Project

General

Profile

Actions

Bug #9852

closed

REST API violation in BMC smart proxy API

Added by Corey Osman almost 10 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
BMC
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

[root@puppet ~]# wget --header "Accept: application/json"
--ca-certificate=ca.pem --private-key=puppet.example.com.pem
--certificate=puppet.example.com.pem
https://puppet.example.com:8443/bmc/10.0.0.1/chassis/power/status
--user=admin --password=blahpass
HTTP/1.1 400 Bad Request
Date: Wed, 11 Feb 2015 13:38:43 GMT
Content-Length: 12
Server: WEBrick/1.3.1 (Ruby/1.8.7/2011-06-30) OpenSSL/1.0.1e
Content-Type: application/json
Connection: Keep-Alive
https://puppet.example.com:8443/bmc/10.0.0.1/chassis/power/status:
2015-02-11 14:38:43 ERROR 400: Bad Request.

[root@puppet ~]#

This is because of the `raise` at [1]. A proper REST implementation
should instead return a "401 Unauthorized" code to indicate the client
to retry with credentials. Although I do admire the technical prowess of
the hack, I would question the (ab)use of the basic authentication
mechanism for passing the ipmi username/password.

This can be worked around by passing "--auth-no-challenge" to wget to
force sending the credentials without being issued a 401.

Actions #1

Updated by The Foreman Bot almost 10 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/270 added
  • Pull request deleted ()
Actions #2

Updated by Corey Osman over 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #3

Updated by Dominic Cleal over 9 years ago

  • Translation missing: en.field_release set to 28
Actions

Also available in: Atom PDF