DMTF / python-redfish-library

Python3 library for interacting with devices that support a Redfish service

redfish.redfish_client insecure connection #152

Closed ravixilinx closed 2 months ago

ravixilinx commented 11 months ago

Hi,

Is there any option with redfish_client to make an insecure connection, similar to package "requests.request" with "verify=false" option?

Regards, Ravi

mraineri commented 11 months ago

At this time this is entirely driven based on the usage of CA certificates when instantiating the Redfish object (it's not a simple boolean to toggle this off/on). The intent in the original implementation of this library is that the cafile parameter contains the file path to the CA certificate to use for verification.

Although looking at the code here, I think this is a bug: https://github.com/DMTF/python-redfish-library/blob/main/src/redfish/rest/v1.py#L908

We should be passing "verify" down as a boolean and not the CA filepath string (if given). I'm surprised no one has hit this yet, but since the default behavior is to pass down false here, no one must be providing their own CA certificate.

ravixilinx commented 11 months ago

I was able to run a redfish get command using "requests.request" with an insecure connection.

But using the redfish module (redfish_client) leads to an error "redfish.rest.v1.ServerDownOrUnreachableError: Server not reachable, return code: 401", hence I asked the above query. For this test, I had modified the example from this repo with IP and port number. Any help in this regard is much appreciated.

mraineri commented 11 months ago

With requests, are you using HTTP Basic Auth? For the example, can you try changing REDFISH_OBJ.login(auth="session") to REDFISH_OBJ.login(auth="basic")?

I'm wondering if there's an issue with the service and Redfish session login.

mraineri commented 11 months ago

Also looking at the usage of that exception, it would occur prior to any sort of authentication. The first thing the library does is discover the service by accessing /redfish/v1/ without any sort of credentials.

When you're using requests, are you able to access /redfish/v1/ without providing any authorization headers?

I'm wondering if your service could be enforcing authorization on resources that are called out in the standard to not require authorization.

ravixilinx commented 11 months ago

Thanks for the response.

```python
import requests

url = "https://<IP>:<port>/2/redfish/v1"
payload = {}
headers = {
    'Authorization': 'Basic '
}
# without 'verify=False' this code does not work
response = requests.request("GET", url, headers=headers, data=payload, verify=False)
print(response.text)
```

The code with the redfish module that has issues is:

```python
import sys
import redfish

login_host = "https://<IP>:<port>"

## Below line leads to error
REDFISH_OBJ = redfish.redfish_client(base_url=login_host, sessionkey='', default_prefix='/2/redfish/v1')
REDFISH_OBJ.login(auth="session")
response = REDFISH_OBJ.get("/redfish/v1/systems/1", None)
sys.stdout.write("%s\n" % response)
REDFISH_OBJ.logout()
```

mraineri commented 11 months ago

Can you try this (no authorization header)?

```python
import requests

url = "https://<IP>:<port>/2/redfish/v1"
# without 'verify=False' this code does not work
response = requests.request("GET", url, verify=False)
print(response.text)
```

ravixilinx commented 11 months ago

Without the header, I get an 'access denied' error as below:

```
warnings.warn(
{
  "error": {
    "@Message.ExtendedInfo": [
      {
        "@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
        "Oem": {
          "Microsoft": {
            "@odata.type": "#Ocs.v1_0_0.Message",
            "CompletionCode": "Failure",
            "Description": "Access denied"
          }
        }
      }
    ]
  }
}
```

mraineri commented 11 months ago

So, that confirms my suspicion. It's not an issue with the "verify" flag, but rather the service you're using is non-conformant. "/redfish/v1/" is required by the specification to allow requests without authorization headers. The Redfish library needs to do upfront discovery of the service prior to logging in, and this behavior makes it impossible.
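
A pre-flight check for the condition diagnosed above, as an added example that is not part of the original thread or the library's code: it requests the service root with no Authorization header while keeping TLS verification on through a CA file, then classifies the reply. The function names, return labels and sample bodies are assumptions constructed for illustration.

```python
import json
import ssl
import urllib.error
import urllib.request


def fetch_service_root(base_url, prefix="/redfish/v1/", cafile=None):
    """GET the service root with no Authorization header, TLS verified.

    cafile is the path to the CA certificate that signed the service's
    certificate; None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(base_url.rstrip("/") + prefix,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 4xx/5xx replies still carry a body worth inspecting
        return err.code, err.read().decode("utf-8", "replace")


def classify_service_root(status, body):
    """Label an unauthenticated service-root reply (labels are ours)."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if status in (401, 403):
        return "auth-enforced"      # discovery is blocked before login
    if isinstance(doc, dict) and "error" in doc:
        return "error-payload"      # error object instead of the root
    if status == 200 and isinstance(doc, dict) and "@odata.id" in doc:
        return "open"               # root readable without credentials
    return "unexpected"


# Constructed samples: the error body mirrors the one posted in the thread.
DENIED = json.dumps({"error": {"@Message.ExtendedInfo": [
    {"Oem": {"Microsoft": {"CompletionCode": "Failure",
                           "Description": "Access denied"}}}]}})
ROOT = json.dumps({"@odata.id": "/redfish/v1/", "RedfishVersion": "1.6.0"})

if __name__ == "__main__":
    for status, body in ((401, DENIED), (200, DENIED), (200, ROOT)):
        print(status, classify_service_root(status, body))
```

Running `classify_service_root(*fetch_service_root(base_url, prefix, cafile))` before instantiating the client separates a certificate failure (an exception from the TLS handshake) from a service that refuses unauthenticated discovery.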

mraineri commented 11 months ago

@ravixilinx is there any way to reach out to the vendor for support on this? There is definitely a problem with the Redfish service and its handling of resources listed in the spec as not requiring authentication.

The other path to work around this would be to wrap the instantiation of the Redfish client object with try/except blocks, something like...

```python
import redfish
from redfish.rest.v1 import ServerDownOrUnreachableError

try:
    REDFISH_OBJ = redfish.redfish_client( <.... parameters> )
except ServerDownOrUnreachableError:
    pass
```

ravixilinx commented 11 months ago

At present I don't have any way to reach the vendor. I will let them know about this issue when I come across. With 'try, except' code, it goes through but REDFISH_OBJ does not get created.

mraineri commented 11 months ago

@ravixilinx we've been discussing this more internally and we're still hesitant to put a workaround in the official repository for this issue; adding such things can encourage other implementations to misbehave. We do think this really needs to be reported to the vendor so they can fix their software.

However, you should be able to fork the repository and apply a workaround for yourself so you can make forward progress. The patch file here should work around the issue you're having. Please let me know if you need help with applying this patch.

Auth-Workaround.patch

ravixilinx commented 11 months ago

Hi Mike,

Please ignore this request for now. We will get back if we don't find an alternative.

Regards, Ravi


From: Mike Raineri @.>
Sent: Tuesday, October 17, 2023 5:46:45 PM
To: DMTF/python-redfish-library @.>
Cc: ravixilinx @.>; Mention @.>
Subject: Re: [DMTF/python-redfish-library] redfish.redfish_client insecure connection (Issue #152)

Auth-Workaround.patch: https://github.com/DMTF/python-redfish-library/files/12972874/Auth-Workaround.patch

ravixilinx commented 11 months ago

Kamtalwar, Ravi Shankar would like to recall the message, "[DMTF/python-redfish-library] redfish.redfish_client insecure connection (Issue #152)".

mraineri commented 2 months ago

Closing; issue is with a non-conformant service that needs to be fixed by the vendor.