path: root/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/http_routing/0004-Add-Privileges-to-Websockets.patch
From 9b27d3e7c1670d53cfb1c0a88cc75155ebfba71a Mon Sep 17 00:00:00 2001
From: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com>
Date: Mon, 18 Oct 2021 22:58:29 +0530
Subject: [PATCH] Add Privileges to Websockets

This commit adds Privileges to Websockets.
In the current implementation, once a rule is upgraded (i.e. from
BaseRule to WebSocket), there is no provision to add privileges.
In this commit, WebSocket inherits PrivilegeParameterTraits to enable
privileges.

Also, in the earlier implementation, .privileges() was called directly
after BMCWEB_ROUTE(). This results in adding those privileges to the Base
rule that is created. By moving .privileges() below .websocket(), the
privileges are applied to the websocket.

Tested:
 - websocket_test.py Passed
 - Admin and Operator users were able to access KVM on WebUI
 - Readonly User was unable to access KVM on WebUI

Change-Id: Iff2051dbb7d363c902fd463fa446f280adc6d648
Signed-off-by: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com>
---
 http/routing.hpp          | 4 +++-
 include/dbus_monitor.hpp  | 3 ++-
 include/kvm_websocket.hpp | 4 +++-
 include/obmc_console.hpp  | 4 +++-
 include/vm_websocket.hpp  | 4 +++-
 5 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/http/routing.hpp b/http/routing.hpp
index e2a8fbb..6ea3185 100644
--- a/http/routing.hpp
+++ b/http/routing.hpp
@@ -345,7 +345,9 @@ struct PrivilegeParameterTraits
     }
 };
 
-class WebSocketRule : public BaseRule
+class WebSocketRule :
+    public BaseRule,
+    public PrivilegeParameterTraits<WebSocketRule>
 {
     using self_t = WebSocketRule;
 
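Review bot: Nothing on `WebSocketRule` records that `.privileges()` only takes effect when it is chained after `.websocket()`; per the commit description, a call placed before the upgrade still compiles but lands on the base rule, so a mis-ordered route would presumably leave the websocket without a privilege requirement instead of failing. I would add a comment above the class, e.g. `// Privileges must be set on this rule, i.e. chained after .websocket(); privileges set before the upgrade are applied to the base rule and do not protect the websocket.` A follow-up that rejects or carries over privileges set before the upgrade would close the gap properly, but that code is outside this hunk, as is the rest of the class body.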
diff --git a/include/dbus_monitor.hpp b/include/dbus_monitor.hpp
index a6c86c6..163f884 100644
--- a/include/dbus_monitor.hpp
+++ b/include/dbus_monitor.hpp
@@ -5,6 +5,7 @@
 #include <boost/container/flat_set.hpp>
 #include <dbus_singleton.hpp>
 #include <openbmc_dbus_rest.hpp>
+#include <registries/privilege_registry.hpp>
 #include <sdbusplus/bus/match.hpp>
 #include <sdbusplus/message/types.hpp>
 #include <websocket.hpp>
@@ -105,8 +106,8 @@ inline int onPropertyUpdate(sd_bus_message* m, void* userdata,
 inline void requestRoutes(App& app)
 {
     BMCWEB_ROUTE(app, "/subscribe")
-        .privileges({{"Login"}})
         .websocket()
+        .privileges(redfish::privileges::privilegeSetLogin)
         .onopen([&](crow::websocket::Connection& conn,
                     const std::shared_ptr<bmcweb::AsyncResp>&) {
             BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened";
diff --git a/include/kvm_websocket.hpp b/include/kvm_websocket.hpp
index a9dc8ea..3f124a2 100644
--- a/include/kvm_websocket.hpp
+++ b/include/kvm_websocket.hpp
@@ -4,6 +4,7 @@
 #include <app.hpp>
 #include <async_resp.hpp>
 #include <boost/container/flat_map.hpp>
+#include <registries/privilege_registry.hpp>
 #include <websocket.hpp>
 
 namespace crow
@@ -159,8 +160,9 @@ inline void requestRoutes(App& app)
     sessions.reserve(maxSessions);
 
     BMCWEB_ROUTE(app, "/kvm/0")
-        .privileges({{"ConfigureComponents", "ConfigureManager"}})
         .websocket()
+        .privileges(redfish::privileges::
+                        privilegeSetConfigureManagerOrConfigureComponents)
         .onopen([](crow::websocket::Connection& conn,
                    const std::shared_ptr<bmcweb::AsyncResp>&) {
             BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened";
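Review bot: The privilege expression on `/kvm/0` changes meaning here, not just position: if bmcweb's nested-list convention holds (each inner list is one set whose entries are all required, which is not visible on this page), the old `{{"ConfigureComponents", "ConfigureManager"}}` asked for both privileges, while `privilegeSetConfigureManagerOrConfigureComponents` by its name accepts either. The Tested section suggests Operator access to KVM is intended, but the same widening is applied to `/console0` in obmc_console.hpp and `/vm/0/0` in vm_websocket.hpp, which the test notes do not cover. If both privileges should still be required, keep the original expression after the upgrade, `.websocket().privileges({{"ConfigureComponents", "ConfigureManager"}})`; otherwise state the Operator change in the commit message and test a read-only and an Operator session against all three routes. `requestRoutes` continues outside the hunk.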
diff --git a/include/obmc_console.hpp b/include/obmc_console.hpp
index ff0a51f..22a49a8 100644
--- a/include/obmc_console.hpp
+++ b/include/obmc_console.hpp
@@ -6,6 +6,7 @@
 #include <boost/asio/local/stream_protocol.hpp>
 #include <boost/container/flat_map.hpp>
 #include <boost/container/flat_set.hpp>
+#include <registries/privilege_registry.hpp>
 #include <websocket.hpp>
 
 namespace crow
@@ -136,8 +137,9 @@ inline void connectHandler(const boost::system::error_code& ec)
 inline void requestRoutes(App& app)
 {
     BMCWEB_ROUTE(app, "/console0")
-        .privileges({{"ConfigureComponents", "ConfigureManager"}})
         .websocket()
+        .privileges(redfish::privileges::
+                        privilegeSetConfigureManagerOrConfigureComponents)
         .onopen([](crow::websocket::Connection& conn,
                    const std::shared_ptr<bmcweb::AsyncResp>&) {
             BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened";
diff --git a/include/vm_websocket.hpp b/include/vm_websocket.hpp
index 02f958a..ebbe68f 100644
--- a/include/vm_websocket.hpp
+++ b/include/vm_websocket.hpp
@@ -3,6 +3,7 @@
 #include <app.hpp>
 #include <boost/beast/core/flat_static_buffer.hpp>
 #include <boost/process.hpp>
+#include <registries/privilege_registry.hpp>
 #include <websocket.hpp>
 
 #include <csignal>
@@ -156,8 +157,9 @@ static std::shared_ptr<Handler> handler;
 inline void requestRoutes(App& app)
 {
     BMCWEB_ROUTE(app, "/vm/0/0")
-        .privileges({{"ConfigureComponents", "ConfigureManager"}})
         .websocket()
+        .privileges(redfish::privileges::
+                        privilegeSetConfigureManagerOrConfigureComponents)
         .onopen([](crow::websocket::Connection& conn,
                    const std::shared_ptr<bmcweb::AsyncResp>&) {
             BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened";
-- 
2.17.1