diff options
author | Abhishek Patel <Abhishek.Patel@ibm.com> | 2021-06-02 17:53:24 +0300 |
---|---|---|
committer | Gunnar Mills <gmills@us.ibm.com> | 2021-06-30 19:26:56 +0300 |
commit | 720487803a1890e8d4e5d91463e7ec62b4b23f74 (patch) | |
tree | 05bef46a0578cdd00a0153f0d4273f2f6a72eb94 /redfish-core/lib/certificate_service.hpp | |
parent | 7c8c4058e265f784679b9144ff33b89f50f1bf59 (diff) | |
download | bmcweb-720487803a1890e8d4e5d91463e7ec62b4b23f74.tar.xz |
Modify entityPrivileges for certificate service
DMTF published new entity privileges for certificate service classes
which modify entity privilege Certificate, CertificateCollection,
CertificateLocations, and CertificateService on bmcweb. Modification
restricts a user without "ConfigureManager" from accessing the
CertificateCollection and Certificate scehamas
Redfish is a hypermedia API where the parent URI describes sub-URI.
Thus, restricting sub-URI in a parent-URI data helps to forbidden user
access, stricken the rule. So sub-URI only gets display if a user has
access to that URI.
Restricting the link allows the Redfish Validator to pass.
These impact roles without ConfigureManager, which include operator
and read-only. No access is not impacted since it already did not
have access.
The following are bmcweb user consequences:
1. ReadOnly and Operator role users are no longer able to view
certificates or the certificate collection (LDAP, HTTPS, TrustStore)
2. Operator role users are no longer able to replace the certificates
(LDAP, HTTPS, TrustStore), Install certificates (LDAP, HTTPS,
TrustStore) or delete the Truststore Certificate. HTTPS and LDAP
certificates do not have delete methods.
Resolves openbmc/bmcweb#61
Tested: manually tested on Witherspoon system and run Redfish-Service-
Validator with all roles root, operator, read-only, and No access. Test
pass for root, operator, and read-only roles, And new errors get
introduced for no access role.
Signed-off-by: Abhishek Patel <Abhishek.Patel@ibm.com>
Change-Id: Ibc5eed7db7e224e46f8572df8bcfba2a1ff47644
Diffstat (limited to 'redfish-core/lib/certificate_service.hpp')
-rw-r--r-- | redfish-core/lib/certificate_service.hpp | 76 |
1 files changed, 42 insertions, 34 deletions
diff --git a/redfish-core/lib/certificate_service.hpp b/redfish-core/lib/certificate_service.hpp index c1861ca141..6eb66c593e 100644 --- a/redfish-core/lib/certificate_service.hpp +++ b/redfish-core/lib/certificate_service.hpp @@ -43,31 +43,39 @@ inline void requestRoutesCertificateService(App& app) { BMCWEB_ROUTE(app, "/redfish/v1/CertificateService/") .privileges({{"Login"}}) - .methods(boost::beast::http::verb::get)( - [](const crow::Request&, - const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) { - asyncResp->res.jsonValue = { - {"@odata.type", - "#CertificateService.v1_0_0.CertificateService"}, - {"@odata.id", "/redfish/v1/CertificateService"}, - {"Id", "CertificateService"}, - {"Name", "Certificate Service"}, - {"Description", - "Actions available to manage certificates"}}; + .methods( + boost::beast::http::verb:: + get)([](const crow::Request& req, + const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) { + asyncResp->res.jsonValue = { + {"@odata.type", + "#CertificateService.v1_0_0.CertificateService"}, + {"@odata.id", "/redfish/v1/CertificateService"}, + {"Id", "CertificateService"}, + {"Name", "Certificate Service"}, + {"Description", "Actions available to manage certificates"}}; + // /redfish/v1/CertificateService/CertificateLocations is something + // only ConfigureManager can access then only display when the user + // has permissions ConfigureManager + Privileges effectiveUserPrivileges = + redfish::getUserPrivileges(req.userRole); + if (isOperationAllowedWithPrivileges({{"ConfigureManager"}}, + effectiveUserPrivileges)) + { asyncResp->res.jsonValue["CertificateLocations"] = { {"@odata.id", "/redfish/v1/CertificateService/CertificateLocations"}}; - asyncResp->res - .jsonValue["Actions"] - ["#CertificateService.ReplaceCertificate"] = { - {"target", "/redfish/v1/CertificateService/Actions/" - "CertificateService.ReplaceCertificate"}, - {"CertificateType@Redfish.AllowableValues", {"PEM"}}}; - asyncResp->res - .jsonValue["Actions"]["#CertificateService.GenerateCSR"] = { - {"target", "/redfish/v1/CertificateService/Actions/" - "CertificateService.GenerateCSR"}}; - }); + } + asyncResp->res.jsonValue["Actions"] + ["#CertificateService.ReplaceCertificate"] = + {{"target", "/redfish/v1/CertificateService/Actions/" + "CertificateService.ReplaceCertificate"}, + {"CertificateType@Redfish.AllowableValues", {"PEM"}}}; + asyncResp->res + .jsonValue["Actions"]["#CertificateService.GenerateCSR"] = { + {"target", "/redfish/v1/CertificateService/Actions/" + "CertificateService.GenerateCSR"}}; + }); } // requestRoutesCertificateService /** @@ -667,7 +675,7 @@ inline void requestRoutesCertificateActionsReplaceCertificate(App& app) { BMCWEB_ROUTE(app, "/redfish/v1/CertificateService/Actions/" "CertificateService.ReplaceCertificate/") - .privileges({{"ConfigureComponents"}}) + .privileges({{"ConfigureManager"}}) .methods( boost::beast::http::verb:: post)([](const crow::Request& req, @@ -785,7 +793,7 @@ inline void requestRoutesHTTPSCertificate(App& app) BMCWEB_ROUTE( app, "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/<str>/") - .privileges({{"Login"}}) + .privileges({{"ConfigureManager"}}) .methods( boost::beast::http::verb:: get)([](const crow::Request& req, @@ -819,7 +827,7 @@ inline void requestRoutesHTTPSCertificateCollection(App& app) { BMCWEB_ROUTE(app, "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/") - .privileges({{"Login"}}) + .privileges({{"ConfigureManager"}}) .methods( boost::beast::http::verb:: get)([](const crow::Request&, @@ -864,7 +872,7 @@ inline void requestRoutesHTTPSCertificateCollection(App& app) BMCWEB_ROUTE(app, "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/") - .privileges({{"ConfigureComponents"}}) + .privileges({{"ConfigureManager"}}) .methods(boost::beast::http::verb::post)( [](const crow::Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) { @@ -971,7 +979,7 @@ void getCertificateLocations( inline void requestRoutesCertificateLocations(App& app) { BMCWEB_ROUTE(app, "/redfish/v1/CertificateService/CertificateLocations/") - .privileges({{"Login"}}) + .privileges({{"ConfigureManager"}}) .methods( boost::beast::http::verb:: get)([](const crow::Request&, @@ -1010,7 +1018,7 @@ inline void requestRoutesCertificateLocations(App& app) inline void requestRoutesLDAPCertificateCollection(App& app) { BMCWEB_ROUTE(app, "/redfish/v1/AccountService/LDAP/Certificates/") - .privileges({{"Login"}}) + .privileges({{"ConfigureManager"}}) .methods(boost::beast::http::verb::get)( [](const crow::Request&, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) { @@ -1056,7 +1064,7 @@ inline void requestRoutesLDAPCertificateCollection(App& app) }); BMCWEB_ROUTE(app, "/redfish/v1/AccountService/LDAP/Certificates/") - .privileges({{"ConfigureComponents"}}) + .privileges({{"ConfigureManager"}}) .methods(boost::beast::http::verb::post)( [](const crow::Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) { @@ -1113,7 +1121,7 @@ inline void requestRoutesLDAPCertificateCollection(App& app) inline void requestRoutesLDAPCertificate(App& app) { BMCWEB_ROUTE(app, "/redfish/v1/AccountService/LDAP/Certificates/<str>/") - .privileges({{"Login"}}) + .privileges({{"ConfigureManager"}}) .methods(boost::beast::http::verb::get)( [](const crow::Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, @@ -1144,7 +1152,7 @@ inline void requestRoutesLDAPCertificate(App& app) inline void requestRoutesTrustStoreCertificateCollection(App& app) { BMCWEB_ROUTE(app, "/redfish/v1/Managers/bmc/Truststore/Certificates/") - .privileges({{"Login"}}) + .privileges({{"ConfigureManager"}}) .methods(boost::beast::http::verb::get)( [](const crow::Request&, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) { @@ -1188,7 +1196,7 @@ inline void requestRoutesTrustStoreCertificateCollection(App& app) }); BMCWEB_ROUTE(app, "/redfish/v1/Managers/bmc/Truststore/Certificates/") - .privileges({{"ConfigureComponents"}}) + .privileges({{"ConfigureManager"}}) .methods(boost::beast::http::verb::post)( [](const crow::Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) { @@ -1246,7 +1254,7 @@ inline void requestRoutesTrustStoreCertificateCollection(App& app) inline void requestRoutesTrustStoreCertificate(App& app) { BMCWEB_ROUTE(app, "/redfish/v1/Managers/bmc/Truststore/Certificates/<str>/") - .privileges({{"Loign"}}) + .privileges({{"ConfigureManager"}}) .methods(boost::beast::http::verb::get)( [](const crow::Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, @@ -1272,7 +1280,7 @@ inline void requestRoutesTrustStoreCertificate(App& app) }); BMCWEB_ROUTE(app, "/redfish/v1/Managers/bmc/Truststore/Certificates/<str>/") - .privileges({{"ConfigureComponents"}}) + .privileges({{"ConfigureManager"}}) .methods(boost::beast::http::verb::delete_)( [](const crow::Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, |