Add AccountTypes in POST Accounts service
This drop adds support to specify AccountTypes at the time of user
creation. Made sure that HostConsole is only supported for user with
administrator role.
Testing:
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["HostConsole"]}'
{
"@Message.ExtendedInfo": [
{
"@odata.type": "#Message.v1_1_1.Message",
"Message": "The resource has been created successfully.",
"MessageArgs": [],
"MessageId": "Base.1.13.0.Created",
"MessageSeverity": "OK",
"Resolution": "None."
}
]
}
$ curl -k
https://root:0penBmc@bmc1:443/redfish/v1/AccountService/Accounts/user99
{
"@odata.id": "/redfish/v1/AccountService/Accounts/user99",
"@odata.type": "#ManagerAccount.v1_7_0.ManagerAccount",
"AccountTypes": [
"HostConsole"
],
"Description": "User Account",
"Enabled": true,
"Id": "user99",
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
}
},
"Locked": false,
"Locked@Redfish.AllowableValues": [
"false"
],
"Name": "User Account",
"Password": null,
"PasswordChangeRequired": false,
"RoleId": "Administrator",
"StrictAccountTypes": true,
"UserName": "user99"
}
Also ran following testcases:
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["HostConsole"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Operator", "AccountTypes": ["HostConsole"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"ReadOnly", "AccountTypes": ["HostConsole"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["ManagerConsole"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["Redfish"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["WebUI"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["IPMI"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["Redfish", "IPMI", "HostConsole",
"ManagerConsole", "WebUI"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["Redfish", "HostConsole",
"ManagerConsole", "WebUI"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["Redfish", "ManagerConsole",
"WebUI"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["Redfish", "HostConsole", "WebUI"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["IPMI", "HostConsole",
"ManagerConsole"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Operator", "AccountTypes": ["Redfish", "ManagerConsole", "WebUI"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"ReadOnly", "AccountTypes": ["Redfish", "ManagerConsole", "WebUI"]}'
Change-Id: I19ff994e712bcfaf827a5f8dd02a752a6ab92214
Signed-off-by: Ninad Palsule <ninadpalsule@us.ibm.com>
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 06ef008..6cbb405 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -1832,19 +1832,69 @@
const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
const std::string& username, const std::string& password,
const std::optional<std::string>& roleId, std::optional<bool> enabled,
+ std::optional<std::vector<std::string>> accountTypes,
const std::vector<std::string>& allGroupsList)
-
{
std::vector<std::string> userGroups;
+ std::vector<std::string> accountTypeUserGroups;
+
+ // If user specified account types then convert them to unix user groups
+ if (accountTypes)
+ {
+ if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes,
+ accountTypeUserGroups))
+ {
+ // Problem in mapping Account Types to User Groups, Error already
+ // logged.
+ return;
+ }
+ }
+
for (const auto& grp : allGroupsList)
{
+ // If user specified the account type then only accept groups which are
+ // in the account types group list.
+ if (!accountTypeUserGroups.empty())
+ {
+ bool found = false;
+ for (const auto& grp1 : accountTypeUserGroups)
+ {
+ if (grp == grp1)
+ {
+ found = true;
+ break;
+ }
+ }
+ if (!found)
+ {
+ continue;
+ }
+ }
+
// Console access is provided to the user who is a member of
// hostconsole group and has a administrator role. So, set
// hostconsole group only for the administrator.
- if ((grp != "hostconsole") || (roleId == "priv-admin"))
+ if ((grp == "hostconsole") && (roleId != "priv-admin"))
{
- userGroups.emplace_back(grp);
+ if (!accountTypeUserGroups.empty())
+ {
+ BMCWEB_LOG_ERROR
+ << "Only administrator can get HostConsole access";
+ asyncResp->res.result(boost::beast::http::status::bad_request);
+ return;
+ }
+ continue;
}
+ userGroups.emplace_back(grp);
+ }
+
+ // Make sure user specified groups are valid. This is internal error because
+ // it some inconsistencies between user manager and bmcweb.
+ if (!accountTypeUserGroups.empty() &&
+ accountTypeUserGroups.size() != userGroups.size())
+ {
+ messages::internalError(asyncResp->res);
+ return;
}
crow::connections::systemBus->async_method_call(
@@ -1869,9 +1919,10 @@
std::string password;
std::optional<std::string> roleId("User");
std::optional<bool> enabled = true;
- if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username,
- "Password", password, "RoleId", roleId,
- "Enabled", enabled))
+ std::optional<std::vector<std::string>> accountTypes;
+ if (!json_util::readJsonPatch(
+ req, asyncResp->res, "UserName", username, "Password", password,
+ "RoleId", roleId, "Enabled", enabled, "AccountTypes", accountTypes))
{
return;
}
@@ -1889,9 +1940,9 @@
*crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
"/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager",
"AllGroups",
- [asyncResp, username, password{std::move(password)}, roleId,
- enabled](const boost::system::error_code& ec,
- const std::vector<std::string>& allGroupsList) {
+ [asyncResp, username, password{std::move(password)}, roleId, enabled,
+ accountTypes](const boost::system::error_code& ec,
+ const std::vector<std::string>& allGroupsList) {
if (ec)
{
BMCWEB_LOG_DEBUG << "ERROR with async_method_call";
@@ -1906,7 +1957,7 @@
}
processAfterGetAllGroups(asyncResp, username, password, roleId, enabled,
- allGroupsList);
+ accountTypes, allGroupsList);
});
}