UserMgr: Fix the privilege determination
By default, all users in Active Directory have the primary group
`users`. Giving the full access to the BMC to all users from the such
group is a bad idea. And changing the primary group in
Active Directory/LDAP can be inadvisable.
This fix allows to use in the role mapping the group that isn't the
primary group. All members of the such group will get the role,
according with the role mapping.
Tested by:
- Configure LDAP
- Add non primary LDAP group to the role map
- Verify `GetUserInfo` reply for the member of the group used in the
previous step. It should contain corresponding privilege.
- Add primary LDAP group to the role map and verify `GetUserInfo` for
its member. It also should contain corresponding role.
Change-Id: I61a87a21446577c0bf059f50139c7b4c711059c7
Signed-off-by: Alexander Filippov <a.filippov@yadro.com>
diff --git a/test/user_mgr_test.cpp b/test/user_mgr_test.cpp
index ae8f35d..5db642e 100644
--- a/test/user_mgr_test.cpp
+++ b/test/user_mgr_test.cpp
@@ -17,9 +17,12 @@
{
using ::testing::Return;
+using ::testing::Throw;
using InternalFailure =
sdbusplus::xyz::openbmc_project::Common::Error::InternalFailure;
+using UserNameDoesNotExist =
+ sdbusplus::xyz::openbmc_project::User::Common::Error::UserNameDoesNotExist;
class TestUserMgr : public testing::Test
{
@@ -91,9 +94,10 @@
std::string userName = "user";
UserInfoMap userInfo;
- EXPECT_CALL(mockManager, getLdapGroupName(userName))
- .WillRepeatedly(Return(""));
- EXPECT_THROW(userInfo = mockManager.getUserInfo(userName), InternalFailure);
+ EXPECT_CALL(mockManager, getPrimaryGroup(userName))
+ .WillRepeatedly(Throw(UserNameDoesNotExist()));
+ EXPECT_THROW(userInfo = mockManager.getUserInfo(userName),
+ UserNameDoesNotExist);
}
TEST_F(TestUserMgr, localUser)
@@ -121,13 +125,16 @@
UserInfoMap userInfo;
std::string userName = "ldapUser";
std::string ldapGroup = "ldapGroup";
+ gid_t primaryGid = 1000;
- EXPECT_CALL(mockManager, getLdapGroupName(userName))
- .WillRepeatedly(Return(ldapGroup));
+ EXPECT_CALL(mockManager, getPrimaryGroup(userName))
+ .WillRepeatedly(Return(primaryGid));
// Create privilege mapper dbus object
DbusUserObj object = createPrivilegeMapperDbusObject();
EXPECT_CALL(mockManager, getPrivilegeMapperObject())
.WillRepeatedly(Return(object));
+ EXPECT_CALL(mockManager, isGroupMember(userName, primaryGid, ldapGroup))
+ .WillRepeatedly(Return(true));
userInfo = mockManager.getUserInfo(userName);
EXPECT_EQ(true, std::get<bool>(userInfo["RemoteUser"]));
EXPECT_EQ("priv-admin", std::get<std::string>(userInfo["UserPrivilege"]));
@@ -135,16 +142,20 @@
TEST_F(TestUserMgr, ldapUserWithoutPrivMapper)
{
+ using ::testing::_;
+
UserInfoMap userInfo;
std::string userName = "ldapUser";
std::string ldapGroup = "ldapGroup";
+ gid_t primaryGid = 1000;
- EXPECT_CALL(mockManager, getLdapGroupName(userName))
- .WillRepeatedly(Return(ldapGroup));
+ EXPECT_CALL(mockManager, getPrimaryGroup(userName))
+ .WillRepeatedly(Return(primaryGid));
// Create LDAP config object without privilege mapper
DbusUserObj object = createLdapConfigObjectWithoutPrivilegeMapper();
EXPECT_CALL(mockManager, getPrivilegeMapperObject())
.WillRepeatedly(Return(object));
+ EXPECT_CALL(mockManager, isGroupMember(_, _, _)).Times(0);
userInfo = mockManager.getUserInfo(userName);
EXPECT_EQ(true, std::get<bool>(userInfo["RemoteUser"]));
EXPECT_EQ("", std::get<std::string>(userInfo["UserPrivilege"]));