|
This commit adds a meson option to allow selecting which dns resolver
bmcweb uses. There are use cases, like Open Compute Project Inband
Management Agent, that would require not using dbus, which would require
us to fall back to the asio resolver. This commit makes the existing
asio resolver constructor, and async_resolve methods match the
equivalents in asio (which we intended to do anyway), then adds a macro
and configure option for being able to select which resolver backend to
rely on.
Tested: Code can now compile without sdbusplus.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I3220214367179f131a60082bdfaf7e725d35c125
|
|
System includes should be included with <>, in-tree includes should be
included with "". This was found manually, with the help of the
following grep statement[1].
git grep -o -h "#include .*" | sort | uniq
Tested:
Code compiles
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I1a6b2a5ba35ccbbb61c67b7c4b036a2d7b3a36a3
|
|
In order to be able to more easily debug bmcweb related issues,
a new meson option is added to set a specific logging level,
which generates the targeted logging traces rather than all of the
debug traces.
The current option -Dbmcweb-logging which can be either
disabled or enabled is changed to allow to set the log level
for the specific level traces (e.g. error or critical traces)
to be written to the journal.
-Dbmcweb-logging=<log-level>
where <log-level> can be disabled, enabled, debug, info,
warning, error, or critical.
- `disabled`: Turns off all bmcweb log traces.
- `enabled` : treated as `debug`
- Other options are described in
[Logging Levels](DEVELOPING.md).
For an example, to enable only 'error', 'critical' log
entries, bmcweb can be built with
-Dbmcweb-logging=error
Testing:
- Verified that only the specific logs (e.g. error and
critical logs) were displayed by compiling bmcweb with the
specific bmcweb-logging level.
Change-Id: I522ca26700ea420fee1a5cf688d3e8c6661f2f55
Signed-off-by: Myung Bae <myungbae@us.ibm.com>
|
|
With Redfish aggregation, responses from satellite BMCs can be on the
order of MBs due to use cases like logging or binary payloads.
Offloading $expand could similarly result in responses that exceed the
current read limit of 128 KB.
Splits the connection pools used for aggregation and EventService so
that the response read limit is 50MB for responses associated with
aggregation. Pools used by EventService keep the current limit of 2^17
bytes or 128 KB. It also propagates a ConnectionPolicy object that gets
instantiated within HttpClient, which allows per-client policies for
retry/byte limits. This allows EventService and aggregation to have
different policies.
Tested:
With aggregation enabled I was able to return a response from a
satellite BMC which was larger than 2MB. Ran the Redfish Mockup Creator and it
was able to successfully query all aggregated resources as part of
walking the tree. Also verified that HTTP push events still work with
EventListener.
Change-Id: I91de6f82aadf8ad6f7bc3f58dfa0d14c0759dd47
Signed-off-by: Carson Labrado <clabrado@google.com>
Signed-off-by: Ed Tanous <edtanous@google.com>
|
|
An Internal Server Error will happen if you delete the login user.
Match the "InterfacesRemoved" signal for monitoring the user status and
delete the session to fix this bug.
Tested:
1. Add a new user such as test
2. Login with the new user in web
3. Delete or rename the user by web and ipmi command
4. Refresh the web and a new login was needed in the web
Signed-off-by: Xie Ning <xiening.xll@bytedance.com>
Change-Id: I2b53edb71d9a4e904c7da54393539f87eeb2d7a3
|
|
Most of these missing includes were found by running clang-tidy on all
files, including headers. The existing scripts just run clang-tidy on
source files, which doesn't catch most of these.
Tested: Code compiles
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Ic741fbb2cc9e5e92955fd5a1b778a482830e80e8
|
|
Although exceptions should not happen in bmcweb, the underlying Crow
code sometimes throws, and so do bugs caused by accidental usage of
functions that throw.
Adding e.what() output when std::exception is thrown.
Tested: Accidentally tested more often than I would care to admit....
Signed-off-by: Josh Lehan <krellan@google.com>
Change-Id: Ifcd30dc53369708b21bf958c627755651422f18a
|
|
Log statement was after the return, so therefore didn't do anything.
cppcheck found.
Tested: No way to test without a bug that causes an uncaught exception.
Code review only.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I5a4ae7d5ac83065040e3c4d9e390b5883fd0f1f9
|
|
Currently, the |systemBus| connection is a static variable declared in
headers. This has a problem that every translation unit will keep its
own copy. It's not a problem today because there's only one translation
unit "webserver_main.cpp.o". This issue was brought up in
https://gerrit.openbmc.org/c/openbmc/bmcweb/+/54758
Actually, the |systemBus| doesn't need to be a singleton. It can just be
a stack variable, which is normally more efficient than heap variables.
To keep changes treeside to a minimum, this commit keeps the existing
|systemBus| variable as an external variable. It is defined in its own
translation unit. It is initialized in the main translation unit.
Reference:
1. Extern
https://stackoverflow.com/questions/1433204/how-do-i-use-extern-to-share-variables-between-source-files
Tested:
1. Romulus QEMU robot Redfish test passed;
2. Start and restart service on real hardware, no issues;
3. No new validator failures
4. Code compiles
Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I03b387bd5f218a86c9d1765415a46e3c2ad83ff9
|
|
We very intentionally don't do this "only include header if option is
enabled" thing to make sure that compile issues are seen across all
builds.
Tested: Code compiles. Header changes only.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I749aed62ed6cd73690f3d89d75df65bec77562c2
|
|
Make /redfish/v1 get instantiated in the same place as the other redfish
routes, and not in main().
Tested:
curl -vvvv --insecure --user root:0penBmc https://192.168.7.2/redfish
returns the same value as previously.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Icb93954c00a4cf41708f1b323ddbd83e61146e5d
|
|
Adds a RedfishAggregator class which is able to pull configuration
information from D-Bus for Satellite BMCs. These BMCs will be
aggregated by Redfish Aggregation. Also added is a new compiler
option which will be used to enable Redfish Aggregation.
This patch only allows configurations with unencrypted and
unauthenticated satellite BMC communication. Support for encryption
and authentication will need to be added in future patches.
Note that this patch does not actually use the config information
after it has been fetched. That functionality will be added in
future patches.
Tested:
I made this example config information available on D-Bus
busctl introspect xyz.openbmc_project.EntityManager \
/xyz/openbmc_project/inventory/system/board/SatelliteBMC/aggregated0 \
xyz.openbmc_project.Configuration.SatelliteController
NAME TYPE SIGNATURE RESULT/VALUE FLAGS
.AuthType property s "None" emits-change
.Hostname property s "127.0.0.1" emits-change
.Name property s "aggregated0" emits-change
.Port property t 443 emits-change
.Type property s "SatelliteController" emits-change
That information was picked up by the changes in this CL:
[DEBUG "redfish_aggregator.hpp":80] Found Satellite Controller at /xyz/openbmc_project/inventory/system/board/SatelliteBMC/aggregated0
[DEBUG "redfish_aggregator.hpp":209] Added satellite config aggregated0 at http://127.0.0.1:443
[DEBUG "redfish_aggregator.hpp":52] Redfish Aggregation enabled with 1 satellite BMCs
[DEBUG "redfish_aggregator.hpp":21] There were 1 satellite configs found at startup
Signed-off-by: Carson Labrado <clabrado@google.com>
Change-Id: Ib5eee2c93aeb209157191055975c127759d73627
|
|
clang correctly notes that this should be static, as it's not used
outside the compile unit.
Tested: code compiles with clang.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I7c540fe74b9fce1f3e498fb75089a143c7af4581
|
|
These checks ensure that we're not implicitly converting ints or
pointers into bools, which makes the code easier to read.
Tested:
Ran series through redfish service validator. No changes observed.
UUID failing in Qemu both before and after.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I1ca0be980d136bd4e5474341f4fd62f2f6bbdbae
|
|
clang-13 includes new checks, and finds some issues. The first is that
the boost::vector constructor can possibly throw, so replace the
underlying flat_map container with std::vector instead.
The others are places where we could possibly throw in destructors,
which would be bad. Ideally we wouldn't use the destructor pattern, but
that would be non-trivial to clean up at this point, so just catch the
exception, and log it. At the same time, catch exceptions thrown to
main and log them.
Tested: Code compiles
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I77b86eaa2fc79e43d1ca044c78ca3b0ce0a7c38c
|
|
This commit introduces the following
=> Service root for Google
=> compiler option for the Google Root of Trust specific functionalities
Tested:
curl -vvvv --insecure --user $user_pass https://${bmc}/google/v1
Design Doc can be found here https://github.com/openbmc/docs/blob/master/designs/oem/google/root_of_trust.md
Change-Id: I941b5cab55179279d0eff18aa29df62c3f226e47
Signed-off-by: Feras Aldahlawi <faldahlawi@gmail.com>
|
|
Add return 0 for int main()
Signed-off-by: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com>
Change-Id: Ifa3216ae1b4cd0eb422679149ace6a1b59dbf85e
|
|
As part of rearranging include files, it was found that a couple files
don't include what they use. bmcweb_config.h.in uses size_t, which
isn't in cstdint, and a couple files use variables out of
bmcweb_config.h, which it didn't include.
Tested:
Code compiles; No functional changes.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I6d8f3617d10a30a1f0209e492841e9d3adc9c3f3
|
|
The bmcweb crash issue seen when there is eventservice
config with subscriptions in persistent file.
During EventService instantiation, it uses the "get_io_context()"
from systemBus, so it should be called after systemBus init. So
moved systemBus initialization to early stage of main process to
avoid ordering issue.
Tested:
- bmcweb crash issue resolved.
Signed-off-by: AppaRao Puli <apparao.puli@linux.intel.com>
Change-Id: Iab52f0e89478e306af475066fb5691153a05677d
|
|
The requestRoutes somehow got put into the crow namespace, despite
everything else being put into redfish. This commit makes the
namespacing consistent, which is a good thing overall for complexity.
Tested:
curl -vvvv --insecure --user root:0penBmc https://192.168.7.2/redfish/v1
returns 200
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I954e1a34893b1b5918eeee25d201c938ef4b55b6
|
|
Added instantiation of EventServiceManager Object to
initialize Event Service Config and register the subscriptions
from the config.
During BMC boot, there would be many redfish events logged
due to which, once bmcweb service is up, the EventServiceManager
object is instantiated by getInstance method called from
inotify. But, on bmcweb service restart, the getInstance
method is not called until a redfish event is logged, or
until a GET/POST/PATCH/DELETE etc. call is made to
/redfish/v1/EventService route, due to which none of the
Subscriptions would be functional.
Hence this commit.
Tested:
- Subscribed Events were successfully received on restart
of bmcweb Service as well as on reboot of bmc
- Redfish validator passed
Signed-off-by: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com>
Change-Id: I50b6fd21a262e7b73fbf9f2ac94c1ffdacef4800
|
|
Fixes #178
Every few months, this option breaks because of some combination of
compiler options. I'm hoping that this is a more permanent fix, and
will keep it working forever.
Functionally, this commit changes a couple things.
1. It fixes the regression that snuck into this option, by making the
req variable optional using the c++17 [[maybe_unused]] syntax.
2. It promotes the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION into the
config.h file, and a constexpr variable rather than a #define. This has
the benefit that both the code paths in question will be compiled
regardless of whether or not they're used, thus ensuring they stay
buildable forever. The optimization path will still delete the code
later, but we won't have so many one-off build options breaking. We
should move all the other feature driven #ifdefs to this pattern in the
future.
3. As a mechanical change to #2, this adds a config.h.in, which declares
the various variables as their respective constexpr types. This allows
the constants to be used in a cleaner way.
As an aside, at some point, DISABLE_XSS_PREVENTION should really move to
a non-persistent runtime option rather than a compile time option. Too
many people get hung up on having to recompile their BMC, and moving it
to runtime under admin credentials is no more of a security risk.
As another aside, we should move all the other #ifdef style options to
this pattern. It seems like it would help with keeping all options
buildable, and is definitely more modern than #ifdefs for features,
especially if they don't require #include changes or linker changes.
Tested:
enabled meson option insecure-disable-xss, and verified code builds and
works again.
Change-Id: Id03faa17cffdbabaf4e5b0d46b24bb58b7f44669
Signed-off-by: Ed Tanous <edtanous@google.com>
|
|
- Add a hostname listener that will create a self-signed HTTPS
certificate with the appropriate subject when the BMC gets its
hostname assigned via IPMI. The "insecure-disable-ssl" must be
disabled for this feature to take effect.
Note:
- New self-signed certificate subject: C=US, O=OpenBMC, CN=${hostname}
- If the same hostname is assigned, it will not be triggered
- Only the self-signed certificate with Netscape Comment of
"Generated from OpenBMC service" will be replaced
Details about certificate key usage:
- NID_basic_constraints
The CA boolean indicates whether the certified public key may be
used to verify certificate signatures.
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.9
- NID_subject_alt_name
Although the use of the Common Name is existing practice, it is
deprecated and Certification Authorities are encouraged to use the
dNSName instead.
Refer to: https://tools.ietf.org/html/rfc2818#section-3.1
- NID_subject_key_identifier
The subject key identifier extension provides a means of
identifying certificates that contain a particular public key.
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.2
- NID_authority_key_identifier
The authority key identifier extension provides a means of
identifying the public key corresponding to the private key used
to sign a certificate.
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.1
- NID_key_usage
- NID_ext_key_usage
id-kp-serverAuth
-- TLS WWW server authentication
-- Key usage bits that may be consistent: digitalSignature,
-- keyEncipherment or keyAgreement
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Tested:
- To test and verify the service is functionally working correctly,
we can use `openssl` and `ipmitool` to execute the following
commands:
- Assign BMC hostname
ipmitool -H $IP -I lanplus -U root -P 0penBmc -C 17 dcmi set_mc_id_string $hostname
- Get BMC server certificate information
echo quit | openssl s_client -showcerts -servername $IP -connect $IP:443
Signed-off-by: Alan Kuo <Alan_Kuo@quantatw.com>
Change-Id: I24aeb4d2fb46ff5f0cc1c6aa65984f46b0e1d3e2
|
|
cppcheck isn't smart enough to recognize these are c++ headers, not c
headers. Considering we're already inconsistent about our naming, it's
easier to just be consistent, and move the last few files to use .hpp
instead of .h.
Tested:
Code builds, no changes.
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: Ic348d695f8527fa4a0ded53f433e1558c319db40
|
|
Tested:
No functional changes.
Change-Id: I10144229b07959de4d8a5d5a471caff8a2b87e6f
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
Lots of missing inline definitions, a case where a RVO move is not
guaranteed when returning a variant, and removing the header checks,
which means that these types of build errors won't happen in the future.
Tested:
Should be no impact, but could someone from the IBM team grab these
changes and sanity check them?
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: Iea0a06b8e744542a7d08e38217718e7a969f2827
|
|
This commit enables the "unused variables" warning in clang. Throughout
this, it did point out several issues that would've been functional
bugs, so I think it was worthwhile. It also cleaned up several unused
variable from old constructs that no longer exist.
Tested:
Built with clang. Code no longer emits warnings.
Downloaded bmcweb to system and pulled up the webui, observed webui
loads and logs in properly.
Change-Id: I51505f4222cc147d6f2b87b14d7e2ac4a74cafa8
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
This commit enables clang warnings, and fixes all warnings that were
found. Most of these fall into a couple categories:
Variable shadow issues were fixed by renaming variables
unused parameter warnings were resolved by either checking error codes
that had been ignored, or removing the name of the variable from the
scope.
Other various warnings were fixed in the best way I was able to come up
with.
Note, the redfish Node class is especially insidious, as it causes all
implementers to have variables for parameters, regardless of whether or
not they are used. Deprecating the Node class is on my list of things
to do, as it adds extra overhead, and in general isn't a useful
abstraction. For now, I have simply fixed all the handlers.
Tested:
Added the current meta-clang meta layer into bblayers.conf, and added
TOOLCHAIN_pn-bmcweb = "clang" to my local.conf
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: Ia75b94010359170159c703e535d1c1af182fe700
|
|
Middlewares, while kinda cool from an academic standpoint, make our
build times even worse than they already are. Given that we only really
use 1 real middleware today (token auth) and it needs to move into the
parser mode anyway (for security limiting buffer sizes), we might as well
use this as an opportunity to delete some code.
Some other things that happen:
1. Persistent data now moves out of the crow namespace
2. App is no longer a template
3. All request_routes implementations no longer become templates. This
should be a decent (unmeasured) win on compile times.
This commit was part of a commit previously called "various cleanups".
This separates ONLY the middleware deletion part of that.
Note, this also deletes about 400 lines of hard to understand code.
Change-Id: I4c19e25491a153a2aa2e4ef46fc797bcb5b3581a
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
Currently we parse the whole message before authenticating,
allowing an attacker the ability to upload a large image,
or keep a connection open for the max amount of time easier
than it should be. This moves the authentication to the
earliest point possible, and restricts unauthenticated users
timeouts and max upload sizes. It also makes it so that
unauthenticated users cannot keep the connection alive
forever by refusing to close the connection.
Tested:
- login/logout
- firmware update
- large POST when unauthenticated
- timeouts when unauthenticated
- slowhttptest
Change-Id: Ifa02d8db04eac1821e8950eb85e71634a9e6d265
Signed-off-by: James Feist <james.feist@linux.intel.com>
|
|
This reverts commit 29d2a95ba12f8b5abed040df7fd59790d6ba2517.
Enable EventService back by fixing issue with
not having '/var/log/redfish' file.
Fix is at: https://gerrit.openbmc-project.xyz/#/c/openbmc/bmcweb/+/33639/
Tested:
- Along with above mentioned change, removed
'/var/log/redfish' file and restarted bmcweb. It works.
Change-Id: Ia908bbdf5b9a643afee212a526074f62372208dc
Signed-off-by: AppaRao Puli <apparao.puli@linux.intel.com>
|
|
This is from openbmc/docs/style/cpp/.clang-format
Other OpenBMC repos are doing the same.
Tested: Built and validator passed.
Change-Id: Ief26c755c9ce012823e16a506342b0547a53517a
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
|
|
This reverts commit e9a14131650d30389eaf9dc38a3c32f1cb552f52.
Reason for revert: if /var/log/redfish does not exist this
causes bmcweb to crash on start
Fixes #126
Change-Id: If6ba4717a32d4cd72aa92a9bc9c696d5813b5cac
Signed-off-by: James Feist <james.feist@linux.intel.com>
|
|
This commit does the following
=> makes the lock class singleton.
=> during session timeout erase the locks associated
with the session.
=> Erase the locks when the session is explicitly deleted
on a user request.
We need to find a different way of calculating session timeout
currently session timeout gets calculated when the
request comes to BMC.
TODO: We need some module which keeps looking at the sessions
at a certain time interval and erases a session if it has
timed out. It is useful in the case where there are resources
which get freed after session timeout.
It may happen that a client gets the session, obtains certain resources
on that session and never sends any request; in that case session timeout
will never occur for that session.
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: Ic9962f761fc84a03747a90bd951ea36eb8962455
|
|
Add event logs support
- Event log monitor by adding inotify on redfish log file.
- Read event logs from "/var/log/redfish" file.
- Filter the event logs using configured settings.
- Format the event log data as per Events schema.
- Send event log information to subscribed client.
Tested:
- Added new event log subscription with filters
and verified the event logs on event listener.
- Ran redfish validator successfully.
- Disabled BMCWEB_ENABLE_REDFISH_DBUS_LOG_ENTRIES
and build successful.
Event on listener looks as below:
{
"@odata.type":"#Event.v1_4_0.Event",
"Events":[
{
"Context":"CustomText",
"EventId":"94787",
"EventTimestamp":"1970-01-02T02:19:47+00:00",
"EventType":"Event",
"Message":"Memory ThermTrip asserted: .",
"MessageArgs":[
""
],
"MessageId":"OpenBMC.0.1.MemoryThermTrip",
"Severity":"Critical"
}
],
"Id":"3",
"Name":"Event Log"
}
Change-Id: Ie87322ff59f9f7caa26fb18d2e3b8d7af77ec540
Signed-off-by: AppaRao Puli <apparao.puli@linux.intel.com>
|
|
This commit introduces the following
=> Service root implementation
=> compiler option for the IBM management console specific functionalities
TestedBy:
curl -k -H "X-Auth-Token: $bmc_token" -X GET https://${bmc}/ibm/v1
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I2dcb8eee0b69b1723e0cc3d980a5846b3519e7d9
|
|
Modified the code to make an asynchronous call to GetUserInfo to get
the user role for authorization.
For local users, DBus matches are used to store user role map hot in
memory. Hence, bmcweb has to know whether a user is a local user or
LDAP user to get the role. To avoid this, removed the existing DBus
matches and modified the code to call GetUserInfo to get the role of
local users as well as LDAP users.
Tested:
- Created a local user having admin privilege and verified that he is
able to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Created a local user having user privilege and verified that he is
unauthorized to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Created a remote user having admin privilege and verified that he is
able to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Created a remote user having user privilege and verified that he is
unauthorized to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Tested Redfish ConfigureSelf privilege
Signed-off-by: RAJESWARAN THILLAIGOVINDAN <rajeswgo@in.ibm.com>
Change-Id: Ic3e46a0c0aff2cf456c98048350e58e302011c57
|
|
This reverts commit 5e931ae994307babe6c3520cbaca6a7139acc81d.
Reason for revert: Causing build failures
/bmcweb/redfish-core/include/node.hpp: In member function ‘bool redfish::Node::isAllowedWithoutConfigureSelf(const crow::Request&)’:
/bmcweb/redfish-core/include/node.hpp:182:36: error: ‘crow::persistent_data::UserRoleMap’ has not been declared
crow::persistent_data::UserRoleMap::getInstance().getUserRole(
When 900f949773795141266271107219ea019f2839cd was merged first
this patch was not successfully rebased.
Change-Id: I947d96362c7dadea5572888468a11fac5ee361d4
Signed-off-by: James Feist <james.feist@linux.intel.com>
|
|
Modified the code to make an asynchronous call to GetUserInfo to get
the user role for authorization.
For local users, DBus matches are used to store user role map hot in
memory. Hence, bmcweb has to know whether a user is a local user or
LDAP user to get the role. To avoid this, removed the existing DBus
matches and modified the code to call GetUserInfo to get the role of
local users as well as LDAP users.
Tested:
- Created a local user having admin privilege and verified that he is
able to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Created a local user having user privilege and verified that he is
unauthorized to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Created a remote user having admin privilege and verified that he is
able to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Created a remote user having user privilege and verified that he is
unauthorized to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
Signed-off-by: RAJESWARAN THILLAIGOVINDAN <rajeswgo@in.ibm.com>
Change-Id: Ifd813e1af4dfcb7aeaba18e04b6c9767d2a5e95a
|
|
Nbd-proxy is responsible for exposing websocket endpoint in bmcweb.
It matches WS endpoints with unix socket paths using configuration
exposed on D-Bus by Virtual-Media.
Virtual-Media is then notified about unix socket availability through
mount/unmount D-Bus methods.
Currently, this feature is disabled by default.
Tested: Integrated with initial version of Virtual-Media.
Change-Id: I9c572e9841b16785727e5676fea1bb63b0311c63
Signed-off-by: Iwona Klimaszewska <iwona.klimaszewska@intel.com>
Signed-off-by: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski@intel.com>
|
|
Recently, a number of people in the community have made the (admittedly
easy) mistake that we use a significant portion of crow.
Today, we use crow for the router, and the "app" structure, and even
those have been significantly modified to meet the bmc needs. All other
components have been replaced with Boost beast. This commit removes the
crow mentions from the Readme, and moves the crow folder to "http" to
camouflage it a little. No code content has changed.
Tested:
Code compiles. No functional change made to any executable code.
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: Iceb57b26306cc8bdcfc77f3874246338864fd118
|
|
using the list of warnings from here:
https://github.com/lefticus/cppbestpractices/blob/e73393f25a85f83fed7399d8b65cb117d00b2231/02-Use_the_Tools_Available.md#L100
Seems like a good place to start, and would improve things a bit
type-wise. This patchset attempts to correct all the issues in one
shot.
Tested:
It builds. Will test various subsystems that have been touched
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: I588c26440e5a97f718a0f0ea74cc84107d53aa1e
|
|
This commit fetches the user privilege during creation of the
session by making D-bus call and add the privilege in the
user session object.
Change-Id: I0e9da8a52df00fc753b13101066ce6d0be9e2ce3
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
|
|
Implements CertificateService schema to list the actions
available.
Implements CertificateLocations schema to list the
certificates present in the system.
Implements CertificateCollection schema to upload/list
existing HTTPS certificates
Implements Certificate schema to view existing HTTPS
certificate
Cater for reloading the SSL context after a certificate
is uploaded.
Fix Certificate signature validation failure
At present bmcweb uses the certificate from "/home/root/server.pem"
the same is modified to "/etc/ssl/certs/https/server.pem" as
phosphor-certificate-manager uses the specified path to
install/replace certificates.
Bmcweb creates a self-signed certificate when certificate is not
present. Catered for creating "/etc/ssl/certs/https/" directory
structure so that the self-signed certificate is created in the path.
Implements ReplaceCertificate action of Certificate
Service for replacing existing HTTPS certificates
Cleanup of older self-signed certificate at /home/root/server.pem
1. Tested schema with validator and no issues
2. Privilege map for certificate service is not yet published
2. GET on /redfish/v1/CertificateService/
"CertificateService": {
"@odata.id": "/redfish/v1/CertificateService"
},
3. GET on /redfish/v1/CertificateService/CertificateLocations/
"@odata.context":
"/redfish/v1/$metadata#CertificateLocations.CertificateLocations",
"@odata.id": "/redfish/v1/CertificateService/CertificateLocations",
"@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations",
"Description": "Defines a resource that an administrator can use in order to
locate all certificates installed on a given service",
"Id": "CertificateLocations",
"Name": "Certificate Locations"
4. POST on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates
{
Returns contents of certificate
"@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
"@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1",
"@odata.type": "#Certificate.v1A_0_0.Certificate",
"Id": "1",
"Issuer": {
...
...
}
5. GET on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/
{
"@odata.context":
"/redfish/v1/$metadata#CertificateCollection.CertificateCollection",
"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates",
"@odata.type": "#CertificateCollection.CertificatesCollection",
"Description": "A Collection of HTTPS certificate instances",
"Members": [
{
"@odata.id":
"/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
}
],
"Members@odata.count": 1,
"Name": "HTTPS Certificate Collection"
}
6. GET on /redfish/v1/CertificateService/CertificateLocations/
{
"@odata.context":
"/redfish/v1/$metadata#CertificateLocations.CertificateLocations",
"@odata.id": "/redfish/v1/CertificateService/CertificateLocations",
"@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations",
"Description": "Defines a resource that an administrator can use in order to
locate all certificates installed on a given service",
"Id": "CertificateLocations",
"Links": {
"Certificates": [
{
"@odata.id":
"/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
}
],
"Certificates@odata.count": 1
},
"Name": "Certificate Locations"
}
7. GET on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1
{
"@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1",
"@odata.type": "#Certificate.v1_0_0.Certificate",
"CertificateString":
"-----BEGINCERTIFICATE-----\n....\n-----ENDCERTIFICATE-----\n",
"CertificateType": "PEM",
"Description": "HTTPS Certificate",
"Id": "1",
"Issuer": {
}
8. Verified SSL context is reloaded after a certificate is installed.
9. curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/ -d @data_https.json
{
"@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1",
"@odata.type": "#Certificate.v1_0_0.Certificate",
"CertificateString": "-----BEGIN CERTIFICATE----END CERTIFICATE-----\n",
"Description": "HTTPS certificate",
"Id": "1",
"Issuer": {
}
4. data_https.json file contents
{
"CertificateString": "-----BEGIN PRIVATE
KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDClW1COSab2O0W\nW0SgTzLxQ1Igl4EpbEmTK8CAQ+wI7loTDZ7sZwYdf6yc9TAs/yNKjlJljgedGszv\nbC7sPNpH4FA63kaM6TbBBKTRshwZ3myXiBOOkOBs6w6V7+c7uEPcMFge6/4W1VXD\nReMi016cnPWZsmQyGzpmPM49YNEDZBfdKZ/pLuCYc9L9t706U7FrUSGfM7swB+mC\n8NH9qMixMuWAV9SBvzUWI6p4OCmN8a/F+4lOdbPMVEUqQ0hCBCjGM4qmiy/5Ng6y\n6rKeJlUdmOSTk8ojrNGcOXKh0nRafNEQFkIuoPHt8k5B/Yw2CX6s2BoGwvF+hS03\n+z3qVSw3AgMBAAECggEBAKpe92kybRGr3/rhMrdCYRJJpZEP1nGUdN89QbGMxxAS\n0h84n9vRYNNXRKWxMNtVEWtoLdDpiNUP8Dv59yO1LFIen2DL2e3rDJv4Gu/YCS7F\nR0NuS+FaDIaRURYLFeV+MzyJv75jVvhbFlqByJxngcGS1KAcSApvOLTnrJSlPpy9\n8ec5gnDhdOUND9PaQt8xCqMs1RPpjqvrgRzMEodZoqT5v+b0K1GmsAdbSHNP2mLM\nrqtpFDefiM1YfsTHUtxQykxG2Ipd2jzJ0a8O0qmVqdXcP9J9aqLcmD/2/r96GEV6\n/5qvIBj3SRFobxCiCwfys2XOXfjz2J+BUZzGoZvKeRECgYEA518hT6mn46LhwrTI\nW+Qpi7iTJgOfeLC+Ng855VHVQFED1P3T2lfyfGDyqKI/wV1DJIJmO8iOXerSPnhi\nb7reQkyHj6ERUtuE+6BQ9oTw2QD3EEvzOK2PEH5UipbhVTDnC3fT62Vz2yb3tR8D\n2h0XVJkj/dng9p1Td5aDGMriRRMCgYEA10vTyYqBPjDIEYw/Sc9aQk2kT6x3hrRQ\ngR4xyuI31RTCRD/KpLh/7z4s11Wkr+F9CyASeLbqu6zymlLOlS5p7IUkJ/x2X027\nJWVY1SR+oF3iF3SHiP4XkOVvWOKwIVUhgTjK1+Di6i3AlwIeAOS7VCCP6W0gbnwJ\nyyAAHZ30NM0CgYAqTur4dj2NEqvVvtkkdIRkWEwQF3mByE//8qjTljM4n5fjysaC\nlrJwrAmzbHfcFAHDG1U2eWYPJnFrmvflFnauCPCBAyL308xtdtNXQNgJ1nNXN4wy\nQQp4KaGr9gseWOLm5fKKiPK2kFmbdSBvMgKiJZ6/PKg2cG5i39L5JaBaoQKBgApw\nqOJ7Du1fHDSNonwHzA6vCSq76Efl8olwV2XJNn/ks87vcPov4DRPxYjjpErLGm8x\nrPOhmxxitJj7Lv1Y9NX9VtWBjpPshwi3M2mSjXllVBNjGTdxat8h4RZkV7omEKvd\nfyicxSQp987a0W2lqdfYhGIDYrE43pi1AoxtHmx5AoGBAJSoRy62oZbW6vjfdkuf\nvVnjNfFZwuiPV/X2NT+BhNPe5ZKFtC6gGedHLaIBBD3ItRhGuHZxgWXccPjGHofi\n6DlPdp2NePJgDT2maSjGSiAcHxyXdmW+Ev27NblvAxktoTUcVqSENrKFb+Fh4FXN\nlXiJzOEwAXiP2ZFbMRyNF/MI\n-----END
PRIVATE KEY-----\n-----BEGIN
CERTIFICATE-----\nMIIDNzCCAh+gAwIBAgIJAI1Wr/fK5F0GMA0GCSqGSIb3DQEBCwUAMDIxHDAaBgNV\nBAoME29wZW5ibWMtcHJvamVjdC54eXoxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0x\nOTAyMDExMzIyMDhaFw0yOTAxMjkxMzIyMDhaMDIxHDAaBgNVBAoME29wZW5ibWMt\ncHJvamVjdC54eXoxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\nBQADggEPADCCAQoCggEBAMKVbUI5JpvY7RZbRKBPMvFDUiCXgSlsSZMrwIBD7Aju\nWhMNnuxnBh1/rJz1MCz/I0qOUmWOB50azO9sLuw82kfgUDreRozpNsEEpNGyHBne\nbJeIE46Q4GzrDpXv5zu4Q9wwWB7r/hbVVcNF4yLTXpyc9ZmyZDIbOmY8zj1g0QNk\nF90pn+ku4Jhz0v23vTpTsWtRIZ8zuzAH6YLw0f2oyLEy5YBX1IG/NRYjqng4KY3x\nr8X7iU51s8xURSpDSEIEKMYziqaLL/k2DrLqsp4mVR2Y5JOTyiOs0Zw5cqHSdFp8\n0RAWQi6g8e3yTkH9jDYJfqzYGgbC8X6FLTf7PepVLDcCAwEAAaNQME4wHQYDVR0O\nBBYEFDDohRZ1+QlC3WdIkOAdBHXVyW/SMB8GA1UdIwQYMBaAFDDohRZ1+QlC3WdI\nkOAdBHXVyW/SMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFN0DWy6\nYPXHzidWMKKyQiJ5diqUv6LbujKOHUk+/LGSoCqcUp8NvmFDKWYP9MxjOAi9TVbs\nRGlIHBl38oSwKUayXBTY/vVeSLls90giUAOjswoRbBBQZvKyfEuFpc1zUsrhGLDC\n/6DuRt9l0DWcMcmP6Yh3jePIIwTr3bpxBGrwNLly8fPf16q4bWRIAcI3ZgLOhsrN\nLfD2kf56oYViM44d54Wa0qjuCfeTnJ46x/lo6w2kB9IzF7lwpipMU7+AG8ijDdaQ\nn8t0nADpv6tNNargLcOTTfJ0/P2PaKxwA1B88NhjlymBnNbz4epIn4T3KyysgS62\nzwqs66LPWoDerzc=\n-----END
CERTIFICATE-----",
"CertificateType": "PEM",
"CertificateUri":
{
"@odata.id":
"/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
}
}
Change-Id: I2acbf8afa06bbf7d029d4971f7ab3b3988f5f060
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
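The ReplaceCertificate request exercised in the test log above takes one PEM string holding an unencrypted private key followed by the certificate, a CertificateType of "PEM", and the CertificateUri of the resource being replaced. The following script is an added example, not bmcweb's own code, that assembles that body from a PEM bundle, sanity-checks the bundle offline before anything is sent, and posts it with the same X-Auth-Token header the curl command uses. The hostname, token and file path are placeholders; the PEM checks are this script's own, not a rule taken from bmcweb; and the sample bundle is constructed from minimal DER SEQUENCEs so the checks run without a real key pair.

```python
"""Build, check and send a Redfish CertificateService.ReplaceCertificate body.

Added example, not bmcweb's own code. Assumed/placeholder: BMC host, session
token, file paths. The PEM structure checks are this script's own.
"""
import base64
import json
import re
import ssl
import urllib.request

HTTPS_CERT_URI = "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
REPLACE_ACTION = "/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate"

# A PEM block whose BEGIN and END labels agree; body limited to base64 text.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----"
)


def parse_pem_blocks(pem):
    """Return (label, DER bytes) for each well-formed block in the bundle.

    Blocks with mismatched BEGIN/END labels are skipped by the regex; a body
    that is not valid base64, or does not decode to a DER SEQUENCE (0x30),
    raises ValueError so a mangled paste is caught before the POST.
    """
    blocks = []
    for m in _PEM_BLOCK.finditer(pem):
        body = "".join(m.group("body").split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError(f"{m.group('label')}: body is not base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"{m.group('label')}: not a DER SEQUENCE")
        blocks.append((m.group("label"), der))
    return blocks


def build_replace_payload(pem_bundle, cert_uri=HTTPS_CERT_URI):
    """Build the JSON body shown as data_https.json above.

    Requires exactly one unencrypted 'PRIVATE KEY' block (PKCS#8, as in the
    test data) and at least one 'CERTIFICATE' block; this is the script's own
    precondition, mirroring the shape of the logged request.
    """
    labels = [label for label, _ in parse_pem_blocks(pem_bundle)]
    if labels.count("PRIVATE KEY") != 1:
        raise ValueError("bundle needs exactly one unencrypted 'PRIVATE KEY' block")
    if "CERTIFICATE" not in labels:
        raise ValueError("bundle needs at least one 'CERTIFICATE' block")
    return {
        "CertificateString": pem_bundle,
        "CertificateType": "PEM",
        "CertificateUri": {"@odata.id": cert_uri},
    }


def replace_certificate(bmc, token, payload, ca_file=None):
    """POST the payload with X-Auth-Token, as the curl command above does.

    Unlike curl -k, TLS verification stays on; pass ca_file to trust the CA
    that issued the BMC's current certificate. Returns the decoded resource.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        f"https://{bmc}{REPLACE_ACTION}",
        data=json.dumps(payload).encode(),
        headers={"X-Auth-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def check_response(resp, cert_uri=HTTPS_CERT_URI):
    """True if the returned resource is the certificate at the expected URI."""
    return (
        resp.get("@odata.id") == cert_uri
        and "-----BEGIN CERTIFICATE-----" in resp.get("CertificateString", "")
    )


# Constructed sample: minimal DER SEQUENCEs stand in for a real key and
# certificate so the checks run offline. This is not a usable key pair.
_FAKE_DER = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x01])).decode()
SAMPLE_BUNDLE = (
    f"-----BEGIN PRIVATE KEY-----\n{_FAKE_DER}\n-----END PRIVATE KEY-----\n"
    f"-----BEGIN CERTIFICATE-----\n{_FAKE_DER}\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Placeholder host/token; with real values this sends the request.
    body = build_replace_payload(SAMPLE_BUNDLE)
    print(json.dumps(body, indent=2))
    # result = replace_certificate("bmc.example", "session-token", body, ca_file="bmc-ca.pem")
    # print(check_response(result))
```

Assembling the body from files instead of the sample is a matter of reading the key and certificate PEM and concatenating them in that order; the private key is sent to the BMC in clear within the TLS session, so verifying the BMC's current certificate (rather than `-k`) is what keeps it from being handed to an interposer.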
|
|
On receiving a websocket request on endpoint /vm/0/0,
connect to the nbd-proxy app and send/receive stdio.
Tested: Verified that the host could see the virtual
media usb device, mounted it manually and checked
the contents of the iso file used for the test were
there. To test, used the html and js script:
https://github.com/openbmc/jsnbd/tree/master/web
and an Ubuntu iso image file.
Verified that it worked after closing the websocket
(using the stop function from the html file), to
check that the processes were cleaned up and freed
up for a subsequent request.
Change-Id: I0b070310b070c086d67d0ae3e2c165551d6b87cc
Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>
|
|
This patchset implements a KVM websocket proxy designed to interoperate
with phosphor-webui and KVM. In short, IP address 127.0.0.1:5900 is
proxied to the websocket. This allows someone to connect from a browser
session.
Requires patchset here for the phosphor-webui side:
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-webui/+/10268/
and requires the kvm patches here:
https://gerrit.openbmc-project.xyz/#/c/openbmc/meta-phosphor/+/13536/
Tested By:
Launched webui, observed KVM. Moved mouse, and typed on keyboard,
changes appeared on host system.
Change-Id: I407488f4b16be208b188a0abc19954a0243af173
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
|
boost::asio::io_service is removed in lieu of io_context, which is a
closer match to the networking TS. Move us to that implementation.
This was an automated move using the following command:
git grep -l 'io_service' | xargs sed -i 's/io_service/io_context/g'
Change-Id: I46605521c01f79f86f6901ddf69ddc8c4bc24103
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
|
In a lot of cases, the header include patterns were really bad. For
example, pulling in all of boost asio via boost/asio.hpp, rather than
pulling in the lesser equivalents. This should reduce the build times,
although I have no data on that at the moment.
Tested By:
Code still compiles
Change-Id: I0f4656d35cf6d7722d1b515baaccbfc27cf98961
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
|
This change moves the bmcweb build flags out of settings.hpp
and into the CMakeLists.txt file as target_compile_definitions().
This makes it so it is no longer required to #include settings.hpp
to use build flags in the source.
Tested: Enabled and disabled some Redfish flags and confirmed that
the desired components were added and removed.
Change-Id: Ibeedb4fc8f3dcc286c73843823693a04c55c0615
Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
|
|
A merge conflict caused the SOL websocket code to get removed from
master. This resolves the merge conflict, and reenables SOL in bmcweb.
Tested By: Launched SOL console in phosphor-webui, and observed
appropriate behavior.
Change-Id: I88116fdfb488b6c41aa859e4904b38e918111d04
|