Rakp12: Validate user lockout status, before RMCP+ session
In RAKP12, after fetching of the password, user pam authenticate
check is added.
Tested:
1. Verified regular ipmitool -I lanplus works.
2. Verified the negative case, by configuring lockout for failure
attempts, and locking the user by failed login attempt through
webpage, and then trying to establish IPMI RMCP+ (as expected,
session establishment failed, till lockout timeout happens, or
user is allowed to login).
Change-Id: Idcc9e9289f570fc34a64414031f3f2c7f58e6222
Signed-off-by: Ayushi Smriti <smriti.ayushi@linux.intel.com>
diff --git a/command/rakp12.cpp b/command/rakp12.cpp
index 562a450..63eb46a 100644
--- a/command/rakp12.cpp
+++ b/command/rakp12.cpp
@@ -164,6 +164,16 @@
static_cast<uint8_t>(RAKP_ReturnCode::INACTIVE_ROLE);
return outPayload;
}
+ // Check whether user is already locked for failed attempts
+ if (!ipmi::ipmiUserPamAuthenticate(userName, passwd))
+ {
+ log<level::ERR>("Authentication failed - user already locked out",
+ entry("USER-ID=%d", static_cast<uint8_t>(userId)));
+
+ response->rmcpStatusCode =
+ static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME);
+ return outPayload;
+ }
// Get the user password for RAKP message authenticate
passwd = ipmi::ipmiUserGetPassword(userName);
if (passwd.empty())
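Review bot: The added `ipmi::ipmiUserPamAuthenticate(userName, passwd)` call is placed above `passwd = ipmi::ipmiUserGetPassword(userName);`, so in the lines shown here `passwd` is handed to PAM before it has been fetched, while the commit message says the check runs after fetching the password. Move the new block below the fetch and the `passwd.empty()` check so that PAM sees the real credential and the empty-password path is handled first. The log text "user already locked out" is also stronger than what the condition proves: the `if` only shows that authentication returned false, so either word the message neutrally or document at the call site that a false return here can only mean lockout.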