author | JunLin Chen <Jun-Lin.Chen@quantatw.com> | 2021-12-14 09:33:49 +0300 |
---|---|---|
committer | Ed Tanous <ed@tanous.net> | 2022-05-04 21:13:11 +0300 |
commit | 031514fb7798057bbe0261a92b6c368cd5a35f66 (patch) | |
tree | 035c5e71f0b46727d8f0dab5497ff1e491d807df /redfish-core/lib/account_service.hpp | |
parent | 19ace2b2303d5908252f6ea984def84c7efcac6a (diff) | |
download | bmcweb-031514fb7798057bbe0261a92b6c368cd5a35f66.tar.xz |
Fix bmcweb crash problem when no-auth
This change is similar to
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/49465
After insecure-disable-auth=enabled, it is not necessary to log in and
establish a session before a request.
GET/PATCH /redfish/v1/AccountService/Accounts/<accountname>
(no matter whether the account exists or not)
does not return any status code and causes the bmcweb service to crash.
Solutions:
Add #ifndef BMCWEB_INSECURE_DISABLE_AUTHENTICATION and
[[maybe_unused]] const crow::Request& req
Test:
GET / PATCH with authless
https://<bmcip>/redfish/v1/AccountService/Accounts/TestAccount
Return 200
{
"@odata.id": "/redfish/v1/AccountService/Accounts/TestAccount",
"@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount",
"AccountTypes": [
"Redfish"
],
"Description": "User Account",
"Enabled": true,
"Id": "TestAccount",
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
}
},
"Locked": false,
"Locked@Redfish.AllowableValues": [
"false"
],
"Name": "User Account",
"Password": null,
"PasswordChangeRequired": false,
"RoleId": "Administrator",
"UserName": "TestAccount"
}
GET nonexistent account
https://<bmcip>/redfish/v1/AccountService/Accounts/TestAccountsss
{
"error": {
"@Message.ExtendedInfo": [
{
"@odata.type": "#Message.v1_1_1.Message",
"Message": "The requested resource of type ManagerAccount named
TestAccountsss was not found.",
"MessageArgs": [
"ManagerAccount",
"TestAccountsss"
],
"MessageId": "Base.1.8.1.ResourceNotFound",
"MessageSeverity": "Critical",
"Resolution": "Provide a valid resource identifier and resubmit
the request."
}
],
"code": "Base.1.8.1.ResourceNotFound",
"message": "The requested resource of type ManagerAccount named
TestAccountsss was not found."
}
}
Signed-off-by: JunLin Chen <Jun-Lin.Chen@quantatw.com>
Change-Id: Ic00020ac07950347973b54d49dacd44c4d4571b7
Signed-off-by: Tony Lee <tony.lee@quantatw.com>
Signed-off-by: Ed Tanous <edtanous@google.com>
Diffstat (limited to 'redfish-core/lib/account_service.hpp')
-rw-r--r-- | redfish-core/lib/account_service.hpp | 39 |
1 files changed, 38 insertions, 1 deletions
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp index 19352e8d57..8d537995b0 100644 --- a/redfish-core/lib/account_service.hpp +++ b/redfish-core/lib/account_service.hpp @@ -1708,13 +1708,26 @@ inline void requestAccountServiceRoutes(App& app) .privileges(redfish::privileges::getManagerAccount) .methods( boost::beast::http::verb:: - get)([&app](const crow::Request& req, + get)([&app]([[maybe_unused]] const crow::Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, const std::string& accountName) -> void { if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) { return; } +#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION + // If authentication is disabled, there are no user accounts + messages::resourceNotFound(asyncResp->res, + "#ManagerAccount.v1_4_0.ManagerAccount", + accountName); + return; + +#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION + if (req.session == nullptr) + { + messages::internalError(asyncResp->res); + return; + } if (req.session->username != accountName) { // At this point we've determined that the user is trying to @@ -1877,12 +1890,26 @@ inline void requestAccountServiceRoutes(App& app) { return; } +#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION + // If authentication is disabled, there are no user accounts + messages::resourceNotFound( + asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", + username); + return; + +#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION std::optional<std::string> newUserName; std::optional<std::string> password; std::optional<bool> enabled; std::optional<std::string> roleId; std::optional<bool> locked; + if (req.session == nullptr) + { + messages::internalError(asyncResp->res); + return; + } + Privileges effectiveUserPrivileges = redfish::getUserPrivileges(req.userRole); Privileges configureUsers = {"ConfigureUsers"}; 
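Review bot: The `[[maybe_unused]]` added to the GET lambda's `req` parameter is unnecessary: `req` is still passed to `setUpRedfishRoute(app, req, asyncResp->res)` before the `#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION` block in both configurations, so the parameter is never unused and the attribute only hides that it is read. Under that configuration the unconditional `return;` inside the `#ifdef` also turns the rest of the lambda, including the new `req.session == nullptr` guard, into dead code; a comment above `#endif` such as `// Everything below is unreachable when BMCWEB_INSECURE_DISABLE_AUTHENTICATION is defined` would make that deliberate rather than accidental. The commit message's test transcript (200 for TestAccount, MessageArgs `ManagerAccount`) appears to exercise the auth-enabled path rather than this new branch, which returns ResourceNotFound for every account and passes `#ManagerAccount.v1_4_0.ManagerAccount` as the resource type, so it is worth confirming which form the message registry expects. The lambda continues past the end of the hunk.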
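Review bot: In the PATCH handler the new `if (req.session == nullptr)` guard is placed after the five `std::optional` declarations instead of directly after the `setUpRedfishRoute` check as in the GET handler, and it returns a 500 with no explanation of why a missing session is a server error rather than a client one. Moving the guard up to sit next to the route setup keeps the fail-fast checks together, and a comment should state the assumption: `// A privileged route is presumably only reachable with an authenticated session; a missing one indicates a server bug, not a caller error` (the `.privileges(...)` line for this route is outside the hunk, so confirm it). The early `return;` inside `#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION` runs before `readJsonPatch`, so under that build every PATCH answers ResourceNotFound regardless of body validity, which the in-code comment should say. The enclosing lambda starts and ends outside the hunk.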
@@ -1907,6 +1934,7 @@ inline void requestAccountServiceRoutes(App& app) messages::insufficientPrivilege(asyncResp->res); return; } + // ConfigureSelf accounts can only modify their password if (!json_util::readJsonPatch(req, asyncResp->res, "Password", password)) @@ -1958,6 +1986,15 @@ inline void requestAccountServiceRoutes(App& app) { return; } + +#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION + // If authentication is disabled, there are no user accounts + messages::resourceNotFound( + asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", + username); + return; + +#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION sdbusplus::message::object_path tempObjPath(rootUserDbusPath); tempObjPath /= username; const std::string userPath(tempObjPath); |
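Review bot: This is the third verbatim copy of the `#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION` block that emits `resourceNotFound` with the hard-coded `#ManagerAccount.v1_4_0.ManagerAccount` string, so the resource type and message will drift the next time one copy is edited; a small helper keeps the string and the policy in one place and lets each handler reduce to `if (rejectAccountRouteWhenAuthDisabled(asyncResp, username)) { return; }`. The hunk does not show whether this handler later dereferences `req.session` the way GET and PATCH do, so it is worth checking that no similar null dereference remains here. The enclosing lambda starts and ends outside the hunk.
```cpp
// Under BMCWEB_INSECURE_DISABLE_AUTHENTICATION no user accounts exist, so every
// per-account route answers ResourceNotFound. Returns true when the caller
// must stop processing the request.
inline bool rejectAccountRouteWhenAuthDisabled(
    const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
    const std::string& accountName)
{
#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
    messages::resourceNotFound(asyncResp->res,
                               "#ManagerAccount.v1_4_0.ManagerAccount",
                               accountName);
    return true;
#else
    (void)asyncResp;
    (void)accountName;
    return false;
#endif
}

// … unchanged: setUpRedfishRoute check at the top of the handler …
if (rejectAccountRouteWhenAuthDisabled(asyncResp, username))
{
    return;
}
// … unchanged: tempObjPath construction and the rest of the handler …
```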