fix: add account checking inside verifyMtls

Currently if we don't have account in bmcweb but have valid format
certificate, we will have 500 internal server error when we send request
to bmcweb. But, if we don't have valid format certificate, we will get
401 unauthorized. This is not ideal as the http code is not appropriate.
Also, this might introduce some security risk as the user can deduce
whether their certificate format is valid or not based on the http code.

This patch solves the issue by checking whether the username exists in
the system. If it does not, the verifyMtls function returns nullptr,
which results in a 401 unauthorized response when the user has a
validly formatted certificate but there is no related username in the
system.

Change-Id: I479a10ed2bcce2c9969e19fa3aab9686ba4c71be
Signed-off-by: Malik Akbar Hashemi Rafsanjani <malikrafsan@meta.com>
Signed-off-by: Ed Tanous <etanous@nvidia.com>
diff --git a/include/dbus_privileges.hpp b/include/dbus_privileges.hpp
index 524ff1b..eb6b13b 100644
--- a/include/dbus_privileges.hpp
+++ b/include/dbus_privileges.hpp
@@ -132,6 +132,40 @@
     return true;
 }
 
+inline void handleRequestUserInfo(
+    const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
+    const boost::system::error_code& ec,
+    std::move_only_function<void(const dbus::utility::DBusPropertiesMap&)>
+        callback,
+    const dbus::utility::DBusPropertiesMap& userInfoMap)
+{
+    if (ec)
+    {
+        BMCWEB_LOG_WARNING("GetUserInfo failed with error of {}", ec);
+        if (ec.value() == boost::system::errc::io_error)
+        {
+            BMCWEB_LOG_WARNING(
+                "There is io error when calling the user manager service, this suggests the user doesn't have permission to access");
+            asyncResp->res.result(boost::beast::http::status::unauthorized);
+            return;
+        }
+        if (ec.value() == boost::system::errc::host_unreachable)
+        {
+            BMCWEB_LOG_ERROR(
+                "User manager service not reachable, this suggests the user manager service is not healthy");
+            asyncResp->res.result(
+                boost::beast::http::status::internal_server_error);
+            return;
+        }
+
+        BMCWEB_LOG_ERROR("Unhandled error code {} for GetUserInfo", ec.value());
+        asyncResp->res.result(
+            boost::beast::http::status::internal_server_error);
+        return;
+    }
+    callback(userInfoMap);
+}
+
 inline void requestUserInfo(
     const std::string& username,
     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
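Review bot: The two `ec.value() == boost::system::errc::...` tests in handleRequestUserInfo compare only the numeric value and ignore the error category, so a code from another category that happens to carry the same number would take the 401 branch instead of being reported as a backend failure. Comparing the code itself, `if (ec == boost::system::errc::io_error)`, is category-aware and is the safer test for a branch that decides between an authentication failure and a server error; this assumes the D-Bus layer reports generic-category codes, which the hunk does not show. The function also deserves a short comment stating that io_error is treated as "user not known to the user manager" and why, because the log text says "doesn't have permission" while the commit message describes a missing account. requestUserInfo, whose signature starts at the end of this hunk, continues outside it.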
@@ -143,14 +177,8 @@
         [asyncResp, callback = std::move(callback)](
             const boost::system::error_code& ec,
             const dbus::utility::DBusPropertiesMap& userInfoMap) mutable {
-            if (ec)
-            {
-                BMCWEB_LOG_ERROR("GetUserInfo failed...");
-                asyncResp->res.result(
-                    boost::beast::http::status::internal_server_error);
-                return;
-            }
-            callback(userInfoMap);
+            handleRequestUserInfo(asyncResp, ec, std::move(callback),
+                                  userInfoMap);
         },
         "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
         "xyz.openbmc_project.User.Manager", "GetUserInfo", username);
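Review bot: Routing this lambda through handleRequestUserInfo changes the status for every caller of requestUserInfo, not only the mTLS path named in the commit title: an io_error from GetUserInfo now ends in 401 where it previously ended in 500. If requestUserInfo is also used for privilege checks on already authenticated sessions (its callers are outside this diff), a transient I/O fault in the user manager would surface as an authentication failure. A comment at the call, for example `// io_error from GetUserInfo maps to 401 (unknown user); all other errors map to 500`, would record that the mapping is deliberate. The enclosing requestUserInfo body begins before this hunk.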