Check LDAP group name after PrivilegeMapperEntry fully parsed
The current code checks whether the LDAP group name matches while still
looping through the PrivilegeMapperEntry interface. When GroupName is parsed
first, it may assign a wrong Privilege value to the group. This patch fixes
the issue by checking the LDAP group name after a mapping entry is fully
parsed, and also exits the loop after a match to improve performance.
Tested:
Verified correct group privilege is returned when multiple mapping
entries are configured.
Change-Id: I4795e3f1f974624bb2b46c40ccd729e259512ce4
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@intel.com>
diff --git a/user_mgr.cpp b/user_mgr.cpp
index 61ffc05..4a44b32 100644
--- a/user_mgr.cpp
+++ b/user_mgr.cpp
@@ -1080,9 +1080,8 @@
DbusUserObj objects = getPrivilegeMapperObject();
- std::string privilege;
- std::string groupName;
std::string ldapConfigPath;
+ std::string userPrivilege;
try
{
@@ -1125,6 +1124,8 @@
(obj.first.str.find(ldapConfigPath) !=
std::string::npos))
{
+ std::string privilege;
+ std::string groupName;
for (const auto& property : interface.second)
{
@@ -1137,20 +1138,25 @@
{
privilege = value;
}
- if (groupName == ldapGroupName)
- {
- userInfo["UserPrivilege"] = privilege;
- }
+ }
+ if (groupName == ldapGroupName)
+ {
+ userPrivilege = privilege;
+ break;
}
}
}
+ if (!userPrivilege.empty())
+ {
+ break;
+ }
}
- auto priv = std::get<std::string>(userInfo["UserPrivilege"]);
- if (priv.empty())
+ if (userPrivilege.empty())
{
log<level::ERR>("LDAP group privilege mapping does not exist");
}
+ userInfo.emplace("UserPrivilege", userPrivilege);
}
catch (const std::bad_variant_access& e)
{
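Review bot: The outer-loop exit `if (!userPrivilege.empty())` uses a non-empty privilege as the "match found" signal, so an entry whose GroupName matches but whose Privilege is empty does not end the scan, and a later object with the same group name can still decide the role. If the first match is meant to be authoritative, a separate flag expresses that: declare `bool found = false;` next to `userPrivilege`, set `found = true;` before the inner `break`, and test `if (found)` in the outer loop. Separately, `userInfo.emplace("UserPrivilege", userPrivilege)` keeps any value already stored under that key, whereas the removed `userInfo["UserPrivilege"] = privilege` overwrote it; if `userInfo` can already hold the key on this path (not visible in the hunk), `userInfo["UserPrivilege"] = userPrivilege;` preserves the old behaviour. The no-mapping case is only logged and an empty string is still returned, so a comment such as `// empty UserPrivilege means no mapped role; callers must treat it as no access` would document the fail-closed expectation. The enclosing function starts and ends outside the hunk.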