Add "requires" handlers to all non-trivial routes
This commit is the result of an audit to add user levels to the various
components that need them. As written:
KVM requires admin privilege
Virtual media requires admin privilege
image upload requires admin privilege
/subscribe API requires Login privilege
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: I6384f23769a5ac23f653519656721da7373f088f
diff --git a/include/dbus_monitor.hpp b/include/dbus_monitor.hpp
index 662d3c6..0543c7b 100644
--- a/include/dbus_monitor.hpp
+++ b/include/dbus_monitor.hpp
@@ -114,6 +114,7 @@
template <typename... Middlewares> void requestRoutes(Crow<Middlewares...>& app)
{
BMCWEB_ROUTE(app, "/subscribe")
+ .requires({"Login"})
.websocket()
.onopen([&](crow::websocket::Connection& conn) {
BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened";
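Review bot: `.requires({"Login"})` is chained before `.websocket()` on `/subscribe`, and the hunk does not show whether the rule object returned by `.websocket()` keeps the privilege set recorded on the rule before it. If `.websocket()` constructs a fresh rule, the requirement could be dropped silently and the upgrade would proceed with no privilege check; the same ordering is used for `/kvm/0`, `/console0` and `/vm/0/0` in this commit. Please confirm that the router evaluates the set on the websocket upgrade path, and add a test in which a session lacking the privilege is refused the handshake. The body of requestRoutes continues outside the hunk.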
diff --git a/include/image_upload.hpp b/include/image_upload.hpp
index ba9c403..69e5637 100644
--- a/include/image_upload.hpp
+++ b/include/image_upload.hpp
@@ -111,6 +111,7 @@
template <typename... Middlewares> void requestRoutes(Crow<Middlewares...>& app)
{
BMCWEB_ROUTE(app, "/upload/image/<str>")
+ .requires({"ConfigureComponents", "ConfigureManager"})
.methods("POST"_method,
"PUT"_method)([](const crow::Request& req, crow::Response& res,
const std::string& filename) {
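Review bot: The added `.requires({"ConfigureComponents", "ConfigureManager"})` on `/upload/image/<str>` does not say whether a caller must hold both privileges or either one, while the commit message describes it only as "admin privilege". The reading decides whether a role holding just `ConfigureComponents` can upload an image, so it should be stated at the call site, for example `// Caller must hold both privileges (administrator only)` if that is the intended meaning; this needs confirming against the `requires()` implementation, which is outside this diff. The identical literal is repeated on `/upload/image`, `/kvm/0`, `/console0`, `/bus/system/<str>/<path>` and `/vm/0/0`, so one named constant for the set would keep the six routes from drifting apart in a later audit.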
@@ -118,6 +119,7 @@
});
BMCWEB_ROUTE(app, "/upload/image")
+ .requires({"ConfigureComponents", "ConfigureManager"})
.methods("POST"_method, "PUT"_method)(
[](const crow::Request& req, crow::Response& res) {
uploadImageHandler(req, res, "");
diff --git a/include/kvm_websocket.hpp b/include/kvm_websocket.hpp
index 817f7c4..d97b03e 100644
--- a/include/kvm_websocket.hpp
+++ b/include/kvm_websocket.hpp
@@ -159,6 +159,7 @@
sessions.reserve(maxSessions);
BMCWEB_ROUTE(app, "/kvm/0")
+ .requires({"ConfigureComponents", "ConfigureManager"})
.websocket()
.onopen([](crow::websocket::Connection& conn) {
BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened";
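Review bot: The requirement added on `/kvm/0` is presumably evaluated once, when the connection is opened, and nothing in the hunk shows what happens to an already open KVM session when the user logs out, the session expires or the account loses its privileges. For a long-lived channel this means access could outlast the authorization that granted it; the same question applies to `/console0` and `/vm/0/0`. If open-time checking is the intended behaviour, document it above the route, e.g. `// Privileges are checked at connection open only; open sessions are not re-validated`, otherwise close the connection when the owning session is invalidated. The enclosing function starts and ends outside the hunk.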
diff --git a/include/obmc_console.hpp b/include/obmc_console.hpp
index b8afba6..b545f96 100644
--- a/include/obmc_console.hpp
+++ b/include/obmc_console.hpp
@@ -104,6 +104,7 @@
void requestRoutes(CrowApp& app)
{
BMCWEB_ROUTE(app, "/console0")
+ .requires({"ConfigureComponents", "ConfigureManager"})
.websocket()
.onopen([](crow::websocket::Connection& conn) {
BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened";
diff --git a/include/openbmc_dbus_rest.hpp b/include/openbmc_dbus_rest.hpp
index 93c198e..a4cccb1 100644
--- a/include/openbmc_dbus_rest.hpp
+++ b/include/openbmc_dbus_rest.hpp
@@ -2233,6 +2233,7 @@
});
BMCWEB_ROUTE(app, "/bus/system/<str>/<path>")
+ .requires({"ConfigureComponents", "ConfigureManager"})
.methods("GET"_method,
"POST"_method)([](const crow::Request &req,
crow::Response &res,
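Review bot: Only `/bus/system/<str>/<path>` gains a privilege requirement in this file, and the hunk does not show what a route without `.requires()` defaults to. If the default is "no privilege needed", any other route registered in openbmc_dbus_rest.hpp (outside this hunk) keeps that default, and a future route added without the call does too. A fail-closed default in the router, or an explicit `.requires(...)` on every route including the deliberately open ones, would make an omission visible in review. The handler lambda for this route continues outside the hunk.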
diff --git a/include/vm_websocket.hpp b/include/vm_websocket.hpp
index 57a690c..d1127a4 100644
--- a/include/vm_websocket.hpp
+++ b/include/vm_websocket.hpp
@@ -160,6 +160,7 @@
template <typename... Middlewares> void requestRoutes(Crow<Middlewares...>& app)
{
BMCWEB_ROUTE(app, "/vm/0/0")
+ .requires({"ConfigureComponents", "ConfigureManager"})
.websocket()
.onopen([](crow::websocket::Connection& conn) {
BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened";