openbmc / bmcweb

A do everything Redfish, KVM, GUI, and DBus webserver for OpenBMC
Apache License 2.0

Improper error message given upon changing redfish user password/username to invalid password/username #67

Closed sansomas closed 1 year ago

sansomas commented 5 years ago

Expected behavior:

The error message shown upon trying to change a redfish user's password to a wrong password should be the same as, or similar to, the message below

"Invalid password provided"

The error message shown upon trying to change a redfish username to a wrong username should be the same as, or similar to, the message below

"Invalid user name"

Actual behavior:

The error message shown upon trying to change a redfish user's password to a wrong password is the message below

"Message": "The request failed due to an internal service error. The service is still operational.",

The error message shown upon trying to change a redfish username to a wrong username is the message below

"Message": "The requested resource of type #ManagerAccount.v1_0_3.ManagerAccount named testadmin15 was not found."

Steps to reproduce:

1) Create a redfish user with any privilege

curl -k -H "X-Auth-Token: $bmc_token" -X POST https://${bmc}/redfish/v1/AccountService/Accounts -d '{
> "UserName":"testadmin15",
> "Password":"TestPwd123",
> "RoleId":"Administrator",
> "Enabled":true}'

2) Try to change its password to an invalid password

-bash-4.1$ curl -k -H "X-Auth-Token: $bmc_token" -X PATCH https://${bmc}/redfish/v1/AccountService/Accounts/testadmin15 -d '{"Password":"abc123"}
'
{
  "error": {
    "@Message.ExtendedInfo": [
      {
        "@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
        "Message": "The request failed due to an internal service error.  The service is still operational.",
        "MessageArgs": [],
        "MessageId": "Base.1.4.0.InternalError",
        "Resolution": "Resubmit the request.  If the problem persists, consider resetting the service.",
        "Severity": "Critical"
      }
    ],
    "code": "Base.1.4.0.InternalError",
    "message": "The request failed due to an internal service error.  The service is still operational."
  }
}-bash-4.1$

3) Try to change username to invalid username

-bash-4.1$ curl -k -H "X-Auth-Token: $bmc_token" -X PATCH https://${bmc}/redfish/v1/AccountService/Accounts/testadmin15 -d '{"UserName":"1234*^&)("}'
{
  "error": {
    "@Message.ExtendedInfo": [
      {
        "@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
        "Message": "The requested resource of type #ManagerAccount.v1_0_3.ManagerAccount named testadmin15 was not found.",
        "MessageArgs": [
          "#ManagerAccount.v1_0_3.ManagerAccount",
          "testadmin15"
        ],
        "MessageId": "Base.1.4.0.ResourceNotFound",
        "Resolution": "Provide a valid resource identifier and resubmit the request.",
        "Severity": "Critical"
      }
    ],
    "code": "Base.1.4.0.ResourceNotFound",
    "message": "The requested resource of type #ManagerAccount.v1_0_3.ManagerAccount named testadmin15 was not found."
  }
}-bash-4.1$
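
The behaviour the report asks for, as an added example that is not bmcweb's code and not part of the thread: validate the PATCH body before the backend is touched and answer with a Redfish error that names the offending property, instead of the blanket InternalError (whose "consider resetting the service" resolution is misleading for a bad password) or a ResourceNotFound for an account that plainly exists. The InternalError and ResourceNotFound registry texts are copied from the responses above; the PropertyValueFormatError text follows the DMTF Base registry as I recall it and is an assumption to check against the published registry. The username pattern, minimum password length, the in-memory account store and `handle_account_patch` are all hypothetical and not bmcweb's actual policy or API.

```python
import json
import re

# Subset of the Base message registry. InternalError and ResourceNotFound are
# copied from the responses quoted in the issue; PropertyValueFormatError is
# reproduced from memory of the DMTF Base registry (assumption: verify wording).
BASE_REGISTRY = {
    "InternalError": {
        "Message": "The request failed due to an internal service error.  The service is still operational.",
        "Resolution": "Resubmit the request.  If the problem persists, consider resetting the service.",
        "Severity": "Critical",
    },
    "ResourceNotFound": {
        "Message": "The requested resource of type %1 named %2 was not found.",
        "Resolution": "Provide a valid resource identifier and resubmit the request.",
        "Severity": "Critical",
    },
    "PropertyValueFormatError": {
        "Message": "The value %1 for the property %2 is of a different format than the property can accept.",
        "Resolution": "Correct the value for the property in the request body and resubmit the request if the operation failed.",
        "Severity": "Warning",
    },
}
ACCOUNT_TYPE = "#ManagerAccount.v1_0_3.ManagerAccount"

# Hypothetical local policy (not bmcweb's rules): a username starts with a letter
# or underscore, is at most 16 characters, and a password has at least 8.
USERNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]{0,15}$")
MIN_PASSWORD_LEN = 8


def redfish_error(message_id, *args):
    """Build a Redfish error body in the same shape as the responses in the issue."""
    entry = BASE_REGISTRY[message_id]
    # Substitute %1, %2, ... from the registry template with the message arguments.
    text = re.sub(r"%(\d+)", lambda m: str(args[int(m.group(1)) - 1]), entry["Message"])
    full_id = f"Base.1.4.0.{message_id}"
    return {
        "error": {
            "@Message.ExtendedInfo": [{
                "@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
                "Message": text,
                "MessageArgs": [str(a) for a in args],
                "MessageId": full_id,
                "Resolution": entry["Resolution"],
                "Severity": entry["Severity"],
            }],
            "code": full_id,
            "message": text,
        }
    }


def handle_account_patch(accounts, name, body):
    """Return (http_status, body) for PATCH /redfish/v1/AccountService/Accounts/<name>.

    `accounts` stands in for the backend user store (a constructed dict).
    Each property is checked before the backend is called, so a malformed value
    comes back as 400 naming the property rather than as a 500 InternalError.
    """
    if name not in accounts:
        return 404, redfish_error("ResourceNotFound", ACCOUNT_TYPE, name)
    new_name = body.get("UserName")
    if new_name is not None and not (isinstance(new_name, str) and USERNAME_RE.match(new_name)):
        return 400, redfish_error("PropertyValueFormatError", new_name, "UserName")
    password = body.get("Password")
    if password is not None and not (isinstance(password, str) and len(password) >= MIN_PASSWORD_LEN):
        # A rejected secret is never echoed back in MessageArgs (or into logs).
        return 400, redfish_error("PropertyValueFormatError", "<password redacted>", "Password")
    if password is not None:
        accounts[name]["password"] = password
    if new_name is not None and new_name != name:
        accounts[new_name] = accounts.pop(name)
    return 204, None


if __name__ == "__main__":
    # Constructed store and the two requests from the issue, plus a missing account.
    store = {"testadmin15": {"password": "TestPwd123", "role": "Administrator"}}
    for target, patch in [("testadmin15", {"Password": "abc123"}),
                          ("testadmin15", {"UserName": "1234*^&)("}),
                          ("nosuchuser", {"Password": "LongEnough12"})]:
        status, resp = handle_account_patch(store, target, patch)
        print(status, json.dumps(resp["error"]["message"] if resp else None))
```

The ordering is the point: the existence check runs first so a rename of a real account can never produce ResourceNotFound for that account, and the format checks run before any backend call so the service-level InternalError path is reserved for genuine backend faults.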
rthomaiy commented 5 years ago

@rthomaiy adding myself for easy tracking. Will address the same in a few weeks.

gtmills commented 4 years ago

@joseph-reynolds Was doing some work in this area

joseph-reynolds commented 4 years ago

There is a patch to address the bad password: https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27503 and see also https://redfishforum.com/thread/246/message-send-patch-password-failure. I would be happy for someone else to work on this, and if it is not done when I need it, I'll take another look, but don't expect anything soon.

edtanous commented 1 year ago

No updates in 2.5 years. Please comment if you'd like this reopened, but significant code changes have been made in the area, including the PasswordChangeRequired feature, which possibly invalidate this.