Asset key auth doesn't work properly #1110

Open
msquantori opened this issue Feb 27, 2024 · 3 comments
Labels: bug (Something isn't working), security, stake:ciq (CIQ is a stakeholder of this issue)

@msquantori

Steps to reproduce

I'm trying to use the asset tag during provisioning, and have the following issues:

  1. Default dhcpd.conf.ww in host overlay knows nothing about asset parameter and generates the following URL:
    `http://IP:PORT/ipxe/${mac:hexhyp}`
    though it should be
    `http://IP:PORT/ipxe/${mac:hexhyp}?assetkey=${asset}&uuid=${uuid}`

Without this modification - the system can't boot. Probably should be documented or just added to the default template.

  2. After the system boots, it has a hard time updating the runtime overlay. The asset tag is set and obviously working fine during PXE boot. However, after the system has booted, wwclient can't get the value. No errors. So I see a "Bad Asset" error.

I have DELL hardware, and I can see Asset in dmidecode:
```
Chassis Information
	Manufacturer: Dell Inc.
	Type: Rack Mount Chassis
	Lock: Present
	Version: Not Specified
	Serial Number: *******
	Asset Tag: ZAZAZA1
```

I assume it has something to do with the way WW client gets asset_tag

Error message

No response

Information on your system

```
wwctl version
wwctl version: 4.5.0rc2-1
rpc version: apiPrefix:"rc1" apiVersion:"1" warewulfVersion:"4.5.0rc2-1"

cat /etc/redhat-release
Rocky Linux release 9.3 (Blue Onyx)
```

General information

  • I have run wwctl version and reported the contents of /etc/os-release
  • I have searched the issues of this repo and believe this is not a duplicate
  • I have captured and reported relevant error messages and logs
msquantori added the bug (Something isn't working) label Feb 27, 2024
anderbubble added this to the v4.5.1 milestone Feb 27, 2024
anderbubble added the stake:ciq (CIQ is a stakeholder of this issue) label Mar 19, 2024
@JasonYangShadow
Member

@msquantori
Thanks for the report.
I am trying to dig into this issue. It looks like this Bad Asset error is thrown here
https://github.com/warewulf/warewulf/blob/main/internal/pkg/warewulfd/provision.go#L82
so the server side should print related denied messages. Can you confirm that?
Besides, the wwclient side should have a debug message when making requests during provisioning
https://github.com/warewulf/warewulf/blob/main/internal/app/wwclient/root.go#L212
where tag is the Asset Key and localUUID is the UUID as defined and fetched here

```go
tag = strings.ReplaceAll(x.AssetTagNumber(), " ", "_")
```

I am guessing there might be errors thrown during the smbios info reading.

```go
smbiosDump, smbiosErr := smbios.New()
```

Feel free to share your thoughts. cc @anderbubble @mslacken

anderbubble modified the milestones: v4.5.1, v4.6.0 Apr 4, 2024
@rthomson

rthomson commented May 23, 2024

I can confirm this issue on Dell hardware (R640). I can boot the node by supplying `assetkey=${asset}` as a parameter to the HTTP URL for fetching the iPXE config during DHCP boot (I use dnsmasq) but once the node is booted and wwclient tries to update the runtime overlay(s), it fails to download with HTTP 401 and the following log message in syslog:

```
warewulfd[12345] DENIED : Incorrect asset key for node: node1
```

I think this is the go-smbios library you're using: https://github.com/siderolabs/go-smbios/ (redirected there from github.com/talos-systems/go-smbios/smbios) and it kinda looks like they define AssetTagNumber in the struct but there is no call to actually set the value of it in the subsequent NewSystemEnclosure function call here: https://github.com/siderolabs/go-smbios/blob/c5267640be317efd9cbbe936ab78b2a49c757edf/smbios/system_enclosure.go#L33

I assume system_enclosure.go in that library is the right place to look since the ww code here appears to call a function named SystemEnclosure here to gather the asset tag info:

```go
x := smbiosDump.SystemEnclosure()
```
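The following is an added example, not part of the comment above and not Warewulf or go-smbios code. It decodes the Asset Tag Number from a raw SMBIOS type 3 (System Enclosure) structure and applies the space-to-underscore normalization quoted in the thread, so the value a client would send can be checked against the key configured on the server. The function names and the sample bytes are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// assetTag extracts the Asset Tag Number from one raw SMBIOS type 3
// (System Enclosure) structure: formatted area followed by the string table.
func assetTag(raw []byte) (string, error) {
	if len(raw) < 9 || raw[0] != 3 {
		return "", errors.New("not a type 3 structure")
	}
	length := int(raw[1]) // size of the formatted area
	if length < 9 || length > len(raw) {
		return "", errors.New("bad formatted-area length")
	}
	idx := int(raw[8]) // offset 0x08: 1-based string index, 0 = no string
	if idx == 0 {
		return "", nil
	}
	// String table: NUL-terminated strings, closed by an extra NUL.
	strs := strings.Split(string(raw[length:]), "\x00")
	if idx > len(strs) || strs[idx-1] == "" {
		return "", errors.New("asset tag index points past string table")
	}
	return strs[idx-1], nil
}

// clientKey applies the normalization quoted in the thread (spaces -> "_").
func clientKey(tag string) string { return strings.ReplaceAll(tag, " ", "_") }

// sampleEnclosure is constructed for this example, not dumped from hardware.
func sampleEnclosure(tag string) []byte {
	hdr := []byte{3, 9, 0, 3, 1, 0x17, 2, 3, 4} // type, length, handle, string indexes
	table := "Dell Inc.\x00Not Specified\x00SERIAL\x00" + tag + "\x00\x00"
	return append(hdr, table...)
}

func main() {
	tag, err := assetTag(sampleEnclosure("ZAZAZA 1"))
	fmt.Printf("decoded=%q err=%v key=%q\n", tag, err, clientKey(tag))
	// A decoder that never fills the field yields "", which cannot match
	// a non-empty key configured on the server.
	fmt.Println("empty matches configured key:", clientKey("") == "ZAZAZA_1")
}
```

On Linux the firmware-reported value can also be read from `/sys/class/dmi/id/chassis_asset_tag` and compared with the `dmidecode` output when diagnosing a mismatch.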

@anderbubble
Collaborator

@rthomson thanks for the deep dive. I have taken a note to look more holistically at auditing Warewulf's security model, and I've tagged this issue for that.
