Bug #9852

closed

REST API violation in BMC smart proxy API

Added by Corey Osman about 9 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: BMC
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

[root@puppet ~]# wget --header "Accept: application/json"
--ca-certificate=ca.pem --private-key=puppet.example.com.pem
--certificate=puppet.example.com.pem
https://puppet.example.com:8443/bmc/10.0.0.1/chassis/power/status
--user=admin --password=blahpass
HTTP/1.1 400 Bad Request
Date: Wed, 11 Feb 2015 13:38:43 GMT
Content-Length: 12
Server: WEBrick/1.3.1 (Ruby/1.8.7/2011-06-30) OpenSSL/1.0.1e
Content-Type: application/json
Connection: Keep-Alive
https://puppet.example.com:8443/bmc/10.0.0.1/chassis/power/status:
2015-02-11 14:38:43 ERROR 400: Bad Request.

[root@puppet ~]#

This is because of the `raise` at [1]. A proper REST implementation
should instead return a "401 Unauthorized" code to indicate to the client
that it should retry with credentials. Although I do admire the technical
prowess of the hack, I would question the (ab)use of the basic authentication
mechanism for passing the IPMI username/password.

This can be worked around by passing "--auth-no-challenge" to wget to
force sending the credentials without being issued a 401.
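
The difference between the 400 response shown above and a 401 challenge, as an added Ruby example that is not part of the original report or of the smart-proxy code. The handlers are Rack-style stand-ins, and the function names, realm and JSON bodies are constructed for illustration.

```ruby
# Added illustration; handler names, realm and JSON bodies are constructed,
# not taken from smart-proxy.
REALM = 'bmc'
JSON_TYPE = { 'Content-Type' => 'application/json' }.freeze

# Return [user, password] from a Rack-style env, or nil when the
# Authorization header is absent or not well-formed Basic credentials.
def basic_credentials(env)
  scheme, payload = env['HTTP_AUTHORIZATION'].to_s.split(' ', 2)
  return nil unless scheme&.casecmp?('basic') && payload
  user, pass = payload.unpack1('m').split(':', 2) # 'm' = base64 decode
  user && pass ? [user, pass] : nil
end

# Behaviour in the report: no credentials ends in 400, so a client that
# waits for a challenge is never told to authenticate.
def legacy_app(env)
  return [400, JSON_TYPE, ['Bad Request']] unless basic_credentials(env)
  [200, JSON_TYPE, ['{"result":"on"}']]
end

# Challenge behaviour: 401 plus WWW-Authenticate asks the client to retry.
def challenge_app(env)
  unless basic_credentials(env)
    headers = JSON_TYPE.merge('WWW-Authenticate' => %(Basic realm="#{REALM}"))
    return [401, headers, ['{"error":"credentials required"}']]
  end
  [200, JSON_TYPE, ['{"result":"on"}']]
end

# Client that sends credentials only after a Basic challenge, unless
# preemptive is set (the effect of wget's --auth-no-challenge).
def fetch_status(app, user, pass, preemptive: false)
  token = 'Basic ' + ["#{user}:#{pass}"].pack('m0') # 'm0' = strict base64
  env = preemptive ? { 'HTTP_AUTHORIZATION' => token } : {}
  status, headers, = app.call(env)
  if status == 401 && headers['WWW-Authenticate'].to_s.start_with?('Basic')
    status, = app.call({ 'HTTP_AUTHORIZATION' => token })
  end
  status
end

if __FILE__ == $PROGRAM_NAME
  puts fetch_status(method(:legacy_app), 'admin', 'blahpass')
  puts fetch_status(method(:challenge_app), 'admin', 'blahpass')
  puts fetch_status(method(:legacy_app), 'admin', 'blahpass', preemptive: true)
end
```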

Actions #1

Updated by The Foreman Bot about 9 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/270 added
  • Pull request deleted ()
Actions #2

Updated by Corey Osman about 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #3

Updated by Dominic Cleal about 9 years ago

  • translation missing: en.field_release set to 28