Allow to log in when using remote authentication
For accounts authenticated remotely (e.g. with LDAP or RADIUS) the API
endpoint (handled by bmcweb) can not provide any information about
RoleId currently, reporting 404 instead. This confuses the frontend and
it doesn't allow to navigate at all.
Fix this by lifting all frontend-side restrictions, assuming the
'Administrator' role in this case. Since the backend verifies the validity
of each and every request anyway, this does not affect security.
Tested: logging in, out and incorrectly using local BMC and remote LDAP
users, reloading the page with an active session. In all cases frontend
behaved as expected, storing assumed RoleId after getting 404 not found
reply and using it for unrestricted routing decisions.
Change-Id: If17d06bf0b8a372acd1980f6777227e25d9c78d8
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
diff --git a/src/router/routes.js b/src/router/routes.js
index eb376aa..5424cab 100644
--- a/src/router/routes.js
+++ b/src/router/routes.js
@@ -301,4 +301,4 @@
},
];
-export default routes;
+export { routes as default, roles };
diff --git a/src/store/modules/Authentication/AuthenticanStore.js b/src/store/modules/Authentication/AuthenticanStore.js
index 5727015..2006661 100644
--- a/src/store/modules/Authentication/AuthenticanStore.js
+++ b/src/store/modules/Authentication/AuthenticanStore.js
@@ -1,6 +1,7 @@
import api from '@/store/api';
import Cookies from 'js-cookie';
import router from '@/router';
+import { roles } from '@/router/routes';
const AuthenticationStore = {
namespaced: true,
@@ -68,7 +69,16 @@
commit('global/setPrivilege', data.RoleId, { root: true });
return data;
})
- .catch((error) => console.log(error));
+ .catch((error) => {
+ if (error.response?.status === 404) {
+ // We have valid credentials but user isn't known, assume remote
+ // authentication (e.g. LDAP) and do not restrict the routing
+ commit('global/setPrivilege', roles.administrator, { root: true });
+ return {};
+ } else {
+ console.log(error);
+ }
+ });
},
resetStoreState({ state }) {
state.authError = false;
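Review bot: The 404 branch of the added `.catch` fails open. Any 404 from this request, whatever its cause, makes the frontend store `roles.administrator`, so a remotely authenticated user with a lower backend role is shown every admin-only route and only finds out from the backend's rejections. That is acceptable only while the backend authorizes every request, as the commit message states, and the code comment should record it, e.g. `// UI-only: this role gates navigation, not authorization; the backend must still reject every request the user may not make`. The two branches also resolve differently (`{}` on 404, `undefined` after `console.log(error)`), so callers of this action see two shapes on failure; it is worth choosing one and documenting it. The enclosing action starts outside the hunk, so how callers use the resolved value is not visible here.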