Fix authorization for LDAP users
Modified the code to make an asynchronous call to GetUserInfo to get
the user role for authorization.
For local users, DBus matches are used to store user role map hot in
memory. Hence, bmcweb has to know whether a user is a local user or
LDAP user to get the role. To avoid this, removed the existing DBus
matches and modified the code to call GetUserInfo to get the role of
local users as well as LDAP users.
Tested:
- Created a local user having admin privilege and verified that he is
able to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Created a local user having user privilege and verified that he is
unauthorized to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Created a remote user having admin privilege and verified that he is
able to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Created a remote user having user privilege and verified that he is
unauthorized to restart the system
/redfish/v1/Systems/system/Actions/ComputerSystem.Reset
-d '{"ResetType": "GracefulRestart"}'
- Tested Redfish ConfigureSelf privilege
Signed-off-by: RAJESWARAN THILLAIGOVINDAN <rajeswgo@in.ibm.com>
Change-Id: Ic3e46a0c0aff2cf456c98048350e58e302011c57
diff --git a/http/app.h b/http/app.h
index fd01340..74fc5c6 100644
--- a/http/app.h
+++ b/http/app.h
@@ -54,7 +54,7 @@
router.handleUpgrade(req, res, std::move(adaptor));
}
- void handle(const Request& req, Response& res)
+ void handle(Request& req, Response& res)
{
router.handle(req, res);
}
diff --git a/http/http_request.h b/http/http_request.h
index caae93a..ff09bf1 100644
--- a/http/http_request.h
+++ b/http/http_request.h
@@ -26,6 +26,8 @@
std::shared_ptr<crow::persistent_data::UserSession> session;
+ std::string userRole{};
+
Request(
boost::beast::http::request<boost::beast::http::string_body>& reqIn) :
req(reqIn),
diff --git a/http/routing.h b/http/routing.h
index 7846924..f194ad1 100644
--- a/http/routing.h
+++ b/http/routing.h
@@ -1177,7 +1177,7 @@
}
}
- void handle(const Request& req, Response& res)
+ void handle(Request& req, Response& res)
{
if (static_cast<size_t>(req.method()) >= perMethods.size())
return;
@@ -1250,48 +1250,61 @@
<< static_cast<uint32_t>(req.method()) << " / "
<< rules[ruleIndex]->getMethods();
- redfish::Privileges userPrivileges;
- if (req.session != nullptr)
- {
- // Get the user role from the session.
- const std::string& userRole =
- persistent_data::UserRoleMap::getInstance().getUserRole(
- req.session->username);
-
- BMCWEB_LOG_DEBUG << "USER ROLE=" << userRole;
-
- // Get the user privileges from the role
- userPrivileges = redfish::getUserPrivileges(userRole);
- }
-
- if (!rules[ruleIndex]->checkPrivileges(userPrivileges))
- {
- res.result(boost::beast::http::status::forbidden);
- res.end();
- return;
- }
-
- // any uncaught exceptions become 500s
- try
+ if (req.session == nullptr)
{
rules[ruleIndex]->handle(req, res, found.second);
- }
- catch (std::exception& e)
- {
- BMCWEB_LOG_ERROR << "An uncaught exception occurred: " << e.what();
- res.result(boost::beast::http::status::internal_server_error);
- res.end();
return;
}
- catch (...)
- {
- BMCWEB_LOG_ERROR
- << "An uncaught exception occurred. The type was unknown "
- "so no information was available.";
- res.result(boost::beast::http::status::internal_server_error);
- res.end();
- return;
- }
+
+ crow::connections::systemBus->async_method_call(
+ [&req, &res, &rules, ruleIndex, found](
+ const boost::system::error_code ec,
+ std::map<std::string, std::variant<bool, std::string,
+ std::vector<std::string>>>
+ userInfo) {
+ if (ec)
+ {
+ BMCWEB_LOG_ERROR << "GetUserInfo failed...";
+ res.result(
+ boost::beast::http::status::internal_server_error);
+ res.end();
+ return;
+ }
+
+ const std::string* userRolePtr = nullptr;
+ auto userInfoIter = userInfo.find("UserPrivilege");
+ if (userInfoIter != userInfo.end())
+ {
+ userRolePtr =
+ std::get_if<std::string>(&userInfoIter->second);
+ }
+
+ std::string userRole{};
+ if (userRolePtr != nullptr)
+ {
+ userRole = *userRolePtr;
+ BMCWEB_LOG_DEBUG << "userName = " << req.session->username
+ << " userRole = " << *userRolePtr;
+ }
+
+ // Get the user privileges from the role
+ redfish::Privileges userPrivileges =
+ redfish::getUserPrivileges(userRole);
+
+ if (!rules[ruleIndex]->checkPrivileges(userPrivileges))
+ {
+ res.result(boost::beast::http::status::forbidden);
+ res.end();
+ return;
+ }
+
+ req.userRole = userRole;
+
+ rules[ruleIndex]->handle(req, res, found.second);
+ },
+ "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
+ "xyz.openbmc_project.User.Manager", "GetUserInfo",
+ req.session->username);
}
void debugPrint()