<feed xmlns='http://www.w3.org/2005/Atom'>
<title>phosphor-webui, branch master</title>
<subtitle>OpenBMC Phosphor WebUI sources</subtitle>
<id>https://git.raptorcs.com/git/phosphor-webui/atom?h=master</id>
<link rel='self' href='https://git.raptorcs.com/git/phosphor-webui/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/phosphor-webui/'/>
<updated>2020-02-11T16:43:22+00:00</updated>
<entry>
<title>Create profile settings page</title>
<updated>2020-02-11T16:43:22+00:00</updated>
<author>
<name>Yoshie Muranaka</name>
<email>yoshiemuranaka@gmail.com</email>
</author>
<published>2020-01-29T21:21:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/phosphor-webui/commit/?id=4148f2eee6313068d3223871005160b2902abb18'/>
<id>urn:sha1:4148f2eee6313068d3223871005160b2902abb18</id>
<content type='text'>
Adding a profile settings page so readonly and operator
roles are able to change their own password.

Signed-off-by: Yoshie Muranaka &lt;yoshiemuranaka@gmail.com&gt;
Change-Id: Iee9536255ad47f4df4af8746c1e01da37c407f2b
</content>
</entry>
<entry>
<title>Block forwarding to non-local url</title>
<updated>2020-02-11T16:43:02+00:00</updated>
<author>
<name>James Feist</name>
<email>james.feist@linux.intel.com</email>
</author>
<published>2020-02-10T17:25:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/phosphor-webui/commit/?id=b0a0847a8eb02ae21f755942799a81c6e3475e64'/>
<id>urn:sha1:b0a0847a8eb02ae21f755942799a81c6e3475e64</id>
<content type='text'>
Currently we don't protect against forwarding to a remote
url, so things like:

https://&lt;bmc-address&gt;/#/login?next=http:%2F%2Fyahoo.com

can be used to forward an unsuspecting user to a different
url. This fixes that issue.

Tested: Local redirects still work, above link does not

Closes #109

Change-Id: I4d6c52880156802860f405af43037fb84235912f
Signed-off-by: James Feist &lt;james.feist@linux.intel.com&gt;
</content>
</entry>
<entry>
<title>Fix security vulnerabilities</title>
<updated>2020-01-16T20:30:38+00:00</updated>
<author>
<name>Gunnar Mills</name>
<email>gmills@us.ibm.com</email>
</author>
<published>2020-01-16T20:26:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/phosphor-webui/commit/?id=425ed044e9422ad17e8d1924387620cd3d925f37'/>
<id>urn:sha1:425ed044e9422ad17e8d1924387620cd3d925f37</id>
<content type='text'>
Had a few more vulnerabilities show up including:
regular expressions Cross-Site Scripting (XSS) vulnerability

https://github.com/advisories/GHSA-h9rv-jmmf-4pgx

Remediation
Upgrade serialize-javascript to version 2.1.1 or later.

Ran npm audit fix.

Don't think this was a real vulnerability but always good to fix.

Tested: Built for a Witherspoon, loaded on the code, and tested.

Change-Id: I3af6941fdef98b950c7e17ddfeb368fdccc5cabc
Signed-off-by: Gunnar Mills &lt;gmills@us.ibm.com&gt;
</content>
</entry>
<entry>
<title>Update navigation to accordion-style menu</title>
<updated>2020-01-13T15:24:01+00:00</updated>
<author>
<name>kathy</name>
<email>kathryn.elainex.pine@intel.com</email>
</author>
<published>2019-11-11T18:35:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/phosphor-webui/commit/?id=cee23d931785fe0638054a2448acb2e44411fdd0'/>
<id>urn:sha1:cee23d931785fe0638054a2448acb2e44411fdd0</id>
<content type='text'>
- New navigation provides intuitive structure for showing relationship
between sections and pages
- Menu keeps an open state, which allows easy clicking to sibling pages
- Ability to preview all page sections w/o hover over blocking page content
- Allows user to see where they are within navigation at all times

Tested: Opened each page and confirmed new navigation worked, clicked through
to all pages successfully.

Change-Id: Ie10dc95d8e15ee9bf89a3bec9ff231c0a7065ed9
Signed-off-by: Kathy Pine &lt;kathryn.elainex.pine@intel.com&gt;
</content>
</entry>
<entry>
<title>Users: Role Table: Update ssh</title>
<updated>2019-12-19T00:45:00+00:00</updated>
<author>
<name>Gunnar Mills</name>
<email>gmills@us.ibm.com</email>
</author>
<published>2019-12-16T19:57:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/phosphor-webui/commit/?id=dda0b83ebe65f7dc90275a649245e85ba3e8b315'/>
<id>urn:sha1:dda0b83ebe65f7dc90275a649245e85ba3e8b315</id>
<content type='text'>
https://github.com/openbmc/openbmc/commit/19e81d3f3b731681a57bb5ef9681d33cc291bde8
restricts SSH authentication to only admin role users.

Updated the table.

Tested: Loaded on a Witherspoon
Change-Id: Ice5c93dc6dc4aa937de2c3fb9072c2f81719325c
Signed-off-by: Gunnar Mills &lt;gmills@us.ibm.com&gt;
</content>
</entry>
<entry>
<title>Users: Update Callback/NoAccess Role</title>
<updated>2019-12-19T00:44:53+00:00</updated>
<author>
<name>Gunnar Mills</name>
<email>gmills@us.ibm.com</email>
</author>
<published>2019-12-16T16:36:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/phosphor-webui/commit/?id=6765c07a2831434d7c5bb56a08a15c67adb0c3a2'/>
<id>urn:sha1:6765c07a2831434d7c5bb56a08a15c67adb0c3a2</id>
<content type='text'>
https://github.com/openbmc/bmcweb/commit/e9e6d240ab85e515f8d264e39b47a75043b73374
added a new user role, NoAccess.

https://github.com/openbmc/bmcweb/commit/cb3e11fadd77b04f5b26aefbde18411625e5e304
removed Callback.

This "NoAccess" role cannot ssh, access Redfish, the D-Bus API, or
IPMI.

Tested: Loaded on a Witherspoon.
Change-Id: I4f870fdefb5342344fd442876d671a59864bbf34
Signed-off-by: Gunnar Mills &lt;gmills@us.ibm.com&gt;
</content>
</entry>
<entry>
<title>User logged in when IsAuthenticated cookie is set.</title>
<updated>2019-12-16T12:45:09+00:00</updated>
<author>
<name>Wiktor Gołgowski</name>
<email>wiktor.golgowski@intel.com</email>
</author>
<published>2019-12-10T11:46:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/phosphor-webui/commit/?id=f2127efa1b7d1c9fc1625f6e30b75be0ed658d53'/>
<id>urn:sha1:f2127efa1b7d1c9fc1625f6e30b75be0ed658d53</id>
<content type='text'>
Related to https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270

Currently the only condition checked for whether a user is logged in was the
"LOGIN_ID" value in browser session storage. The only place in the code
where it is set is the Basic Authorization flow.

In the case of mTLS authentication, we are not able to set the session storage
value. This is why an additional 'IsAuthenticated' cookie is added.

In the case when the user session expires, the failing XHR should cause the
page to redirect to the login prompt. Additionally, the IsAuthenticated
cookie is removed to disable redirection.

Tested: verified the flow with the mTLS changes. The user is put into the
webUI interface without a login prompt when using mTLS authentication. If
the authentication fails, the browser redirects to the login page.

Signed-off-by: Wiktor Gołgowski &lt;wiktor.golgowski@intel.com&gt;
Change-Id: Ia7061f3e146c6547d4bfdf42940150b1a5c06903
</content>
</entry>
<entry>
<title>AngularJS: vulnerability: npm audit fix</title>
<updated>2019-12-04T22:23:03+00:00</updated>
<author>
<name>Gunnar Mills</name>
<email>gmills@us.ibm.com</email>
</author>
<published>2019-11-20T21:48:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/phosphor-webui/commit/?id=86f4056a2dfee6fced5b5b03de04a7ef9c33d74f'/>
<id>urn:sha1:86f4056a2dfee6fced5b5b03de04a7ef9c33d74f</id>
<content type='text'>
https://github.com/advisories/GHSA-89mq-4x47-5v83
"In AngularJS before 1.7.9 the function merge() could be tricked
into adding or modifying properties of Object.prototype using
a __proto__ payload."

Although I don't see how this is a real threat to the webui,
fixed anyway.

https://github.com/angular/angular.js/compare/v1.7.8...v1.7.9
The difference between 1.7.8 and 1.7.9 is small.

Discussion in the works to move away from AngularJS
https://lists.ozlabs.org/pipermail/openbmc/2019-November/019431.html

Tested: Built and loaded on a Witherspoon
Change-Id: Ibe2c9671203a76cd8b4dbb8b1dbbaae2a8230138
Signed-off-by: Gunnar Mills &lt;gmills@us.ibm.com&gt;
</content>
</entry>
<entry>
<title>Fix LDAP request resulting in 400 response</title>
<updated>2019-12-04T18:00:25+00:00</updated>
<author>
<name>Derick Montague</name>
<email>derick.montague@ibm.com</email>
</author>
<published>2019-12-03T18:52:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/phosphor-webui/commit/?id=b42b93d8adcf463dc7cc4422cf6718d698c95236'/>
<id>urn:sha1:b42b93d8adcf463dc7cc4422cf6718d698c95236</id>
<content type='text'>
- Remove all references to the AuthenticationType property since our
request is a PATCH and we are not changing the value.

Resolves: https://github.com/openbmc/phosphor-webui/issues/102

Signed-off-by: Derick Montague &lt;derick.montague@ibm.com&gt;
Change-Id: I911ac41bf61250847e4c308f09df8fd59dd27fa7
</content>
</entry>
<entry>
<title>Sorting certificate table</title>
<updated>2019-12-04T18:00:17+00:00</updated>
<author>
<name>Zbigniew Kurzynski</name>
<email>zbigniew.kurzynski@intel.com</email>
</author>
<published>2019-11-28T10:40:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/phosphor-webui/commit/?id=ca7e093bd789f34c35e714dc5bce1ae4e9ce4205'/>
<id>urn:sha1:ca7e093bd789f34c35e714dc5bce1ae4e9ce4205</id>
<content type='text'>
So far the certificate table was not sorted, and it happened that, having
multiple certificates, they appeared in different table positions after a
machine restart.
That is because Redfish was used to get the list of certificates
and it does not guarantee any order of elements in returned
collections.

After merging this commit, certificates will always be sorted by:
type, issuer name and then by date.

Tested:
Manual tests were made to confirm that certificates are properly sorted.

Signed-off-by: Zbigniew Kurzynski &lt;zbigniew.kurzynski@intel.com&gt;
Change-Id: Ie8e63d598cd04e2396ed09244a69284e49566f8d
</content>
</entry>
</feed>
