DMTF / Redfish-Protocol-Validator

The Redfish Protocol Validator tests the HTTP protocol behavior of a Redfish service to validate that it conforms to the Redfish specification.

Redfish Protocol Validator report FAIL #57

Closed chandramohan83 closed 1 year ago

chandramohan83 commented 1 year ago

Describe the bug Redfish Protocol Validator report FAIL in POST /redfish/v1/AccountService/Accounts

Environment
TLS enabled
Redfish Protocol Validator version: 1.1.6 https://github.com/DMTF/Redfish-Protocol-Validator

To Reproduce

Run the Redfish Protocol Validator:

python3 rf_protocol_validator.py --user root --password 0penBmc --rhost https://BMC_IP --no-cert-check --avoid-http-redirect --log-level DEBUG

The tool will report:

Method: POST
Status code: 400
URI: /redfish/v1/AccountService/Accounts
Message: POST request to URI /redfish/v1/AccountService/Accounts failed with 400; expected 405; extended error

The test case below is identified as returning 400 where 405 is expected.

POST /redfish/v1/AccountService/Accounts HTTP/1.1\r\nHost: 127.0.0.1:2443\r\nUser-Agent: python-requests/2.28.1\r\nAccept-Encoding: identity\r\nAccept: */*\r\nConnection: keep-alive\r\nX-Auth-Token: wcyxd8KgOI0Rd3uERDy3\r\nOData-Version: 4.0\r\nContent-Length: 72\r\nContent-Type: application/json\r\n\r\n
{"UserName": "rfpv397e", "Password": "7gCdKlziqi", "RoleId": "ReadOnly"}

Please explain why this test case is expected to return 405 rather than 400, since the POST method is allowed by bmcweb for the account service resource used in this request.

mraineri commented 1 year ago

My guess is the implementation you're testing against doesn't show POST in the Allow response header, but it's hard to tell without any reports or log information. Can you please provide these?

chandramohan83 commented 1 year ago

The bmcweb code allows the POST method: https://github.com/openbmc/bmcweb/blob/6f8273e49cffdd347c223b9538558edfb05e818a/redfish-core/lib/account_service.hpp#L2137

The Redfish validator test case expects 405: https://github.com/DMTF/Redfish-Protocol-Validator/blob/d037530864d43a9f52da96be6a6167a4c1551f3a/redfish_protocol_validator/service_requests.py#L1137

Please find the console logs from redfish_validator below.

DEBUG:root:Account usernames: {'root'}
DEBUG:root:Available roles: {'NoAccess', 'ReadOnly', 'Administrator', 'Operator'}
DEBUG:root:Role selected for account creation: ReadOnly
send: b'POST /redfish/v1/AccountService/Accounts HTTP/1.1\r\nHost: 127.0.0.1:2443\r\nUser-Agent: python-requests/2.28.1\r\nAccept-Encoding: identity\r\nAccept: */*\r\nConnection: keep-alive\r\nX-Auth-Token: wcyxd8KgOI0Rd3uERDy3\r\nOData-Version: 4.0\r\nContent-Length: 72\r\nContent-Type: application/json\r\n\r\n'
send: b'{"UserName": "rfpv397e", "Password": "7gCdKlziqi", "RoleId": "ReadOnly"}'
reply: 'HTTP/1.1 400 Bad Request\r\n'
header: Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
header: X-Frame-Options: DENY
header: Pragma: no-cache
header: Cache-Control: no-Store,no-Cache
header: X-XSS-Protection: 1; mode=block
header: X-Content-Type-Options: nosniff
header: Content-Security-Policy: default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; plugin-types 'none'; base-uri 'none'
header: Content-Type: application/json
header: Date: Thu, 05 Jan 2023 09:03:19 GMT
header: Content-Length: 520
DEBUG:urllib3.connectionpool:https://127.0.0.1:2443 "POST /redfish/v1/AccountService/Accounts HTTP/1.1" 400 520
DEBUG:root:response status = 400, method = POST, uri = /redfish/v1/AccountService/Accounts, resource_type = None, request_type = RequestType.NORMAL

mraineri commented 1 year ago

@chandramohan83 please provide the full debug log. The tool performs inspections of this and other resources to determine what tests it will run and what responses to expect.

chandramohan83 commented 1 year ago

Redfish_Validator_log.txt

mraineri commented 1 year ago

There's a bit of a shortcut I see going on for this test. When it creates a temporary user account, it's expecting the transaction to either succeed or fail due to POST not being allowed. The error is very misleading, but it is highlighting a real issue with the service; it's rejecting a valid (at least everything about it looks valid to me) request to create a new user account.

Do you know why it's rejecting this payload in the first place?

{"UserName": "rfpv397e", "Password": "7gCdKlziqi", "RoleId": "ReadOnly"}

chandramohan83 commented 1 year ago

It's not rejecting this payload; it is just verifying whether the password follows the password policy, and if not, passwd_format_error (400) is returned. In our case the password must satisfy minimumLength = 13 characters, minUppercase = 1, minLowercase = 1, minSpecialChar = 1.

chandramohan83 commented 1 year ago

It's not rejecting this payload; it is just verifying whether the password follows the password policy, and if not, passwd_format_error (400) is returned. In our case the password must satisfy minimumLength = 13 characters, minUppercase = 1, minLowercase = 1, minSpecialChar = 1.

mraineri commented 1 year ago

Well, that's still a rejection (responding with a 400 Bad Request is a form of rejecting the request), but that is a reasonable thing to do here... We may need to think about this beyond just this 405 test since not being able to create a new user account is going to impact other tests.
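The thread boils down to two things a validator has to get right when it creates a temporary account: generating a password that survives the service's policy, and telling a genuine "POST not allowed" (405 with no POST in Allow) apart from a rejected body (400 with an extended error). The following is an added example, not code from Redfish-Protocol-Validator or bmcweb; the extended-error body is a constructed sample (the issue only shows its 520-byte length), and the classification labels are my own.

```python
import json
import secrets
import string

# Constructed stand-in for the 400 reply in the thread. Base.PropertyValueFormatError
# carries [value, property] in MessageArgs, which is what lets a client see that
# the Password field, not the whole resource, was rejected.
SAMPLE_400 = (400, {"Content-Type": "application/json"}, json.dumps({"error": {
    "code": "Base.1.8.GeneralError", "message": "A general error has occurred.",
    "@Message.ExtendedInfo": [{"MessageId": "Base.1.8.PropertyValueFormatError",
                               "MessageArgs": ["7gCdKlziqi", "Password"]}]}}))


def classify_account_post(status, headers, body):
    """Classify a POST .../AccountService/Accounts outcome.

    Returns 'created', 'not-allowed', 'rejected-password', 'rejected-other'
    or 'unexpected'. A 405 is only coherent when the Allow header omits POST;
    a 405 that still advertises POST is a service bug, not a skip condition.
    """
    if status in (200, 201, 204):
        return "created"
    if status == 405:
        allow = [m.strip().upper() for m in headers.get("Allow", "").split(",") if m.strip()]
        return "not-allowed" if "POST" not in allow else "unexpected"
    if status == 400:
        try:
            info = json.loads(body).get("error", {}).get("@Message.ExtendedInfo", [])
        except (ValueError, AttributeError):
            return "rejected-other"
        if any("Password" in m.get("MessageArgs", []) for m in info):
            return "rejected-password"
        return "rejected-other"
    return "unexpected"


def make_test_password(min_password_length=13):
    """Generate a throwaway password meeting the policy described in the thread.

    min_password_length would come from AccountService.MinPasswordLength; the
    length is floored at 4 so all four character classes can be present.
    """
    specials = "!@#%^&*"
    alphabet = string.ascii_letters + string.digits + specials
    length = max(min_password_length, 4)
    while True:  # rejection sampling: retry until every class is present
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in specials for c in pw)):
            return pw
```

Driving the real request with `requests` and feeding `(r.status_code, r.headers, r.text)` into `classify_account_post` lets a test skip only on a true 405 and report a policy rejection as the distinct finding mraineri describes.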