Age | Commit message (Collapse) | Author | Files | Lines |
|
This commit enables separate compilation for asio and beast. Details on
how this option works are here:
https://www.boost.org/doc/libs/1_77_0/doc/html/boost_asio/using.html
This allows separating out the build of the boost components from the
rest of the components, which should decrease our intermediate build
times in the future as we start breaking things up better.
Tested:
Code builds.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I1614bb4ccddebcf1d4858112a25a870378497ecc
|
|
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I93925bf34b4fec181a56d6524cbe9c6182a16b1f
|
|
Update to the latest version of boost::uri
The newest version of boost uri makes some breaking changes that we need
to account for. At the same time, we take the opportunity to move to
the error code based parse methods that don't rely on exceptions.
The biggest changes are:
The standalone build is no longer present. A discussion with the
boost::url maintainers shows that our best option is to do a simple
copy of the headers, and compile boost/url/src.hpp in a separate file.
This is intended to allow people to pull the library in "standalone" and
not have to rely on the build machinery in boost-url, which we don't
really need. Interestingly, this file doesn't have a newline at the
end, which clang correctly flags. OpenBMC doesn't really need that
warning, as we rely on clang-format to do that, so we add
-Wno-newline-eof clang to get the code to compile there.
All url parsers are moved to the parse_uri, or parse_relative_uri
equivalents. This slightly tightens the requirements around what URLs
are accepted, but in no ways that should break anything. (Ie,
"/redfish/v1" is no longer accepted for a virtual media endpoint.
boost::urls::url_view::params_type has been renamed to
query_params_type, and the relevant methods have been updated.
Because of the missing standalone mode, we now need to use
boost::string_view which doesn't implicitly construct from
std::string_view. Some discussion on the boost list shows that this is
coming soon, so that cruft can eventually be cleaned up, but for now we
need the construction.
Tested:
Loaded in qemu, and ran some URLs (/redfish/v1 and /redfish/v1/Chassis)
to ensure that the url handler functions as intended.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I5843776d4ec01b4d92af2ee3a9cf1ebb1d920ae7
|
|
`catch` should always be done by reference to avoid object slicing and
excess copy-constructor calls. Preference is for exceptions to also
be caught 'const'. (Both of these come from the C++ Core Guidelines)
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I7753abbef218a87ceecbd068245c14f413fadabc
|
|
This commit introduces the following
=> Service root for Google
=> compiler option for the Google Root of Trust specific functionalities
Tested:
curl -vvvv --insecure --user $user_pass https://${bmc}/google/v1
Desing Doc can be found here https://github.com/openbmc/docs/blob/master/designs/oem/google/root_of_trust.md
Change-Id: I941b5cab55179279d0eff18aa29df62c3f226e47
Signed-off-by: Feras Aldahlawi <faldahlawi@gmail.com>
|
|
Add return 0 for int main()
Signed-off-by: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com>
Change-Id: Ifa3216ae1b4cd0eb422679149ace6a1b59dbf85e
|
|
As part of rearranging include files, it was found that a couple files
don't include what they use. bmcweb_config.h.in uses size_t, which
isn't in cstdint, and a couple files use variables out of
bmcweb_config.h, which it didn't include.
Tested:
Code compiles; No functional changes.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I6d8f3617d10a30a1f0209e492841e9d3adc9c3f3
|
|
The bmcweb crash issue seen when there is eventservice
config with subscriptions in persistent file.
During EventService instantiation, it uses the "get_io_context()"
from systemBus, so it should be called after systemBus init. So
moved systemBus initialization to early stage of main process to
avoid ordering issue.
Tested:
- bmcweb crash issue resolved.
Signed-off-by: AppaRao Puli <apparao.puli@linux.intel.com>
Change-Id: Iab52f0e89478e306af475066fb5691153a05677d
|
|
The requestRoutes somehow got put into the crow namespace, despite
everything else being put into redfish. This commit makes the
namespacing consistent, which is a good thing overall for complexity.
Tested:
curl -vvvv --insecure --user root:0penBmc https://192.168.7.2/redfish/v1
returns 200
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I954e1a34893b1b5918eeee25d201c938ef4b55b6
|
|
Added instantiation of EventServiceManager Object to
initialize Event Service Config and register the subscriptions
from the config.
During BMC boot, there would be many redfish events logged
due to which, once bmcweb service is up, the EventServiceManager
object is instantiated by getInstance method called from
inotify. But, on bmcweb service restart, the getInstance
method is not called untill a redfish event is logged, or
untill a GET/POST/PATCH/DELETE etc. call is made to
/redfish/v1/EventService route, due to which none of the
Subscriptions would be functional.
Hence this commit.
Tested:
- Subscribed Events were successfully received on restart
of bmcweb Service as well as on reboot of bmc
- Redfish validator passed
Signed-off-by: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com>
Change-Id: I50b6fd21a262e7b73fbf9f2ac94c1ffdacef4800
|
|
Fixes #178
Every few months, this option breaks because of some combination of
compiler options. I'm hoping that this is a more permenant fix, and
will keep it working forever.
Functionally, this commit changes a couple things.
1. It fixes the regression that snuck into this option, by making the
req variable optional using the c++17 [[maybe_unused]] syntax.
2. It promotes the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION into the
config.h file, and a constexpr variable rather than a #define. This has
the benefit that both the code paths in question will compiled
regardless of whether or not they're used, thus ensuring they stay
buildable forever. The optimization path will still delete the code
later, but we won't have so many one-off build options breaking. We
should move all the other feature driven #ifdefs to this pattern in the
future.
3. As a mechnaical change to #2, this adds a config.h.in, which delcares
the various variables as their respective constexpr types. This allows
the constants to be used in a cleaner way.
As an aside, at some point, DISABLE_XSS_PREVENTION should really move to
a non-persistent runtime option rather than a compile time option. Too
many people get hung up on having to recompile their BMC, and moving it
to runtime under admin credentials is no more a security risk.
As another aside, we should move all the other #ifdef style options to
this pattern. It seems like it would help with keeping all options
buildable, and is definitely more modern than #ifdefs for features,
especially if they don't require #include changes or linker changes.
Tested:
enabled meson option insecure-disable-xss, and verified code builds and
works again.
Change-Id: Id03faa17cffdbabaf4e5b0d46b24bb58b7f44669
Signed-off-by: Ed Tanous <edtanous@google.com>
|
|
Remove some ancient files that are no longer used or required.
1. JenkinsFile: Was used when this was a project that only existed on my
desktop, and I used a private Jenkins instance to test it. Today,
bmcweb uses the openbmc CI, which doesn't require this file.
2. scripts/run_clang_tiidy.py. This script is now part of the clang
builds themselves, so it should be used from there.
3. src/ast*.cpp and src/test_resources. These were left from when
bmcweb handled the ast video driver itself, and had unit tests to prove
it worked. The code to run the unit tests has been long removed, we
just forgot to remove the tests.
4. static/highlight.pack.js. This was previously used for json parsing
in the HTML UI. It is no longer used as of commit
57fce80e24cfe08e530e0697d6c70bba14076d1c and should've been removed as
part of it, but unfortunately was not.
Tested:
None of the above were used previously, so should have no measurable
impact to the build.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I757b0dc8e4dc6cc93ba60d39218016e2f4d47ed0
|
|
- Add a hostname listener that will create a self-signed HTTPS
certificate with the appropriate subject when the BMC gets its
hostname assigned via IPMI. The "insecure-disable-ssl" must be
disabled for this feature to take effect.
Note:
- New self-signed certificate subject: C=US, O=OpenBMC, CN=${hostname}
- If the same hostname is assigned, it will not be triggered
- Only the self-signed certificate with Netscape Comment of
"Generated from OpenBMC service" will be replaced
Details about certificate key usage:
- NID_basic_constraints
The CA boolean indicates whether the certified public key may be
used to verify certificate signatures.
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.9
- NID_subject_alt_name
Although the use of the Common Name is existing practice, it is
deprecated and Certification Authorities are encouraged to use the
dNSName instead.
Refer to: https://tools.ietf.org/html/rfc2818#section-3.1
- NID_subject_key_identifier
The subject key identifier extension provides a means of
identifying certificates that contain a particular public key.
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.2
- NID_authority_key_identifier
The authority key identifier extension provides a means of
identifying the public key corresponding to the private key used
to sign a certificate.
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.1
- NID_key_usage
- NID_ext_key_usage
id-kp-serverAuth
-- TLS WWW server authentication
-- Key usage bits that may be consistent: digitalSignature,
-- keyEncipherment or keyAgreement
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Tested:
- To test and verify the service is functionally working correctly,
we can use `openssl` and `ipmitool` to execute the following
commands:
- Assign BMC hostname
ipmitool -H $IP -I lanplus -U root -P 0penBmc -C 17 dcmi
set_mc_id_string $hostname
- Get BMC server certificate infomation
echo quit | openssl s_client -showcerts -servername $IP -connect
$IP:443
Signed-off-by: Alan Kuo <Alan_Kuo@quantatw.com>
Change-Id: I24aeb4d2fb46ff5f0cc1c6aa65984f46b0e1d3e2
|
|
cppcheck isn't smart enough to recognize these are c++ headers, not c
headers. Considering we're already inconsistent about our naming, it's
easier to just be consistent, and move the last few files to use .hpp
instead of .h.
Tested:
Code builds, no changes.
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: Ic348d695f8527fa4a0ded53f433e1558c319db40
|
|
Lots of the utils functions have been superceeded or replaced by std::
implementations, or are no longer needed because of the removal of
middlewares.
Tested:
Ran on a bmc with this implemented. Pulled down the webui, and
observed no issues. Code compiles and passes clang-tidy cert checks.
Change-Id: If29bb5f4ba9979912aeb2a8fa4cbd9f4e4f32006
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
Tested:
No functional changes.
Change-Id: I10144229b07959de4d8a5d5a471caff8a2b87e6f
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
- It looks like there were certain experiments done related
to memory santinizer builds in the past, but right now in
the current state of bmcweb , msan_test.cpp can be removed
as it is not doing any worthy job in CI and eats up time.
- CI for meson repos already runs an address sanitizer apart
from normal build, and that can be extended for memory as
well without needing any changes in the repo incase we need
it.
[The value of b_sanitize can be one of: none, address, thread,
undefined, memory, address,undefined]
Signed-off-by: Manojkiran Eda <manojkiran.eda@gmail.com>
Change-Id: I3fd473ec6e5764b59fc437b390374a372a29efa1
|
|
- This commit enables the support for meson build system for
bmcweb and also remove the cmake support
- The inital thought of migrating to meson build system was based
on [link](https://mesonbuild.com/Simple-comparison.html)
- Other things to praise about meson are its simplicity and userfriendly ness.
It also have native support for modern tools such as precompiled headers,
coverage, Valgrind , unity builds e.t.c
- This commit also support the automatic download and setup of dependencies
if they are not found in usual places using meson wraps that are already
available in [wrap db](https://wrapdb.mesonbuild.com/)
- For few dependencies like boost, boost-url which does not have meson
wrap support yet, i have misused the meson subproject command to download
boost & boot-url and build against them if they are not found in usual
places.
- For boost & boost-url the subproject command will always fail as meson
supports other meson projects as subprojects but it will always download
the source, and since we dont actually build boost/boost-url but just use
the the source headers this should not be a problem.
- Cmake options removed:
- BUILD_STATIC_LIBS has been removed as it is not being used any where as per the
review comments.
- By default the meson wraps are enabled and it downloads the dependencies if they
are not found, and via bitbake this behaviour is disabled by default as download
fallback feature is disabled.
- This commit also adds the README, changes for bmcweb as well.
- The meta-* layer changes are also pushed and marked as WIP under bmcweb_meson_port
topic.
Tested By :
===========
1. Compilation is passed without error or warning in both arm & x86 sdks that
are populated by yocto.
2. The unittests are also passed on both x86 & arm machines.
3. Compilation passed with various build types supported by meson (debug,debugoptimized,
relase)
4. modified the meta-phosphor & meta-ibm to leverage meson build for bmcweb, and loaded
the resulted image on qemu & real machine, checked the bmcweb status and was also able
to pull the web-gui on both.
5. Tested few common commands related to session service & network service manually on a
real machine and also also had run a CT regression bucket, and it looked clean.
The binary sizes when bmcweb is compiled via bitbake(using meta-ibm) are :
cmake: 3100080 bytes approx (3 MB)
meson: 2822596 bytes approx (2.7 MB)
1:1 equivalent hash is not possible due to couple of things:
1. The build types in meson does not have a 1:1 mapping with cmake build types.
2. Meson adds below mentioned compiler & linker flags than cmake as a part of
warning_level & build types
CXXFLAGS :' -O2 -pipe -g -feliminate-unused-debug-types -fdiagnostics-color=always
-D_FILE_OFFSET_BITS=64 -Winvalid-pch -DNDEBUG'
LDFLAGS : ' -Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -Wl,--no-undefined,-Wl,--end-group'
Tried to match the compile commands in both cmake & meson as much as possible and this
is what i could get.I have attached the compile_commands.json for both duing an yocto
full build in the [link](https://gofile.io/d/gM80fw) for reference.
Signed-off-by: Manojkiran Eda <manojkiran.eda@gmail.com>
Change-Id: Ia65689fdacb8c398dd0a019258369b2442fad2f3
|
|
Lots of missing inline definitions, a case where a RVO move is not
guaranteed when returning a variant, and removing the header checks,
which means that these types of build errors wont happen in the future.
Tested:
Should be no impact, but could someone from the IBM team grab these
changes and sanity check them?
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: Iea0a06b8e744542a7d08e38217718e7a969f2827
|
|
Index the decode array with an unsigned char rather than a signed int
(which could accees outside the bounds of decodingData, leading to
undefined behavior).
Add unit tests for basic decoding functionality.
Remove duplicate unused base64 functions.
Tested: ran webtest and observed that previously failing
Base64DecodeNonAscii now passes. Also tested basic auth:
$ curl -vku root:0penBmc https://<ip>/redfish/v1/Managers/bmc
...
< HTTP/1.1 200 OK
...
Change-Id: I9f9e32650b1796f9fc0b2b25d482dffa35fac72d
Signed-off-by: Jonathan Doman <jonathan.doman@intel.com>
|
|
This commit enables the "unused variables" warning in clang. Throughout
this, it did point out several issues that would've been functional
bugs, so I think it was worthwhile. It also cleaned up several unused
variable from old constructs that no longer exist.
Tested:
Built with clang. Code no longer emits warnings.
Downloaded bmcweb to system and pulled up the webui, observed webui
loads and logs in properly.
Change-Id: I51505f4222cc147d6f2b87b14d7e2ac4a74cafa8
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
This commit enables clang warnings, and fixes all warnings that were
found. Most of these fall into a couple categories:
Variable shadow issues were fixed by renaming variables
unused parameter warnings were resolved by either checking error codes
that had been ignored, or removing the name of the variable from the
scope.
Other various warnings were fixed in the best way I was able to come up
with.
Note, the redfish Node class is especially insidious, as it causes all
imlementers to have variables for parameters, regardless of whether or
not they are used. Deprecating the Node class is on my list of things
to do, as it adds extra overhead, and in general isn't a useful
abstraction. For now, I have simply fixed all the handlers.
Tested:
Added the current meta-clang meta layer into bblayers.conf, and added
TOOLCHAIN_pn-bmcweb = "clang" to my local.conf
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: Ia75b94010359170159c703e535d1c1af182fe700
|
|
Middlewares, while kinda cool from an academic standpoint, make our
build times even worse than they already are. Given that we only really
use 1 real middleware today (token auth) and it needs to move into the
parser mode anyway (for security limiting buffer sizes), we might as well
use this as an opportunity to delete some code.
Some other things that happen:
1. Persistent data now moves out of the crow namespace
2. App is no longer a template
3. All request_routes implementations no longer become templates. This
should be a decent (unmeasured) win on compile times.
This commit was part of a commit previously called "various cleanups".
This separates ONLY the middleware deletion part of that.
Note, this also deletes about 400 lines of hard to understand code.
Change-Id: I4c19e25491a153a2aa2e4ef46fc797bcb5b3581a
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
While a cool example of how to do string matching in constexpr space,
the set of verbs available to HTTP has been fixed for a very long time.
This was ported over to beast a while back, but we kept the API for....
mediocre reasons of backward compatibility. Remove that, and delete the
now unused code.
Tested: Built and loaded on a Witherspoon. Validator passes.
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: Iaf048e196f9b6e71983189877203bf80390df286
Signed-off-by: James Feist <james.feist@linux.intel.com>
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
|
|
Currently we parse the whole message before authenticating,
allowing an attacker the ability to upload a large image,
or keep a connection open for the max amount of time easier
than it should be. This moves the authentication to the
earliest point possible, and restricts unauthenticated users
timeouts and max upload sizes. It also makes it so that
unauthenticated users cannot keep the connection alive
forever by refusing to close the connection.
Tested:
- login/logout
- firmware update
- large POST when unauthenticated
- timeouts when unauthenticated
- slowhttptest
Change-Id: Ifa02d8db04eac1821e8950eb85e71634a9e6d265
Signed-off-by: James Feist <james.feist@linux.intel.com>
|
|
These spelling errors were found using
https://github.com/codespell-project/codespell
Tested: Built and ran against validator.
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
Change-Id: I214fe102550295578cfdf0fc58305897d261ce55
|
|
This reverts commit 29d2a95ba12f8b5abed040df7fd59790d6ba2517.
Enable EventService back by fixing issue with
not having '/var/log/redfish' file.
Fix is at: https://gerrit.openbmc-project.xyz/#/c/openbmc/bmcweb/+/33639/
Tested:
- Along with above mentioned change, removed
'/var/log/redfish' file and restarted bmcweb. It works.
Change-Id: Ia908bbdf5b9a643afee212a526074f62372208dc
Signed-off-by: AppaRao Puli <apparao.puli@linux.intel.com>
|
|
This is from openbmc/docs/style/cpp/.clang-format
Other OpenBMC repos are doing the same.
Tested: Built and validator passed.
Change-Id: Ief26c755c9ce012823e16a506342b0547a53517a
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
|
|
This reverts commit e9a14131650d30389eaf9dc38a3c32f1cb552f52.
Reason for revert: if /var/log/redfish does not exist this
causes bmcweb to crash on start
Fixes #126
Change-Id: If6ba4717a32d4cd72aa92a9bc9c696d5813b5cac
Signed-off-by: James Feist <james.feist@linux.intel.com>
|
|
This commit does the following
=> makes the lock class singleton.
=> during session timeout erase the locks associated
with the session.
=> Erase the locks when the session is explicitly deleted
on a user request.
We need to find a different way of calculating session timeout
currently session timeout gets calculated when the
request comes to BMC.
TODO: We need some module which keeps looking at the sessions
in certain time interval and earse the session if it is
timeout, It is useful in the case where there is resources
which gets free after session timeout.
It may happen that client gets the session, obtain cerain resources
on that session and never sends any request, in that case session timeout
will never occur for that session.
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: Ic9962f761fc84a03747a90bd951ea36eb8962455
|
|
Add event logs support
- Event log monitor by adding inotify on redfish log file.
- Read event logs from "/var/log/redfish" file.
- Filter the event logs using configured settings.
- Format the event log data as per Events schema.
- Send event log information to subcribed client.
Tested:
- Added new event log subscription with filters
and verified the event logs on event listener.
- Ran redfish validater successfully.
- Disabled BMCWEB_ENABLE_REDFISH_DBUS_LOG_ENTRIES
and build successful.
Event on listener looks as below:
{
"@odata.type":"#Event.v1_4_0.Event",
"Events":[
{
"Context":"CustomText",
"EventId":"94787",
"EventTimestamp":"1970-01-02T02:19:47+00:00",
"EventType":"Event",
"Message":"Memory ThermTrip asserted: .",
"MessageArgs":[
""
],
"MessageId":"OpenBMC.0.1.MemoryThermTrip",
"Severity":"Critical"
}
],
"Id":"3",
"Name":"Event Log"
}
Change-Id: Ie87322ff59f9f7caa26fb18d2e3b8d7af77ec540
Signed-off-by: AppaRao Puli <apparao.puli@linux.intel.com>
|
|
This commit introduces the following
=> Service root implementation
=> compiler option for the IBM management console specific functionalities
TestedBy:
curl -k -H "X-Auth-Token: $bmc_token" -X GET https://${bmc}/ibm/v1
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I2dcb8eee0b69b1723e0cc3d980a5846b3519e7d9
|
|
Aparently the static analysers have gotten smarter, as has my
understanding of operator[] on std::array. Fix the character array to
not use c style arrays.
Tested:
Should have no impact. Will test using webui to verify that sessions
are still generated properly.
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: Iaa6cbac7594dfb0c83383ff62fc591dd1d786547
|
|
Modified the code to make an asynchronous call to GetUserInfo to get
the user role for authorization.
For local users, DBus matches are used to store user role map hot in
memory. Hence, bmcweb has to know whether a user is a local user or
LDAP user to get the role. To avoid this, removed the existing DBus
matches and modified the code to call GetUserInfo to get the role of
local users as well as LDAP users.
Tested:
- Created a local user having admin privilege and verified that he is
able to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Created a local user having user privilege and verified that he is
unauthorized to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Created a remote user having admin privilege and verified that he is
able to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Created a remote user having user privilege and verified that he is
unauthorized to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Tested Redfish ConfigureSelf privilege
Signed-off-by: RAJESWARAN THILLAIGOVINDAN <rajeswgo@in.ibm.com>
Change-Id: Ic3e46a0c0aff2cf456c98048350e58e302011c57
|
|
This reverts commit 5e931ae994307babe6c3520cbaca6a7139acc81d.
Reason for revert: Causing build failures
/bmcweb/redfish-core/include/node.hpp: In member function ‘bool redfish::Node::isAllowedWithoutConfigureSelf(const crow::Request&)’:
/bmcweb/redfish-core/include/node.hpp:182:36: error: ‘crow::persistent_data::UserRoleMap’ has not been declared
crow::persistent_data::UserRoleMap::getInstance().getUserRole(
When 900f949773795141266271107219ea019f2839cd was merged first
this patch was not successfully rebased.
Change-Id: I947d96362c7dadea5572888468a11fac5ee361d4
Signed-off-by: James Feist <james.feist@linux.intel.com>
|
|
Modified the code to make an asynchronous call to GetUserInfo to get
the user role for authorization.
For local users, DBus matches are used to store user role map hot in
memory. Hence, bmcweb has to know whether a user is a local user or
LDAP user to get the role. To avoid this, removed the existing DBus
matches and modified the code to call GetUserInfo to get the role of
local users as well as LDAP users.
Tested:
- Created a local user having admin privilege and verified that he is
able to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Created a local user having user privilege and verified that he is
unauthorized to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Created a remote user having admin privilege and verified that he is
able to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Created a remote user having user privilege and verified that he is
unauthorized to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
Signed-off-by: RAJESWARAN THILLAIGOVINDAN <rajeswgo@in.ibm.com>
Change-Id: Ifd813e1af4dfcb7aeaba18e04b6c9767d2a5e95a
|
|
Nbd-proxy is responsible for exposing websocket endpoint in bmcweb.
It matches WS endpoints with unix socket paths using configuration
exposed on D-Bus by Virtual-Media.
Virtual-Media is then notified about unix socket availability through
mount/unmount D-Bus methods.
Currently, this feature is disabled by default.
Tested: Integrated with initial version of Virtual-Media.
Change-Id: I9c572e9841b16785727e5676fea1bb63b0311c63
Signed-off-by: Iwona Klimaszewska <iwona.klimaszewska@intel.com>
Signed-off-by: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski@intel.com>
|
|
Recently, a number of people in the community have made the (admittedly
easy) mistake that we use a significant portion of crow.
Today, we use crow for the router, and the "app" structure, and even
those have been significantly modified to meet the bmc needs. All other
components have been replaced with Boost beast. This commit removes the
crow mentions from the Readme, and moves the crow folder to "http" to
camouflage it a little. No code content has changed.
Tested:
Code compiles. No functional change made to any executable code.
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: Iceb57b26306cc8bdcfc77f3874246338864fd118
|
|
using the list of warnings from here:
https://github.com/lefticus/cppbestpractices/blob/e73393f25a85f83fed7399d8b65cb117d00b2231/02-Use_the_Tools_Available.md#L100
Seems like a good place to start, and would improve things a bit
type-wise. This patchset attempts to correct all the issues in one
shot.
Tested:
It builds. Will test various subsystems that have been touched
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: I588c26440e5a97f718a0f0ea74cc84107d53aa1e
|
|
This commit fetches the user privilege during creation of the
session by making D-bus call and add the privilege in the
user session object.
Change-Id: I0e9da8a52df00fc753b13101066ce6d0be9e2ce3
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
|
|
Implements CertificateService schema to list the actions
available.
Implements CertificateLocations schema to list the
certificates present in the system.
Implements CertificateCollection schema to upload/list
existing HTTPS certificates
Implements Certificate schema to view existing HTTPS
certificate
Cater for reloading the SSL context after a certificate
is uploaded.
Fix Certificate signature validation failure
At present bmcweb uses the certificate from "/home/root/server.pem"
the same is modified to "/etc/ssl/certs/https/server.pem" as
phosphor-certificate-manager uses the specified path to
install/replace certificates.
Bmcweb creates a self-signed certificate when certificate is not
present. Catered for creating "/etc/ssl/certs/https/" direcotry
structure so that self signed certificate is created in the path.
Implements ReplaceCertificate action of Certificate
Service for replacing existing HTTPS certificates
Cleanup of older self-signed certificate at /home/root/server.pem
1. Tested schema with validator and no issues
2. Privilege map for certificate service is not yet pubished
2. GET on /redfish/v1/CertificateService/
"CertificateService": {
"@odata.id": "/redfish/v1/CertificateService"
},
3. GET on /redfish/v1/CertificateService/CertificateLocations/
"@odata.context":
"/redfish/v1/$metadata#CertificateLocations.CertificateLocations",
"@odata.id": "/redfish/v1/CertificateService/CertificateLocations",
"@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations",
"Description": "Defines a resource that an administrator can use in order to
locate all certificates installed on a given service",
"Id": "CertificateLocations",
"Name": "Certificate Locations"
4.POST on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates
{
Returns contents of certificate
"@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
"@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1",
"@odata.type": "#Certificate.v1A_0_0.Certificate",
"Id": "1",
"Issuer": {
...
...
}
5.GET on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/
{
"@odata.context":
"/redfish/v1/$metadata#CertificateCollection.CertificateCollection",
"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates",
"@odata.type": "#CertificateCollection.CertificatesCollection",
"Description": "A Collection of HTTPS certificate instances",
"Members": [
{
"@odata.id":
"/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
}
],
"Members@odata.count": 1,
"Name": "HTTPS Certificate Collection"
}
6.GET on /redfish/v1/CertificateService/CertificateLocations/
{
"@odata.context":
"/redfish/v1/$metadata#CertificateLocations.CertificateLocations",
"@odata.id": "/redfish/v1/CertificateService/CertificateLocations",
"@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations",
"Description": "Defines a resource that an administrator can use in order to
locate all certificates installed on a given service",
"Id": "CertificateLocations",
"Links": {
"Certificates": [
{
"@odata.id":
"/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
}
],
"Certificates@odata.count": 1
},
"Name": "Certificate Locations"
}
7.GET on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1
{
"@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1",
"@odata.type": "#Certificate.v1_0_0.Certificate",
"CertificateString":
"-----BEGINCERTIFICATE-----\n....\n-----ENDCERTIFICATE-----\n",
"CertificateType": "PEM",
"Description": "HTTPS Certificate",
"Id": "1",
"Issuer": {
}
8. Verified SSL context is reloaded after a certificate is installed.
9.curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST
https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/
-d @data_https.json
{
"@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1",
"@odata.type": "#Certificate.v1_0_0.Certificate",
"CertificateString": "-----BEGIN CERTIFICATE----END CERTIFICATE-----\n",
"Description": "HTTPS certificate",
"Id": "1",
"Issuer": {
}
4. data_https.json file contents
{
"CertificateString": "-----BEGIN PRIVATE
KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDClW1COSab2O0W\nW0SgTzLxQ1Igl4EpbEmTK8CAQ+wI7loTDZ7sZwYdf6yc9TAs/yNKjlJljgedGszv\nbC7sPNpH4FA63kaM6TbBBKTRshwZ3myXiBOOkOBs6w6V7+c7uEPcMFge6/4W1VXD\nReMi016cnPWZsmQyGzpmPM49YNEDZBfdKZ/pLuCYc9L9t706U7FrUSGfM7swB+mC\n8NH9qMixMuWAV9SBvzUWI6p4OCmN8a/F+4lOdbPMVEUqQ0hCBCjGM4qmiy/5Ng6y\n6rKeJlUdmOSTk8ojrNGcOXKh0nRafNEQFkIuoPHt8k5B/Yw2CX6s2BoGwvF+hS03\n+z3qVSw3AgMBAAECggEBAKpe92kybRGr3/rhMrdCYRJJpZEP1nGUdN89QbGMxxAS\n0h84n9vRYNNXRKWxMNtVEWtoLdDpiNUP8Dv59yO1LFIen2DL2e3rDJv4Gu/YCS7F\nR0NuS+FaDIaRURYLFeV+MzyJv75jVvhbFlqByJxngcGS1KAcSApvOLTnrJSlPpy9\n8ec5gnDhdOUND9PaQt8xCqMs1RPpjqvrgRzMEodZoqT5v+b0K1GmsAdbSHNP2mLM\nrqtpFDefiM1YfsTHUtxQykxG2Ipd2jzJ0a8O0qmVqdXcP9J9aqLcmD/2/r96GEV6\n/5qvIBj3SRFobxCiCwfys2XOXfjz2J+BUZzGoZvKeRECgYEA518hT6mn46LhwrTI\nW+Qpi7iTJgOfeLC+Ng855VHVQFED1P3T2lfyfGDyqKI/wV1DJIJmO8iOXerSPnhi\nb7reQkyHj6ERUtuE+6BQ9oTw2QD3EEvzOK2PEH5UipbhVTDnC3fT62Vz2yb3tR8D\n2h0XVJkj/dng9p1Td5aDGMriRRMCgYEA10vTyYqBPjDIEYw/Sc9aQk2kT6x3hrRQ\ngR4xyuI31RTCRD/KpLh/7z4s11Wkr+F9CyASeLbqu6zymlLOlS5p7IUkJ/x2X027\nJWVY1SR+oF3iF3SHiP4XkOVvWOKwIVUhgTjK1+Di6i3AlwIeAOS7VCCP6W0gbnwJ\nyyAAHZ30NM0CgYAqTur4dj2NEqvVvtkkdIRkWEwQF3mByE//8qjTljM4n5fjysaC\nlrJwrAmzbHfcFAHDG1U2eWYPJnFrmvflFnauCPCBAyL308xtdtNXQNgJ1nNXN4wy\nQQp4KaGr9gseWOLm5fKKiPK2kFmbdSBvMgKiJZ6/PKg2cG5i39L5JaBaoQKBgApw\nqOJ7Du1fHDSNonwHzA6vCSq76Efl8olwV2XJNn/ks87vcPov4DRPxYjjpErLGm8x\nrPOhmxxitJj7Lv1Y9NX9VtWBjpPshwi3M2mSjXllVBNjGTdxat8h4RZkV7omEKvd\nfyicxSQp987a0W2lqdfYhGIDYrE43pi1AoxtHmx5AoGBAJSoRy62oZbW6vjfdkuf\nvVnjNfFZwuiPV/X2NT+BhNPe5ZKFtC6gGedHLaIBBD3ItRhGuHZxgWXccPjGHofi\n6DlPdp2NePJgDT2maSjGSiAcHxyXdmW+Ev27NblvAxktoTUcVqSENrKFb+Fh4FXN\nlXiJzOEwAXiP2ZFbMRyNF/MI\n-----END
PRIVATE KEY-----\n-----BEGIN
CERTIFICATE-----\nMIIDNzCCAh+gAwIBAgIJAI1Wr/fK5F0GMA0GCSqGSIb3DQEBCwUAMDIxHDAaBgNV\nBAoME29wZW5ibWMtcHJvamVjdC54eXoxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0x\nOTAyMDExMzIyMDhaFw0yOTAxMjkxMzIyMDhaMDIxHDAaBgNVBAoME29wZW5ibWMt\ncHJvamVjdC54eXoxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\nBQADggEPADCCAQoCggEBAMKVbUI5JpvY7RZbRKBPMvFDUiCXgSlsSZMrwIBD7Aju\nWhMNnuxnBh1/rJz1MCz/I0qOUmWOB50azO9sLuw82kfgUDreRozpNsEEpNGyHBne\nbJeIE46Q4GzrDpXv5zu4Q9wwWB7r/hbVVcNF4yLTXpyc9ZmyZDIbOmY8zj1g0QNk\nF90pn+ku4Jhz0v23vTpTsWtRIZ8zuzAH6YLw0f2oyLEy5YBX1IG/NRYjqng4KY3x\nr8X7iU51s8xURSpDSEIEKMYziqaLL/k2DrLqsp4mVR2Y5JOTyiOs0Zw5cqHSdFp8\n0RAWQi6g8e3yTkH9jDYJfqzYGgbC8X6FLTf7PepVLDcCAwEAAaNQME4wHQYDVR0O\nBBYEFDDohRZ1+QlC3WdIkOAdBHXVyW/SMB8GA1UdIwQYMBaAFDDohRZ1+QlC3WdI\nkOAdBHXVyW/SMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFN0DWy6\nYPXHzidWMKKyQiJ5diqUv6LbujKOHUk+/LGSoCqcUp8NvmFDKWYP9MxjOAi9TVbs\nRGlIHBl38oSwKUayXBTY/vVeSLls90giUAOjswoRbBBQZvKyfEuFpc1zUsrhGLDC\n/6DuRt9l0DWcMcmP6Yh3jePIIwTr3bpxBGrwNLly8fPf16q4bWRIAcI3ZgLOhsrN\nLfD2kf56oYViM44d54Wa0qjuCfeTnJ46x/lo6w2kB9IzF7lwpipMU7+AG8ijDdaQ\nn8t0nADpv6tNNargLcOTTfJ0/P2PaKxwA1B88NhjlymBnNbz4epIn4T3KyysgS62\nzwqs66LPWoDerzc=\n-----END
CERTIFICATE-----",
"CertificateType": "PEM",
"CertificateUri":
{
"@odata.id":
"/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
}
}
Change-Id: I2acbf8afa06bbf7d029d4971f7ab3b3988f5f060
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
|
On receiving a websocket request on endpoint /vm/0/0,
connect to the nbd-proxy app and send/receive stdio.
Tested: Verified that the host could see the virtual
media usb device, mounted it manually and checked
the contents of the iso file used for the test were
there. To test, used the html and js script:
https://github.com/openbmc/jsnbd/tree/master/web
and an Ubuntu iso image file.
Verified that it worked after closing the websocket
(using the stop function from the html file), to
check that the processes were cleaned up and freed
up for a subsequent request.
Change-Id: I0b070310b070c086d67d0ae3e2c165551d6b87cc
Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>
|
|
This patchset implements a KVM websocket proxy designed to interoperate
with phosphor-webui and KVM. in short, IP address 127.0.0.1:5900 is
proxied to the websocket. This allows someone to connect from a browser
session.
Requires patchset here for the phosphor-webui side:
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-webui/+/10268/
and requires the kvm patches here:
https://gerrit.openbmc-project.xyz/#/c/openbmc/meta-phosphor/+/13536/
Tested By:
Launched webui, observed KVM. Moved mouse, and typed on keyboard,
changes appeared on host system.
Change-Id: I407488f4b16be208b188a0abc19954a0243af173
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
|
boost::asio::io_service is removed in leiu of io_context, which is a
closer match to the networking TS. Move us to that implementatio.
This was an automated move using the following command:
git grep -l 'io_service' | xargs sed -i 's/io_service/io_context/g'
Change-Id: I46605521c01f79f86f6901ddf69ddc8c4bc24103
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
|
In a lot of cases, the header include patterns were really bad. For
example, pulling in all of boost asio via boost/asio.hpp, rather than
pulling in the lesser equivalents. This should reduce the build times,
although I have no data on that at the moment.
Tested By:
Code still compiles
Change-Id: I0f4656d35cf6d7722d1b515baaccbfc27cf98961
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
|
This change moves the bmcweb build flags out of settings.hpp
and into the CMakeLists.txt file as target_compile_definitions().
This makes it so it is no longer required to #include settings.hpp
to use build flags in the source.
Tested: Enabled and disabled some Redfish flags and confirmed that
the desired components were added and removed.
Change-Id: Ibeedb4fc8f3dcc286c73843823693a04c55c0615
Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
|
|
Clean up missing fclose calls.
[src/getvideo_main.cpp:77]: (error) Resource leak: fp
[src/ast_video_puller_test.cpp:56]: (error) Resource leak: fp
Change-Id: I4d460e861a6275bfa6c02a319894d3154aec8ee7
Signed-off-by: Patrick Venture <venture@google.com>
|
|
A merge conflict caused the SOL websocket code to get removed from
master. This resolves the merge conflict, and reenables SOL in bmcweb.
Tested By: Launched SOL console in phosphor-webui, and observed
appropriate behavior.
Change-Id: I88116fdfb488b6c41aa859e4904b38e918111d04
|
|
This commit moves the codebase to the lastest clang-format file from
upstream, as well as clang-format-6.0.
Change-Id: Ice8313468097c0c42317fbb9e10ddf036e8cff4c
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
|
Changing this config option to better represent what it
does, which is to host the static files from /usr/share/www/
Change-Id: Iaf785666f59f937567b6d0319c884c8ed29d2844
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
|