stmcginnis / gofish

Gofish is a Golang client library for DMTF Redfish and SNIA Swordfish interaction.
BSD 3-Clause "New" or "Revised" License

bugfix: unexpected http header with `Cookie` #191

Closed Sn0rt closed 2 years ago

Sn0rt commented 2 years ago

The gofish package sets an unexpected header (this case occurs with the Inspur vendor).

I created the session already, and I ran a curl command as follows.

$ curl -v -k -X GET  https://192.168.134.16/redfish/v1/Systems/1/Bios -H "X-Auth-Token: b71b00fcd0124c7eb0jNdA8O8inx3noZQV9Zoo" -H "User-Agent: gofish/1.0"
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 192.168.134.16:443...
* TCP_NODELAY set
* Connected to 192.168.134.16 (192.168.134.16) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; O=American Megatrends Incorporated; OU=Service Processors; L=Norcross; ST=Georgia; CN=www.ami.com; emailAddress=support@ami.com
*  start date: Apr 23 17:25:49 2018 GMT
*  expire date: Jun 22 17:25:49 2037 GMT
*  issuer: C=US; O=American Megatrends Incorporated; OU=Service Processors; L=Norcross; ST=Georgia; CN=www.ami.com; emailAddress=support@ami.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /redfish/v1/Systems/1/Bios HTTP/1.1
> Host: 192.168.134.16
> Accept: */*
> X-Auth-Token: b71b00fcd0124c7eb0jNdA8O8inx3noZQV9Zoo
> User-Agent: gofish/1.0
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< X-Content-Type-Options: nosniff
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: default-src 'none'; child-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self' wss://*:*; img-src 'self' data:; frame-src 'self'; font-src 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: no-referrer
< X-Permitted-Cross-Domain-Policies: master-only
< X-Download-Options: noopen
< Etag: "1658910184"
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Wed, 27 Jul 2022 08:54:23 GMT
<
{ "@odata.context": "\/redfish\/v1\/$metadata#Bios.Bios", "@odata.etag": "FFF8192527103838382D44B5784E6323", "@odata.type": "#Bios.v1_0_0.Bios", "Actions": { "#Bios.ChangePassword": { "target": "\/redfish\/v1\/systems\/1\/bios\/settings\/Actions\/Bios.ChangePasswords\/" }, "#Bios.ResetBios": { "target": "\/redfish\/v1\/systems\/1\/bios\/settings\/Actions\/Bios.ResetBios\/" } }, "AttributeRegistry": "BiosAttributeRegistryU30.v1_1_20", "Id": "bios", "Name": "BIOS Current Settings", "Oem": { "Hpe": { "@odata.type": "#HpeBiosExt.v2_0_0.HpeBiosExt", "SettingsObject": { "UnmodifiedETag": "B91D93C576E8D0D0D09C294894C1C7BC" }, "Links": { "BaseConfigs": { "@odata.id": "\/redfish\/v1\/Systems\/1\/Bios\/BaseConfigs" }, "Boot": { "@odata.id": "\/redfish\/v1\/Systems\/1\/Bios\/Boot" } } } }, "@odata.id": "\/redfish\/v1\/Systems\/1\/Bios", "Attributes": { "Advanced SecurityDeviceSupport": "Enabled", "Advanced Console_Redirection": "Disabled", "Advanced Baud_Rate": "115200", "Advanced Above_4G": "Enabled", "Advanced SR_IOVSupport": "Enabled", "Advanced NetworkStack": "Enabled", "Advanced IPV4PXESupport": "Disabled", "Advanced IPV4HTTPSupport": "Disabled", "Advanced IPV6PXESupport": "Disabled", "Advanced IPV6HTTPSupport": "Disabled", "Advanced CSMSupport": "Enabled", "Advanced BootMode": "Legacy Mode", "Advanced OptionRomNetwork": "Legacy", "Advanced OptionRomStorage": "Legacy", "Advanced OptionRomVideo": "Legacy", "Advanced OptionRomOtherPCIE": "Legacy", "Advanced NIC1_PXE_ROM": "Enabled", "Advanced NIC2_PXE_ROM": "Enabled", "Advanced NIC3_PXE_ROM": "Enabled", "Advanced NIC4_PXE_ROM": "Enabled", "Advanced VT_D": "Enabled", "Chipset SATAContoller": "Enabled", "Chipset SATAModeOptions": "AHCI", "Chipset sSATAContoller": "Enabled", "Chipset sSATAModeOptions": "AHCI", "Chipset RestoreACPowerLoss": "Power on", "Chipset MaxPageTableSize": "1G", "Chipset VGAPriority": "Onboard Device", "Chipset SystemErrors": "Enabled", "Process PCIEHotPlug": "Enabled", "Process PCIEASPMSupport": 
"Disabled", "Process UncoreFreqScaling": "Enabled", "Process PStates": "Enabled", "Process TurboMode": "Enabled", "Process HardwarePstates": "Native Mode", "Process EPPEnable": "Enabled", "Process MonitorMWaitSupport": "Enabled", "Process AutonomousCoreCState": "Disabled", "Process CPUC6Report": "Disabled", "Process EnhancedHaltState": "Disabled", "Process PackageCState": "C0\/C1 State", "Process PowerPerformTuning": "OS Controls EPB", "Process ENERGY_PERF_BIAS_CFGMode": "Performance", "Process HyperThreadingTechnology": "Enabled", "Process IntelTXTSupport": "Disabled", "Process VMX": "Enabled", "Process SMX": "Disabled", "Process HardwarePrefetcher": "Enabled", "Process AdjacentCachePrefetch": "Enabled", "Process DCUStreamerPrefetcher": "Enabled", "Process DCUIPPrefetcher": "Enabled", "Process LLCPrefetch": "Disabled", "Process DCUMode": "32KB 8Way Without ECC", "Process ExtendedAPIC": "Enabled", "Process MMIOHighBase": "56T", "Process MMIOHighGranularitySize": "1024G", "Process Numa": "Enabled", "Process SubNUMAClustering": "Disabled", "Process LegacyVGASocket": "0", "Process EnforcePOR": "POR", "Process MemoryFrequency": "Auto", "Process DataScramblingForNVMDIMM": "Enabled", "Process DataScramblingForDDR4": "Enabled", "Process EnableADR": "Enabled", "Process LegacyADRMode": "Disabled", "Process VolatileMemoryMode": "Auto", "Process MemoryInterleaveGranularity": "Auto", "Process IMCInterleaving": "Auto", "Process ChannelInterleaving": "Auto", "Process RankInterleaving": "Auto", "Process SocketInterleaveBelow4GB": "Disabled", "Process StaticVirtualLockstepMode": "Disabled", "Process MirrorMode": "Disabled", "Process MemoryRankSparing": "Disabled", "Process CorrectableErrorThreshold": "Correctable Error Threshold: 6000", "Process SDDCPlusOne": "Disabled", "Process ADDDCSparing": "Disabled", "Process PatrolScrub": "Enabled", "Process PatrolScrubInterval": "24 hours", "Process PowerPolicy": "Custom", "Process CPUFlexRatio": "CPU Flex Ratio: 23", "Process 
CPUFlexRatioOverride": "Disabled", "Mnmt FRB2Timer": "Enabled", "Mnmt FRB2TimerTimeout": "6 minutes", "Mnmt FRB2Time* Connection #0 to host 192.168.134.16 left intact
rPolicy": "Power Cycle", "Mnmt OSWatchDogTimer": "Disabled", "Mnmt SharelinkNetwork": "Enabled", "Boot Boot_Retry": "Enabled", "Boot QuietBoot": "Enabled", "Boot BootOption1": "Hard Disk", "Boot BootOption2": "Network", "Boot BootOption3": "CD\/DVD", "Boot BootOption4": "Other Device", "Boot BootAddEFIShellToBootOption": "Disabled" } }

I resent the request with the Cookie header (this is what gofish does), and it does not work.

$ curl -v -k -X GET  https://192.168.134.16/redfish/v1/Systems/1/Bios -H "X-Auth-Token: b71b00fcd0124c7eb0jNdA8O8inx3noZQV9Zoo" -H "User-Agent: gofish/1.0" -H "Cookie: sessionKey=b71b00fcd0124c7eb0jNdA8O8inx3noZQV9Zoo"
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 192.168.134.16:443...
* TCP_NODELAY set
* Connected to 192.168.134.16 (192.168.134.16) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; O=American Megatrends Incorporated; OU=Service Processors; L=Norcross; ST=Georgia; CN=www.ami.com; emailAddress=support@ami.com
*  start date: Apr 23 17:25:49 2018 GMT
*  expire date: Jun 22 17:25:49 2037 GMT
*  issuer: C=US; O=American Megatrends Incorporated; OU=Service Processors; L=Norcross; ST=Georgia; CN=www.ami.com; emailAddress=support@ami.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /redfish/v1/Systems/1/Bios HTTP/1.1
> Host: 192.168.134.16
> Accept: */*
> X-Auth-Token: b71b00fcd0124c7eb0jNdA8O8inx3noZQV9Zoo
> User-Agent: gofish/1.0
> Cookie: sessionKey=b71b00fcd0124c7eb0jNdA8O8inx3noZQV9Zoo
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< X-Content-Type-Options: nosniff
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: default-src 'none'; child-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self' wss://*:*; img-src 'self' data:; frame-src 'self'; font-src 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: no-referrer
< X-Permitted-Cross-Domain-Policies: master-only
< X-Download-Options: noopen
< Set-Cookie: QSESSIONID=ad5700fd4f124cc7c69XecbvbmHJt2; path=/; secure;HttpOnly
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Wed, 27 Jul 2022 08:54:39 GMT
<
* Connection #0 to host 192.168.134.16 left intact
{ "cc": 7, "error": "Invalid Authentication" }

I found the code at:

```go
// runRawRequestWithHeaders actually performs the REST calls but allowing custom headers
func (c *APIClient) runRawRequestWithHeaders(method, url string, payloadBuffer io.ReadSeeker, contentType string, customHeaders map[string]string) (*http.Response, error) {
	...
	// Add auth info if authenticated
	if c.auth != nil {
		if c.auth.Token != "" {
			req.Header.Set("X-Auth-Token", c.auth.Token)
			req.Header.Set("Cookie", fmt.Sprintf("sessionKey=%s", c.auth.Token)) // here
		} else if c.auth.BasicAuth && c.auth.Username != "" && c.auth.Password != "" {
	...
```

stmcginnis commented 2 years ago

Looks like that was added in https://github.com/stmcginnis/gofish/pull/105

@DanDanN00dle do you remember what type of system you were using that needed that Cookie header added?

DanDanN00dle commented 2 years ago

I believe it was an HP DL380 G10?

Sn0rt commented 2 years ago

Can we consider moving this header setting to the customHeaders parameter of runRawRequestWithHeaders?
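A small Go reproduction of the failure in this thread, added here as an example and not gofish's own code: a constructed mock BMC that answers like the captures above (200 with X-Auth-Token alone, 401 as soon as a Cookie header rides along) and a request builder that follows the suggestion of leaving Cookie to the caller's custom headers. The names mockBMC, newRequest, probeBMC and sessionToken are assumptions; run it with `go test` beside a test that calls probeBMC.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const sessionToken = "EXAMPLE-SESSION-TOKEN" // constructed placeholder, not a real token

// mockBMC reproduces the behaviour captured in this issue: X-Auth-Token alone is
// accepted, the same request with a Cookie header is rejected with 401.
func mockBMC(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("X-Auth-Token") != sessionToken || r.Header.Get("Cookie") != "" {
		http.Error(w, `{ "cc": 7, "error": "Invalid Authentication" }`, http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, `{ "Id": "bios", "Name": "BIOS Current Settings" }`)
}

// newRequest builds an authenticated Redfish GET. Unlike the gofish snippet
// quoted above it never sets Cookie on its own: the caller must pass it in custom.
func newRequest(baseURL, path, token string, custom map[string]string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+path, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Auth-Token", token) // standard Redfish session auth
	for k, v := range custom {            // vendor-specific extras, opt-in only
		req.Header.Set(k, v)
	}
	return req, nil
}

// probeBMC sends GET /redfish/v1/Systems/1/Bios to the mock BMC and returns the status.
func probeBMC(custom map[string]string) (int, error) {
	srv := httptest.NewServer(http.HandlerFunc(mockBMC))
	defer srv.Close()
	req, err := newRequest(srv.URL, "/redfish/v1/Systems/1/Bios", sessionToken, custom)
	if err != nil {
		return 0, err
	}
	resp, err := srv.Client().Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}
```

probeBMC(nil) returns 200, while probeBMC with a `Cookie: sessionKey=...` entry returns 401, matching the two curl captures in the report.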

stmcginnis commented 2 years ago

I believe this is closed by #194.