diff options
author | Ed Tanous <edtanous@google.com> | 2023-02-28 01:19:07 +0300 |
---|---|---|
committer | Ed Tanous <ed@tanous.net> | 2023-03-23 00:09:03 +0300 |
commit | e551b5fa48a78c06441456106e35d4b2ac8642b6 (patch) | |
tree | ead133639e163f39ba0344eeb970a1a2b5842cfb | |
parent | 2661b72c84fc0c04b4d0acc7bca2e5a4d05cfaea (diff) | |
download | bmcweb-e551b5fa48a78c06441456106e35d4b2ac8642b6.tar.xz |
Remove authorization checks in nbd_proxy
nbd proxy should not have its own authorization checks, as these are
now handled in the core as of 7e9093e625961f533250a6c193c1a474e98007c4
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I8874d8a09278ba21d2acfdf076cb76dee718ecf4
-rw-r--r-- | http/websocket.hpp | 29 | ||||
-rw-r--r-- | include/nbd_proxy.hpp | 164 |
2 files changed, 59 insertions, 134 deletions
diff --git a/http/websocket.hpp b/http/websocket.hpp index f17ee5e7d0..216e96fef6 100644 --- a/http/websocket.hpp +++ b/http/websocket.hpp @@ -20,12 +20,7 @@ namespace websocket struct Connection : std::enable_shared_from_this<Connection> { public: - explicit Connection(const crow::Request& reqIn) : - req(reqIn.req), userdataPtr(nullptr) - {} - - explicit Connection(const crow::Request& reqIn, std::string user) : - req(reqIn.req), userName{std::move(user)}, userdataPtr(nullptr) + explicit Connection(const crow::Request& reqIn) : req(reqIn.req) {} Connection(const Connection&) = delete; @@ -41,26 +36,7 @@ struct Connection : std::enable_shared_from_this<Connection> virtual boost::asio::io_context& getIoContext() = 0; virtual ~Connection() = default; - void userdata(void* u) - { - userdataPtr = u; - } - void* userdata() - { - return userdataPtr; - } - - const std::string& getUserName() const - { - return userName; - } - boost::beast::http::request<boost::beast::http::string_body> req; - crow::Response res; - - private: - std::string userName{}; - void* userdataPtr; }; template <typename Adaptor> @@ -74,8 +50,7 @@ class ConnectionImpl : public Connection messageHandlerIn, std::function<void(Connection&, const std::string&)> closeHandlerIn, std::function<void(Connection&)> errorHandlerIn) : - Connection(reqIn, reqIn.session == nullptr ? std::string{} - : reqIn.session->username), + Connection(reqIn), ws(std::move(adaptorIn)), inBuffer(inString, 131088), openHandler(std::move(openHandlerIn)), messageHandler(std::move(messageHandlerIn)), diff --git a/include/nbd_proxy.hpp b/include/nbd_proxy.hpp index fbbf3cce13..75cb2d2ac0 100644 --- a/include/nbd_proxy.hpp +++ b/include/nbd_proxy.hpp @@ -257,141 +257,91 @@ inline void onOpen(crow::websocket::Connection& conn) { BMCWEB_LOG_DEBUG << "nbd-proxy.onopen(" << &conn << ")"; - auto getUserInfoHandler = - [&conn](const boost::system::error_code& ec, - const dbus::utility::DBusPropertiesMap& userInfo) { - if (ec) + auto openHandler = + [&conn](const boost::system::error_code& ec2, + const dbus::utility::ManagedObjectType& objects) { + const std::string* socketValue = nullptr; + const std::string* endpointValue = nullptr; + const std::string* endpointObjectPath = nullptr; + + if (ec2) { - BMCWEB_LOG_ERROR << "GetUserInfo failed..."; - conn.close("Failed to get user information"); + BMCWEB_LOG_ERROR << "DBus error: " << ec2.message(); + conn.close("Failed to create mount point"); return; } - const std::string* userRolePtr = nullptr; - auto userInfoIter = - std::find_if(userInfo.begin(), userInfo.end(), [](const auto& p) { - return p.first == "UserPrivilege"; - }); - if (userInfoIter != userInfo.end()) - { - userRolePtr = std::get_if<std::string>(&userInfoIter->second); - } - - std::string userRole{}; - if (userRolePtr != nullptr) + for (const auto& [objectPath, interfaces] : objects) { - userRole = *userRolePtr; - BMCWEB_LOG_DEBUG << "userName = " << conn.getUserName() - << " userRole = " << *userRolePtr; - } - - // Get the user privileges from the role - ::redfish::Privileges userPrivileges = - ::redfish::getUserPrivileges(userRole); - - const ::redfish::Privileges requiredPrivileges{requiredPrivilegeString}; - - if (!userPrivileges.isSupersetOf(requiredPrivileges)) - { - BMCWEB_LOG_DEBUG << "User " << conn.getUserName() - << " not authorized for nbd connection"; - conn.close("Unathourized access"); - return; - } - - auto openHandler = - [&conn](const boost::system::error_code& ec2, - const dbus::utility::ManagedObjectType& objects) { - const std::string* socketValue = nullptr; - const std::string* endpointValue = nullptr; - const std::string* endpointObjectPath = nullptr; - - if (ec2) + for (const auto& [interface, properties] : interfaces) { - BMCWEB_LOG_ERROR << "DBus error: " << ec2.message(); - conn.close("Failed to create mount point"); - return; - } + if (interface != "xyz.openbmc_project.VirtualMedia.MountPoint") + { + continue; + } - for (const auto& [objectPath, interfaces] : objects) - { - for (const auto& [interface, properties] : interfaces) + for (const auto& [name, value] : properties) { - if (interface != - "xyz.openbmc_project.VirtualMedia.MountPoint") + if (name == "EndpointId") { - continue; - } + endpointValue = std::get_if<std::string>(&value); - for (const auto& [name, value] : properties) - { - if (name == "EndpointId") + if (endpointValue == nullptr) { - endpointValue = std::get_if<std::string>(&value); - - if (endpointValue == nullptr) - { - BMCWEB_LOG_ERROR - << "EndpointId property value is null"; - } + BMCWEB_LOG_ERROR + << "EndpointId property value is null"; } - if (name == "Socket") + } + if (name == "Socket") + { + socketValue = std::get_if<std::string>(&value); + if (socketValue == nullptr) { - socketValue = std::get_if<std::string>(&value); - if (socketValue == nullptr) - { - BMCWEB_LOG_ERROR - << "Socket property value is null"; - } + BMCWEB_LOG_ERROR << "Socket property value is null"; } } } - - if ((endpointValue != nullptr) && (socketValue != nullptr) && - *endpointValue == conn.req.target()) - { - endpointObjectPath = &objectPath.str; - break; - } } - if (objects.empty() || endpointObjectPath == nullptr) + if ((endpointValue != nullptr) && (socketValue != nullptr) && + *endpointValue == conn.req.target()) { - BMCWEB_LOG_ERROR << "Cannot find requested EndpointId"; - conn.close("Failed to match EndpointId"); - return; + endpointObjectPath = &objectPath.str; + break; } + } + + if (objects.empty() || endpointObjectPath == nullptr) + { + BMCWEB_LOG_ERROR << "Cannot find requested EndpointId"; + conn.close("Failed to match EndpointId"); + return; + } - for (const auto& session : sessions) + for (const auto& session : sessions) + { + if (session.second->getEndpointId() == conn.req.target()) { - if (session.second->getEndpointId() == conn.req.target()) - { - BMCWEB_LOG_ERROR - << "Cannot open new connection - socket is in use"; - conn.close("Slot is in use"); - return; - } + BMCWEB_LOG_ERROR + << "Cannot open new connection - socket is in use"; + conn.close("Slot is in use"); + return; } + } - // If the socket file exists (i.e. after bmcweb crash), - // we cannot reuse it. - std::remove((*socketValue).c_str()); + // If the socket file exists (i.e. after bmcweb crash), + // we cannot reuse it. + std::remove((*socketValue).c_str()); - sessions[&conn] = std::make_shared<NbdProxyServer>( - conn, *socketValue, *endpointValue, *endpointObjectPath); + sessions[&conn] = std::make_shared<NbdProxyServer>( + conn, *socketValue, *endpointValue, *endpointObjectPath); - sessions[&conn]->run(); - }; - crow::connections::systemBus->async_method_call( - std::move(openHandler), "xyz.openbmc_project.VirtualMedia", - "/xyz/openbmc_project/VirtualMedia", - "org.freedesktop.DBus.ObjectManager", "GetManagedObjects"); + sessions[&conn]->run(); }; - crow::connections::systemBus->async_method_call( - std::move(getUserInfoHandler), "xyz.openbmc_project.User.Manager", - "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager", - "GetUserInfo", conn.getUserName()); + std::move(openHandler), "xyz.openbmc_project.VirtualMedia", + "/xyz/openbmc_project/VirtualMedia", + "org.freedesktop.DBus.ObjectManager", "GetManagedObjects"); } inline void onClose(crow::websocket::Connection& conn, |