authorEd Tanous <ed.tanous@intel.com>2019-09-19 21:53:50 +0300
committerEd Tanous <ed.tanous@intel.com>2019-10-02 23:16:04 +0300
commitca0c93bb09587903a6dd43926799a967f10bafcd (patch)
treeacf23dd8bb3fc8a413152a8fd9233233fa0d5c2c /include
parente56c7b7092298c609831a65bcc8c21e62d422ba7 (diff)
downloadbmcweb-ca0c93bb09587903a6dd43926799a967f10bafcd.tar.xz
Fix role map persistence
Now that we have a live role map, there's no need to track the user's role in the session object; we have the ability to get it every time. This issue manifests itself in a fairly nefarious situation: 1. Log in, user is assigned a session, with role 2. BMC reboots. Session is persisted and restored, but role is removed. 3. User now has a valid session, but isn't authorized to do anything, which results in a 403. In the webui, this results in an inability to log out. Tested (TODO): Log in and log out functions. Reboot BMC, verify that webui doesn't log back out or return 403. Signed-off-by: Ed Tanous <ed.tanous@intel.com> Change-Id: I9bbf682d062150aa1c877217f037221471e58e9f
Diffstat (limited to 'include')
-rw-r--r--include/sessions.hpp10
1 files changed, 1 insertions, 9 deletions
diff --git a/include/sessions.hpp b/include/sessions.hpp
index c7c92ce38f..2900cd5a85 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -29,8 +29,6 @@ constexpr char const* userObjPath = "/xyz/openbmc_project/user";
constexpr char const* userAttrIface = "xyz.openbmc_project.User.Attributes";
constexpr char const* dbusPropertiesIface = "org.freedesktop.DBus.Properties";
-class SessionStore;
-
struct UserRoleMap
{
using GetManagedPropertyType =
@@ -275,7 +273,6 @@ struct UserSession
std::string uniqueId;
std::string sessionToken;
std::string username;
- std::string userRole;
std::string csrfToken;
std::chrono::time_point<std::chrono::steady_clock> lastUpdated;
PersistenceType persistence;
@@ -385,13 +382,8 @@ class SessionStore
uniqueId[i] = alphanum[dist(rd)];
}
- // Get the User Privilege
- const std::string& role =
- UserRoleMap::getInstance().getUserRole(username);
-
- BMCWEB_LOG_DEBUG << "user name=\"" << username << "\" role = " << role;
auto session = std::make_shared<UserSession>(UserSession{
- uniqueId, sessionToken, std::string(username), role, csrfToken,
+ uniqueId, sessionToken, std::string(username), csrfToken,
std::chrono::steady_clock::now(), persistence});
auto it = authTokens.emplace(std::make_pair(sessionToken, session));
// Only need to write to disk if session isn't about to be destroyed.
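Review bot: The positional initializer `UserSession{uniqueId, sessionToken, std::string(username), csrfToken, ...}` fills four adjacent `std::string` members, so a mismatch between the struct and this list compiles silently and would put a token in the wrong field; this commit keeps the two in sync, but nothing enforces it. Assigning the members by name after default construction, or giving UserSession a constructor, would make a future field change fail loudly instead. Since the role is no longer stored on the session, a comment here such as `// Role is intentionally not cached; resolve it via UserRoleMap::getInstance().getUserRole(username) when authorizing.` would tell readers where authorization data now comes from. What getUserRole returns for a username missing from the map (for example a restored session whose user has since been deleted) is not visible in this hunk and should be confirmed to grant no privileges. The enclosing function starts and ends outside the hunk.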