Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / a3b9eb98d65c22793229fbd6ec2e6ecf0e974aee
commita3b9eb98d65c22793229fbd6ec2e6ecf0e974aee[log] [tgz]
authorEd Tanous <ed@tanous.net>Mon Jun 03 08:39:37 2024 -0700
committerEd Tanous <ed@tanous.net>Wed Jun 05 16:54:51 2024 +0000
tree82840112a9430e9a941ed45cc6367bdf746b6837
parent049079f651fbfc465f136c8e9fe6acbd67f0434a [diff]
Make SSE pass

Redfish protocol validator is failing SSE.  This is due to a clause in
the Redfish specification that requires a "json" error to be returned
when the SSE URI is hit with a standard request.

In what exists today, we return 4XX (method not allowed) but because
this is handled by the HTTP layer, it's not possible to return the
correct Redfish payloads for when that 4XX happens within the Redfish
tree, because there is in fact a route that matches, that route just
doesn't support the type that we need.

This commit rearranges the router such that there are now 4 classes of
rules.

1. "verb" rules.  These are GET/POST/PATCH type, and they are stored
   using the existing PerMethod array index.
2. "upgrade" rules.  These are for websocket or SSE routes that we
   expect to upgrade to another route
3. 404 routes.  These are called in the case where no route exists with
   that given URI pattern, and no routes exist in the table for any
   verb.
4. 405 method not allowed.  These are called in the case where routes
   exist in the tree for some method, but not for the method the user
   requested.

To accomplish this, some minor refactors are implemented to separate out
the 4xx handlers to be their own variables, rather than just existing at
an index at the end of the verb table.  This in turn means that
getRouteByIndex now changes to allow getting the route by PerMethod
instance, rather than index.

Tested:
unit tests pass (okish coverage)
Redfish protocol validator passes (with the exception of #277, which
fails identically before and after).  SSE tests now pass.
Redfish service validator passes.

Change-Id: I555c50f392cb12ecbc39fbadbae6a3d50f4d1b23
Signed-off-by: Ed Tanous <etanous@nvidia.com>
6 files changed
tree: 82840112a9430e9a941ed45cc6367bdf746b6837
  1. .github/
  2. config/
  3. http/
  4. include/
  5. redfish-core/
  6. scripts/
  7. src/
  8. static/
  9. subprojects/
  10. test/
  11. .clang-format
  12. .clang-tidy
  13. .codespell-ignore
  14. .dockerignore
  15. .gitignore
  16. .markdownlint.yaml
  17. .openbmc-enforce-gitlint
  18. .prettierignore
  19. .shellcheck
  20. AGGREGATION.md
  21. CLIENTS.md
  22. COMMON_ERRORS.md
  23. DBUS_USAGE.md
  24. DEVELOPING.md
  25. HEADERS.md
  26. LICENSE
  27. meson.build
  28. meson_options.txt
  29. OEM_SCHEMAS.md
  30. OWNERS
  31. README.md
  32. Redfish.md
  33. REDFISH_CHECKLIST.md
  34. run-ci
  35. TESTING.md
README.md

OpenBMC webserver

This component attempts to be a "do everything" embedded webserver for OpenBMC.

Features

The webserver implements a few distinct interfaces:

  • DBus event websocket. Allows registering on changes to specific dbus paths, properties, and will send an event from the websocket if those filters match.
  • OpenBMC DBus REST api. Allows direct, low interference, high fidelity access to dbus and the objects it represents.
  • Serial: A serial websocket for interacting with the host serial console through websockets.
  • Redfish: A protocol compliant, DBus to Redfish translator.
  • KVM: A websocket based implementation of the RFB (VNC) frame buffer protocol intended to mate to webui-vue to provide a complete KVM implementation.

Protocols

bmcweb at a protocol level supports http and https. TLS is supported through OpenSSL.

AuthX

Authentication

Bmcweb supports multiple authentication protocols:

  • Basic authentication per RFC7617
  • Cookie based authentication for authenticating against webui-vue
  • Mutual TLS authentication based on OpenSSL
  • Session authentication through webui-vue
  • XToken based authentication conformant to Redfish DSP0266

Each of these types of authentication is able to be enabled or disabled both via runtime policy changes (through the relevant Redfish APIs) or via configure time options. All authentication mechanisms supporting username/password are routed to libpam, to allow for customization in authentication implementations.

Authorization

All authorization in bmcweb is determined at routing time, and per route, and conform to the Redfish PrivilegeRegistry.

*Note: Non-Redfish functions are mapped to the closest equivalent Redfish privilege level.

Configuration

bmcweb is configured per the meson build files. Available options are documented in meson_options.txt

Compile bmcweb with default options

meson setup builddir
ninja -C builddir

If any of the dependencies are not found on the host system during configuration, meson will automatically download them via its wrap dependencies mentioned in bmcweb/subprojects.

Use of persistent data

bmcweb relies on some on-system data for storage of persistent data that is internal to the process. Details on the exact data stored and when it is read/written can seen from the persistent_data namespace.

TLS certificate generation

When SSL support is enabled and a usable certificate is not found, bmcweb will generate a self-signed a certificate before launching the server. Please see the bmcweb source code for details on the parameters this certificate is built with.

Redfish Aggregation

bmcweb is capable of aggregating resources from satellite BMCs. Refer to AGGREGATION.md for more information on how to enable and use this feature.