path: root/redfish-core/lib/account_service.hpp
author: Abhishek Patel <Abhishek.Patel@ibm.com> 2021-06-02 17:53:24 +0300
committer: Gunnar Mills <gmills@us.ibm.com> 2021-06-30 19:26:56 +0300
commit: 720487803a1890e8d4e5d91463e7ec62b4b23f74 (patch)
tree: 05bef46a0578cdd00a0153f0d4273f2f6a72eb94 /redfish-core/lib/account_service.hpp
parent: 7c8c4058e265f784679b9144ff33b89f50f1bf59 (diff)
download: bmcweb-720487803a1890e8d4e5d91463e7ec62b4b23f74.tar.xz
Modify entityPrivileges for certificate service

DMTF published new entity privileges for certificate service classes which modify the entity privileges Certificate, CertificateCollection, CertificateLocations, and CertificateService on bmcweb. The modification restricts a user without "ConfigureManager" from accessing the CertificateCollection and Certificate schemas.

Redfish is a hypermedia API where the parent URI describes the sub-URI. Thus, restricting the sub-URI in the parent-URI data helps to forbid user access, making the rule stricter. So a sub-URI only gets displayed if a user has access to that URI. Restricting the link allows the Redfish Validator to pass.

These impact roles without ConfigureManager, which include operator and read-only. No access is not impacted since it already did not have access. The following are bmcweb user consequences:

1. ReadOnly and Operator role users are no longer able to view certificates or the certificate collection (LDAP, HTTPS, TrustStore).
2. Operator role users are no longer able to replace the certificates (LDAP, HTTPS, TrustStore), install certificates (LDAP, HTTPS, TrustStore) or delete the TrustStore certificate. HTTPS and LDAP certificates do not have delete methods.

Resolves openbmc/bmcweb#61

Tested: manually tested on a Witherspoon system and ran Redfish-Service-Validator with all roles: root, operator, read-only, and No access. Tests pass for the root, operator, and read-only roles, and new errors get introduced for the no access role.

Signed-off-by: Abhishek Patel <Abhishek.Patel@ibm.com>
Change-Id: Ibc5eed7db7e224e46f8572df8bcfba2a1ff47644
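The pattern the commit message describes, a hypermedia link that is advertised only to callers who could actually follow it, is easy to get wrong in one specific way: the link check and the route check are written separately and drift apart. The following is an added example, not bmcweb code, showing the shape of a version in which the `/redfish/v1/AccountService/LDAP/Certificates` route and the `LDAP/Certificates` link on `/redfish/v1/AccountService/` read their requirement from one shared privilege table. `getUserPrivileges`, `isOperationAllowedWithPrivileges` and the role-to-privilege table are this example's own definitions (the table follows the standard Redfish roles as an assumption); they share names with bmcweb helpers only to make the correspondence obvious and are not the project's implementation.

```cpp
// Added example (not bmcweb code): one privilege table drives both the route
// enforcement and the decision to advertise the link, so hiding the link can
// never be the only thing standing between a caller and the resource.
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

using Privileges = std::set<std::string>;

// Role -> privileges, following the standard Redfish roles (assumed for the
// example; bmcweb keeps its own table). An unknown role, including NoAccess,
// holds nothing.
inline Privileges getUserPrivileges(const std::string& role)
{
    static const std::map<std::string, Privileges> table = {
        {"Administrator", {"Login", "ConfigureManager", "ConfigureUsers",
                           "ConfigureSelf", "ConfigureComponents"}},
        {"Operator", {"Login", "ConfigureComponents", "ConfigureSelf"}},
        {"ReadOnly", {"Login", "ConfigureSelf"}},
    };
    auto it = table.find(role);
    return it == table.end() ? Privileges{} : it->second;
}

// Redfish operation privileges are an OR of ANDs: the caller passes if it
// holds every privilege in at least one of the alternative sets.
inline bool isOperationAllowedWithPrivileges(
    const std::vector<Privileges>& operationPrivileges,
    const Privileges& userPrivileges)
{
    for (const Privileges& required : operationPrivileges)
    {
        bool allHeld = true;
        for (const std::string& p : required)
        {
            if (userPrivileges.count(p) == 0)
            {
                allHeld = false;
                break;
            }
        }
        if (allHeld)
        {
            return true;
        }
    }
    return false;
}

// The single source of truth for GET .../LDAP/Certificates.
inline const std::vector<Privileges>& ldapCertificatesGetPrivileges()
{
    static const std::vector<Privileges> p = {{"ConfigureManager"}};
    return p;
}

// Route enforcement: the handler for the certificate collection itself.
// Returns an HTTP status for the caller's role.
inline int handleLdapCertificatesGet(const std::string& role)
{
    return isOperationAllowedWithPrivileges(ldapCertificatesGetPrivileges(),
                                            getUserPrivileges(role))
               ? 200
               : 403;
}

// Link rendering for GET /redfish/v1/AccountService/ (itself gated on Login):
// the @odata.id links to emit, omitting any the caller could not follow.
inline std::map<std::string, std::string>
    accountServiceLinks(const std::string& role)
{
    Privileges user = getUserPrivileges(role);
    std::map<std::string, std::string> links;
    if (!isOperationAllowedWithPrivileges({{"Login"}}, user))
    {
        return links; // no Login privilege: the parent resource is not served
    }
    links["Accounts"] = "/redfish/v1/AccountService/Accounts";
    links["Roles"] = "/redfish/v1/AccountService/Roles";
    // Same table as the route, so the link appears exactly when the GET
    // on the target would succeed.
    if (isOperationAllowedWithPrivileges(ldapCertificatesGetPrivileges(), user))
    {
        links["LDAP/Certificates"] =
            "/redfish/v1/AccountService/LDAP/Certificates";
    }
    return links;
}

int main()
{
    for (const char* role : {"Administrator", "Operator", "ReadOnly", "NoAccess"})
    {
        std::cout << role << ": GET LDAP/Certificates -> "
                  << handleLdapCertificatesGet(role) << ", links:";
        for (const auto& [name, uri] : accountServiceLinks(role))
        {
            std::cout << ' ' << name;
        }
        std::cout << '\n';
    }
    return 0;
}
```

The point of routing both decisions through `ldapCertificatesGetPrivileges()` is that a Redfish Service Validator run with an Operator session sees no dangling link, and an Operator who already knows the URI still gets 403 from the route; neither property depends on remembering to edit two places.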
Diffstat (limited to 'redfish-core/lib/account_service.hpp')
-rw-r--r-- redfish-core/lib/account_service.hpp | 22
1 files changed, 16 insertions, 6 deletions
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 835fae39d6..364d5e2989 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -1258,7 +1258,7 @@ inline void requestAccountServiceRoutes(App& app)
BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
.privileges({{"Login"}})
.methods(
- boost::beast::http::verb::get)([](const crow::Request& /* req */,
+ boost::beast::http::verb::get)([](const crow::Request& req,
const std::shared_ptr<
bmcweb::AsyncResp>& asyncResp)
-> void {
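Review bot: `req` changes from an unused parameter to a used one, which is correct for this hunk, but it must stay confined to the synchronous part of the handler. In the second hunk `req.userRole` is read before `async_method_call`, so the request reference is not captured into the D-Bus callback; if this handler is later refactored, keep `req` out of the asynchronous lambda's capture list, since the `crow::Request` is not guaranteed to outlive the D-Bus round trip.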
@@ -1288,11 +1288,21 @@ inline void requestAccountServiceRoutes(App& app)
{"XToken", authMethodsConfig.xtoken},
{"Cookie", authMethodsConfig.cookie},
{"TLS", authMethodsConfig.tls},
- }}}}}},
- {"LDAP",
- {{"Certificates",
- {{"@odata.id",
- "/redfish/v1/AccountService/LDAP/Certificates"}}}}}};
+ }}}}}}};
+ // /redfish/v1/AccountService/LDAP/Certificates is something only
+ // ConfigureManager can access then only display when the user has
+ // permissions ConfigureManager
+ Privileges effectiveUserPrivileges =
+ redfish::getUserPrivileges(req.userRole);
+
+ if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
+ effectiveUserPrivileges))
+ {
+ asyncResp->res.jsonValue["LDAP"] = {
+ {"Certificates",
+ {{"@odata.id",
+ "/redfish/v1/AccountService/LDAP/Certificates"}}}};
+ }
crow::connections::systemBus->async_method_call(
[asyncResp](
const boost::system::error_code ec,
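Review bot: Hiding the `LDAP/Certificates` link is presentation, not enforcement: nothing in this hunk changes the privileges of the `/redfish/v1/AccountService/LDAP/Certificates` route itself, so that route must carry `ConfigureManager` in its own `.privileges()` (the commit message says the certificate routes were updated) or an Operator who already knows the URI can still GET it. Because `{{"ConfigureManager"}}` is now duplicated by hand at `isOperationAllowedWithPrivileges({{"ConfigureManager"}},`, consider sourcing it from the same privilege set the certificate route registers with so the link and the route cannot drift apart. Reading `req.userRole` before `async_method_call` is correct. The comment starting `// /redfish/v1/AccountService/LDAP/Certificates is something only` reads awkwardly; suggest "Only ConfigureManager can read /redfish/v1/AccountService/LDAP/Certificates, so only advertise the link to users holding that privilege."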