Figure out Redfish-correct way to deal with expired passwords #118

Closed
paulfertser opened this issue May 28, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@paulfertser
Contributor

As mentioned at https://gerrit.openbmc.org/c/openbmc/webui-vue/+/70758/2#message-ba4ad7929c11f36024cdf13fdb98173df7d1882e it's unclear whether webui-vue is currently dealing with accounts that have expired passwords the right (envisioned by Redfish) way.

It basically requests /redfish/v1/AccountService/Accounts/${username} and if it sees PasswordChangeRequired that evaluates to true it redirects to /change-password. We already know it's wrong to use ${username} there, but is this flow otherwise the Redfish-recommended one?

How should expired accounts with external authentication (e.g. LDAP or RADIUS) be detected and treated?

@edtanous
Contributor

In the login code handling path, we should check for the existence of a message "Base.PasswordChangeRequired", which is what bmcweb signals when a password change is required on login.

In addition, any requests that return 401 should be checked for a similar message.

@gtmills added the "bug" and "enhancement" labels and removed the "bug" label on Jun 6, 2024
bradbishop pushed a commit that referenced this issue Aug 29, 2024
A password can expire at any moment during session lifetime and bmcweb
starts returning 403 Forbidden errors to the requests made after that.
The response contains clear indication of the condition in the standard
`@Message.ExtendedInfo` attribute which is an array of Message objects.

Previously the code was trying to detect this condition by querying
AccountService after logging in, but this approach doesn't work when the
password expires mid-session. It was also limited to BMC-managed
accounts and used hardcoded account URIs in violation of the Redfish spec.

This patch adds to the 403 error interceptor so that the user is
automatically redirected to the password change page as soon as the
condition is detected.

The same message is also present in the session creation POST 201
response if the password expired before the login attempt; in this case the
session is created as usual but the user is automatically redirected to the
password change page before any further requests are made.

Tested: logging in, navigating, logging out with a non-expired password.
Logging in, navigating, then running `passwd -e <accountname>` via ssh
leads to a functional password change page on the next request, and then
navigating proceeds normally, and logging out too. If the password is
expired before logging in, the user gets redirected to the password
change page automatically after logging in.

Fixes: #118
Change-Id: I03f5ee2526a4bb1d35d3bbea1142fea077d6bfed
Signed-off-by: Paul Fertser <[email protected]>
Signed-off-by: Surya Venkatesan <[email protected]>
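The detection described in the comment and commit message above, as an added, framework-agnostic example that is not webui-vue's own code: it looks for a `Base.PasswordChangeRequired` message in `@Message.ExtendedInfo` (top level for the 201 session response, inside `error` for a 403 error response) and ignores the registry version embedded in the MessageId. The sample bodies are constructed, not captured from a BMC; wiring the result into an HTTP client's response interceptor is left to the caller.

```javascript
// Redfish carries Message objects in `@Message.ExtendedInfo`, either at the
// top level of a resource response or inside the `error` object of an error
// response. Each has a MessageId like "<Registry>.<Major>.<Minor>.<Key>".
function extendedInfoMessages(body) {
  if (!body || typeof body !== 'object') return [];
  const top = body['@Message.ExtendedInfo'];
  const err = body.error && body.error['@Message.ExtendedInfo'];
  const list = Array.isArray(top) ? top : Array.isArray(err) ? err : [];
  return list.filter((m) => m && typeof m.MessageId === 'string');
}

// Match on registry name and message key only, so the registry version
// in the MessageId (e.g. "1.19") does not matter.
function isPasswordChangeRequired(body) {
  return extendedInfoMessages(body).some((m) => {
    const parts = m.MessageId.split('.');
    return parts[0] === 'Base' && parts[parts.length - 1] === 'PasswordChangeRequired';
  });
}

// Decide whether a response should send the user to /change-password. Only
// the two cases named in the commit message are considered: the 201 from
// session creation and a 403 from any later request.
function shouldRedirectToPasswordChange(status, body) {
  return (status === 201 || status === 403) && isPasswordChangeRequired(body);
}

// Constructed sample bodies (not real BMC output; account URI is a placeholder).
const SESSION_CREATED = {
  Id: 'session1',
  '@Message.ExtendedInfo': [{
    MessageId: 'Base.1.19.PasswordChangeRequired',
    MessageArgs: ['/redfish/v1/AccountService/Accounts/example'],
    Severity: 'Critical',
  }],
};
const FORBIDDEN_EXPIRED = {
  error: {
    code: 'Base.1.19.PasswordChangeRequired',
    message: 'A password change is required.',
    '@Message.ExtendedInfo': [{ MessageId: 'Base.1.19.PasswordChangeRequired' }],
  },
};
const FORBIDDEN_OTHER = {
  error: {
    code: 'Base.1.19.InsufficientPrivilege',
    '@Message.ExtendedInfo': [{ MessageId: 'Base.1.19.InsufficientPrivilege' }],
  },
};
```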