OpenBMC Web server https://git.raptorcs.com/git/bmcweb/atom?h=master 2019-12-17T05:06:45+00:00 2019-12-17T05:06:45+00:00 RAJESWARAN THILLAIGOVINDAN rajeswgo@in.ibm.com 2019-12-13T10:26:54+00:00 urn:sha1:61dbeef97168db1a1f7a351c5f95e09afd361e48 Modified the code to make an asynchronous call to GetUserInfo to get the user role for authorization. For local users, DBus matches are used to store user role map hot in memory. Hence, bmcweb has to know whether a user is a local user or LDAP user to get the role. To avoid this, removed the existing DBus matches and modified the code to call GetUserInfo to get the role of local users as well as LDAP users. Tested: - Created a local user having admin privilege and verified that he is able to restart the system /redfish/v1/Systems/system/Actions/ComputerSystem.Reset -d '{"ResetType": "GracefulRestart"}' - Created a local user having user privilege and verified that he is unauthorized to restart the system /redfish/v1/Systems/system/Actions/ComputerSystem.Reset -d '{"ResetType": "GracefulRestart"}' - Created a remote user having admin privilege and verified that he is able to restart the system /redfish/v1/Systems/system/Actions/ComputerSystem.Reset -d '{"ResetType": "GracefulRestart"}' - Created a remote user having user privilege and verified that he is unauthorized to restart the system /redfish/v1/Systems/system/Actions/ComputerSystem.Reset -d '{"ResetType": "GracefulRestart"}' - Tested Redfish ConfigureSelf privilege Signed-off-by: RAJESWARAN THILLAIGOVINDAN <rajeswgo@in.ibm.com> Change-Id: Ic3e46a0c0aff2cf456c98048350e58e302011c57 2019-12-10T17:22:47+00:00 James Feist james.feist@linux.intel.com 2019-12-10T16:52:14+00:00 urn:sha1:7166bf0fd7453f2b5d6bfb3afbdad5eb00f74990 This reverts commit 5e931ae994307babe6c3520cbaca6a7139acc81d. Reason for revert: Causing build failures /bmcweb/redfish-core/include/node.hpp: In member function ‘bool redfish::Node::isAllowedWithoutConfigureSelf(const crow::Request&)’: /bmcweb/redfish-core/include/node.hpp:182:36: error: ‘crow::persistent_data::UserRoleMap’ has not been declared crow::persistent_data::UserRoleMap::getInstance().getUserRole( When 900f949773795141266271107219ea019f2839cd was merged first this patch was not successfully rebased. Change-Id: I947d96362c7dadea5572888468a11fac5ee361d4 Signed-off-by: James Feist <james.feist@linux.intel.com> 2019-12-09T15:17:13+00:00 RAJESWARAN THILLAIGOVINDAN rajeswgo@in.ibm.com 2019-07-15T12:51:33+00:00 urn:sha1:5e931ae994307babe6c3520cbaca6a7139acc81d Modified the code to make an asynchronous call to GetUserInfo to get the user role for authorization. For local users, DBus matches are used to store user role map hot in memory. Hence, bmcweb has to know whether a user is a local user or LDAP user to get the role. To avoid this, removed the existing DBus matches and modified the code to call GetUserInfo to get the role of local users as well as LDAP users. Tested: - Created a local user having admin privilege and verified that he is able to restart the system /redfish/v1/Systems/system/Actions/ComputerSystem.Reset -d '{"ResetType": "GracefulRestart"}' - Created a local user having user privilege and verified that he is unauthorized to restart the system /redfish/v1/Systems/system/Actions/ComputerSystem.Reset -d '{"ResetType": "GracefulRestart"}' - Created a remote user having admin privilege and verified that he is able to restart the system /redfish/v1/Systems/system/Actions/ComputerSystem.Reset -d '{"ResetType": "GracefulRestart"}' - Created a remote user having user privilege and verified that he is unauthorized to restart the system /redfish/v1/Systems/system/Actions/ComputerSystem.Reset -d '{"ResetType": "GracefulRestart"}' Signed-off-by: RAJESWARAN THILLAIGOVINDAN <rajeswgo@in.ibm.com> Change-Id: Ifd813e1af4dfcb7aeaba18e04b6c9767d2a5e95a 2019-11-21T13:35:56+00:00 Iwona Klimaszewska iwona.klimaszewska@intel.com 2019-07-12T16:26:38+00:00 urn:sha1:c0a1c8a0ecc55aef54e6f44ea89a4dd232e265a2 Nbd-proxy is responsible for exposing websocket endpoint in bmcweb. It matches WS endpoints with unix socket paths using configuration exposed on D-Bus by Virtual-Media. Virtual-Media is then notified about unix socket availability through mount/unmount D-Bus methods. Currently, this feature is disabled by default. Tested: Integrated with initial version of Virtual-Media. Change-Id: I9c572e9841b16785727e5676fea1bb63b0311c63 Signed-off-by: Iwona Klimaszewska <iwona.klimaszewska@intel.com> Signed-off-by: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski@intel.com> 2019-10-18T16:20:11+00:00 Ed Tanous ed.tanous@intel.com 2019-10-10T22:39:33+00:00 urn:sha1:c94ad49bc747e7a7170287b9f4c859e3638cf432 Recently, a number of people in the community have made the (admittedly easy) mistake that we use a significant portion of crow. Today, we use crow for the router, and the "app" structure, and even those have been significantly modified to meet the bmc needs. All other components have been replaced with Boost beast. This commit removes the crow mentions from the Readme, and moves the crow folder to "http" to camouflage it a little. No code content has changed. Tested: Code compiles. No functional change made to any executable code. Signed-off-by: Ed Tanous <ed.tanous@intel.com> Change-Id: Iceb57b26306cc8bdcfc77f3874246338864fd118 2019-10-10T23:25:26+00:00 Ed Tanous ed.tanous@intel.com 2019-07-09T23:24:22+00:00 urn:sha1:271584ab78b4c1926f766aa26ddfde7da329059f using the list of warnings from here: https://github.com/lefticus/cppbestpractices/blob/e73393f25a85f83fed7399d8b65cb117d00b2231/02-Use_the_Tools_Available.md#L100 Seems like a good place to start, and would improve things a bit type-wise. This patchset attempts to correct all the issues in one shot. Tested: It builds. Will test various subsystems that have been touched Signed-off-by: Ed Tanous <ed.tanous@intel.com> Change-Id: I588c26440e5a97f718a0f0ea74cc84107d53aa1e 2019-07-09T16:36:10+00:00 Ratan Gupta ratagupt@linux.vnet.ibm.com 2019-04-03T04:38:11+00:00 urn:sha1:12c04ef5d04d62fd7b19506faf4eb2b08662e979 This commit fetches the user privilege during creation of the session by making D-bus call and add the privilege in the user session object. Change-Id: I0e9da8a52df00fc753b13101066ce6d0be9e2ce3 Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com> 2019-06-12T22:53:05+00:00 Marri Devender Rao devenrao@in.ibm.com 2019-01-21T16:27:12+00:00 urn:sha1:5968caee7ccf978755a9a63d225965101a0c0378 Implements CertificateService schema to list the actions available. Implements CertificateLocations schema to list the certificates present in the system. Implements CertificateCollection schema to upload/list existing HTTPS certificates Implements Certificate schema to view existing HTTPS certificate Cater for reloading the SSL context after a certificate is uploaded. Fix Certificate signature validation failure At present bmcweb uses the certificate from "/home/root/server.pem" the same is modified to "/etc/ssl/certs/https/server.pem" as phosphor-certificate-manager uses the specified path to install/replace certificates. Bmcweb creates a self-signed certificate when certificate is not present. Catered for creating "/etc/ssl/certs/https/" direcotry structure so that self signed certificate is created in the path. Implements ReplaceCertificate action of Certificate Service for replacing existing HTTPS certificates Cleanup of older self-signed certificate at /home/root/server.pem 1. Tested schema with validator and no issues 2. Privilege map for certificate service is not yet pubished 2. GET on /redfish/v1/CertificateService/ "CertificateService": { "@odata.id": "/redfish/v1/CertificateService" }, 3. GET on /redfish/v1/CertificateService/CertificateLocations/ "@odata.context": "/redfish/v1/$metadata#CertificateLocations.CertificateLocations", "@odata.id": "/redfish/v1/CertificateService/CertificateLocations", "@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations", "Description": "Defines a resource that an administrator can use in order to locate all certificates installed on a given service", "Id": "CertificateLocations", "Name": "Certificate Locations" 4.POST on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates { Returns contents of certificate "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate", "@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1", "@odata.type": "#Certificate.v1A_0_0.Certificate", "Id": "1", "Issuer": { ... ... } 5.GET on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/ { "@odata.context": "/redfish/v1/$metadata#CertificateCollection.CertificateCollection", "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates", "@odata.type": "#CertificateCollection.CertificatesCollection", "Description": "A Collection of HTTPS certificate instances", "Members": [ { "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1" } ], "Members@odata.count": 1, "Name": "HTTPS Certificate Collection" } 6.GET on /redfish/v1/CertificateService/CertificateLocations/ { "@odata.context": "/redfish/v1/$metadata#CertificateLocations.CertificateLocations", "@odata.id": "/redfish/v1/CertificateService/CertificateLocations", "@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations", "Description": "Defines a resource that an administrator can use in order to locate all certificates installed on a given service", "Id": "CertificateLocations", "Links": { "Certificates": [ { "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1" } ], "Certificates@odata.count": 1 }, "Name": "Certificate Locations" } 7.GET on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1 { "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate", "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1", "@odata.type": "#Certificate.v1_0_0.Certificate", "CertificateString": "-----BEGINCERTIFICATE-----\n....\n-----ENDCERTIFICATE-----\n", "CertificateType": "PEM", "Description": "HTTPS Certificate", "Id": "1", "Issuer": { } 8. Verified SSL context is reloaded after a certificate is installed. 9.curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/ -d @data_https.json { "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate", "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1", "@odata.type": "#Certificate.v1_0_0.Certificate", "CertificateString": "-----BEGIN CERTIFICATE----END CERTIFICATE-----\n", "Description": "HTTPS certificate", "Id": "1", "Issuer": { } 4. data_https.json file contents { "CertificateString": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDClW1COSab2O0W\nW0SgTzLxQ1Igl4EpbEmTK8CAQ+wI7loTDZ7sZwYdf6yc9TAs/yNKjlJljgedGszv\nbC7sPNpH4FA63kaM6TbBBKTRshwZ3myXiBOOkOBs6w6V7+c7uEPcMFge6/4W1VXD\nReMi016cnPWZsmQyGzpmPM49YNEDZBfdKZ/pLuCYc9L9t706U7FrUSGfM7swB+mC\n8NH9qMixMuWAV9SBvzUWI6p4OCmN8a/F+4lOdbPMVEUqQ0hCBCjGM4qmiy/5Ng6y\n6rKeJlUdmOSTk8ojrNGcOXKh0nRafNEQFkIuoPHt8k5B/Yw2CX6s2BoGwvF+hS03\n+z3qVSw3AgMBAAECggEBAKpe92kybRGr3/rhMrdCYRJJpZEP1nGUdN89QbGMxxAS\n0h84n9vRYNNXRKWxMNtVEWtoLdDpiNUP8Dv59yO1LFIen2DL2e3rDJv4Gu/YCS7F\nR0NuS+FaDIaRURYLFeV+MzyJv75jVvhbFlqByJxngcGS1KAcSApvOLTnrJSlPpy9\n8ec5gnDhdOUND9PaQt8xCqMs1RPpjqvrgRzMEodZoqT5v+b0K1GmsAdbSHNP2mLM\nrqtpFDefiM1YfsTHUtxQykxG2Ipd2jzJ0a8O0qmVqdXcP9J9aqLcmD/2/r96GEV6\n/5qvIBj3SRFobxCiCwfys2XOXfjz2J+BUZzGoZvKeRECgYEA518hT6mn46LhwrTI\nW+Qpi7iTJgOfeLC+Ng855VHVQFED1P3T2lfyfGDyqKI/wV1DJIJmO8iOXerSPnhi\nb7reQkyHj6ERUtuE+6BQ9oTw2QD3EEvzOK2PEH5UipbhVTDnC3fT62Vz2yb3tR8D\n2h0XVJkj/dng9p1Td5aDGMriRRMCgYEA10vTyYqBPjDIEYw/Sc9aQk2kT6x3hrRQ\ngR4xyuI31RTCRD/KpLh/7z4s11Wkr+F9CyASeLbqu6zymlLOlS5p7IUkJ/x2X027\nJWVY1SR+oF3iF3SHiP4XkOVvWOKwIVUhgTjK1+Di6i3AlwIeAOS7VCCP6W0gbnwJ\nyyAAHZ30NM0CgYAqTur4dj2NEqvVvtkkdIRkWEwQF3mByE//8qjTljM4n5fjysaC\nlrJwrAmzbHfcFAHDG1U2eWYPJnFrmvflFnauCPCBAyL308xtdtNXQNgJ1nNXN4wy\nQQp4KaGr9gseWOLm5fKKiPK2kFmbdSBvMgKiJZ6/PKg2cG5i39L5JaBaoQKBgApw\nqOJ7Du1fHDSNonwHzA6vCSq76Efl8olwV2XJNn/ks87vcPov4DRPxYjjpErLGm8x\nrPOhmxxitJj7Lv1Y9NX9VtWBjpPshwi3M2mSjXllVBNjGTdxat8h4RZkV7omEKvd\nfyicxSQp987a0W2lqdfYhGIDYrE43pi1AoxtHmx5AoGBAJSoRy62oZbW6vjfdkuf\nvVnjNfFZwuiPV/X2NT+BhNPe5ZKFtC6gGedHLaIBBD3ItRhGuHZxgWXccPjGHofi\n6DlPdp2NePJgDT2maSjGSiAcHxyXdmW+Ev27NblvAxktoTUcVqSENrKFb+Fh4FXN\nlXiJzOEwAXiP2ZFbMRyNF/MI\n-----END PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIIDNzCCAh+gAwIBAgIJAI1Wr/fK5F0GMA0GCSqGSIb3DQEBCwUAMDIxHDAaBgNV\nBAoME29wZW5ibWMtcHJvamVjdC54eXoxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0x\nOTAyMDExMzIyMDhaFw0yOTAxMjkxMzIyMDhaMDIxHDAaBgNVBAoME29wZW5ibWMt\ncHJvamVjdC54eXoxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\nBQADggEPADCCAQoCggEBAMKVbUI5JpvY7RZbRKBPMvFDUiCXgSlsSZMrwIBD7Aju\nWhMNnuxnBh1/rJz1MCz/I0qOUmWOB50azO9sLuw82kfgUDreRozpNsEEpNGyHBne\nbJeIE46Q4GzrDpXv5zu4Q9wwWB7r/hbVVcNF4yLTXpyc9ZmyZDIbOmY8zj1g0QNk\nF90pn+ku4Jhz0v23vTpTsWtRIZ8zuzAH6YLw0f2oyLEy5YBX1IG/NRYjqng4KY3x\nr8X7iU51s8xURSpDSEIEKMYziqaLL/k2DrLqsp4mVR2Y5JOTyiOs0Zw5cqHSdFp8\n0RAWQi6g8e3yTkH9jDYJfqzYGgbC8X6FLTf7PepVLDcCAwEAAaNQME4wHQYDVR0O\nBBYEFDDohRZ1+QlC3WdIkOAdBHXVyW/SMB8GA1UdIwQYMBaAFDDohRZ1+QlC3WdI\nkOAdBHXVyW/SMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFN0DWy6\nYPXHzidWMKKyQiJ5diqUv6LbujKOHUk+/LGSoCqcUp8NvmFDKWYP9MxjOAi9TVbs\nRGlIHBl38oSwKUayXBTY/vVeSLls90giUAOjswoRbBBQZvKyfEuFpc1zUsrhGLDC\n/6DuRt9l0DWcMcmP6Yh3jePIIwTr3bpxBGrwNLly8fPf16q4bWRIAcI3ZgLOhsrN\nLfD2kf56oYViM44d54Wa0qjuCfeTnJ46x/lo6w2kB9IzF7lwpipMU7+AG8ijDdaQ\nn8t0nADpv6tNNargLcOTTfJ0/P2PaKxwA1B88NhjlymBnNbz4epIn4T3KyysgS62\nzwqs66LPWoDerzc=\n-----END CERTIFICATE-----", "CertificateType": "PEM", "CertificateUri": { "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1" } } Change-Id: I2acbf8afa06bbf7d029d4971f7ab3b3988f5f060 Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com> Signed-off-by: Ed Tanous <ed.tanous@intel.com> 2019-05-21T17:22:09+00:00 Adriana Kobylak anoo@us.ibm.com 2019-01-17T18:08:38+00:00 urn:sha1:1bfbe0e0372de7991bab9bb0a7ba015356f7d3b2 On receiving a websocket request on endpoint /vm/0/0, connect to the nbd-proxy app and send/receive stdio. Tested: Verified that the host could see the virtual media usb device, mounted it manually and checked the contents of the iso file used for the test were there. To test, used the html and js script: https://github.com/openbmc/jsnbd/tree/master/web and an Ubuntu iso image file. Verified that it worked after closing the websocket (using the stop function from the html file), to check that the processes were cleaned up and freed up for a subsequent request. Change-Id: I0b070310b070c086d67d0ae3e2c165551d6b87cc Signed-off-by: Adriana Kobylak <anoo@us.ibm.com> 2019-02-21T01:45:55+00:00 Ed Tanous ed.tanous@intel.com 2018-12-20T20:30:45+00:00 urn:sha1:3eb2f35f28249b9b5dc2159a44ca75a0fa7677a5 This patchset implements a KVM websocket proxy designed to interoperate with phosphor-webui and KVM. in short, IP address 127.0.0.1:5900 is proxied to the websocket. This allows someone to connect from a browser session. Requires patchset here for the phosphor-webui side: https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-webui/+/10268/ and requires the kvm patches here: https://gerrit.openbmc-project.xyz/#/c/openbmc/meta-phosphor/+/13536/ Tested By: Launched webui, observed KVM. Moved mouse, and typed on keyboard, changes appeared on host system. Change-Id: I407488f4b16be208b188a0abc19954a0243af173 Signed-off-by: Ed Tanous <ed.tanous@intel.com>