| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
Resolves openbmc/bmcweb#82
Signed-off-by: Jayanth Othayoth <ojayanth@in.ibm.com>
Change-Id: I944c1f9afe03ca58f61fdde34f83f092ff8d8ab2
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The boost::system::error_code returned by the DBus call will contain the
DBus error name and description in its error_category, use the
category's name and message as REST API's description and message.
Tested: Verify the REST API output when trying to set host time while
the settings does not allow that:
$ curl -k -H "X-Auth-Token: $token" -H "Content-Type: application/json" -X PUT -d '{"data": 1436655598435272}' https://$bmc/xyz/openbmc_project/time/bmc/attr/Elapsed
{
"data": {
"description": "xyz.openbmc_project.Time.Error.NotAllowed"
},
"message": "The operation is not allowed",
"status": "error"
}
Resolves openbmc/bmcweb#83
Change-Id: I90c11c0fc61e55329c809ecb5f948ae041a579d0
Signed-off-by: Lei YU <mine260309@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
This function is a utility function which would be needed
by other files.
TestedBy: ran the redfish validator: PASS
Change-Id: I2a0d07f264952f47a724da11f72b15ca5e019d62
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds fan profiles to redfish. This uses the
Thermal Mode interface to allow switching between
different fan profiles. Only the selected fan profile
will be seen. When adding a new controller, they will
also be added to the configuration item for that profile.
Patching of the profile to switch between supported
profiles is also supported.
Tested: Could change profiles in redfish.
Python test script:
def testProfile():
a = {
"Oem": {
"OpenBmc": {
"Fan": {
"Profile" : "Acoustic"
}
}
}
}
return a
def dopatch():
resp = requests.patch(address, json=testProfile(), verify=False,
auth=("root", "0penBmc"))
resp.raise_for_status()
Change-Id: Ie2d8582616ed5bde58e3328b21ba8c59437e88ce
Signed-off-by: James Feist <james.feist@linux.intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On receiving a websocket request on endpoint /vm/0/0,
connect to the nbd-proxy app and send/receive stdio.
Tested: Verified that the host could see the virtual
media usb device, mounted it manually and checked
the contents of the iso file used for the test were
there. To test, used the html and js script:
https://github.com/openbmc/jsnbd/tree/master/web
and an Ubuntu iso image file.
Verified that it worked after closing the websocket
(using the stop function from the html file), to
check that the processes were cleaned up and freed
up for a subsequent request.
Change-Id: I0b070310b070c086d67d0ae3e2c165551d6b87cc
Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
| |
Follow-on to https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/18891
Tested: Checked that the host console and virtual media endpoints
still worked as expected.
Change-Id: Ifdc5f21f3668bdf9bd24189504aaeb17b232c921
Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
| |
We're at CPP17 everywhere now, no need to keep the
experimental refrerence.
Tested: It builds
Change-Id: I5f6571eb411bf055e9715f7d96d1be5a3cb2e119
Signed-off-by: James Feist <james.feist@linux.intel.com>
|
| |
|
|
|
|
|
|
|
|
| |
A step towards upstream OpenBMC shipping free of any branding (other
than OpenBMC branding) or company references.
Tested: Did not test
Change-Id: I4fea765949ff3ad94e3cd52fedec597a77db0e79
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
A recent change to the URL routing broke all /org endpoints, which now
return 404 instead of the correct data. This resolves it, and points at
the correct object paths again.
Tested:
Given this is a CI failure, will rely on CI to test the /org endpoints.
Resolves #72
Change-Id: I779bb32f1f2bcba45fdb64f5bf510e7fa832e2d2
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patchset is the beginings of the infrastructure to allow
separate registrations, and map privileges to the actual node in the
url table rather than having each registration manage privileges
manually.
Tested by:
Running redfish compliance tool. All things still pass.
Change-Id: I72d278cc19c60ba5b6e563fbd705b0551faf9a6a
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This commit does 2 things.
1. Upgrades and prepares bmcweb for boost 1.70.
2. Allows us to compile with BOOST_AIO_NO_DEPRECATED
Tested: Compiled against 1.69 and 1.70. All changes should be no-op.
Change-Id: I557ecd840fe2b88c0fa01978a1b666b40ccccca4
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
| |
|
|
|
|
|
|
| |
This reverts commit 6ea007a2faec52ad62680015d2a3f00371a1e351.
Reason for revert: Reports of bmcweb seg faults.
Change-Id: I408f1bb29c2f8e427a6621cdaac8c31b847ebf06
|
| |
|
|
|
|
|
|
|
|
|
|
| |
bmcweb classically has not taken a strong opinion on warnings. With
this commit, that policy is changing, and bmcweb will invoke the best
warnings we are able to enable, and turn on -Werror for all builds.
This is intended to reduce the likelihood of hard-to-debug situations
that the compiler coulve caught early on.
Change-Id: I57474410821e82666b3a108cfd0db7d070e8900a
Signed-off-by: Ed Tanous <ed@tanous.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When logging out of the API, there was no JSON text response.
This implements the requested feature.
Tested: Verified appropriate response is generated when /logout
is called
E.g.
curl -c cjar -b cjar -k -X POST \
-H "Content-Type: application/json" \
-H "X-Auth-Token: g3Heq5rYsz1j0iv4MbUp" \
-d '{"data": [ ] }' \
https://${bmc}/logout
{
"data": "User 'root' logged out",
"message": "200 OK",
"status": "ok"
}
Change-Id: I905f5a0855abaa76ae57cf32b8bae758722f6b9f
Signed-off-by: Anthony Wilson <wilsonan@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This commit simplifies input buffer delivering logic by removing
a doWrite() call from readDone(). Input events can be delivered
through websocket's onmessage handler only and it's enough.
Also, it fixes a suspicious weak point of commit/consume pair on
outputBuffer.
Change-Id: I5b777993a9d6f05375da0422b168c25dacb1b9f9
Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The timeout was 10 seconds for:
1. The uploaded contenet is written to tmpfs
2. Wait for software version manager to parse the content and create the
version object.
For a tarball without compression, the timeout is enough, but for a
compressed tarball, the timeout may not be enough, e.g. Palmetto takes
about 9.x seconds to decompress the PNOR tarball.
Change the timeout to 15 seconds, and start the timer after the file is
written to tmpfs.
Partially resovles openbmc/bmcweb#60
Tested: Verify no more 400 error on uploading gzipped tarball.
Change-Id: I4e621236ed0c10892f8a5fef0d6a3ca2af911e93
Signed-off-by: Lei YU <mine260309@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With boost 1.69, we get the new option, BOOST_BEAST_USE_STD_STRING_VIEW
which allows us to use std::string for all beast interfaces, instead of
boost string_view. This was originally intended to try to reduce the
binary size, but the comparison shows only a minor improvement.
boost::string_view: 7420780 bytes
std::string_view: 7419948 bytes
832 bytes saved ! ! ! ! !
So instead, we will use the argument that it's more standard and easier
for people to grok.
Tested By:
Pulled down some bmcweb endpoints, and observed no change. Because the
two objects are essentially drop in replacements for one another, there
should be no change.
Change-Id: I001e8cf2a0124de4792a7154bf246e3c35ef3f97
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A quick scan with infer, a static analysis package.
https://fbinfer.com/docs/getting-started.html
Revealed a couple of legitimate bugs. I'm attaching the people on the
blame result to this review so they can look over the change. These are
unlikely to be exploitable in practice, but we should fix them anyway,
to clean up the analysis results.
Tested By:
Code still compiles, changes should be no-op.
Change-Id: I615dad6eb86fa2ea1709e2e2b009d07036d5f8de
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the second attempt to make cipher suites more restrictive. This
was previously attempted in patchset
54fd221a9139f46c7c95b4a22cc09e6e7ce4cbbc
Which caused some compatibility issues. This is the second attempt,
which does a better job. OWASP does not enable eppiliptic curve TLS 1.2
cipher suites, which at this time are required for bmcweb to function.
Previously, bmcweb was utilitizing the "mozilla compatibility" cipher
suites. This is overly lenient on broken ciphers and can cause some
issues with security reviews.
This commit also fixes our TLS logic to support _only_ TLS 1.2 and 1.3,
as only updating the cipher suites caused us to fall into TLS 1.3 only,
which broke compatibility with a lot of operating systems.
Tested by:
Ran the testssl.sh script here:
https://github.com/drwetter/testssl.sh
Observed the following in the output:
testssl.sh 3.0rc3 from https://testssl.sh/dev/
(977dc1ac4 2019-02-06 22:42:14 -- )
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
on Hades:/home/ed/testssl.sh/bin/openssl.Linux.x86_64
(built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")
Start 2019-02-08 11:04:50 -->> 10.243.49.64:18080 (10.243.49.64) <<--
rDNS (10.243.49.64): wolfpass.jf.intel.com.
Service detected: HTTP
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
Testing cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK)
Triple DES Ciphers not offered (OK)
128 Bit ciphers (SEED, IDEA, 128 Bit CBC) offered
High encryption (AES/Aria/Camellia, !AEAD) offered (OK)
Strong encryption (AEAD ciphers) offered (OK)
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
PFS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256
Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448
Testing server preferences
Has server cipher order? yes (OK) -- only for < TLS 1.3
Negotiated protocol TLSv1.3
Negotiated cipher TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
Cipher order
TLSv1.2: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
TLSv1.3: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
Testing server defaults (Server Hello)
TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "supported versions/#43"
"key share/#51" "supported_groups/#10" "max fragment length/#1" "encrypt-then-mac/#22"
"extended master secret/#23"
Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems to be rotated < daily
SSL Session ID support yes
Session Resumption Tickets: yes, ID: no
TLS clock skew Random values, no fingerprinting possible
Signature Algorithm ECDSA with SHA256
Server key size EC 256 bits
Server key usage --
Server extended key usage --
Serial / Fingerprints 669B86F0 / SHA1 0F6BF7C8F1AB59767FCA372A88F7F5457CFE00FB
SHA256 1D8C3AC5BA670C8C4EE8F5A76C8597226D89744510A4998B1A7888EF566256E5
Common Name (CN) testhost
subjectAltName (SAN) missing (NOT ok) -- Browsers are complaining
Issuer self-signed (NOT ok)
Trust (hostname) certificate does not match supplied URI
Chain of trust NOT ok (self signed)
EV cert (experimental) no
"eTLS" (visibility info) not present
Certificate Validity (UTC) 3648 >= 60 days (2019-02-07 10:23 --> 2029-02-04 10:23)
# of certificates provided 1
Certificate Revocation List --
OCSP URI --
NOT ok -- neither CRL nor OCSP URI provided
OCSP stapling not offered
OCSP must staple extension --
DNS CAA RR (experimental) not offered
Certificate Transparency --
Testing HTTP header response @ "/"
HTTP Status Code 200 OK
HTTP clock skew -83092 sec from localtime
Strict Transport Security 365 days=31536000 s, includeSubDomains, preload
Public Key Pinning --
Server banner iBMC
Application banner --
Cookie(s) (none issued at "/")
Security headers X-Frame-Options DENY
X-XSS-Protection 1; mode=block
X-Content-Type-Options nosniff
Content-Security-Policy default-src 'self'
X-UA-Compatible IE=11
Reverse Proxy banner --
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), reply empty
ROBOT Server does not support any cipher suites that use RSA key transport
Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) potentially NOT ok, uses gzip HTTP compression. - only supplied "/" tested
Can be ignored for static pages or if no secrets in the page
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible, no protocol below TLS 1.2 offered (OK)
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389) no SSL3 or TLS1 (OK)
LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 521 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 521 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256
xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 521 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 521 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Running client simulations (HTTP) via sockets
Android 4.2.2 No connection
Android 4.4.2 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 521 bit ECDH (P-521)
Android 5.0.0 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
Android 6.0 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Android 7.0 TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
Chrome 65 Win 7 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
Chrome 70 Win 10 TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
Firefox 59 Win 7 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
Firefox 62 Win 7 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
IE 6 XP No connection
IE 7 Vista No connection
IE 8 Win 7 No connection
IE 8 XP No connection
IE 11 Win 7 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
IE 11 Win 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
IE 11 Win Phone 8.1 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
IE 11 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Edge 13 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Edge 13 Win Phone 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Edge 15 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
Opera 17 Win 7 TLSv1.2 ECDHE-ECDSA-AES128-SHA256, 256 bit ECDH (P-256)
Safari 9 iOS 9 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Safari 9 OS X 10.11 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Safari 10 OS X 10.12 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Apple ATS 9 iOS 9 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Tor 17.0.9 Win 7 No connection
Java 6u45 No connection
Java 7u25 No connection
Java 8u161 TLSv1.2 ECDHE-ECDSA-AES256-SHA384, 256 bit ECDH (P-256)
Java 9.0.4 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
OpenSSL 1.0.1l TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 521 bit ECDH (P-521)
OpenSSL 1.0.2e TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Done 2019-02-08 11:06:45 [ 118s] -->> 10.243.49.64:18080 (10.243.49.64) <<--
Change-Id: I92a77807848354379ea2cbaa31767eeceadae295
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patchset implements a KVM websocket proxy designed to interoperate
with phosphor-webui and KVM. in short, IP address 127.0.0.1:5900 is
proxied to the websocket. This allows someone to connect from a browser
session.
Requires patchset here for the phosphor-webui side:
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-webui/+/10268/
and requires the kvm patches here:
https://gerrit.openbmc-project.xyz/#/c/openbmc/meta-phosphor/+/13536/
Tested By:
Launched webui, observed KVM. Moved mouse, and typed on keyboard,
changes appeared on host system.
Change-Id: I407488f4b16be208b188a0abc19954a0243af173
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
| |
|
|
|
| |
Change-Id: I9d7069668f91f2ac72d2f4a440f63e0e85dd5269
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Boost beast, ASIO, and networking TS already have mechanisms for
injecting unit tests, using template parameters. We already use this to
some extent, although we pass through socket_adapters. Now that we have
constexpr if, we have the ability to simplify this code quite a bit.
Tested by:
Pulled down phosphor-webui, ran redfish service validator. Observed no
errors.
Change-Id: Ib8734aeb4c9139b56705060f6196e8ae16458fe9
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use new_method_call() + async_send() to get back an sd_bus_message
from the org.freedesktop.DBus.Properties.GetAll call in the GET
handler, and then use convertDBusToJSON to extract any possible
property type instead of having to use a variant with all possible
property types defined ahead of time.
Tested: Did a get on several different paths, including one in
/org/open_power/ that had a signature of a(tx) that previously
didn't return anything.
Resolves openbmc/bmcweb#34
Change-Id: I40309664fa969741c4af9a60b9059c60bf6f35f4
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of hardcoding the possible variant types in
the PropertiesChanged and InterfacesAdded callbacks used
by the /subscribe REST operation, use convertDBusToJSON
which can convert every D-Bus type to JSON.
Tested: With the web UI running:
* Restart the State.Host service, which triggers an
InterfacesAdded callback since the web UI subscribes
to that. It no longer crashes bmcweb with an sdbusplus
error.
* Change power states, and verify the web UI sees them
through its subscription on the CurrentHostState property.
Resolves openbmc/bmcweb#35
Change-Id: Ifa16c159d199005b42e3dfd4419bd3f9792c2d22
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When convertDBusToJSON processed an sd_bus_message with
a signature that had multiple high level entries, the
handler code tried to reassign a reference variable to
a new array entry, but references can't be reassigned,
so all it did was reset the passed in JSON object to
the empty value at the end of the array.
Instead, do this with a pointer.
Tested: A message with a signature of "sa{sv}as" was failing,
with nlohmann::json complaining about trying to do a
push_back on a string object. With this fix, that no longer
happens.
Change-Id: Idb3d3a56f0bd38f559f96f828ad95db65bbd11e1
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
| |
This reverts commit 54fd221a9139f46c7c95b4a22cc09e6e7ce4cbbc.
Reason for revert: This breaks compatibility with python automation running on ubuntu 16.04, and regresses our ability to run the test harness. Suspect we need to run compat C by default, but lets revert for now to stabilize.
Change-Id: I4a01450836d917cd9558bc826c1877e629280850
|
| |
|
|
|
|
|
|
|
| |
Return a method_not_allowed response when the path for a
DELETE is invalid. This matches what the phosphor-rest
server did.
Change-Id: I6db577d25d92bdbee9e97355ff11a15a5c68288b
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make the following fixes to the image upload code
to make it behave like the phosphor-rest implementation,
which should work for both UBI and non-UBI image formats.
1) Subscribe to an intefacesAdded signal on
/xyz/openbmc_project/software upon invocation.
2) If the signal callback happens within 10s, check that the
xyz.openbmc_project.Software.Version interface was created,
and if it was read the version ID from the last segment of
the object path in the signal data and return it in the
call response.
3) If the callback doesn't occur within 10s, return a 400
error.
Resolves openbmc/bmcweb#30
Change-Id: Ic9572488c13cadfb19c0d57a97833a627cf45df5
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit moves content security policy to use the modern header, not
a header begining with X.
Requires the content-security-policy patch series to function correctly.
Tested by:
Launched phosphor-webui, and observed webui launch, and no warnings in
debug tools.
Change-Id: I14a422d8a4047d0b05c937a31a5845f8eeb858c6
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, bmcweb was utilitizing the "mozilla compatibility" cipher
suites. This is overly lenient on broken ciphers and can cause some
issues with security reviews. In researching this, it looks like we
never actually documented that we follow Mozilla ciphers, aside from the
statement "The OpenBMC webserver shall follow the latest OWASP recommendations for
authentication, session management, and security." Considering that
we're moving _to_ OWASP recommendations, this commit is simply making us
follow the advice we already document, although this commit also updates
the documentation to be more clear.
Tested By:
Loaded on a BMC, opened web page in browser, and observed phosphor-webui
loaded correctly.
Change-Id: I912b35d378ce955c1472b2d54f1a365f6efea160
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a possibility that a method may be implemented
by either different services or interfaces, and 1 or more
of them may return data.
In the unlikely case that is encountered, attempt to handle
that by first setting the final response data to the first
data back from a method, and then on future method responses
that return data:
* If the new and old responses are both dictionaries,
add the new keys/values to the original ones.
* If the new and old responses are both arrays,
add the new array elements to the original array.
* If the new data is of a different type than the
previous data, convert the overall response into
an array and add the new and original responses
as array elements.
Change-Id: I23edc3d9f8154aba1ba4276112cde6ecb4345fdf
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Variants are in their own container. In order to
get the type of the data contained in the variant,
the peek API needs to be used.
Resolves openbmc/bmcweb#24
Change-Id: I085064a8eabe2f57cfa0f1977fe7b9c19baa80e2
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
| |
A struct is in its own sd_bus_message container,
and the output JSON looks like an array.
Change-Id: Ie8e5848a5fa9bc9605f5dda06dc1b5d7be4dea3c
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add support for returning arrays and dictionaries
from methods.
Note that a dictionary can only be seen inside of
an array, and every key/value pair is in its own
sd_bus_message container.
Change-Id: I4f8ff671f7c4403d83443482e7db0487bdc03ff1
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
| |
When converting a bool from JSON into D-Bus, a
dereference was missing causing the code to always
output a 1 since since it checked the address value
and not the actual bool value.
Change-Id: I521418c25bd23c64b59d599f5c5298d8b89cd67c
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for returning the basic D-Bus types,
such as int, string, etc, from methods.
It does this by using the sd_bus_message_read_basic
API to pull the data out of the method response message,
and then converts it to JSON.
Future commits will add array/dict/variant support.
Change-Id: I937d22330a9c2df443942ea84e45d894244388ff
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a method has an output argument in the introspection
data, it has data that should be returned in the response JSON.
This code finds the output type in the introspection
data, and adds two function stubs: one to convert the output
data in the sd_bus message to JSON, and another to handle
combining the possible multiple method responses (from
different services or interfaces) into 1 output.
It also adds some logic on what to do if multiple methods
are called and only a subset fail or return data.
That logic can be summarized as:
* if any method passes, consider it a success
* return all the data that comes back, though the
merging is done in a future commit.
Change-Id: Ic50a3a88bb9d83672f7aed2b832217122e182048
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
All of the useful code in this function is in an else leg
after an error check. Add a return statement in the error
check so the else statement can be removed, to reduce the
level of indent as the code already indents several
additional levels.
Change-Id: Ia664ae2af31a5d72e322dd6c3c83ea8961931e22
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add a missing return statement to convertJsonToDbus.
The function did appear to still work before, but it
fixes a compile warning.
Change-Id: Ib6b15c822fa6b56c9d9fdaca704bc9c53024fa76
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add stepwise configuration information into the oem
redfish configuration. Also move the basic configuration
information into the above loop to not set it multiple
times. Only implemented GET thus far, PATCH will be in
follow-on commit.
Tested-by: Navigated to redfish/v1/Managers/bmc/ and saw
Stepwise configuration.
Change-Id: Id4fdf7b6c6708edc56c1ede717b79c50de2b1c94
Signed-off-by: James Feist <james.feist@linux.intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The function dbusArgSplit() was missing the return statement
at the end, which was causing a warning in the bitbake
compile logs.
The function apparently still worked fine without it, but
one wouldn't think it would just by looking at it.
Change-Id: Ifcd1f742de995eb19685d0ef37036860ebbf8b95
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
boost::asio::io_service is removed in leiu of io_context, which is a
closer match to the networking TS. Move us to that implementatio.
This was an automated move using the following command:
git grep -l 'io_service' | xargs sed -i 's/io_service/io_context/g'
Change-Id: I46605521c01f79f86f6901ddf69ddc8c4bc24103
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use 400, which is a client error, for errors when
deciphering method call arguments as opposed to
a server error, 500. The robot testcases expect this
and it also makes sense since the client must have
passed in a bad argument.
Only the error that results from a method call failing
will be 500.
Resolves openbmc/bmcweb#25
Change-Id: I9504905992fee3bc0119ff7cae8512eba899daa4
Signed-off-by: Matt Spinler <spinler@us.ibm.com>
|
| |
|
|
|
|
|
|
| |
sed replacing filesystem should not have happened in
this file.
Change-Id: I3411d655b563edd52cd980bd56277f16fa6f7ac5
Signed-off-by: James Feist <james.feist@linux.intel.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
When using Legacy Boot Mode in Intel platforms, HTML5 SOL console will
be disconnected when host start.
When host start, BIOS will send some non UTF-8 data to SOL console,
then SOL console will be disconnected. Changing to binary format can
make WSS protocol work correctly with non UTF-8 data.
Change-Id: I9a440220f16eb07d800dc291897ab3106cd40c32
Signed-off-by: Cheng C Yang <cheng.c.yang@linux.intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With the obmc-console-server binding to the correct socket, this is not
needed.
Abstract unix sockets start with the nul-charater, but are not nul
terminated. In fact, the nul-character has no meaning in the path.
According to the man page unix(7),
abstract: an abstract socket address is distinguished (from a pathname
socket) by the fact that sun_path[0] is a null byte ('\0').
The socket's address in this namespace is given by the
additional bytes in sun_path that are covered by the
specified length of the address structure. (Null bytes in
the name have no special significance.)
This means that when calling bind/connect, the size of the sockaddr
structure is not sizeof(sockaddr_un), it is sizeof(sockaddr_un) -
sizeof(sun_path) + (path_len)
Change-Id: I2b19d0b9aa8e8ded9162890503c46cad95a6c7b6
Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>
|
| |
|
|
|
|
|
| |
Splice it into standard for gcc8
Change-Id: I584206dd737c9d90cf93bfa8541980fdd8f6d39b
Signed-off-by: James Feist <james.feist@linux.intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Technically, if multiple dump files existed, we could get a double end()
called loading each file. Avoid that by returning.
Tested By:
Downloading a file from dump, using the /dump url. File downloads
correctly.
Change-Id: Icd71a2fbbe365557daa1a7e24c5563f3749a748d
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the below issues in rest actions
- Fetching dbus signature from xml arg elements.
- Double iterator increament, while reading array
of strings 'as'.
Test:
Verified rest API's with actions(POST).
Change-Id: I52ca938bae54c882da2f9f445ea0b4e605a5f8c3
Signed-off-by: AppaRao Puli <apparao.puli@linux.intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Somehow we got the content type wrong on javascript files, which became
apparent when the content security patches were coming out.
This patchset corrects the string.
Tested By:
Opened webui in chrome, and inspected the javascript files. content
type was correct.
Change-Id: I9ba706d5b919bf4c6365d01853c978b1616913d4
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
