Fix privileges on default handlers
Regardless of what privileges are allowed on a resource, we should
almost always be pulling from the PrivilegeRegistry for the information.
This corrects the handlers in redfish_v1.hpp. Namely that
JsonSchemaCollection now pulls from the generated privilege registry
files, and the 404 handler now requires a valid login to hit the route.
This allows 401 to be returned on routes that would 404. Arguably users
should not be able to see what routes bmcweb implements if they are not
authenticated. Marking the 404 route as login is largely ceremonial and
for documentation, because there is a separate check for a user being
authenticated.
Tested:
Redfish service validator passes.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I4c03b0ae05d9fb7712d6ec3b6f2feaf034ca0750
diff --git a/redfish-core/lib/redfish_v1.hpp b/redfish-core/lib/redfish_v1.hpp
index c7c5265..fa3ca36 100644
--- a/redfish-core/lib/redfish_v1.hpp
+++ b/redfish-core/lib/redfish_v1.hpp
@@ -150,19 +150,25 @@
std::bind_front(redfishGet, std::ref(app)));
BMCWEB_ROUTE(app, "/redfish/v1/JsonSchemas/<str>/")
+ .privileges(redfish::privileges::getJsonSchemaFileCollection)
.methods(boost::beast::http::verb::get)(
std::bind_front(jsonSchemaGet, std::ref(app)));
BMCWEB_ROUTE(app, "/redfish/v1/JsonSchemas/")
+ .privileges(redfish::privileges::getJsonSchemaFile)
.methods(boost::beast::http::verb::get)(
std::bind_front(jsonSchemaIndexGet, std::ref(app)));
// Note, this route must always be registered last
BMCWEB_ROUTE(app, "/redfish/<path>")
- .notFound()(std::bind_front(redfish404, std::ref(app)));
+ .notFound()
+ .privileges(redfish::privileges::privilegeSetLogin)(
+ std::bind_front(redfish404, std::ref(app)));
BMCWEB_ROUTE(app, "/redfish/<path>")
- .methodNotAllowed()(std::bind_front(redfish405, std::ref(app)));
+ .methodNotAllowed()
+ .privileges(redfish::privileges::privilegeSetLogin)(
+ std::bind_front(redfish405, std::ref(app)));
}
} // namespace redfish