Remove default LDAP privilege role
Currently, when there is no privilege role map matching the LDAP user, the
LDAP user gets the priv-user (read-only) privilege for Redfish sessions. This
is considered a security concern since, by default, all LDAP users are able
to log in to the BMC GUI and Redfish sessions.
This commit removes default priv-user(read-only) privilege for LDAP
users when there is no matching privilege role.
Tested By:
Redfish session creation fails for ldap users when there is no matching
privilege role map
Change-Id: I5247ce53577ecdf27f41bc4e2a3d1947d093874b
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>
diff --git a/test/user_mgr_test.cpp b/test/user_mgr_test.cpp
index 9e55fc8..6c8d06a 100644
--- a/test/user_mgr_test.cpp
+++ b/test/user_mgr_test.cpp
@@ -172,7 +172,7 @@
EXPECT_CALL(mockManager, isGroupMember(_, _, _)).Times(0);
userInfo = mockManager.getUserInfo(userName);
EXPECT_EQ(true, std::get<bool>(userInfo["RemoteUser"]));
- EXPECT_EQ("priv-user", std::get<std::string>(userInfo["UserPrivilege"]));
+ EXPECT_EQ("", std::get<std::string>(userInfo["UserPrivilege"]));
}
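Review bot: The new expectation on the `EXPECT_EQ("", std::get<std::string>(userInfo["UserPrivilege"]));` line pins an empty string without saying why that is the desired value, and nothing in this test checks that an empty privilege is actually refused by the code that consumes it, so the security property the commit message describes is only implied here. A short comment above the assertion, such as `// No matching privilege role map: the user gets no privilege instead of the old "priv-user" default`, would keep the intent from being "fixed" back by a later reader. The enclosing TEST body starts outside the hunk.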
TEST(GetCSVFromVector, EmptyVectorReturnsEmptyString)
diff --git a/user_mgr.cpp b/user_mgr.cpp
index 6b31208..0029326 100644
--- a/user_mgr.cpp
+++ b/user_mgr.cpp
@@ -1310,16 +1310,11 @@
}
}
- if (!userPrivilege.empty())
+ if (userPrivilege.empty())
{
- userInfo.emplace("UserPrivilege", userPrivilege);
+ lg2::warning("LDAP group privilege mapping does not exist");
}
- else
- {
- lg2::warning("LDAP group privilege mapping does not exist, "
- "default \"priv-user\" is used");
- userInfo.emplace("UserPrivilege", "priv-user");
- }
+ userInfo.emplace("UserPrivilege", userPrivilege);
}
catch (const std::bad_variant_access& e)
{
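Review bot: Dropping the default still publishes an empty string under "UserPrivilege" on the new `userInfo.emplace("UserPrivilege", userPrivilege);` line, so the fail-closed behaviour described in the commit message now depends on every consumer of getUserInfo treating "" as "no role" rather than as an unrecognised role it might tolerate; either omit the key when the mapping is missing, or state the contract at that line, e.g. `// Empty UserPrivilege: no LDAP group privilege mapping matched; consumers must treat this as no access.` The warning on the new `lg2::warning(...)` line would also be more useful when investigating a denied login if it named the account being looked up, for instance `lg2::warning("LDAP group privilege mapping does not exist for {USER}", "USER", userName);`, assuming the looked-up name is in scope under that identifier in this function. The enclosing function begins before the hunk and continues past it (the catch on the last line is cut off).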