| |
System DC power On-Off events are added to the message registry
Change-Id: Ib3cbe065a096dedde8b5eecb7ac29aec855cbbcb
Signed-off-by: Nikhil Potade <nikhil.potade@linux.intel.com>
| |
Define a new build option named BMCWEB_ENABLE_REDFISH_ONE_CHASSIS that
is not set by default.
When this build option is set, bmcweb will always return a single
chassis named "chassis".
Setting this option will also cause all sensors to be shown under this
chassis.
This is a short-term solution. Long term, inventory-manager needs to be
enhanced to allow sensors to be under a chassis, or the rest of the
project needs to move to EntityManager.
Currently IBM does not use EntityManager, but EntityManager is called
directly in sensors.hpp. This results in an HTTP 500 Internal Server
Error.
Tested: The URLs /redfish/v1/Chassis/ and /redfish/v1/Chassis/chassis
show correct data on a Witherspoon. /redfish/v1/Managers/bmc/
now has a link to the single chassis.
/redfish/v1/Chassis/chassis/Power and
/redfish/v1/Chassis/chassis/Thermal no longer result in an
HTTP 500 Internal Server Error. Ran Redfish Service Validator.
Change-Id: Iec8f4da333946f19330f37ab084cd9787c52c8ea
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
Signed-off-by: Shawn McCarney <shawnmm@us.ibm.com>
| |
Tested by:
Assuming there are two IP addresses in the IPv4Addresses for the
following PATCH request.
1) PATCH {"IPv4Addresses": [{},{}]} =>No change in the existing list.
2) PATCH {"IPv4Addresses": [{},{},{}]}
Following error for the third list item.
"IPv4Addresses/0/Address@Message.ExtendedInfo": [
{
"@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
"Message": "The property IPv4Addresses/2/Address is a required property
and must be included in the request.",
"MessageArgs": [
"IPv4Addresses/2/Address"
],
"MessageId": "Base.1.4.0.PropertyMissing",
"Resolution": "Ensure that the property is in the request body and has a
valid value and resubmit the request if the operation failed.",
"Severity": "Warning"
}
Change-Id: I24d11ca82cf6843611f72912499878bcbe1aecac
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
| |
During Property Update for the Ipv4address, Index was getting
converted into string which was causing the bmcweb to crash.
This commit fixes this problem.
TestedBy:
Assumption: There are already three IP addresses and updating the
third one.
PATCH -D patch.txt -d '{"IPv4Addresses":
[{},{},{"Address": "x.x.x.x","AddressOrigin": "Static","SubnetMask": "255.255.0.0","Gateway":"x.x.x.x"}]}'
Change-Id: Ic055649b75aaa36e16bda5d8dc4e4e9c87dcb315
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
| |
These variables are of type std::optional. The values should be
filled by the readJSON function, as further decision to handle the
patch for the vlan is dependent on whether the value for vlanID and vlanEnable
is not null.
Due to this issue, control goes to handle the vlan patch and the
readJSON inside the handleVlanPatch doesn't find the values for
vlanID and vlanEnable so set the resp result to forbidden.
After that if any other readJSON would be called it would return failure
and due to that no other PATCH operation on the ipv4Address can be
completed.
Change-Id: I3ebab18ae4adfa7c871ecab862a2865dc14f154d
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
| |
property
MinPasswordLength and MaxPasswordLength are readOnly properties
in the account service schema, so send the correct message
if the user tries to PATCH these properties.
Change-Id: If231ca13ef97fc05928435ac14a8190a186beb06
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
| |
Support added for overriding multiple sensors in a single
PATCH method. Can accept Thermal (Temperatures/Fans) and
Power (Voltages) collections.
Unit-Test:
1. Verified sensor values are getting updated by doing PATCH
method to a known sensor. Verified the value got updated
using ipmitool sensor list.
2. Verified negative cases of making PATCH call on invalid
chassisId, Invalid MemberId etc.
Tested-by:
Used Postman tool to issue the PATCH call to the
1. https://xx.xx.xx.xx/redfish/v1/Chassis/XXYYZZ/Thermal with
content
{
"Temperatures": [
{
"MemberId" : "SensorNameXX",
"ReadingCelsius" : valueXX
}
],
"Fans": [
{
"MemberId" : "SensorNameYY",
"Reading" : valueYY
}
]
}
2. https://xx.xx.xx.xx/redfish/v1/Chassis/XXYYZZ/Power with
content
{
"Voltages": [
{
"MemberId" : "SensorNameXX",
"ReadingVolts" : valueXX
},
{
"MemberId" : "SensorNameYY",
"ReadingVolts" : valueYY
}
]
}
Change-Id: Ie30a7dff421f1a459dfe7bac262ae29e98754810
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
| |
Currently during a successful PATCH operation, implementation
doesn't send the success message.
This commit fixes this problem.
Change-Id: Iade15ed2b3efa73578f4b2710e0005b84419cc21
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
| |
Blink is not a valid value for Redfish IndicatorLED.
Blinking is though. Changed. See:
https://redfish.dmtf.org/schemas/ComputerSystem.v1_6_0.json
http://redfish.dmtf.org/schemas/v1/Resource.json#/definitions/IndicatorLED
LED D-Bus interface has the value "Blink". Updated.
https://github.com/openbmc/phosphor-dbus-interfaces/blob/master/xyz/openbmc_project/Led/Physical.interface.yaml#L40
Tested: Limited.
Change-Id: I183b72f06f2dddf6a37592893e841d810d06a0d6
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
| |
Power & Thermal patch method role is updated to
ConfigureComponents instead of ConfigureManager, as PATCH
method can be executed by ConfigureComponents role.
Tested-by:
Verified the PATCH method works with ConfigureComponents
role user itself.
Change-Id: I4de06233dd3eebdeadf160d790ccac853a4972da
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
| |
should be fan_tach instead of fan
Tested-by:
Did a Get method on thermal profile, and made sure, fans
are listed as expected.
Change-Id: Ic5ac321b8f998136b646d6cfd3c7bb5946fe9194
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
| |
With this commit PATCH operation on the Locked property of
ManagerAccount schema would allow the user/admin to unlock
an account, however admin would not be allowed to lock an
account as account can be locked automatically by configured
consecutive authentication failures.
TestedBy: Run the following patch request to test the locked property.
GET https://${BMC_IP}/redfish/v1/AccountService/Accounts/esalinux0
{
"@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
"@odata.id": "/redfish/v1/AccountService/Accounts/esalinux0",
"@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
"Description": "User Account",
"Enabled": true,
"Id": "esalinux0",
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
}
},
"Locked": true,
"Locked@Redfish.AllowableValues": [
false
],
"Name": "User Account",
"Password": null,
"RoleId": "Administrator",
"UserName": "esalinux0"
}
PATCH https://${BMC_IP}/redfish/v1/AccountService/Accounts/esalinux0 -d '{"Locked" : false}'
{
"@Message.ExtendedInfo": [
{
"@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
"Message": "Successfully Completed Request",
"MessageArgs": [],
"MessageId": "Base.1.4.0.Success",
"Resolution": "None",
"Severity": "OK"
}
]
}
Change-Id: I5d7a3d8f6330bbf01292ed4079542a1c65c9cc35
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
| |
Support added for overriding sensor, which can be
used for validation / ad-hoc debugging. This provides
option to make PATCH call to redfish/v1/<chassisId>/Thermal
or power id. Based on schema, will accept Temperatures /
Voltages collection with properties MemberId and
ReadingCelsius / ReadingVolts.
TODO:
1. Need to make a dynamic way of enabling / disabling this command.
Unit-Test:
1. Verified sensor values are getting updated by doing PATCH
method to a known sensor. Verified the value got updated
using ipmitool sensor list.
2. Verified negative cases of making PATCH call on invalid
chassisId, Invalid MemberId etc.
Tested-by:
Used Postman tool to issue the PATCH call to the
1. https://xx.xx.xx.xx/redfish/v1/Chassis/XXYYZZ/Thermal with
content
{
"Temperatures": [
{
"MemberId" : "SensorNameXX",
"ReadingCelsius" : valueXX
}
]
}
2. https://xx.xx.xx.xx/redfish/v1/Chassis/XXYYZZ/Power with
content
{
"Voltages": [
{
"MemberId" : "SensorNameXX",
"ReadingVolts" : valueXX
}
]
}
Change-Id: Idf2d891ac0d10b5d20f78c386232cae8a6896f1a
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
| |
This commit adds support for DBUS properties BootMode and BootSource
in the Redfish ComputerSystems schema. These properties reside on the
BMC in two DBUS objects:
/xyz/openbmc_project/control/host0/boot contains settings that apply
on each boot
/xyz/openbmc_project/control/host0/boot/one_time contains settings
that apply for one boot only
The interface definition can be looked up in
phosphor-dbus-interfaces/tree/master/xyz/openbmc_project/Control/Boot
BootMode and BootSource are together mapped into the Redfish property
BootSourceOverrideTarget. Specifically, we only support the following
BootSource's: None (default source), Pxe, Hdd, Cd, Diags and BiosSetup
Diags and BiosSetup get mapped to the BootMode property, whereas the
other values get mapped to the BootSource property.
In addition, we map the BootSourceOverrideEnabled redfish property
to the Enabled property in
/xyz/openbmc_project/control/host0/boot/one_time to indicate if the
override applies for just this boot or all future boots.
Tested:
-- Ran the Redfish schema validator - no errors.
-- Ran GET and PATCH requests on the ComputerSystem node to test
setting of each property individually as well as together.
Ex:
curl -k -H "X-Auth-Token: $bmc_token" -XGET
https://${bmc}:${port}/redfish/v1/Systems/system
....
....
"Boot": {
"BootSourceOverrideEnabled": "Disabled",
"BootSourceOverrideMode": "Legacy",
"BootSourceOverrideTarget": "None",
"BootSourceOverrideTarget@Redfish.AllowableValues": [
"None",
"Pxe",
"Hdd",
"Cd",
"Diags",
"BiosSetup"
]
}
....
curl -k -H "X-Auth-Token: $bmc_token" -X PATCH
https://${bmc}:${port}/redfish/v1/Systems/system -d '{"Boot":
{"BootSourceOverrideEnabled": "Once",
"BootSourceOverrideTarget": "Diags"}}'
curl -k -H "X-Auth-Token: $bmc_token" -XGET
https://${bmc}:${port}/redfish/v1/Systems/system
....
....
"Boot": {
"BootSourceOverrideEnabled": "Once",
"BootSourceOverrideMode": "Legacy",
"BootSourceOverrideTarget": "Diags",
"BootSourceOverrideTarget@Redfish.AllowableValues": [
"None",
"Pxe",
"Hdd",
"Cd",
"Diags",
"BiosSetup"
]
}
....
curl -k -H "X-Auth-Token: $bmc_token" -X PATCH
https://${bmc}:${port}/redfish/v1/Systems/system -d '{"Boot":
{"BootSourceOverrideEnabled": "Disabled"}}'
curl -k -H "X-Auth-Token: $bmc_token" -XGET
https://${bmc}:${port}/redfish/v1/Systems/system
....
....
"Boot": {
"BootSourceOverrideEnabled": "Disabled",
"BootSourceOverrideMode": "Legacy",
"BootSourceOverrideTarget": "None",
"BootSourceOverrideTarget@Redfish.AllowableValues": [
"None",
"Pxe",
"Hdd",
"Cd",
"Diags",
"BiosSetup"
]
}
....
Change-Id: If8850428422de822cd0e220ceaff4168f4b50391
Signed-off-by: Santosh Puranik <santosh.puranik@in.ibm.com>
| |
Change-Id: I763534d54b7630aec30883d04e02b4f478c10ab4
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
| |
Get intrusion status from dbus and display property of physical security
Related patches to run test:
- meta-phosphor: dbus-sensors: Enable new service of intrusion sensor
https://gerrit.openbmc-project.xyz/#/c/openbmc/meta-phosphor/+/17063/
- Add chassis intrusion sensor daemon
https://gerrit.openbmc-project.xyz/#/c/openbmc/dbus-sensors/+/17064/
Tested-by:
- Verified redfish/v1/Chassis/<ChassisId> when intrusion status is true
"PhysicalSecurity": {
"IntrusionSensor": "HardwareIntrusion",
"IntrusionSensorNumber": 1
},
Change-Id: Ib231ccb847d48641eac363f578de9f930035db89
Signed-off-by: Qiang XU <qiang.xu@linux.intel.com>
| |
- Protocol HTTPS was missing the property "Port"
- The property "ProtocolEnabled" was showing incorrect data for each protocol
Signed-off-by: Jennifer Lee <jennifer1.lee@intel.com>
Change-Id: Ibaa7b81845714ad13b2b44d6af033df98da236e2
| |
The timeout was 10 seconds for:
1. The uploaded content is written to tmpfs
2. Wait for software version manager to parse the content and create the
version object.
For a tarball without compression, the timeout is enough, but for a
compressed tarball, the timeout may not be enough, e.g. Palmetto takes
about 9.x seconds to decompress the PNOR tarball.
Change the timeout to 15 seconds, and start the timer after the file is
written to tmpfs.
Partially resolves openbmc/bmcweb#60
Tested: Verify no more 400 error on uploading gzipped tarball.
Change-Id: I4e621236ed0c10892f8a5fef0d6a3ca2af911e93
Signed-off-by: Lei YU <mine260309@gmail.com>
| |
Fixed the following errors when obtaining the Redfish properties of a
Chassis:
* @odata.id URI did not contain the chassis name
* Non-Redfish DBus properties like BuildDate were returned
Tested: Verified the URL /redfish/v1/Chassis/<chassis>/ returns the
correct properties on a Witherspoon system. Ran Redfish
Service Validator.
Change-Id: I73280990db0b468aea1b12b2b919dabb2e20ca89
Signed-off-by: Shawn McCarney <shawnmm@us.ibm.com>
| |
With boost 1.69, we get the new option, BOOST_BEAST_USE_STD_STRING_VIEW
which allows us to use std::string for all beast interfaces, instead of
boost string_view. This was originally intended to try to reduce the
binary size, but the comparison shows only a minor improvement.
boost::string_view: 7420780 bytes
std::string_view: 7419948 bytes
832 bytes saved ! ! ! ! !
So instead, we will use the argument that it's more standard and easier
for people to grok.
Tested By:
Pulled down some bmcweb endpoints, and observed no change. Because the
two objects are essentially drop in replacements for one another, there
should be no change.
Change-Id: I001e8cf2a0124de4792a7154bf246e3c35ef3f97
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
| |
A quick scan with infer, a static analysis package.
https://fbinfer.com/docs/getting-started.html
Revealed a couple of legitimate bugs. I'm attaching the people on the
blame result to this review so they can look over the change. These are
unlikely to be exploitable in practice, but we should fix them anyway,
to clean up the analysis results.
Tested By:
Code still compiles, changes should be no-op.
Change-Id: I615dad6eb86fa2ea1709e2e2b009d07036d5f8de
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
| |
Tested by:
Code still compiles
Change-Id: I95d443f5c21e9839b6338fb72c5a940d0d91d479
| |
TestedBy:
PATCH '{"HostName": "bmcbmc"}'
Tested with validator and no errors.
Change-Id: I610dcda7b8c56486f22214e177b4dc6ad7018e7c
Signed-off-by: raviteja-b <raviteja28031990@gmail.com>
| |
BuildDate does not exist in the Redfish ComputerSystem schema. Checks for
the appropriate properties for system and adds them, rather than adding
all properties returned.
Tested: Verified /redfish/v1/Systems/system/ returns the correct
properties on a Witherspoon system, and buildDate is no
longer returned.
Change-Id: I83e8f637b17868eda810cbe342d1569d534a6d1b
Signed-off-by: beccabroek <beccabroek@gmail.com>
| |
res.success is the default, if one async call
sets failure, and another later sets success, we
don't want to overwrite the failure with success.
Tested-by: still got success on good patch
Change-Id: Iee76892f7517d508ed98929d9ecd127dd83b1329
Signed-off-by: James Feist <james.feist@linux.intel.com>
| |
We now have upper and lower clipping curves, add direction
so we can tell which is which.
Tested-by: GET and PATCH work
Change-Id: I0cdfa159a3a27355a8e67c65e42e765f191f7719
Signed-off-by: James Feist <james.feist@linux.intel.com>
| |
This variable was changed in pid-control.
Change-Id: I377057910214085043704af4e076f688212113e2
Signed-off-by: James Feist <james.feist@linux.intel.com>
| |
We now allow regexes to define the inputs for things
like CPU 0 Core \d+, however the inputs were being used
to define the chassis. Change to using the key and or
the zone to define the chassis to put the configuration
on so this isn't an issue.
Tested-by: Created new pid and patched regex pids
and it was successful
Change-Id: I7c054259e9c9118af1dde63fd798a57ca6830678
Signed-off-by: James Feist <james.feist@linux.intel.com>
| |
This commit moves the various vlan interfaces to use the existing
std::vector based implementations, and not the existing implementations.
Change-Id: Id2503d5e2f1503b61ec7dbdb25098611382b24c5
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
| |
This is the second attempt to make cipher suites more restrictive. This
was previously attempted in patchset
54fd221a9139f46c7c95b4a22cc09e6e7ce4cbbc
Which caused some compatibility issues. This is the second attempt,
which does a better job. OWASP does not enable elliptic curve TLS 1.2
cipher suites, which at this time are required for bmcweb to function.
Previously, bmcweb was utilizing the "mozilla compatibility" cipher
suites. This is overly lenient on broken ciphers and can cause some
issues with security reviews.
This commit also fixes our TLS logic to support _only_ TLS 1.2 and 1.3,
as only updating the cipher suites caused us to fall into TLS 1.3 only,
which broke compatibility with a lot of operating systems.
Tested by:
Ran the testssl.sh script here:
https://github.com/drwetter/testssl.sh
Observed the following in the output:
testssl.sh 3.0rc3 from https://testssl.sh/dev/
(977dc1ac4 2019-02-06 22:42:14 -- )
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
on Hades:/home/ed/testssl.sh/bin/openssl.Linux.x86_64
(built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")
Start 2019-02-08 11:04:50 -->> 10.243.49.64:18080 (10.243.49.64) <<--
rDNS (10.243.49.64): wolfpass.jf.intel.com.
Service detected: HTTP
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
Testing cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK)
Triple DES Ciphers not offered (OK)
128 Bit ciphers (SEED, IDEA, 128 Bit CBC) offered
High encryption (AES/Aria/Camellia, !AEAD) offered (OK)
Strong encryption (AEAD ciphers) offered (OK)
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
PFS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256
Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448
Testing server preferences
Has server cipher order? yes (OK) -- only for < TLS 1.3
Negotiated protocol TLSv1.3
Negotiated cipher TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
Cipher order
TLSv1.2: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
TLSv1.3: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
Testing server defaults (Server Hello)
TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "supported versions/#43"
"key share/#51" "supported_groups/#10" "max fragment length/#1" "encrypt-then-mac/#22"
"extended master secret/#23"
Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems to be rotated < daily
SSL Session ID support yes
Session Resumption Tickets: yes, ID: no
TLS clock skew Random values, no fingerprinting possible
Signature Algorithm ECDSA with SHA256
Server key size EC 256 bits
Server key usage --
Server extended key usage --
Serial / Fingerprints 669B86F0 / SHA1 0F6BF7C8F1AB59767FCA372A88F7F5457CFE00FB
SHA256 1D8C3AC5BA670C8C4EE8F5A76C8597226D89744510A4998B1A7888EF566256E5
Common Name (CN) testhost
subjectAltName (SAN) missing (NOT ok) -- Browsers are complaining
Issuer self-signed (NOT ok)
Trust (hostname) certificate does not match supplied URI
Chain of trust NOT ok (self signed)
EV cert (experimental) no
"eTLS" (visibility info) not present
Certificate Validity (UTC) 3648 >= 60 days (2019-02-07 10:23 --> 2029-02-04 10:23)
# of certificates provided 1
Certificate Revocation List --
OCSP URI --
NOT ok -- neither CRL nor OCSP URI provided
OCSP stapling not offered
OCSP must staple extension --
DNS CAA RR (experimental) not offered
Certificate Transparency --
Testing HTTP header response @ "/"
HTTP Status Code 200 OK
HTTP clock skew -83092 sec from localtime
Strict Transport Security 365 days=31536000 s, includeSubDomains, preload
Public Key Pinning --
Server banner iBMC
Application banner --
Cookie(s) (none issued at "/")
Security headers X-Frame-Options DENY
X-XSS-Protection 1; mode=block
X-Content-Type-Options nosniff
Content-Security-Policy default-src 'self'
X-UA-Compatible IE=11
Reverse Proxy banner --
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), reply empty
ROBOT Server does not support any cipher suites that use RSA key transport
Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) potentially NOT ok, uses gzip HTTP compression. - only supplied "/" tested
Can be ignored for static pages or if no secrets in the page
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible, no protocol below TLS 1.2 offered (OK)
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389) no SSL3 or TLS1 (OK)
LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 521 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 521 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256
xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 521 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 521 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Running client simulations (HTTP) via sockets
Android 4.2.2 No connection
Android 4.4.2 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 521 bit ECDH (P-521)
Android 5.0.0 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
Android 6.0 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Android 7.0 TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
Chrome 65 Win 7 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
Chrome 70 Win 10 TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
Firefox 59 Win 7 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
Firefox 62 Win 7 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
IE 6 XP No connection
IE 7 Vista No connection
IE 8 Win 7 No connection
IE 8 XP No connection
IE 11 Win 7 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
IE 11 Win 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
IE 11 Win Phone 8.1 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
IE 11 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Edge 13 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Edge 13 Win Phone 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Edge 15 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
Opera 17 Win 7 TLSv1.2 ECDHE-ECDSA-AES128-SHA256, 256 bit ECDH (P-256)
Safari 9 iOS 9 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Safari 9 OS X 10.11 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Safari 10 OS X 10.12 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Apple ATS 9 iOS 9 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Tor 17.0.9 Win 7 No connection
Java 6u45 No connection
Java 7u25 No connection
Java 8u161 TLSv1.2 ECDHE-ECDSA-AES256-SHA384, 256 bit ECDH (P-256)
Java 9.0.4 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
OpenSSL 1.0.1l TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 521 bit ECDH (P-521)
OpenSSL 1.0.2e TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Done 2019-02-08 11:06:45 [ 118s] -->> 10.243.49.64:18080 (10.243.49.64) <<--
Change-Id: I92a77807848354379ea2cbaa31767eeceadae295
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
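A check a CI job could run over the testssl.sh text output quoted in the commit message above, as an added example that is not part of the commit or of bmcweb. It reports any offered protocol outside TLS 1.2/1.3, reports either of the two being absent (the "TLS 1.3 only" regression the message describes), and lists the CBC suites behind the LUCKY13 line. The function names, finding labels and policy constant are assumptions; the sample lines are copied from the quoted output with whitespace normalised.

```python
import re

# Policy taken from the commit message: support only TLS 1.2 and TLS 1.3.
ALLOWED_PROTOCOLS = {"TLS 1.2", "TLS 1.3"}

# Matches the protocol lines of the testssl.sh text report,
# e.g. "TLS 1.1 not offered" or "TLS 1.3 offered (OK): final".
PROTOCOL_RE = re.compile(
    r"^(SSLv2|SSLv3|TLS 1(?:\.[0-3])?)\s+(not offered|offered)\b")
# First column of a row in the per-cipher table, e.g. "xc02c".
HEXCODE_RE = re.compile(r"^x[0-9a-f]{2,6}$")

# Constructed sample: lines excerpted from the output quoted above.
SAMPLE_REPORT = """\
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 521 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 521 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256
xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 521 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 521 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
"""


def parse_report(text):
    """Return ({protocol: offered?}, [cipher rows]) from a testssl.sh text report."""
    protocols = {}
    ciphers = []
    for raw in text.splitlines():
        line = raw.strip()
        match = PROTOCOL_RE.match(line)
        if match:
            protocols[match.group(1)] = match.group(2) == "offered"
            continue
        parts = line.split()
        # Cipher rows start with a hex code; the OpenSSL name is the second
        # column and the IANA name the last one, whatever lies in between.
        if len(parts) >= 3 and HEXCODE_RE.match(parts[0]):
            ciphers.append({"hex": parts[0], "openssl": parts[1], "iana": parts[-1]})
    return protocols, ciphers


def audit(text):
    """Return a list of (finding, subject) tuples; an empty list means clean."""
    protocols, ciphers = parse_report(text)
    findings = []
    # Anything offered below TLS 1.2 violates the policy.
    for name, offered in protocols.items():
        if offered and name not in ALLOWED_PROTOCOLS:
            findings.append(("protocol-too-old", name))
    # A missing or disabled TLS 1.2/1.3 is the compatibility regression the
    # commit message describes; a report with no protocol lines also lands here.
    for name in sorted(ALLOWED_PROTOCOLS):
        if not protocols.get(name, False):
            findings.append(("protocol-missing", name))
    # CBC suites are what the LUCKY13 line of the report refers to.
    for cipher in ciphers:
        if "_CBC_" in cipher["iana"]:
            findings.append(("cbc-suite", cipher["openssl"]))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_REPORT):
        print(f"{finding}: {subject}")
```

Treat `protocol-*` findings as build failures and `cbc-suite` as a review item, since the commit keeps those two suites deliberately.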
| |
-- Fixed typo: "IndicatorLed" ==> "IndicatorLED"
-- Fixed readJson call which was taking in an empty std::string
This caused PATCH to send back a warning if Indicator LED was
missing from the incoming JSON.
-- Fixed a segfault due to accessing an invalid shared_ptr
(The shared_ptr being accessed was previously moved to an async
callback)
Tested:
-- Limited testing done. I tried PATCH'ing the IndicatorLED property
on QEMU.
-- Made sure no segfault anymore.
Change-Id: If47dbacdeee791dd3cc2ac0e37c0b74bb3920df0
Signed-off-by: Santosh Puranik <santosh.puranik@in.ibm.com>
| |
This patchset attempts to fix all compiler warnings in bmcweb owned
files. There are 2 warnings left, both in sdbusplus, which will be
resolved in a patchset there.
Tested By:
Recompiled, observed warning count went from 30, to zero.
Change-Id: Ife90207aa5773bc28faa8b04c732cafa5a56e4e4
Signed-off-by: Ed Tanous <ed@tanous.net>
| |
This patchset implements a KVM websocket proxy designed to interoperate
with phosphor-webui and KVM. In short, IP address 127.0.0.1:5900 is
proxied to the websocket. This allows someone to connect from a browser
session.
Requires patchset here for the phosphor-webui side:
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-webui/+/10268/
and requires the kvm patches here:
https://gerrit.openbmc-project.xyz/#/c/openbmc/meta-phosphor/+/13536/
Tested By:
Launched webui, observed KVM. Moved mouse, and typed on keyboard,
changes appeared on host system.
Change-Id: I407488f4b16be208b188a0abc19954a0243af173
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
| |
Resolves #40
Tested by:
Built with BMCWEB_INSECURE_DISABLE_SSL. Build succeeded.
Change-Id: I3641e18b097d54c21720728ec72999e963e668a3
Signed-off-by: Ed Tanous <ed@tanous.net>
| |
Add hysteresis support into the pid controllers.
Tested-by: Get and Patch worked.
Change-Id: I89f1c128a234ebdf4d69aec35956f11b9e189263
Signed-off-by: James Feist <james.feist@linux.intel.com>
| |
The CPU LogService doesn't belong under BMC LogServices,
so moving it to Systems LogServices.
Tested: Verified that the CPU LogService shows up under Systems
and passed the Redfish Service Validator.
Change-Id: Ic04157b966dc0395db94046f37c33590a4e20553
Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
| |
The CPU and BMC LogServices were missing their Entries
fields, so adding them back.
Tested: Checked for presence of Entries fields and passed the
Redfish Service Validator.
Change-Id: I3caa251dd8acf05d4c37c2b30bb0374500849e84
Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
| |
The CPU Log timestamp was moved to a new location in the schema,
so this looks in the new place to get the timestamp for the
Created field.
Tested: Verified that the Created field is correctly populated in
the LogEntry.
Change-Id: Ie90e169aa999284ebc009867634beb35a4e74587
Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
| |
This commit changes the redfish behavior to move to a single, known name
under the /redfish/v1/Systems/system path. This is advantageous for a
lot of reasons.
1. Lots fewer dbus calls to determine the system name for every path.
This could be optimized in other ways, like checking the system name on
startup, but because redfish paths are not intended to be informative,
this patchset takes the opinion that less code is better.
2. Lots of lowered complexity, given that each endpoint underneath
/system doesn't need an individual "does this system exist, and is the
name right" check.
3. This makes it possible to correctly implement the "Links" property in
Chassis, which is required for the OCP base server profile
Tested By:
Very minimal testing done, but it seems to pass the validator.
Change-Id: Iea3cb5081b92a3843b6877decd009936de00561c
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
| |
Two errors were identified in the Redfish sessions implementation.
1. All user "roles" return a description containing Administrator,
instead of containing the name of the role.
2. The SessionService implementation was missing the link to sessions
collection.
These are resolved in this commit.
Tested By:
Ran service validator, no errors.
Change-Id: Ib48ab1756d78724b4bab124c8cf135c8a61d94a6
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
| |
Change-Id: I9d7069668f91f2ac72d2f4a440f63e0e85dd5269
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
| |
Use the same interfaces used to determine members of
/redfish/v1/Chassis/ as to determine if a chassis exists,
/redfish/v1/Chassis/<ChassisId>.
Using something different, Inventory.Item.Asset, means
a /redfish/v1/Chassis/<ChassisId> could return found when it
does not belong to members of /redfish/v1/Chassis/ and
vice versa.
Changed the search depth of both commands to infinite.
Tested: Verified /redfish/v1/Chassis/ and
/redfish/v1/Chassis/<ChassisId> on a Witherspoon
Change-Id: I45cfbadfb5199224039df2d894a599e1e237cf15
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
| |
Change-Id: I993ae392d87a19acd51fe093f8244a9c781dd339
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
| |
Boost beast, ASIO, and networking TS already have mechanisms for
injecting unit tests, using template parameters. We already use this to
some extent, although we pass through socket_adapters. Now that we have
constexpr if, we have the ability to simplify this code quite a bit.
Tested by:
Pulled down phosphor-webui, ran redfish service validator. Observed no
errors.
Change-Id: Ib8734aeb4c9139b56705060f6196e8ae16458fe9
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
| |
If Processor Manufacturer is IBM, set ProcessorArchitecture and
InstructionSet.
This works the same as if the Manufacturer is Intel.
Change-Id: I61df182a12db6601004f1717471b4b34cdcf961b
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
| |
Redfish schema 2018.3 was released on January 11th, 2019. While there
aren't any plans to utilize any of the new services, it makes sense to
keep up to date with the latest static data.
This commit was largely done automatically using the update_schemas.py
script.
Change-Id: I74c6fac08d21629ca976ff8694fce011b5247e34
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
| |
Use new_method_call() + async_send() to get back an sd_bus_message
from the org.freedesktop.DBus.Properties.GetAll call in the GET
handler, and then use convertDBusToJSON to extract any possible
property type instead of having to use a variant with all possible
property types defined ahead of time.
Tested: Did a get on several different paths, including one in
/org/open_power/ that had a signature of a(tx) that previously
didn't return anything.
Resolves openbmc/bmcweb#34
Change-Id: I40309664fa969741c4af9a60b9059c60bf6f35f4
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
| |
Instead of hardcoding the possible variant types in
the PropertiesChanged and InterfacesAdded callbacks used
by the /subscribe REST operation, use convertDBusToJSON
which can convert every D-Bus type to JSON.
Tested: With the web UI running:
* Restart the State.Host service, which triggers an
InterfacesAdded callback since the web UI subscribes
to that. It no longer crashes bmcweb with an sdbusplus
error.
* Change power states, and verify the web UI sees them
through its subscription on the CurrentHostState property.
Resolves openbmc/bmcweb#35
Change-Id: Ifa16c159d199005b42e3dfd4419bd3f9792c2d22
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
| |
When convertDBusToJSON processed an sd_bus_message with
a signature that had multiple high level entries, the
handler code tried to reassign a reference variable to
a new array entry, but references can't be reassigned,
so all it did was reset the passed in JSON object to
the empty value at the end of the array.
Instead, do this with a pointer.
Tested: A message with a signature of "sa{sv}as" was failing,
with nlohmann::json complaining about trying to do a
push_back on a string object. With this fix, that no longer
happens.
Change-Id: Idb3d3a56f0bd38f559f96f828ad95db65bbd11e1
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
| |
This reverts commit 54fd221a9139f46c7c95b4a22cc09e6e7ce4cbbc.
Reason for revert: This breaks compatibility with Python automation running on Ubuntu 16.04, and regresses our ability to run the test harness. Suspect we need to run compat C by default, but let's revert for now to stabilize.
Change-Id: I4a01450836d917cd9558bc826c1877e629280850
|