Implement createGroup/deleteGroup
This commit adds the implementation for CreateGroup and DeleteGroup.
These interfaces give the possibility to create OEMRole and OEMPrivilege
as proposed in the Dynamic Redfish Authz design.
[1] https://github.com/openbmc/docs/blob/master/designs/redfish-authorization.md
Since now secondary groups will change at runtime, this commit made the
|groupsMgr| non-constant. When the service starts up, it will load all
the groups in the system, and recover its |groupsMgr| in memory.
Currently, only groups with certain prefixes are allowed to change
(creation or deletion). The only use case now is Redfish previleges and
roles so the current prefixes only cover that.
Similar to user creation, this commit also added limits and checks to
make sure these interfaces are safe.
Coverage:
lines......: 84.1% (2197 of 2613 lines)
functions..: 94.3% (492 of 522 functions)
branches...: 31.1% (3506 of 11263 branches)
Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I245017afda909a0bfa594ef112d7b0d40045f80d
diff --git a/user_mgr.cpp b/user_mgr.cpp
index bd63aac..f4a90ec 100644
--- a/user_mgr.cpp
+++ b/user_mgr.cpp
@@ -38,6 +38,7 @@
#include <xyz/openbmc_project/User/Common/error.hpp>
#include <algorithm>
+#include <array>
#include <ctime>
#include <fstream>
#include <numeric>
@@ -99,8 +100,52 @@
sdbusplus::xyz::openbmc_project::User::Common::Error::UserNameGroupFail;
using NoResource =
sdbusplus::xyz::openbmc_project::User::Common::Error::NoResource;
-
using Argument = xyz::openbmc_project::Common::InvalidArgument;
+using GroupNameExists =
+ sdbusplus::xyz::openbmc_project::User::Common::Error::GroupNameExists;
+using GroupNameDoesNotExists =
+ sdbusplus::xyz::openbmc_project::User::Common::Error::GroupNameDoesNotExist;
+
+namespace
+{
+
+// The hardcoded groups in OpenBMC projects
+constexpr std::array<const char*, 4> predefinedGroups = {"web", "redfish",
+ "ipmi", "ssh"};
+
+// These prefixes are for Dynamic Redfish authorization. See
+// https://github.com/openbmc/docs/blob/master/designs/redfish-authorization.md
+
+// Base role and base privileges are added by Redfish implementation (e.g.,
+// BMCWeb) at compile time
+constexpr std::array<const char*, 4> allowedGroupPrefix = {
+ "openbmc_rfr_", // OpenBMC Redfish Base Role
+ "openbmc_rfp_", // OpenBMC Redfish Base Privileges
+ "openbmc_orfr_", // OpenBMC Redfish OEM Role
+ "openbmc_orfp_", // OpenBMC Redfish OEM Privileges
+};
+
+void checkAndThrowsForGroupChangeAllowed(const std::string& groupName)
+{
+ bool allowed = false;
+ for (std::string_view prefix : allowedGroupPrefix)
+ {
+ if (groupName.starts_with(prefix))
+ {
+ allowed = true;
+ break;
+ }
+ }
+ if (!allowed)
+ {
+ log<level::ERR>("Invalid group name; not in the allowed list",
+ entry("GroupName=%s", groupName.c_str()));
+ elog<InvalidArgument>(Argument::ARGUMENT_NAME("Group Name"),
+ Argument::ARGUMENT_VALUE(groupName.c_str()));
+ }
+}
+
+} // namespace
std::string getCSVFromVector(std::span<const std::string> vec)
{
@@ -160,6 +205,21 @@
}
}
+void UserMgr::checkAndThrowForDisallowedGroupCreation(
+ const std::string& groupName)
+{
+ if (groupName.size() > maxSystemGroupNameLength ||
+ !std::regex_match(groupName.c_str(),
+ std::regex("[a-zA-z_][a-zA-Z_0-9]*")))
+ {
+ log<level::ERR>("Invalid group name",
+ entry("GroupName=%s", groupName.c_str()));
+ elog<InvalidArgument>(Argument::ARGUMENT_NAME("Group Name"),
+ Argument::ARGUMENT_VALUE(groupName.c_str()));
+ }
+ checkAndThrowsForGroupChangeAllowed(groupName);
+}
+
void UserMgr::throwForUserExists(const std::string& userName)
{
if (isUserExist(userName))
@@ -255,6 +315,30 @@
}
}
+std::vector<std::string> UserMgr::readAllGroupsOnSystem()
+{
+ std::vector<std::string> allGroups = {predefinedGroups.begin(),
+ predefinedGroups.end()};
+ // rewinds to the beginning of the group database
+ setgrent();
+ struct group* gr = getgrent();
+ while (gr != nullptr)
+ {
+ std::string group(gr->gr_name);
+ for (std::string_view prefix : allowedGroupPrefix)
+ {
+ if (group.starts_with(prefix))
+ {
+ allGroups.push_back(gr->gr_name);
+ }
+ }
+ gr = getgrent();
+ }
+ // close the group database
+ endgrent();
+ return allGroups;
+}
+
void UserMgr::createUser(std::string userName,
std::vector<std::string> groupNames, std::string priv,
bool enabled)
@@ -327,6 +411,73 @@
return;
}
+void UserMgr::checkDeleteGroupConstraints(const std::string& groupName)
+{
+ if (std::find(groupsMgr.begin(), groupsMgr.end(), groupName) ==
+ groupsMgr.end())
+ {
+ log<level::ERR>("Group already exists",
+ entry("GROUP_NAME=%s", groupName.c_str()));
+ elog<GroupNameDoesNotExists>();
+ }
+ checkAndThrowsForGroupChangeAllowed(groupName);
+}
+
+void UserMgr::deleteGroup(std::string groupName)
+{
+ checkDeleteGroupConstraints(groupName);
+ try
+ {
+ executeGroupDeletion(groupName.c_str());
+ }
+ catch (const InternalFailure& e)
+ {
+ log<level::ERR>("Group delete failed",
+ entry("GROUP_NAME=%s", groupName.c_str()));
+ elog<InternalFailure>();
+ }
+
+ groupsMgr.erase(std::find(groupsMgr.begin(), groupsMgr.end(), groupName));
+ UserMgrIface::allGroups(groupsMgr);
+ log<level::INFO>("Group deleted successfully",
+ entry("GROUP_NAME=%s", groupName.c_str()));
+}
+
+void UserMgr::checkCreateGroupConstraints(const std::string& groupName)
+{
+ if (std::find(groupsMgr.begin(), groupsMgr.end(), groupName) !=
+ groupsMgr.end())
+ {
+ log<level::ERR>("Group already exists",
+ entry("GROUP_NAME=%s", groupName.c_str()));
+ elog<GroupNameExists>();
+ }
+ checkAndThrowForDisallowedGroupCreation(groupName);
+ if (groupsMgr.size() >= maxSystemGroupCount)
+ {
+ log<level::ERR>("Group limit reached");
+ elog<NoResource>(xyz::openbmc_project::User::Common::NoResource::REASON(
+ "Group limit reached"));
+ }
+}
+
+void UserMgr::createGroup(std::string groupName)
+{
+ checkCreateGroupConstraints(groupName);
+ try
+ {
+ executeGroupCreation(groupName.c_str());
+ }
+ catch (const InternalFailure& e)
+ {
+ log<level::ERR>("Group create failed",
+ entry("GROUP_NAME=%s", groupName.c_str()));
+ elog<InternalFailure>();
+ }
+ groupsMgr.push_back(groupName);
+ UserMgrIface::allGroups(groupsMgr);
+}
+
void UserMgr::renameUser(std::string userName, std::string newUserName)
{
// All user management lock has to be based on /etc/shadow
@@ -668,7 +819,6 @@
boost::algorithm::split(splitWords, output[t2OutputIndex],
boost::algorithm::is_any_of("\t "),
boost::token_compress_on);
-
uint16_t failAttempts = 0;
try
{
@@ -1056,6 +1206,16 @@
return false;
}
+void UserMgr::executeGroupCreation(const char* groupName)
+{
+ executeCmd("/usr/sbin/groupadd", groupName);
+}
+
+void UserMgr::executeGroupDeletion(const char* groupName)
+{
+ executeCmd("/usr/sbin/groupdel", groupName);
+}
+
UserInfoMap UserMgr::getUserInfo(std::string userName)
{
UserInfoMap userInfo;
@@ -1280,7 +1440,9 @@
if (!userNameList.empty())
{
std::map<std::string, std::vector<std::string>> groupLists;
- for (auto& grp : groupsMgr)
+ // We only track users that are in the |predefinedGroups|
+ // The other groups don't contain real BMC users.
+ for (const char* grp : predefinedGroups)
{
if (grp == grpSsh)
{
@@ -1337,6 +1499,7 @@
pamAuthConfigFile(defaultPamAuthConfigFile)
{
UserMgrIface::allPrivileges(privMgr);
+ groupsMgr = readAllGroupsOnSystem();
std::sort(groupsMgr.begin(), groupsMgr.end());
UserMgrIface::allGroups(groupsMgr);
initializeAccountPolicy();
@@ -1389,17 +1552,5 @@
return executeCmd("/usr/sbin/pam_tally2", "-u", userName);
}
-void UserMgr::createGroup(std::string /*groupName*/)
-{
- log<level::ERR>("Not implemented yet");
- elog<InternalFailure>();
-}
-
-void UserMgr::deleteGroup(std::string /*groupName*/)
-{
- log<level::ERR>("Not implemented yet");
- elog<InternalFailure>();
-}
-
} // namespace user
} // namespace phosphor