blob: 07a1216cdcac30b2131486d5282eae13a8baddf2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
#pragma once
#include "dbus_utility.hpp"
#include "error_messages.hpp"
#include "http_request.hpp"
#include "http_response.hpp"
#include "logging.hpp"
#include "routing/baserule.hpp"
#include "user_role_map.hpp"
#include "utils/dbus_utils.hpp"
#include <boost/url/format.hpp>
#include <sdbusplus/bus/match.hpp>
#include <sdbusplus/unpack_properties.hpp>
#include <memory>
#include <vector>
namespace crow
{
inline bool
isUserPrivileged(Request& req,
const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
BaseRule& rule)
{
if (req.session == nullptr)
{
return false;
}
// Get the user's privileges from the role
redfish::Privileges userPrivileges =
redfish::getUserPrivileges(*req.session);
// Modify privileges if isConfigureSelfOnly.
if (req.session->isConfigureSelfOnly)
{
// Remove all privileges except ConfigureSelf
userPrivileges =
userPrivileges.intersection(redfish::Privileges{"ConfigureSelf"});
BMCWEB_LOG_DEBUG("Operation limited to ConfigureSelf");
}
if (!rule.checkPrivileges(userPrivileges))
{
asyncResp->res.result(boost::beast::http::status::forbidden);
if (req.session->isConfigureSelfOnly)
{
redfish::messages::passwordChangeRequired(
asyncResp->res,
boost::urls::format("/redfish/v1/AccountService/Accounts/{}",
req.session->username));
}
return false;
}
return true;
}
template <typename CallbackFn>
void validatePrivilege(Request& req,
const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
BaseRule& rule, CallbackFn&& callback)
{
if (req.session == nullptr)
{
return;
}
std::string username = req.session->username;
UserFields props =
UserRoleMap::getInstance().getUserRole(req.session->username);
if (props.userRole)
{
req.session->userRole = props.userRole.value_or("");
}
if (props.passwordExpired)
{
req.session->isConfigureSelfOnly = *props.passwordExpired;
}
if (props.userGroups)
{
req.session->userGroups = std::move(*props.userGroups);
}
if (!isUserPrivileged(req, asyncResp, rule))
{
// User is not privileged
BMCWEB_LOG_WARNING("Insufficient Privilege");
asyncResp->res.result(boost::beast::http::status::forbidden);
return;
}
callback(req);
}
} // namespace crow
|
