DMTF / Redfish-Protocol-Validator

The Redfish Protocol Validator tests the HTTP protocol behavior of a Redfish service to validate that it conforms to the Redfish specification.

Some requests returned 401 status code but manual test not return same response #18

Closed FelixD999 closed 3 years ago

FelixD999 commented 3 years ago

As mentioned in the title, I attach the following examples for reference. Are there any certification procedures that lead to a 401 response code?

Tool Version: 1.0.4

python3 rf_protocol_validator.py -r https://{IP} -u USERNAME -p PASSWORD --avoid-http-redirect --no-cert-check

Example:

  1. REQ_HEADERS_ACCEPT: "Redfish Services shall process the [Accept header] in the following table as defined by the HTTP 1.1 specification if the value in the Service Requirement column is set to "Yes", or if the value is "Conditional" under the conditions noted in the Description column."

Tool report: Message: GET request to /redfish/v1/EventService/SSE failed with status code 401 using header Accept: text/event-stream; extended error: While attempting to establish a connection to /redfish/v1/EventService/SSE, the service was denied access.
Manual test result: 200

Tool report: Message: GET request to /redfish/v1/EventService/SSE failed with status code 401 using header Accept: text/event-stream;charset=utf-8; extended error: While attempting to establish a connection to /redfish/v1/EventService/SSE, the service was denied access.
Manual test result: 200

  2. SERV_SSE_UNSUCCESSFUL_RESPONSE: "Unsuccessful resource responses for SSE shall return an HTTP status code of 400 or greater, have a Content-Type header set as "application/json" or "application/json;charset=utf-8", and contain a JSON object in the response body, as described in Error responses, which details the error or errors."

Tool report: URI: GET /redfish/v1/EventService/SSE
Tool status code: 401
Message: One or more problems found with error response: Property "code" missing from "error" complex property. Property "message" missing from "error" complex property.
Manual test result: 200

  3. SEC_PWD_CHANGE_REQ_ALLOW_SESSION_LOGIN: "[When using an account with PasswordChangeRequired set to true] the service shall allow a session login and include a @Message.ExtendedInfo object in the response containing the PasswordChangeRequired message from the Base Message Registry."

Tool report: Message: POST request to /redfish/v1/SessionService/Sessions using account with PasswordChangeRequired set failed with status 401
Manual test result: 403

mraineri commented 3 years ago

Usually a 401 indicates an invalid set of credentials was provided; depending on the permissions of the given user account, it may be able to access some resources but not others. Are you using the same credentials with the protocol validator as you are with your manual tests?

FelixD999 commented 3 years ago

Yes, I am sure I am using the same credentials with them.

mraineri commented 3 years ago

For your manual testing, how did you insert the Accept header in the GET request for items 1 and 2? Are you able to provide the full sequence with HTTP request headers included?

For item 3, the POST to /redfish/v1/SessionService/Sessions for an account that requires a password change is supposed to return 200 OK; all other operations are supposed to be 403 until the user changes their password. Can you provide a trace of what you're doing with your manual test for POST to /redfish/v1/SessionService/Sessions and any subsequent operations?

mraineri commented 3 years ago

Are you also able to provide the test report?

FelixD999 commented 3 years ago

I attach the following pictures for your reference. For items 1 and 2: screenshots SSE_1 and SSE_2 (attached).

For item 3

  1. POST /redfish/v1/AccountService/Accounts
     { "Name": "Test User Account", "Description": "Test User Account", "Enabled": true, "Password": "superuser", "UserName": "user_account", "RoleId": "Operator", "Locked": false, "PasswordChangeRequired": true }

Return 201

  2. POST /redfish/v1/SessionService/Sessions (No Auth)
     { "UserName": "user_account", "Password": "superuser" }

Return 201, header X-Auth-Token: MTUwNzQ3MDI0ODEyMzIyMjgxOTExMzI1MDQxNTIxNzIyMzUyMzUxNzEyNTQ4NTQyMjE4MTk5MTE2MjQxODY4MjE4MjMzMTI1MjQ4MTcwNzgxMDMw

  3. GET /redfish/v1/Systems (No Auth)
     Headers: X-Auth-Token: MTUwNzQ3MDI0ODEyMzIyMjgxOTExMzI1MDQxNTIxNzIyMzUyMzUxNzEyNTQ4NTQyMjE4MTk5MTE2MjQxODY4MjE4MjMzMTI1MjQ4MTcwNzgxMDMw

Return 403 (screenshot passwordchange_1_wolfpass_active attached)

FelixD999 commented 3 years ago

I attach the following report for your reference: RedfishProtocolValidationReport_06_01_2021_190256.zip

mraineri commented 3 years ago

I pushed changes to branch "Issue18-Debug" to help trace what's going on. @FelixD999 would you be able to run the tool from that branch and provide the console output?

One thing to note with regards to the SSE tests is the tool will use the X-Auth-Token assigned at session login to access the SSE stream, but I see in your testing you're using Basic Authentication; can you use sessions in your manual testing?

FelixD999 commented 3 years ago

Although the previously failed items still exist when using "Issue18-Debug", we found this situation is limited by our code design. In our design, we lack the feature that uses the X-Auth-Token assigned at session login to access the SSE. Thanks for helping us to clarify the test problems.

FelixD999 commented 3 years ago

Hi, may I ask one more question:

[When using an account with PasswordChangeRequired set to true] the service shall allow a session login and include a @Message.ExtendedInfo object in the response containing the PasswordChangeRequired message from the Base Message Registry.

If POST /redfish/v1/SessionService/Sessions for an account that requires a password change is supposed to return 200, will the session member be created successfully or not?

mraineri commented 3 years ago

That's correct, the session member will be created successfully; there will be a message in the response payload that indicates a password change is required. It would look something like this:

HTTP/1.1 201 Created
Location: /redfish/v1/SessionService/Sessions/1
X-Auth-Token: <session-auth-token>

{
    "@odata.id": "/redfish/v1/SessionService/Sessions/1",
    "@odata.type": "#Session.v1_3_0.Session",
    "Id": "1",
    "Name": "User Session",
    "Description": "User Session",
    "UserName": "<username>",
    "Password": null,
    "@Message.ExtendedInfo": [
        {
            "@odata.type": "#Message.v1_1_2.Message",
            "MessageId": "Base.1.10.PasswordChangeRequired",
            "Message": "The password provided for this account must be changed before access is granted.  PATCH the Password property for this account located at the target URI '/redfish/v1/AccountService/Accounts/{AccountId}' to complete this process.",
            "MessageArgs": [
                "/redfish/v1/AccountService/Accounts/{AccountId}"
            ],
            "Severity": "Critical",
            "MessageSeverity": "Critical",
            "Resolution": "Change the password for this account using a PATCH to the Password property at the URI provided."
        }
    ]
}

FelixD999 commented 3 years ago

Excuse me, I am a bit confused about it. The previous comment mentioned "the POST to /redfish/v1/SessionService/Sessions for an account that requires a password change is supposed to return 200 OK", but the latest example is 201 Created. Did I miss anything?

mraineri commented 3 years ago

Sorry, I looked back at my older comment and made a mistake; I should not have said 200 OK.

201 Created is the proper response code; successful POST operations that create a new resource are supposed to use "201 Created".
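The check below encodes the behaviour discussed in this thread: a session login for a PasswordChangeRequired account returns 201 Created with an X-Auth-Token header and a PasswordChangeRequired message in @Message.ExtendedInfo, and the SSE stream is then requested with that session token rather than Basic Authentication. This is an added example, not code from the Redfish-Protocol-Validator project; the response below is constructed after the example in the thread, and the token value and account URI are placeholders.

```python
import json

# Constructed sample session-creation response (not a real service capture).
SAMPLE_STATUS = 201
SAMPLE_HEADERS = {
    "Location": "/redfish/v1/SessionService/Sessions/1",
    "X-Auth-Token": "placeholder-session-token",
}
SAMPLE_BODY = json.dumps({
    "@odata.id": "/redfish/v1/SessionService/Sessions/1",
    "UserName": "user_account",
    "@Message.ExtendedInfo": [{
        "MessageId": "Base.1.10.PasswordChangeRequired",
        # Assumed account URI; the real one comes from the service's MessageArgs.
        "MessageArgs": ["/redfish/v1/AccountService/Accounts/user_account"],
    }],
})


def evaluate_session_login(status, headers, body_text):
    """Classify a POST /redfish/v1/SessionService/Sessions response.

    Returns a dict with: created (bool), token (str or None),
    password_change_required (bool), account_uri (str or None).
    """
    result = {"created": status == 201, "token": None,
              "password_change_required": False, "account_uri": None}
    if not result["created"]:
        return result  # 401/403 here means login itself was refused
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    result["token"] = lowered.get("x-auth-token")
    body = json.loads(body_text)
    for msg in body.get("@Message.ExtendedInfo", []):
        parts = msg.get("MessageId", "").split(".")
        # Match registry name and message name, ignoring the version segment
        # in the middle (Base.1.10.PasswordChangeRequired -> Base, ..., name).
        if parts and parts[0] == "Base" and parts[-1] == "PasswordChangeRequired":
            result["password_change_required"] = True
            args = msg.get("MessageArgs") or []
            result["account_uri"] = args[0] if args else None
    return result


def sse_request_headers(token):
    """Headers for GET /redfish/v1/EventService/SSE using the session token."""
    return {"X-Auth-Token": token, "Accept": "text/event-stream"}
```

When password_change_required is true, the only operation the service should accept with that token is the PATCH of the Password property at account_uri; everything else is expected to return 403 until the password is changed.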

FelixD999 commented 3 years ago

Got it. Thank you very much for your explanation.