Bug #9852
Status: closed
REST API violation in BMC smart proxy API
Description
[root@puppet ~]# wget --header "Accept: application/json" \
    --ca-certificate=ca.pem --private-key=puppet.example.com.pem \
    --certificate=puppet.example.com.pem \
    https://puppet.example.com:8443/bmc/10.0.0.1/chassis/power/status \
    --user=admin --password=blahpass
HTTP/1.1 400 Bad Request
Date: Wed, 11 Feb 2015 13:38:43 GMT
Content-Length: 12
Server: WEBrick/1.3.1 (Ruby/1.8.7/2011-06-30) OpenSSL/1.0.1e
Content-Type: application/json
Connection: Keep-Alive
https://puppet.example.com:8443/bmc/10.0.0.1/chassis/power/status:
2015-02-11 14:38:43 ERROR 400: Bad Request.
[root@puppet ~]#
This is because of the `raise` at [1]. A proper REST implementation
should instead return a "401 Unauthorized" code to indicate to the client
that it should retry with credentials. Although I do admire the technical
prowess of the hack, I would question the (ab)use of the basic
authentication mechanism for passing the IPMI username/password.
This can be worked around by passing "--auth-no-challenge" to wget to
force sending the credentials without being issued a 401.
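To illustrate the 401-versus-400 distinction the report makes, here is an added example (not the smart proxy's own code) of a small Rack-style handler that takes the IPMI credentials from the HTTP Basic header the same way the BMC API does, but answers a missing header with a proper challenge; the handler name, realm and return shape are assumptions.

```ruby
require 'base64'

# Hypothetical handler (added example, not the smart proxy's own code).
# Input: a hash of request headers. Output: [status, headers, body].
# A missing Authorization header gets a 401 plus a WWW-Authenticate
# challenge, so a standards-following client (wget without
# --auth-no-challenge, curl, browsers) retries with credentials.
# Only a header that is present but unusable is a 400.
REALM = 'bmc'

def bmc_auth(headers)
  auth = headers['Authorization']
  if auth.nil? || auth.strip.empty?
    challenge = { 'WWW-Authenticate' => %(Basic realm="#{REALM}") }
    return [401, challenge, 'authentication required']
  end

  scheme, token = auth.strip.split(' ', 2)
  unless scheme && scheme.casecmp('Basic').zero? && token
    return [400, {}, 'unsupported authorization scheme']
  end

  begin
    decoded = Base64.strict_decode64(token.strip)
  rescue ArgumentError
    return [400, {}, 'malformed Basic credentials']
  end

  user, password = decoded.split(':', 2)
  if user.nil? || user.empty? || password.nil?
    return [400, {}, 'malformed Basic credentials']
  end

  # Credentials parsed; the caller would now hand them to the IPMI
  # backend rather than to any local account database.
  [200, { 'Content-Type' => 'application/json' },
   { user: user, password: password }]
end
```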