Fix bmcweb crash problem when no-auth
This change is similiar as
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/49465
After insecure-disable-auth=enabled. it is not needed to do login and
establish session before request.
GET/PATCH /redfish/v1/AccountService/Accounts/<accountname>.
(no matter account exist or not)
It won't get any status code and cause the bmcweb service crashed.
Solutions:
Add #ifndef BMCWEB_INSECURE_DISABLE_AUTHENTICATION and
[[maybe_unused]] const crow::Request& req
Test:
GET / PATCH with authless
https://<bmcip>/redfish/v1/AccountService/Accounts/TestAccount
Return 200
{
"@odata.id": "/redfish/v1/AccountService/Accounts/TestAccount",
"@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount",
"AccountTypes": [
"Redfish"
],
"Description": "User Account",
"Enabled": true,
"Id": "TestAccount",
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
}
},
"Locked": false,
"Locked@Redfish.AllowableValues": [
"false"
],
"Name": "User Account",
"Password": null,
"PasswordChangeRequired": false,
"RoleId": "Administrator",
"UserName": "TestAccount"
}
GET nonexistent account
https://<bmcip>/redfish/v1/AccountService/Accounts/TestAccountsss
{
"error": {
"@Message.ExtendedInfo": [
{
"@odata.type": "#Message.v1_1_1.Message",
"Message": "The requested resource of type ManagerAccount named
TestAccountsss was not found.",
"MessageArgs": [
"ManagerAccount",
"TestAccountsss"
],
"MessageId": "Base.1.8.1.ResourceNotFound",
"MessageSeverity": "Critical",
"Resolution": "Provide a valid resource identifier and resubmit
the request."
}
],
"code": "Base.1.8.1.ResourceNotFound",
"message": "The requested resource of type ManagerAccount named
TestAccountsss was not found."
}
}
Signed-off-by: JunLin Chen <Jun-Lin.Chen@quantatw.com>
Change-Id: Ic00020ac07950347973b54d49dacd44c4d4571b7
Signed-off-by: Tony Lee <tony.lee@quantatw.com>
Signed-off-by: Ed Tanous <edtanous@google.com>
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 19352e8..8d53799 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -1708,13 +1708,26 @@
.privileges(redfish::privileges::getManagerAccount)
.methods(
boost::beast::http::verb::
- get)([&app](const crow::Request& req,
+ get)([&app]([[maybe_unused]] const crow::Request& req,
const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
const std::string& accountName) -> void {
if (!redfish::setUpRedfishRoute(app, req, asyncResp->res))
{
return;
}
+#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+ // If authentication is disabled, there are no user accounts
+ messages::resourceNotFound(asyncResp->res,
+ "#ManagerAccount.v1_4_0.ManagerAccount",
+ accountName);
+ return;
+
+#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+ if (req.session == nullptr)
+ {
+ messages::internalError(asyncResp->res);
+ return;
+ }
if (req.session->username != accountName)
{
// At this point we've determined that the user is trying to
@@ -1877,12 +1890,26 @@
{
return;
}
+#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+ // If authentication is disabled, there are no user accounts
+ messages::resourceNotFound(
+ asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
+ username);
+ return;
+
+#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
std::optional<std::string> newUserName;
std::optional<std::string> password;
std::optional<bool> enabled;
std::optional<std::string> roleId;
std::optional<bool> locked;
+ if (req.session == nullptr)
+ {
+ messages::internalError(asyncResp->res);
+ return;
+ }
+
Privileges effectiveUserPrivileges =
redfish::getUserPrivileges(req.userRole);
Privileges configureUsers = {"ConfigureUsers"};
@@ -1907,6 +1934,7 @@
messages::insufficientPrivilege(asyncResp->res);
return;
}
+
// ConfigureSelf accounts can only modify their password
if (!json_util::readJsonPatch(req, asyncResp->res,
"Password", password))
@@ -1958,6 +1986,15 @@
{
return;
}
+
+#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+ // If authentication is disabled, there are no user accounts
+ messages::resourceNotFound(
+ asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
+ username);
+ return;
+
+#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
tempObjPath /= username;
const std::string userPath(tempObjPath);