From 031514fb7798057bbe0261a92b6c368cd5a35f66 Mon Sep 17 00:00:00 2001 From: JunLin Chen Date: Tue, 14 Dec 2021 14:33:49 +0800 Subject: Fix bmcweb crash problem when no-auth This change is similar to https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/49465 After insecure-disable-auth=enabled, it is not necessary to log in and establish a session before a request. GET/PATCH /redfish/v1/AccountService/Accounts/. (no matter whether the account exists or not) does not return any status code and causes the bmcweb service to crash. Solutions: Add #ifndef BMCWEB_INSECURE_DISABLE_AUTHENTICATION and [[maybe_unused]] const crow::Request& req Test: GET / PATCH with authless https:///redfish/v1/AccountService/Accounts/TestAccount Return 200 { "@odata.id": "/redfish/v1/AccountService/Accounts/TestAccount", "@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount", "AccountTypes": [ "Redfish" ], "Description": "User Account", "Enabled": true, "Id": "TestAccount", "Links": { "Role": { "@odata.id": "/redfish/v1/AccountService/Roles/Administrator" } }, "Locked": false, "Locked@Redfish.AllowableValues": [ "false" ], "Name": "User Account", "Password": null, "PasswordChangeRequired": false, "RoleId": "Administrator", "UserName": "TestAccount" } GET nonexistent account https:///redfish/v1/AccountService/Accounts/TestAccountsss { "error": { "@Message.ExtendedInfo": [ { "@odata.type": "#Message.v1_1_1.Message", "Message": "The requested resource of type ManagerAccount named TestAccountsss was not found.", "MessageArgs": [ "ManagerAccount", "TestAccountsss" ], "MessageId": "Base.1.8.1.ResourceNotFound", "MessageSeverity": "Critical", "Resolution": "Provide a valid resource identifier and resubmit the request." } ], "code": "Base.1.8.1.ResourceNotFound", "message": "The requested resource of type ManagerAccount named TestAccountsss was not found." } } Signed-off-by: JunLin Chen Change-Id: Ic00020ac07950347973b54d49dacd44c4d4571b7 Signed-off-by: Tony Lee 
Signed-off-by: Ed Tanous
---
redfish-core/lib/account_service.hpp | 39 +++++++++++++++++++++++++++++++++++-
1 file changed, 38 insertions(+), 1 deletion(-)
(limited to 'redfish-core/lib/account_service.hpp')
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 19352e8d57..8d537995b0 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -1708,13 +1708,26 @@ inline void requestAccountServiceRoutes(App& app)
.privileges(redfish::privileges::getManagerAccount) .methods( boost::beast::http::verb::
- get)([&app](const crow::Request& req,
+ get)([&app]([[maybe_unused]] const crow::Request& req,
const std::shared_ptr& asyncResp, const std::string& accountName) -> void { if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) { return; }
+#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+ // If authentication is disabled, there are no user accounts
+ messages::resourceNotFound(asyncResp->res,
+ "#ManagerAccount.v1_4_0.ManagerAccount",
+ accountName);
+ return;
+
+#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+ if (req.session == nullptr)
+ {
+ messages::internalError(asyncResp->res);
+ return;
+ }
if (req.session->username != accountName) { // At this point we've determined that the user is trying to
@@ -1877,12 +1890,26 @@ inline void requestAccountServiceRoutes(App& app)
{ return; }
+#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+ // If authentication is disabled, there are no user accounts
+ messages::resourceNotFound(
+ asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
+ username);
+ return;
+
+#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
std::optional newUserName; std::optional password; std::optional enabled; std::optional roleId; std::optional locked;
+ if (req.session == nullptr)
+ {
+ messages::internalError(asyncResp->res);
+ return;
+ }
+
Privileges effectiveUserPrivileges = redfish::getUserPrivileges(req.userRole); Privileges configureUsers = {"ConfigureUsers"};
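Review bot: The `#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION` branch in the GET handler answers ResourceNotFound for every `accountName`, which contradicts the commit description's test output showing a 200 with the TestAccount body for an authless GET (and the description says `#ifndef` where the code uses `#ifdef`); the description should state that insecure builds now report no accounts at all. The `[[maybe_unused]]` added to `req` is unnecessary, because `req` is passed to `setUpRedfishRoute` on the very next line and read again at `req.session` in every configuration, so `get)([&app](const crow::Request& req,` can stay as it was. Since the `return;` inside the `#ifdef` makes the remainder of the lambda unreachable in the insecure build, an `#else` around the rest of the body instead of a bare `#endif` would avoid unreachable-code warnings on toolchains that enable them, though whether this project builds with such warnings is not visible here. The lambda body continues past the end of the hunk.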
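Review bot: The `req.session == nullptr` guard in the PATCH handler is placed after the five `std::optional` declarations rather than directly after `#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION`, whereas the GET handler in the previous hunk makes it the first statement after the `#endif`; moving `if (req.session == nullptr)` up keeps the two handlers parallel and puts the fail-closed check where a reader looks for it. The insecure-build stanza (`#ifdef`, comment, `messages::resourceNotFound(...)`, `return;`, `#endif`) is now copied verbatim into three handlers in this file, each repeating the `"#ManagerAccount.v1_4_0.ManagerAccount"` type string, so a single file-local helper that emits the 404 and reports whether the caller should return would keep the copies from drifting. The PATCH lambda starts and ends outside this hunk.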
@@ -1907,6 +1934,7 @@ inline void requestAccountServiceRoutes(App& app)
messages::insufficientPrivilege(asyncResp->res); return; }
+ // ConfigureSelf accounts can only modify their password
if (!json_util::readJsonPatch(req, asyncResp->res, "Password", password))
@@ -1958,6 +1986,15 @@ inline void requestAccountServiceRoutes(App& app)
{ return; }
+
+#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+ // If authentication is disabled, there are no user accounts
+ messages::resourceNotFound(
+ asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
+ username);
+ return;
+
+#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
sdbusplus::message::object_path tempObjPath(rootUserDbusPath); tempObjPath /= username; const std::string userPath(tempObjPath);
-- cgit v1.2.3
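Review bot: Unlike the GET and PATCH handlers earlier in this commit, the handler in the second hunk here receives the `#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION` early return but no `req.session == nullptr` guard; if the code after the hunk dereferences `req.session` the null-session crash this commit fixes elsewhere would remain, which cannot be confirmed from here because the handler starts and ends outside the hunk. The early 404 is also worth a line of explanation, since it fires before `tempObjPath` is built and therefore reports ResourceNotFound even for a user that does exist on D-Bus: `// Insecure build: no session can own an account, so answer 404 before touching D-Bus`. That the refusal happens before any D-Bus lookup is the right fail-closed choice, as it also avoids revealing which user names exist on an unauthenticated build.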