Add support for deleting authentication failure record files
Added fix for #phosphor-user-manager/issues/4
If a user account locked due to user's password with too many
failed attempts use case, password will locked out for same
name account creation. This issues is due to missing authentication
failure record files clear in the account user delete path.
Added function for deleting authentication failure record files
in the account delete api to fix this issue.
faillock command --reset option is used to clear user's failure
records. Refer https://linux.die.net/man/8/faillock for details.
Tested: Created user and perform multiple failed authentication to
lock the account. After Account delete, and recreate a user with
same name , worked as expected.
Change-Id: I63a1becafa30035ac549166a1d70ee58baee86b4
Signed-off-by: Jayanth Othayoth <ojayanth@in.ibm.com>
diff --git a/test/user_mgr_test.cpp b/test/user_mgr_test.cpp
index 0bd5e1c..d5049a0 100644
--- a/test/user_mgr_test.cpp
+++ b/test/user_mgr_test.cpp
@@ -293,6 +293,9 @@
ON_CALL(*this, executeUserDelete).WillByDefault(testing::Return());
+ ON_CALL(*this, executeUserClearFailRecords)
+ .WillByDefault(testing::Return());
+
ON_CALL(*this, getIpmiUsersCount).WillByDefault(testing::Return(0));
ON_CALL(*this, executeUserRename).WillByDefault(testing::Return());
@@ -326,6 +329,8 @@
MOCK_METHOD(void, executeUserDelete, (const char*), (override));
+ MOCK_METHOD(void, executeUserClearFailRecords, (const char*), (override));
+
MOCK_METHOD(size_t, getIpmiUsersCount, (), (override));
MOCK_METHOD(void, executeUserRename, (const char*, const char*),
@@ -552,6 +557,23 @@
EXPECT_NO_THROW(UserMgr::deleteUser(username));
}
+TEST_F(UserMgrInTest,
+ DeleteUserThrowsInternalFailureWhenExecuteUserClearFailRecords)
+{
+ const char* username = "user";
+ EXPECT_NO_THROW(
+ UserMgr::createUser(username, {"redfish", "ssh"}, "priv-user", true));
+ EXPECT_CALL(*this, executeUserClearFailRecords(testing::StrEq(username)))
+ .WillOnce(testing::Throw(
+ sdbusplus::xyz::openbmc_project::Common::Error::InternalFailure()))
+ .WillOnce(testing::DoDefault());
+
+ EXPECT_THROW(
+ deleteUser(username),
+ sdbusplus::xyz::openbmc_project::Common::Error::InternalFailure);
+ EXPECT_NO_THROW(UserMgr::deleteUser(username));
+}
+
TEST_F(UserMgrInTest, ThrowForInvalidPrivilegeThrowsWhenPrivilegeIsInvalid)
{
EXPECT_THROW(
diff --git a/user_mgr.cpp b/user_mgr.cpp
index edb25f3..6d58fa8 100644
--- a/user_mgr.cpp
+++ b/user_mgr.cpp
@@ -396,6 +396,9 @@
try
{
executeUserDelete(userName.c_str());
+
+ // Clear user fail records
+ executeUserClearFailRecords(userName.c_str());
}
catch (const InternalFailure& e)
{
@@ -968,7 +971,8 @@
try
{
- executeCmd("/usr/sbin/faillock", "--user", userName.c_str(), "--reset");
+ // Clear user fail records
+ executeUserClearFailRecords(userName.c_str());
}
catch (const InternalFailure& e)
{
@@ -1607,6 +1611,11 @@
executeCmd("/usr/sbin/userdel", userName, "-r");
}
+void UserMgr::executeUserClearFailRecords(const char* userName)
+{
+ executeCmd("/usr/sbin/faillock", "--user", userName, "--reset");
+}
+
void UserMgr::executeUserRename(const char* userName, const char* newUserName)
{
std::string newHomeDir = "/home/";
diff --git a/user_mgr.hpp b/user_mgr.hpp
index 559ab8b..f182968 100644
--- a/user_mgr.hpp
+++ b/user_mgr.hpp
@@ -355,6 +355,13 @@
virtual void executeUserDelete(const char* userName);
+ /** @brief clear user's failure records
+ * method to clear user fail records and throw if failed.
+ *
+ * @param[in] userName - name of the user
+ */
+ virtual void executeUserClearFailRecords(const char* userName);
+
virtual void executeUserRename(const char* userName,
const char* newUserName);