Closed FelixD999 closed 3 years ago
Usually a 401 indicates an invalid set of credentials was provided; depending on the permissions of the given user account, it may be able to access some resources but not others. Are you using the same credentials with the protocol validator as you are with your manual tests?
Yes, I am sure I am using the same credentials with both.
For your manual testing, how did you insert the Accept header in the GET request for items 1 and 2? Are you able to provide the full sequence with HTTP request headers included?
For item 3, the POST to /redfish/v1/SessionService/Sessions for an account that requires a password change is supposed to return 200 OK; all other operations are supposed to be 403 until the user changes their password. Can you provide a trace of what you're doing with your manual test for POST to /redfish/v1/SessionService/Sessions and any subsequent operations?
Are you also able to provide the test report?
Attached the following pictures for your reference:
- For items 1 and 2
- For item 3
- Return 201
- Return 201, header X-Auth-Token MTUwNzQ3MDI0ODEyMzIyMjgxOTExMzI1MDQxNTIxNzIyMzUyMzUxNzEyNTQ4NTQyMjE4MTk5MTE2MjQxODY4MjE4MjMzMTI1MjQ4MTcwNzgxMDMw
- Return 403
Attached the following report for your reference: RedfishProtocolValidationReport_06_01_2021_190256.zip
I pushed changes to branch "Issue18-Debug" to help trace what's going on. @FelixD999 would you be able to run the tool from that branch and provide the console output?
One thing to note with regards to the SSE tests is the tool will use the X-Auth-Token assigned at session login to access the SSE stream, but I see in your testing you're using Basic Authentication; can you use sessions in your manual testing?
Although the previously failed items still exist when using "Issue18-Debug", we found this situation is limited by our code design. In our design, we lack the feature that uses the X-Auth-Token assigned at session login to access the SSE. Thanks for helping us clarify the test problems.
Hi, may I ask one more question:
[When using an account with PasswordChangeRequired set to true] the service shall allow a session login and include a @Message.ExtendedInfo object in the response containing the PasswordChangeRequired message from the Base Message Registry.
If POST /redfish/v1/SessionService/Sessions for an account that requires a password change is supposed to return 200, will the session member be created successfully or not?
That's correct, the session member will be created successfully; there will be a message in the response payload that indicates a password change is required. It would look something like this:
```
HTTP/1.1 201 Created
Location: /redfish/v1/SessionService/Sessions/1
X-Auth-Token: <session-auth-token>

{
    "@odata.id": "/redfish/v1/SessionService/Sessions/1",
    "@odata.type": "#Session.v1_3_0.Session",
    "Id": "1",
    "Name": "User Session",
    "Description": "User Session",
    "UserName": "<username>",
    "Password": null,
    "@Message.ExtendedInfo": [
        {
            "@odata.type": "#Message.v1_1_2.Message",
            "MessageId": "Base.1.10.PasswordChangeRequired",
            "Message": "The password provided for this account must be changed before access is granted. PATCH the Password property for this account located at the target URI '/redfish/v1/AccountService/Accounts/{AccountId}' to complete this process.",
            "MessageArgs": [
                "/redfish/v1/AccountService/Accounts/{AccountId}"
            ],
            "Severity": "Critical",
            "MessageSeverity": "Critical",
            "Resolution": "Change the password for this account using a PATCH to the Password property at the URI provided."
        }
    ]
}
```
Excuse me, I am a bit confused about it. The previous comment mentioned "the POST to /redfish/v1/SessionService/Sessions for an account that requires a password change is supposed to return 200 OK", but the latest example is 201 Created. Did I miss anything?
Sorry, I looked back at my older comment and made a mistake; I should not have said 200 OK.
201 Created is the proper response code; successful POST operations that create a new resource are supposed to use "201 Created".
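An added example (not code from the validator project or from anyone in this thread) that encodes the expectations described above as checks a service implementer can run against a captured login response: 201 Created, Location and X-Auth-Token headers, a Base.*.PasswordChangeRequired message in @Message.ExtendedInfo, 403 on any follow-up operation, and the session token (not Basic auth) for the SSE stream. The sample response data is constructed; the token and username values are placeholders.

```python
import json

# Constructed sample of the 201 response shown above (token value is a placeholder).
SAMPLE_HEADERS = {"Location": "/redfish/v1/SessionService/Sessions/1",
                  "X-Auth-Token": "<session-auth-token>"}
SAMPLE_BODY = json.dumps({
    "@odata.id": "/redfish/v1/SessionService/Sessions/1",
    "Id": "1", "UserName": "<username>", "Password": None,
    "@Message.ExtendedInfo": [{"MessageId": "Base.1.10.PasswordChangeRequired",
                               "Severity": "Critical"}],
})


def check_password_change_login(status, headers, body_text):
    """Return a list of findings; empty means the login response is as expected:
    201 Created, Location and X-Auth-Token headers, and an @Message.ExtendedInfo
    entry whose MessageId is Base.<version>.PasswordChangeRequired."""
    findings = []
    if status != 201:
        findings.append("expected 201 Created for session create, got %d" % status)
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not hdrs.get("x-auth-token"):
        findings.append("X-Auth-Token header missing")
    if not hdrs.get("location"):
        findings.append("Location header missing")
    try:
        body = json.loads(body_text)
    except ValueError:
        return findings + ["response body is not valid JSON"]
    ids = [m.get("MessageId", "") for m in body.get("@Message.ExtendedInfo", [])
           if isinstance(m, dict)]
    if not any(i.startswith("Base.") and i.endswith(".PasswordChangeRequired") for i in ids):
        findings.append("no Base.*.PasswordChangeRequired message in @Message.ExtendedInfo")
    if body.get("Password") is not None:
        findings.append("Password must be returned as null")
    return findings


def check_locked_out_operation(status):
    """Every operation after that login, other than the password change itself,
    must be refused with 403 (not 401: the credentials were valid)."""
    return status == 403


def sse_headers(token):
    """Headers the validator uses for the SSE stream: the session token, not Basic auth."""
    return {"Accept": "text/event-stream", "X-Auth-Token": token}
```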
Got it. Thank you very much for your explanation.
As mentioned in the title, I attach the following examples for reference. Are there any certification procedures that lead to a 401 response code?
Tool Version: 1.0.4

python3 rf_protocol_validator.py -r https://{IP} -u USERNAME -p PASSWORD --avoid-http-redirect --no-cert-check

Example:
- Tool report: Message: GET request to /redfish/v1/EventService/SSE failed with status code 401 using header Accept: text/event-stream; extended error: While attempting to establish a connection to /redfish/v1/EventService/SSE, the service was denied access. Manual test result: 200
- Tool report: Message: GET request to /redfish/v1/EventService/SSE failed with status code 401 using header Accept: text/event-stream;charset=utf-8; extended error: While attempting to establish a connection to /redfish/v1/EventService/SSE, the service was denied access. Manual test result: 200
- Tool report: URI: GET /redfish/v1/EventService/SSE Tool status code: 401 Message: One or more problems found with error response: Property "code" missing from "error" complex property. Property "message" missing from "error" complex property. Manual test result: 200
- Tool report: Message: POST request to /redfish/v1/SessionService/Sessions using account with PasswordChangeRequired set failed with status 401 Manual test result: 403