path: root/meta-ibs/meta-common/recipes-phosphor/interfaces/bmcweb/0010-Added-check-user-priv-before-creating-KVM-and-SOL.patch
Diffstat (limited to 'meta-ibs/meta-common/recipes-phosphor/interfaces/bmcweb/0010-Added-check-user-priv-before-creating-KVM-and-SOL.patch')
-rw-r--r--meta-ibs/meta-common/recipes-phosphor/interfaces/bmcweb/0010-Added-check-user-priv-before-creating-KVM-and-SOL.patch203
1 files changed, 203 insertions, 0 deletions
diff --git a/meta-ibs/meta-common/recipes-phosphor/interfaces/bmcweb/0010-Added-check-user-priv-before-creating-KVM-and-SOL.patch b/meta-ibs/meta-common/recipes-phosphor/interfaces/bmcweb/0010-Added-check-user-priv-before-creating-KVM-and-SOL.patch
new file mode 100644
index 0000000000..ef29193670
--- /dev/null
+++ b/meta-ibs/meta-common/recipes-phosphor/interfaces/bmcweb/0010-Added-check-user-priv-before-creating-KVM-and-SOL.patch
@@ -0,0 +1,203 @@
+From 6c7424970da146290ea9fe0aacb3d75bc43bf063 Mon Sep 17 00:00:00 2001
+From: Nikita Kosenkov <NKosenkov@IBS.RU>
+Date: Tue, 6 Sep 2022 15:43:17 +0300
+Subject: [PATCH] Added check the user priv before creating KVM and SOL
+
+---
+ include/kvm_websocket.hpp | 72 ++++++++++++++++++++++++++++----
+ include/obmc_console.hpp | 86 ++++++++++++++++++++++++++++++++-------
+ 2 files changed, 136 insertions(+), 22 deletions(-)
+
+diff --git a/include/kvm_websocket.hpp b/include/kvm_websocket.hpp
+index 79975d2c..186b8271 100644
+--- a/include/kvm_websocket.hpp
++++ b/include/kvm_websocket.hpp
+@@ -4,7 +4,9 @@
+ #include <app.hpp>
+ #include <async_resp.hpp>
+ #include <boost/container/flat_map.hpp>
++#include <registries/privilege_registry.hpp>
+ #include <websocket.hpp>
++#include <iostream>
+
+ namespace crow
+ {
+@@ -162,15 +164,71 @@ inline void requestRoutes(App& app)
+ .privileges({{"ConfigureComponents", "ConfigureManager"}})
+ .websocket()
+ .onopen([](crow::websocket::Connection& conn) {
+- BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened";
++ // Check the user info before creating session
++ crow::connections::systemBus->async_method_call(
++ [&conn](const boost::system::error_code ec,
++ std::map<std::string,
++ std::variant<bool, std::string,
++ std::vector<std::string>>> userInfo) {
+
+- if (sessions.size() == maxSessions)
+- {
+- conn.close("Max sessions are already connected");
+- return;
+- }
++ if (ec)
++ {
++ BMCWEB_LOG_ERROR << "GetUserInfo failed...";
++ conn.close("Failed to get user information");
++ return;
++ }
++
++ const std::string* userRolePtr = nullptr;
++ auto userInfoIter = userInfo.find("UserPrivilege");
++ if (userInfoIter != userInfo.end())
++ {
++ userRolePtr =
++ std::get_if<std::string>(&userInfoIter->second);
++ }
++
++ std::string userRole{};
++ if (userRolePtr != nullptr)
++ {
++ userRole = *userRolePtr;
++ BMCWEB_LOG_ERROR << "userName = " << conn.getUserName()
++ << " userRole = " << *userRolePtr;
++
++ redfish::Privileges userPrivileges =
++ redfish::getUserPrivileges(userRole);
++
++ const ::redfish::Privileges requiredPrivileges{
++ {"ConfigureComponents", "ConfigureManager"}};
++
++ if (!userPrivileges.isSupersetOf(requiredPrivileges))
++ {
++ BMCWEB_LOG_ERROR
++ << "Create session failed. User: "
++ << conn.getUserName()
++ << " has prev: " << *userRolePtr;
++
++ BMCWEB_LOG_DEBUG << "User " << conn.getUserName()
++ << " not authorized for kvm connection";
++
++ conn.close("Unathourized access");
++
++ return;
++ }
++
++ BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened";
++
++ if (sessions.size() == maxSessions)
++ {
++ conn.close("Max sessions are already connected");
++ return;
++ }
++ sessions[&conn] = std::make_unique<KvmSession>(conn);
++ }
+
+- sessions[&conn] = std::make_unique<KvmSession>(conn);
++ },
++ "xyz.openbmc_project.User.Manager",
++ "/xyz/openbmc_project/user",
++ "xyz.openbmc_project.User.Manager", "GetUserInfo",
++ conn.getUserName());
+ })
+ .onclose([](crow::websocket::Connection& conn, const std::string&) {
+ sessions.erase(&conn);
+diff --git a/include/obmc_console.hpp b/include/obmc_console.hpp
+index d5eaf819..84115b4f 100644
+--- a/include/obmc_console.hpp
++++ b/include/obmc_console.hpp
+@@ -117,21 +117,77 @@ inline void requestRoutes(App& app)
+ BMCWEB_ROUTE(app, "/console0")
+ .privileges({{"ConfigureComponents", "ConfigureManager"}})
+ .websocket()
+- .onopen(
+- [](crow::websocket::Connection& conn) {
+- BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened";
+-
+- sessions.insert(&conn);
+- if (hostSocket == nullptr)
+- {
+- const std::string consoleName("\0obmc-console", 13);
+- boost::asio::local::stream_protocol::endpoint ep(consoleName);
+-
+- hostSocket =
+- std::make_unique<boost::asio::local::stream_protocol::socket>(
+- conn.getIoContext());
+- hostSocket->async_connect(ep, connectHandler);
+- }
++ .onopen([](crow::websocket::Connection& conn) {
++ // Check the user info before creating session
++ crow::connections::systemBus->async_method_call(
++ [&conn](const boost::system::error_code ec,
++ std::map<std::string,
++ std::variant<bool, std::string,
++ std::vector<std::string>>> userInfo) {
++
++ if (ec)
++ {
++ BMCWEB_LOG_ERROR << "GetUserInfo failed...";
++ conn.close("Failed to get user information");
++ return;
++ }
++
++ const std::string* userRolePtr = nullptr;
++ auto userInfoIter = userInfo.find("UserPrivilege");
++ if (userInfoIter != userInfo.end())
++ {
++ userRolePtr =
++ std::get_if<std::string>(&userInfoIter->second);
++ }
++
++ std::string userRole{};
++ if (userRolePtr != nullptr)
++ {
++ userRole = *userRolePtr;
++ BMCWEB_LOG_ERROR << "userName = " << conn.getUserName()
++ << " userRole = " << *userRolePtr;
++
++ redfish::Privileges userPrivileges =
++ redfish::getUserPrivileges(userRole);
++
++ const ::redfish::Privileges requiredPrivileges{
++ {"ConfigureComponents", "ConfigureManager"}};
++
++ if (!userPrivileges.isSupersetOf(requiredPrivileges))
++ {
++ BMCWEB_LOG_ERROR
++ << "Create session failed. User: "
++ << conn.getUserName()
++ << " has prev: " << *userRolePtr;
++
++ BMCWEB_LOG_DEBUG << "User " << conn.getUserName()
++ << " not authorized for obmc console connection";
++
++ conn.close("Unathourized access");
++
++ return;
++ }
++
++ BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened";
++
++ sessions.insert(&conn);
++ if (hostSocket == nullptr)
++ {
++ const std::string consoleName("\0obmc-console", 13);
++ boost::asio::local::stream_protocol::endpoint ep(consoleName);
++
++ hostSocket =
++ std::make_unique<boost::asio::local::stream_protocol::socket>(
++ conn.getIoContext());
++ hostSocket->async_connect(ep, connectHandler);
++ }
++ }
++
++ },
++ "xyz.openbmc_project.User.Manager",
++ "/xyz/openbmc_project/user",
++ "xyz.openbmc_project.User.Manager", "GetUserInfo",
++ conn.getUserName());
+ })
+ .onclose([](crow::websocket::Connection& conn,
+ [[maybe_unused]] const std::string& reason) {
+--
+2.35.1
+
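Review bot: The new onopen handlers in kvm_websocket.hpp and obmc_console.hpp fail open when the role cannot be read: `if (userRolePtr != nullptr)` has no else branch, so a GetUserInfo reply with no "UserPrivilege" key or a non-string value leaves the websocket connected without closing it or logging, whereas the ec path above it does close. Add the missing branch after the if block in both files, `else { BMCWEB_LOG_ERROR << "GetUserInfo: no UserPrivilege for " << conn.getUserName(); conn.close("Failed to get user information"); }`, so every path either creates the session or closes the connection. Separately, both callbacks capture `[&conn]` into an asynchronous D-Bus completion; if the client disconnects before the reply arrives, `conn` is presumably destroyed and the callback dereferences a dangling reference, so the capture should hold whatever lifetime handle Connection provides (I cannot see its ownership model from this patch) or re-check that the connection is still registered before touching it. Minor: the close reason `"Unathourized access"` is misspelled in both files, and the added `#include <iostream>` in kvm_websocket.hpp is not used by the new code. The enclosing requestRoutes functions begin outside these hunks.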