<feed xmlns='http://www.w3.org/2005/Atom'>
<title>bmcweb/include, branch master</title>
<subtitle>OpenBMC Web server</subtitle>
<id>https://git.raptorcs.com/git/bmcweb/atom?h=master</id>
<link rel='self' href='https://git.raptorcs.com/git/bmcweb/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/bmcweb/'/>
<updated>2020-02-03T17:14:45+00:00</updated>
<entry>
<title>Remove IBM specific variable name</title>
<updated>2020-02-03T17:14:45+00:00</updated>
<author>
<name>Ed Tanous</name>
<email>ed.tanous@intel.com</email>
</author>
<published>2019-10-23T20:30:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/bmcweb/commit/?id=c7a29d366c958bd20509ba88d17c4fb3cb38d7ef'/>
<id>urn:sha1:c7a29d366c958bd20509ba88d17c4fb3cb38d7ef</id>
<content type='text'>
Considering that the webui is no longer an "IBM" specific entity, and is
now the standard for the project, there's no need for this variable to
call it out explicitly.  Update comment and variable name to be more
correct.

Tested: No functional change, only comments.

Signed-off-by: Ed Tanous &lt;ed.tanous@intel.com&gt;
Change-Id: I2169876c38ccd558a3cfcfc61637720bd290b3ee
</content>
</entry>
<entry>
<title>Enhance return value from pamAuthenticateUser</title>
<updated>2020-01-30T16:24:12+00:00</updated>
<author>
<name>Joseph Reynolds</name>
<email>joseph-reynolds@charter.net</email>
</author>
<published>2020-01-14T22:34:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/bmcweb/commit/?id=d887fff197b2fc3357bcbb1adb028521699a204a'/>
<id>urn:sha1:d887fff197b2fc3357bcbb1adb028521699a204a</id>
<content type='text'>
This enhances the return value from the pamAuthenticateUser function so
callers can articulate PAM error codes like PAM_NEW_AUTHTOK_REQD which
means the credentials are correct, but the password must be changed.

Tested: Yes, scenarios via both Redfish login and Basic Auth:
 - correct username and password, password is not expired
 - correct username and password, password is expired
 - correct username and incorrect password, password is not expired
 - correct username and incorrect password, password is expired
 - non-existent user (password is not relevant)

Signed-off-by: Joseph Reynolds &lt;joseph-reynolds@charter.net&gt;
Change-Id: I1114d6c9cc591fb0a1853cb4edea32ad22f7b015
</content>
</entry>
<entry>
<title>nbd-proxy closing fixes</title>
<updated>2020-01-02T08:54:35+00:00</updated>
<author>
<name>Iwona Winiarska</name>
<email>iwona.winiarska@intel.com</email>
</author>
<published>2019-11-29T11:34:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/bmcweb/commit/?id=123e823757a6efc08b215766124ba7321e3cca55'/>
<id>urn:sha1:123e823757a6efc08b215766124ba7321e3cca55</id>
<content type='text'>
This commit fixes:
  - handling of virtual media unmount method
  - cancels unix socket async accept upon early websocket closing
    (reproduction with rapid start/stop button pressing or closing
     websocket just after negotiation msg from NBD server)

Tested:
  - unmount method via WebUI
  - unix socket accept cancellation - modified NBD server to close
    websocket after sending negotiation message &amp; rapid start/stop button
    pressing

Signed-off-by: Iwona Winiarska &lt;iwona.winiarska@intel.com&gt;
Signed-off-by: Jan Sowinski &lt;jan.sowinski@intel.com&gt;
Change-Id: Ibcbb87a7e35cfbee8c8b4686f64c9090c66f0c17
</content>
</entry>
<entry>
<title>Turning ON the mutual TLS</title>
<updated>2019-12-19T07:52:01+00:00</updated>
<author>
<name>Zbigniew Kurzynski</name>
<email>zbigniew.kurzynski@intel.com</email>
</author>
<published>2019-11-07T11:55:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/bmcweb/commit/?id=cac94c55c59a397524a04786f4d699e2bd7f21bf'/>
<id>urn:sha1:cac94c55c59a397524a04786f4d699e2bd7f21bf</id>
<content type='text'>
This commit sets the mutual TLS option to ON by default.

Core mTLS implementation was accepted under this commit:

   https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/23588

where by default the mTLS was disabled.

Tested:
   Manual tests were made to verify if this option turns the
   mTLS ON.

Signed-off-by: Zbigniew Kurzynski &lt;zbigniew.kurzynski@intel.com&gt;
Change-Id: I3bc5f5453d4c4df1cd7ecb0b8868423285b6ab83
</content>
</entry>
<entry>
<title>Remove #include of self</title>
<updated>2019-12-18T18:27:08+00:00</updated>
<author>
<name>Ed Tanous</name>
<email>ed.tanous@intel.com</email>
</author>
<published>2019-10-23T20:33:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/bmcweb/commit/?id=aede01cdec31ae90de1af81e26def4e9419b80e3'/>
<id>urn:sha1:aede01cdec31ae90de1af81e26def4e9419b80e3</id>
<content type='text'>
Through one of the refactors, webserver_common.hpp picked up an include
to itself, presumably when code was moved.  This doesn't cause any ill
effects, but is cruft that can be cleaned up.

Tested:
Code compiles.  No functional change to verify.

Signed-off-by: Ed Tanous &lt;ed.tanous@intel.com&gt;
Change-Id: Ie901baa3cfd88decdbecbad01c6b577d92d2441b
</content>
</entry>
<entry>
<title>Fix authorization for LDAP users</title>
<updated>2019-12-17T05:06:45+00:00</updated>
<author>
<name>RAJESWARAN THILLAIGOVINDAN</name>
<email>rajeswgo@in.ibm.com</email>
</author>
<published>2019-12-13T10:26:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/bmcweb/commit/?id=61dbeef97168db1a1f7a351c5f95e09afd361e48'/>
<id>urn:sha1:61dbeef97168db1a1f7a351c5f95e09afd361e48</id>
<content type='text'>
Modified the code to make an asynchronous call to GetUserInfo to get
the user role for authorization.

For local users, DBus matches are used to store user role map hot in
memory. Hence, bmcweb has to know whether a user is a local user or
LDAP user to get the role. To avoid this, removed the existing DBus
matches and modified the code to call GetUserInfo to get the role of
local users as well as LDAP users.

Tested:
-   Created a local user having admin privilege and verified that he is
    able to restart the system
    /redfish/v1/Systems/system/Actions/ComputerSystem.Reset
        -d '{"ResetType": "GracefulRestart"}'
-   Created a local user having user privilege and verified that he is
    unauthorized to restart the system
    /redfish/v1/Systems/system/Actions/ComputerSystem.Reset
        -d '{"ResetType": "GracefulRestart"}'
-   Created a remote user having admin privilege and verified that he is
    able to restart the system
    /redfish/v1/Systems/system/Actions/ComputerSystem.Reset
        -d '{"ResetType": "GracefulRestart"}'
-   Created a remote user having user privilege and verified that he is
    unauthorized to restart the system
    /redfish/v1/Systems/system/Actions/ComputerSystem.Reset
        -d '{"ResetType": "GracefulRestart"}'
-   Tested Redfish ConfigureSelf privilege

Signed-off-by: RAJESWARAN THILLAIGOVINDAN &lt;rajeswgo@in.ibm.com&gt;
Change-Id: Ic3e46a0c0aff2cf456c98048350e58e302011c57
</content>
</entry>
<entry>
<title>Fixing mTLS switches</title>
<updated>2019-12-16T08:07:09+00:00</updated>
<author>
<name>Zbigniew Kurzynski</name>
<email>zbigniew.kurzynski@intel.com</email>
</author>
<published>2019-11-14T12:37:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/bmcweb/commit/?id=009c2a4d7ba310789487910cc06cb19c745c1c97'/>
<id>urn:sha1:009c2a4d7ba310789487910cc06cb19c745c1c97</id>
<content type='text'>
This commit is a fix for revert:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27205

The mTLS will work only when:

* Compilation flag BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION is
  enabled and,
* AccountService-&gt;Oem-&gt;OpenBMC-&gt;AuthMethods-&gt;TLS is set and,
* at least one certificate is uploaded to TrustStore.

To enforce new mTLS settings after switching AuthMethods-&gt;TLS,
all connections awaiting acceptance are dropped.

In the case of authorized mTLS requests, a cookie with XSRF-TOKEN
and SESSION entries is added to the response. It will force the
X-XSRF-TOKEN challenge in the case of applications supporting
cookies, like web browsers.

Also some minor log messages changes were made in this commit.

Tested:
validator_service run with status: 'Validation has succeeded'.

Tests were made with Chrome browser Version 78.0.3904.108.
The certificate popup appears only when mTLS is enabled in CMake,
the TLS option is set and at least one CA certificate is present.
In other cases mTLS is not active and there is no popup for certs.

Signed-off-by: Zbigniew Kurzynski &lt;zbigniew.kurzynski@intel.com&gt;
Change-Id: I778b848b767356b60386694f802a89b3c1f6cb14
</content>
</entry>
<entry>
<title>Change PAM service_name for password changes</title>
<updated>2019-12-11T21:00:05+00:00</updated>
<author>
<name>Joseph Reynolds</name>
<email>joseph-reynolds@charter.net</email>
</author>
<published>2019-12-05T23:53:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/bmcweb/commit/?id=96b39e02ba160cda74b70b4cd9bac34c760e1701'/>
<id>urn:sha1:96b39e02ba160cda74b70b4cd9bac34c760e1701</id>
<content type='text'>
BMCWeb was using the "passwd" command PAM configuration settings when changing
the password.  This changes it to use PAM service_name="webserver", the same
name it already uses for PAM authentication and account management functions.

Doing so allows the BMC system administrator to provide separate PAM config
files for the "passwd" command and BMCWeb's password changing function, and
for these activities to be correctly identified in the system logs.

Here is a sample incorrect log message (truncated &amp; wrapped):
bmcweb[353]: pam_warn(passwd:chauthtok): function=[pam_sm_chauthtok]
    flags=0xc000 service=[passwd] terminal=[&lt;unknown&gt;] user=[testuser]
    ruser=[&lt;unknown&gt;] rhost=[&lt;unknown&gt;]
The "service" should be "webserver".

Tested: yes, password change successful

Change-Id: I593f42c8f0494df967fb498fb4dd66fa4168596b
Signed-off-by: Joseph Reynolds &lt;joseph-reynolds@charter.net&gt;
</content>
</entry>
<entry>
<title>Revert "Fix authorization for LDAP users"</title>
<updated>2019-12-10T17:22:47+00:00</updated>
<author>
<name>James Feist</name>
<email>james.feist@linux.intel.com</email>
</author>
<published>2019-12-10T16:52:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/bmcweb/commit/?id=7166bf0fd7453f2b5d6bfb3afbdad5eb00f74990'/>
<id>urn:sha1:7166bf0fd7453f2b5d6bfb3afbdad5eb00f74990</id>
<content type='text'>
This reverts commit 5e931ae994307babe6c3520cbaca6a7139acc81d.

Reason for revert: Causing build failures

/bmcweb/redfish-core/include/node.hpp: In member function ‘bool redfish::Node::isAllowedWithoutConfigureSelf(const crow::Request&amp;)’:
/bmcweb/redfish-core/include/node.hpp:182:36: error: ‘crow::persistent_data::UserRoleMap’ has not been declared
             crow::persistent_data::UserRoleMap::getInstance().getUserRole(

When 900f949773795141266271107219ea019f2839cd was merged first
this patch was not successfully rebased.

Change-Id: I947d96362c7dadea5572888468a11fac5ee361d4
Signed-off-by: James Feist &lt;james.feist@linux.intel.com&gt;
</content>
</entry>
<entry>
<title>Fix authorization for LDAP users</title>
<updated>2019-12-09T15:17:13+00:00</updated>
<author>
<name>RAJESWARAN THILLAIGOVINDAN</name>
<email>rajeswgo@in.ibm.com</email>
</author>
<published>2019-07-15T12:51:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/bmcweb/commit/?id=5e931ae994307babe6c3520cbaca6a7139acc81d'/>
<id>urn:sha1:5e931ae994307babe6c3520cbaca6a7139acc81d</id>
<content type='text'>
Modified the code to make an asynchronous call to GetUserInfo to get
the user role for authorization.

For local users, DBus matches are used to store user role map hot in
memory. Hence, bmcweb has to know whether a user is a local user or
LDAP user to get the role. To avoid this, removed the existing DBus
matches and modified the code to call GetUserInfo to get the role of
local users as well as LDAP users.

Tested:
-   Created a local user having admin privilege and verified that he is
    able to restart the system
    /redfish/v1/Systems/system/Actions/ComputerSystem.Reset
        -d '{"ResetType": "GracefulRestart"}'
-   Created a local user having user privilege and verified that he is
    unauthorized to restart the system
    /redfish/v1/Systems/system/Actions/ComputerSystem.Reset
        -d '{"ResetType": "GracefulRestart"}'
-   Created a remote user having admin privilege and verified that he is
    able to restart the system
    /redfish/v1/Systems/system/Actions/ComputerSystem.Reset
        -d '{"ResetType": "GracefulRestart"}'
-   Created a remote user having user privilege and verified that he is
    unauthorized to restart the system
    /redfish/v1/Systems/system/Actions/ComputerSystem.Reset
        -d '{"ResetType": "GracefulRestart"}'

Signed-off-by: RAJESWARAN THILLAIGOVINDAN &lt;rajeswgo@in.ibm.com&gt;
Change-Id: Ifd813e1af4dfcb7aeaba18e04b6c9767d2a5e95a
</content>
</entry>
</feed>
