
curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST
https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR/
-d @generate_https.json
{
"CSRString": "-----BEGIN CERTIFICATE
REQUEST-----\nMIIBQzCB8wIBATCBmzEUMBIGA1UdEQwLd3d3LmlibS5jb20xDzANBgNVBAcMBkF1\nc3RpbjEUMBIGA1UEAwwLd3d3LmlibS5jb20xDzANBgNVBCkMBm15bmFtZTELMAkG\nA1UEBhMCVVMxDDAKBgQrDgMCDAJFQzEVMBMGA1UdDwwMS2V5QWdyZWVtZW50MQww\nCgYDVQQKDANJQk0xCzAJBgNVBAgMAkFVME4wEAYHKoZIzj0CAQYFK4EEACEDOgAE\n7hyL8FWmeCBRpCxWKjlce9nRghwS0lBrBdslOZ+n9+hFD+0KD8L+BORwm7dfzGlG\nTblh2G6cQ8KgADAKBggqhkjOPQQDAgM/ADA8Ahw1nlGdEFfnb+2zxdfVeTQYgCTw\nNos0t2rsGc/zAhxS9/paXZtVqR+WzdQVsjSLC/BedbXv1EmW52Uo\n-----END
CERTIFICATE REQUEST-----\n",
"CertificateCollection": {
"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
}
}
Change-Id: I2528c802ff3c6f63570cdb355b9c1195797a0e53
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
|
|
During replace/querying for certificates, if the path specified
does not exist an InternalError is thrown; this is modified
to throw a ResourceNotFound error instead.
Fixes: https://github.com/openbmc/bmcweb/issues/88
Tested:
1) Resource not found error is thrown during replace certificate
2) Resource not found error is thrown during querying for
certificate.
bash-4.2$ curl -k -H "X-Auth-Token: $bmc_token" -X GET
https://${bmc}/redfish/v1/AccountService/LDAP/Certificates/1
{
"error": {
"@Message.ExtendedInfo": [
{
"@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
"Message": "The requested resource of type LDAP Certificate named 1 was
not found.",
"MessageArgs": [
"LDAP Certificate",
"1"
],
"MessageId": "Base.1.4.0.ResourceNotFound",
"Resolution": "Provide a valid resource identifier and resubmit the
request.",
"Severity": "Critical"
}
],
"code": "Base.1.4.0.ResourceNotFound",
"message": "The requested resource of type LDAP Certificate named 1 was not
found."
}
}
bash-4.2$ curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST
https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/
-d @data_https.json
{
"error": {
"@Message.ExtendedInfo": [
{
"@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
"Message": "The requested resource of type HTTPS certificate named 2 was
not found.",
"MessageArgs": [
"HTTPS certificate",
"2"
],
"MessageId": "Base.1.4.0.ResourceNotFound",
"Resolution": "Provide a valid resource identifier and resubmit the
request.",
"Severity": "Critical"
}
],
"code": "Base.1.4.0.ResourceNotFound",
"message": "The requested resource of type HTTPS certificate named 2 was not
found."
}
}
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
Change-Id: I88b90cbca88fd5a23929f7e7e0d4e32948d9713b
|
|
Implements CertificateCollection schema to upload/list
existing LDAP certificates
Implements Certificate schema to view existing LDAP
certificate
Implements ReplaceCertificate action to replace existing
LDAP certificate.
Tested:
1. Tested schema with validator and no issues
2. Privilege map for certificate service is not yet published
3. POST on /redfish/v1/AccountService/LDAP/Certificates
curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -H "Content-Type: application/octet-stream" -X POST -T testcert.pem https://${bmc}/redfish/v1/AccountService/LDAP/Certificates
{
"@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
"@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1",
"@odata.type": "#Certificate.v1_0_0.Certificate",
"CertificateString": "-----BEGIN CERTIFICATE---------END CERTIFICATE-----\n",
"Description": "LDAP Certificate",
"Id": "1",
"Issuer": {
"City": "SomeCity",
"CommonName": "www.company.com",
"Country": "US",
"Organization": "MyCompany",
"State": "VA",
"organizationUnit": "MyDivision"
},
"KeyUsage": [
"KeyAgreement",
"ServerAuthentication"
],
"Name": "LDAP Certificate",
"Subject": {
"City": "SomeCity",
"CommonName": "www.company.com",
"Organization": "MyCompany",
"State": "VA",
"organizationUnit": "MyDivision"
},
"ValidNotAfter": "2029-03-14T02:11:02+00:00",
"ValidNotBefore": "2019-03-17T02:11:02+00:00"
}
4. GET on /redfish/v1/AccountService/LDAP/Certificates/
{
"@odata.context":
"/redfish/v1/$metadata#CertificateCollection.CertificateCollection",
"@odata.id": "/redfish/v1/AccountService/LDAP/Certificates",
"@odata.type": "#CertificateCollection.CertificatesCollection",
"Description": "A Collection of LDAP certificate instances",
"Members": [
{
"@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1"
}
],
"Members@odata.count": 1,
"Name": "LDAP Certificate Collection"
}
5.GET on /redfish/v1/CertificateService/CertificateLocations/
{
"@odata.context":
"/redfish/v1/$metadata#CertificateLocations.CertificateLocations",
"@odata.id": "/redfish/v1/CertificateService/CertificateLocations",
"@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations",
"Description": "Defines a resource that an administrator can use in order to
locate all certificates installed on a given service",
"Id": "CertificateLocations",
"Links": {
"Certificates": [
{
"@odata.id":
"/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
},
{
"@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1"
}
],
"Certificates@odata.count": 2
},
"Name": "Certificate Locations"
}
6.GET on /redfish/v1/AccountService/LDAP/Certificates/1
{
"@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
"@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1",
"@odata.type": "#Certificate.v1_0_0.Certificate",
"CertificateString": "-----BEGINCERTIFICATE-----\n ... -----ENDCERTIFICATE-----\n",
"CertificateType": "PEM",
"Description": "LDAP Certificate",
"Id": "1",
"Issuer": {
"CommonName": "localhost",
"Organization": "openbmc-project.xyz"
},
"KeyUsage": [],
"Name": "LDAP Certificate",
"Subject": {
"CommonName": "localhost"
}
7.Replace certificate
POST on /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/
{
"@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
"@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1",
"@odata.type": "#Certificate.v1_0_0.Certificate",
...
}
8.GET on AccountService
curl -k -H "X-Auth-Token: $bmc_token" -X GET
https://${bmc}/redfish/v1/AccountService
{
"@odata.context": "/redfish/v1/$metadata#AccountService.AccountService",
"@odata.id": "/redfish/v1/AccountService",
"@odata.type": "#AccountService.v1_4_0.AccountService",
"Id": "AccountService",
"LDAP": {
"AccountProviderType": "LDAPService",
"Certificates": {
"@odata.id": "/redfish/v1/AccountService/LDAP/Certificates"
},
Change-Id: I056a4cea8b0377e156b660984857cdfadbfe1b2c
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
|
|
Implements CertificateService schema to list the actions
available.
Implements CertificateLocations schema to list the
certificates present in the system.
Implements CertificateCollection schema to upload/list
existing HTTPS certificates
Implements Certificate schema to view existing HTTPS
certificate
Cater for reloading the SSL context after a certificate
is uploaded.
Fix Certificate signature validation failure.
At present bmcweb uses the certificate from "/home/root/server.pem";
this is modified to "/etc/ssl/certs/https/server.pem" as
phosphor-certificate-manager uses the specified path to
install/replace certificates.
Bmcweb creates a self-signed certificate when a certificate is not
present. Catered for creating the "/etc/ssl/certs/https/" directory
structure so that the self-signed certificate is created in that path.
Implements ReplaceCertificate action of Certificate
Service for replacing existing HTTPS certificates.
Cleanup of the older self-signed certificate at /home/root/server.pem.
1. Tested schema with validator and no issues
2. Privilege map for certificate service is not yet published
2. GET on /redfish/v1/CertificateService/
"CertificateService": {
"@odata.id": "/redfish/v1/CertificateService"
},
3. GET on /redfish/v1/CertificateService/CertificateLocations/
"@odata.context":
"/redfish/v1/$metadata#CertificateLocations.CertificateLocations",
"@odata.id": "/redfish/v1/CertificateService/CertificateLocations",
"@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations",
"Description": "Defines a resource that an administrator can use in order to
locate all certificates installed on a given service",
"Id": "CertificateLocations",
"Name": "Certificate Locations"
4.POST on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates
{
Returns contents of certificate
"@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
"@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1",
"@odata.type": "#Certificate.v1A_0_0.Certificate",
"Id": "1",
"Issuer": {
...
...
}
5.GET on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/
{
"@odata.context":
"/redfish/v1/$metadata#CertificateCollection.CertificateCollection",
"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates",
"@odata.type": "#CertificateCollection.CertificatesCollection",
"Description": "A Collection of HTTPS certificate instances",
"Members": [
{
"@odata.id":
"/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
}
],
"Members@odata.count": 1,
"Name": "HTTPS Certificate Collection"
}
6.GET on /redfish/v1/CertificateService/CertificateLocations/
{
"@odata.context":
"/redfish/v1/$metadata#CertificateLocations.CertificateLocations",
"@odata.id": "/redfish/v1/CertificateService/CertificateLocations",
"@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations",
"Description": "Defines a resource that an administrator can use in order to
locate all certificates installed on a given service",
"Id": "CertificateLocations",
"Links": {
"Certificates": [
{
"@odata.id":
"/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
}
],
"Certificates@odata.count": 1
},
"Name": "Certificate Locations"
}
7.GET on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1
{
"@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1",
"@odata.type": "#Certificate.v1_0_0.Certificate",
"CertificateString":
"-----BEGINCERTIFICATE-----\n....\n-----ENDCERTIFICATE-----\n",
"CertificateType": "PEM",
"Description": "HTTPS Certificate",
"Id": "1",
"Issuer": {
}
8. Verified SSL context is reloaded after a certificate is installed.
9.curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST
https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/
-d @data_https.json
{
"@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1",
"@odata.type": "#Certificate.v1_0_0.Certificate",
"CertificateString": "-----BEGIN CERTIFICATE----END CERTIFICATE-----\n",
"Description": "HTTPS certificate",
"Id": "1",
"Issuer": {
}
4. data_https.json file contents
{
"CertificateString": "<PEM private key and certificate omitted>",
"CertificateType": "PEM",
"CertificateUri":
{
"@odata.id":
"/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
}
}
Change-Id: I2acbf8afa06bbf7d029d4971f7ab3b3988f5f060
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|