Ed Tanous08bbe112023-04-06 13:10:02 -07001#pragma once
2
3#include "dbus_utility.hpp"
4#include "error_messages.hpp"
5#include "http_request.hpp"
6#include "http_response.hpp"
7#include "logging.hpp"
8#include "routing/baserule.hpp"
Ed Tanous8ed41c32021-05-09 23:51:31 -05009#include "user_role_map.hpp"
Ed Tanous08bbe112023-04-06 13:10:02 -070010#include "utils/dbus_utils.hpp"
11
12#include <boost/url/format.hpp>
Ed Tanous8ed41c32021-05-09 23:51:31 -050013#include <sdbusplus/bus/match.hpp>
Ed Tanous08bbe112023-04-06 13:10:02 -070014#include <sdbusplus/unpack_properties.hpp>
15
16#include <memory>
17#include <vector>
18
19namespace crow
20{
Ed Tanous08bbe112023-04-06 13:10:02 -070021
/**
 * @brief Decide whether the session attached to a request may use a route.
 *
 * The session's privileges are obtained from redfish::getUserPrivileges().
 * When the session is flagged isConfigureSelfOnly they are narrowed to
 * ConfigureSelf before the rule is consulted.
 *
 * @param req        Request whose session is evaluated.
 * @param asyncResp  Response that receives 403 Forbidden when the rule
 *                   rejects the privileges, plus a PasswordChangeRequired
 *                   message for ConfigureSelf-only sessions.
 * @param rule       Route rule holding the required privileges.
 * @return true when rule.checkPrivileges() accepts the effective privileges;
 *         false otherwise, including when the request has no session.
 *
 * @note A missing session returns false without writing a status to
 *       asyncResp; the caller has to produce the error response for that
 *       case.
 */
inline bool
    isUserPrivileged(Request& req,
                     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
                     BaseRule& rule)
{
    // No session means there is no identity to authorize: deny.
    if (req.session == nullptr)
    {
        return false;
    }
    auto& session = *req.session;

    // Start from everything the user's role grants.
    redfish::Privileges granted = redfish::getUserPrivileges(session);

    if (session.isConfigureSelfOnly)
    {
        // Restricted session: keep ConfigureSelf only, drop everything else.
        granted = granted.intersection(redfish::Privileges{"ConfigureSelf"});
        BMCWEB_LOG_DEBUG("Operation limited to ConfigureSelf");
    }

    if (rule.checkPrivileges(granted))
    {
        return true;
    }

    // Denied: always answer 403.
    asyncResp->res.result(boost::beast::http::status::forbidden);
    if (session.isConfigureSelfOnly)
    {
        // Point the client at its own account resource so it can see that a
        // password change is what unblocks the session.
        redfish::messages::passwordChangeRequired(
            asyncResp->res,
            boost::urls::format("/redfish/v1/AccountService/Accounts/{}",
                                session.username));
    }
    return false;
}
59
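/**
 * @brief Refresh the session's authorization data, then run the handler only
 *        if the user is privileged for the rule.
 *
 * The role, password-expired flag and group list are looked up in
 * UserRoleMap by the session's username on every call, and copied into the
 * session before the privilege check.
 *
 * @param req        Request being authorized; its session is updated in
 *                   place.
 * @param asyncResp  Response that receives 403 Forbidden when the check
 *                   fails.
 * @param rule       Route rule holding the required privileges.
 * @param callback   Invoked as callback(req) only when the check passes.
 */
template <typename CallbackFn>
void validatePrivilege(Request& req,
                       const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
                       BaseRule& rule, CallbackFn&& callback)
{
    if (req.session == nullptr)
    {
        // Fail closed: the handler is never run without a session.
        // NOTE(review): no status is written to asyncResp on this path;
        // confirm the caller turns a missing session into an explicit
        // 401/403 instead of letting a default response go out.
        return;
    }

    UserFields props =
        UserRoleMap::getInstance().getUserRole(req.session->username);

    // Each field is applied only when the lookup returned it; an absent field
    // leaves the session's previous value in place.
    // NOTE(review): that means a lookup that returns nothing keeps the old
    // role, groups and password-expired flag - verify this is intended for
    // accounts that were removed or changed after login.
    if (props.userRole)
    {
        req.session->userRole = std::move(*props.userRole);
    }
    if (props.passwordExpired)
    {
        // An expired password restricts the session to ConfigureSelf.
        req.session->isConfigureSelfOnly = *props.passwordExpired;
    }
    if (props.userGroups)
    {
        req.session->userGroups = std::move(*props.userGroups);
    }

    if (!isUserPrivileged(req, asyncResp, rule))
    {
        // User is not privileged. isUserPrivileged() does not set a status
        // on every rejection path, so 403 is set here unconditionally.
        BMCWEB_LOG_WARNING("Insufficient Privilege");
        asyncResp->res.result(boost::beast::http::status::forbidden);
        return;
    }
    callback(req);
}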
94
95} // namespace crow