Bug #9852

REST API violation in BMC smart proxy API

Added by Corey Osman over 5 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Category: BMC

Description

[root@puppet ~]# wget --header "Accept: application/json" \
    --ca-certificate=ca.pem --private-key=puppet.example.com.pem \
    --certificate=puppet.example.com.pem \
    https://puppet.example.com:8443/bmc/10.0.0.1/chassis/power/status \
    --user=admin --password=blahpass
HTTP/1.1 400 Bad Request
Date: Wed, 11 Feb 2015 13:38:43 GMT
Content-Length: 12
Server: WEBrick/1.3.1 (Ruby/1.8.7/2011-06-30) OpenSSL/1.0.1e
Content-Type: application/json
Connection: Keep-Alive
https://puppet.example.com:8443/bmc/10.0.0.1/chassis/power/status:
2015-02-11 14:38:43 ERROR 400: Bad Request.

[root@puppet ~]#

This is because of the `raise` at [1]. A proper REST implementation
should instead return a "401 Unauthorized" code to indicate to the client
that it should retry with credentials. Although I do admire the technical
prowess of the hack, I would question the (ab)use of the basic authentication
mechanism for passing the IPMI username/password.

This can be worked around by passing "--auth-no-challenge" to wget to
force sending the credentials without being issued a 401.
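
The challenge behaviour the report asks for, as an added Ruby example (not code from smart-proxy or from this ticket): a request without credentials gets a 401 with a `WWW-Authenticate` header, so a client such as wget retries with them. The function names, the realm string, the JSON bodies and the choice to answer an unparsable header with 400 are assumptions of this example.

```ruby
require 'base64'

# Realm string is an assumption of this example, not taken from smart-proxy.
REALM = 'BMC'.freeze

# Decode a Basic Authorization header value into [user, password].
# Returns nil when the value is not well-formed Basic credentials.
def parse_basic(header)
  scheme, token = header.to_s.split(' ', 2)
  return nil unless scheme && token && scheme.casecmp('basic').zero?
  user, pass = Base64.strict_decode64(token.strip).split(':', 2)
  return nil if user.nil? || user.empty? || pass.nil?
  [user, pass]
rescue ArgumentError # token was not valid base64
  nil
end

# Build a Rack-style [status, headers, body] JSON error response.
def json_error(status, message, extra_headers = {})
  body = %({"error":"#{message}"})
  headers = { 'Content-Type' => 'application/json',
              'Content-Length' => body.bytesize.to_s }.merge(extra_headers)
  [status, headers, [body]]
end

# Returns { user:, password: } when credentials are present, otherwise the
# response to send: 401 plus a challenge when none were sent, so that clients
# like wget retry with credentials; 400 only for a header that cannot be parsed.
def bmc_credentials_or_response(env)
  header = env['HTTP_AUTHORIZATION']
  if header.nil? || header.strip.empty?
    return json_error(401, 'authentication required',
                      'WWW-Authenticate' => %(Basic realm="#{REALM}"))
  end
  user, pass = parse_basic(header)
  return json_error(400, 'malformed Authorization header') if user.nil?
  { user: user, password: pass }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed requests: wget's first attempt (no header), then its retry.
  retry_header = 'Basic ' + Base64.strict_encode64('admin:blahpass')
  p bmc_credentials_or_response({})
  p bmc_credentials_or_response('HTTP_AUTHORIZATION' => retry_header)
end
```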

Associated revisions

Revision 46cf1703 (diff)
Added by Corey Osman over 5 years ago

Fixes #9852 - REST API violation in BMC smart proxy API
  * authentication errors now return 401 and proper message

History

#1 Updated by The Foreman Bot over 5 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/270 added
  • Pull request deleted ()

#2 Updated by Corey Osman over 5 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#3 Updated by Dominic Cleal over 5 years ago

  • Legacy Backlogs Release (now unused) set to 28
