authorJunLin Chen <Jun-Lin.Chen@quantatw.com>2021-12-14 09:33:49 +0300
committerEd Tanous <ed@tanous.net>2022-05-04 21:13:11 +0300
commit031514fb7798057bbe0261a92b6c368cd5a35f66 (patch)
tree035c5e71f0b46727d8f0dab5497ff1e491d807df /redfish-core/lib/account_service.hpp
parent19ace2b2303d5908252f6ea984def84c7efcac6a (diff)
Fix bmcweb crash problem when no-auth
This change is similar to https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/49465. After insecure-disable-auth=enabled, it is not necessary to log in and establish a session before a request. GET/PATCH /redfish/v1/AccountService/Accounts/<accountname> (no matter whether the account exists or not) does not return any status code and causes the bmcweb service to crash. Solutions: Add #ifndef BMCWEB_INSECURE_DISABLE_AUTHENTICATION and [[maybe_unused]] const crow::Request& req Test: GET / PATCH without authentication https://<bmcip>/redfish/v1/AccountService/Accounts/TestAccount Return 200 { "@odata.id": "/redfish/v1/AccountService/Accounts/TestAccount", "@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount", "AccountTypes": [ "Redfish" ], "Description": "User Account", "Enabled": true, "Id": "TestAccount", "Links": { "Role": { "@odata.id": "/redfish/v1/AccountService/Roles/Administrator" } }, "Locked": false, "Locked@Redfish.AllowableValues": [ "false" ], "Name": "User Account", "Password": null, "PasswordChangeRequired": false, "RoleId": "Administrator", "UserName": "TestAccount" } GET nonexistent account https://<bmcip>/redfish/v1/AccountService/Accounts/TestAccountsss { "error": { "@Message.ExtendedInfo": [ { "@odata.type": "#Message.v1_1_1.Message", "Message": "The requested resource of type ManagerAccount named TestAccountsss was not found.", "MessageArgs": [ "ManagerAccount", "TestAccountsss" ], "MessageId": "Base.1.8.1.ResourceNotFound", "MessageSeverity": "Critical", "Resolution": "Provide a valid resource identifier and resubmit the request." } ], "code": "Base.1.8.1.ResourceNotFound", "message": "The requested resource of type ManagerAccount named TestAccountsss was not found." } } Signed-off-by: JunLin Chen <Jun-Lin.Chen@quantatw.com> Change-Id: Ic00020ac07950347973b54d49dacd44c4d4571b7 Signed-off-by: Tony Lee <tony.lee@quantatw.com> Signed-off-by: Ed Tanous <edtanous@google.com>
Diffstat (limited to 'redfish-core/lib/account_service.hpp')
-rw-r--r--redfish-core/lib/account_service.hpp39
1 files changed, 38 insertions, 1 deletions
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 19352e8d57..8d537995b0 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -1708,13 +1708,26 @@ inline void requestAccountServiceRoutes(App& app)
.privileges(redfish::privileges::getManagerAccount)
.methods(
boost::beast::http::verb::
- get)([&app](const crow::Request& req,
+ get)([&app]([[maybe_unused]] const crow::Request& req,
const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
const std::string& accountName) -> void {
if (!redfish::setUpRedfishRoute(app, req, asyncResp->res))
{
return;
}
+#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+ // If authentication is disabled, there are no user accounts
+ messages::resourceNotFound(asyncResp->res,
+ "#ManagerAccount.v1_4_0.ManagerAccount",
+ accountName);
+ return;
+
+#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+ if (req.session == nullptr)
+ {
+ messages::internalError(asyncResp->res);
+ return;
+ }
if (req.session->username != accountName)
{
// At this point we've determined that the user is trying to
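Review bot: `[[maybe_unused]]` on `req` in the new signature line is redundant, because `req` is read unconditionally by `setUpRedfishRoute(app, req, asyncResp->res)` a few lines below in every build configuration; and the unconditional `return;` inside the `#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION` block leaves everything from the `req.session == nullptr` guard onward unreachable in no-auth builds, which unreachable-code diagnostics may flag. The same `#ifdef … return; #endif` shape is repeated in the two later hunks (`@@ -1877` and `@@ -1958`), each with its own copy of the `"#ManagerAccount.v1_4_0.ManagerAccount"` literal. If, as the commit message implies, no session is established when authentication is disabled, the compile-time block and the null-session guard can be folded into one runtime guard whose error body is selected by the macro, so the rest of the lambda stays reachable in every configuration and the attribute can be dropped. The lambda body continues past the end of this hunk.
```cpp
get)([&app](const crow::Request& req,
            const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
            const std::string& accountName) -> void {
    if (!redfish::setUpRedfishRoute(app, req, asyncResp->res))
    {
        return;
    }
    if (req.session == nullptr)
    {
#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
        // No session exists when authentication is disabled, so a
        // per-account resource cannot be resolved for the requester.
        messages::resourceNotFound(asyncResp->res,
                                   "#ManagerAccount.v1_4_0.ManagerAccount",
                                   accountName);
#else
        messages::internalError(asyncResp->res);
#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
        return;
    }
    // … unchanged: username comparison and privilege checks …
```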
@@ -1877,12 +1890,26 @@ inline void requestAccountServiceRoutes(App& app)
{
return;
}
+#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+ // If authentication is disabled, there are no user accounts
+ messages::resourceNotFound(
+ asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
+ username);
+ return;
+
+#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
std::optional<std::string> newUserName;
std::optional<std::string> password;
std::optional<bool> enabled;
std::optional<std::string> roleId;
std::optional<bool> locked;
+ if (req.session == nullptr)
+ {
+ messages::internalError(asyncResp->res);
+ return;
+ }
+
Privileges effectiveUserPrivileges =
redfish::getUserPrivileges(req.userRole);
Privileges configureUsers = {"ConfigureUsers"};
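Review bot: The `req.session == nullptr` guard is inserted after the five `std::optional` declarations rather than directly after `#endif`, where the equivalent guard sits in the GET handler of the first hunk; moving it up (and dropping the blank line that follows it) keeps the two handlers parallel and rejects the request before any locals are set up. The blank line between `return;` and `#endif` inside the `#ifdef` block is also inconsistent with the surrounding style. The lambda's signature and the remainder of its body are outside this hunk.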
@@ -1907,6 +1934,7 @@ inline void requestAccountServiceRoutes(App& app)
messages::insufficientPrivilege(asyncResp->res);
return;
}
+
// ConfigureSelf accounts can only modify their password
if (!json_util::readJsonPatch(req, asyncResp->res,
"Password", password))
@@ -1958,6 +1986,15 @@ inline void requestAccountServiceRoutes(App& app)
{
return;
}
+
+#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+ // If authentication is disabled, there are no user accounts
+ messages::resourceNotFound(
+ asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
+ username);
+ return;
+
+#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
tempObjPath /= username;
const std::string userPath(tempObjPath);
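Review bot: The comment `// If authentication is disabled, there are no user accounts` overstates the case: the lines that follow build a D-Bus object path from `rootUserDbusPath` and `username`, so the accounts themselves appear to live outside bmcweb, and what a no-auth build lacks is a requesting session. Unlike the GET handler in the first hunk, nothing visible in this handler reads `req.session`, so if the rest of the body (outside the hunk) has no session dependence either, the unconditional 404 here is worth re-examining; at minimum, reword the comment to `// No session exists when authentication is disabled, so per-account operations are not supported`. The enclosing lambda begins and ends outside this hunk.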