Redfish validator is throwing error on In band and Action URI's

[manipk01]

Hi @mraineri ,

We are seeing two recurring FAIL items in the Redfish Service Validator as below

1. The validator is performing GET requests on OriginOfCondition URIs referenced in Audit Log entries. Some of these are OEM-internal resources that we can see the response internally (in band), so we intentionally return HTTP 404 or HTTP 403 (restricted access) from out of band. We believe this is an expected behaviour from our end.

URI: /redfish/v1/Managers/instance/LogServices/AuditLog/Entries/instance
"Links": { "OriginOfCondition": { "@odata.id": "/redfish/v1/Oem/contoso/abcd" } },

2. The validator is performing GET requests on oem Action target URIs, which are POST-only endpoints. Since the Redfish specification does not require Action URIs to support GET, we believe a 405 response here is correct and expected.

So would like to clarify whether these issues are from tools side, or whether it is from our side.

Thanks,
Mani P K

[mraineri]

1. Generally speaking, it's in good practice to not provide users with URIs that they cannot access. It can be considered leakage just by virtue of the fact the URI is present in the payload. We have a little bit of this in the spec already:

A service may perform additional checks based on the identity of the user and remove data from responses. For example, a service might restrict access for non-administrative users to only access their own ManagerAccount, Session, and EventDestination resources.

We could elevate the 403 responses to a warning at the very least.

2. Can you provide the logs (the entire .log and .html file) showing this? The tool does not follow "target", but will follow other links. If you're providing action URIs anywhere outside of "target", then this is an incorrect usage of action URIs.