From 61dbeef97168db1a1f7a351c5f95e09afd361e48 Mon Sep 17 00:00:00 2001
From: RAJESWARAN THILLAIGOVINDAN
Date: Fri, 13 Dec 2019 04:26:54 -0600
Subject: Fix authorization for LDAP users

Modified the code to make an asynchronous call to GetUserInfo to get the user role for authorization. For local users, DBus matches are used to store user role map hot in memory. Hence, bmcweb has to know whether a user is a local user or LDAP user to get the role. To avoid this, removed the existing DBus matches and modified the code to call GetUserInfo to get the role of local users as well as LDAP users. Tested: - Created a local user having admin privilege and verified that he is able to restart the system /redfish/v1/Systems/system/Actions/ComputerSystem.Reset -d '{"ResetType": "GracefulRestart"}' - Created a local user having user privilege and verified that he is unauthorized to restart the system /redfish/v1/Systems/system/Actions/ComputerSystem.Reset -d '{"ResetType": "GracefulRestart"}' - Created a remote user having admin privilege and verified that he is able to restart the system /redfish/v1/Systems/system/Actions/ComputerSystem.Reset -d '{"ResetType": "GracefulRestart"}' - Created a remote user having user privilege and verified that he is unauthorized to restart the system /redfish/v1/Systems/system/Actions/ComputerSystem.Reset -d '{"ResetType": "GracefulRestart"}' - Tested Redfish ConfigureSelf privilege
Signed-off-by: RAJESWARAN THILLAIGOVINDAN
Change-Id: Ic3e46a0c0aff2cf456c98048350e58e302011c57
---
 redfish-core/include/node.hpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'redfish-core')
diff --git a/redfish-core/include/node.hpp b/redfish-core/include/node.hpp
index fddeaa01e5..9086f1e0ef 100644
--- a/redfish-core/include/node.hpp
+++ b/redfish-core/include/node.hpp
@@ -178,9 +178,9 @@ class Node
 */
 inline bool isAllowedWithoutConfigureSelf(const crow::Request& req)
 {
- const std::string& userRole =
- crow::persistent_data::UserRoleMap::getInstance().getUserRole(
- req.session->username);
+ const std::string& userRole = req.userRole;
+ BMCWEB_LOG_DEBUG << "isAllowedWithoutConfigureSelf for the role "
+ << req.userRole;
 Privileges effectiveUserPrivileges =
 redfish::getUserPrivileges(userRole);
 effectiveUserPrivileges.resetSinglePrivilege("ConfigureSelf");
-- cgit v1.2.3
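Review bot: The privilege check in `isAllowedWithoutConfigureSelf` now depends entirely on `req.userRole` having been filled in before the handler runs, and nothing in this hunk documents or checks that. The code that populates it (the asynchronous GetUserInfo call the description mentions) is outside this diff, so if that lookup fails or has not completed the role is presumably empty, and the outcome rests on how `redfish::getUserPrivileges` treats an unknown role; it should resolve to no privileges. I would add a comment above the assignment such as `// req.userRole is set from GetUserInfo before dispatch; an empty or unknown role must map to no privileges`, and log `userRole` rather than `req.userRole` so the local alias is used consistently. The function body continues past the end of the hunk.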