diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/http_routing/0004-Add-Privileges-to-Websockets.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/http_routing/0004-Add-Privileges-to-Websockets.patch | 140 |
1 files changed, 140 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/http_routing/0004-Add-Privileges-to-Websockets.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/http_routing/0004-Add-Privileges-to-Websockets.patch new file mode 100644 index 000000000..64e235ce3 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/http_routing/0004-Add-Privileges-to-Websockets.patch @@ -0,0 +1,140 @@ +From 9b27d3e7c1670d53cfb1c0a88cc75155ebfba71a Mon Sep 17 00:00:00 2001 +From: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com> +Date: Mon, 18 Oct 2021 22:58:29 +0530 +Subject: [PATCH] Add Privileges to Websockets + +This commit adds Privileges to Websockets. +In the current implementation, once a rule is upgraded (i.e. from +BaseRule to WebSocket), there is no provosion to add priviliges. +In this commit, WebSocket inherits PrivilegeParameterTraits to enable +privileges. + +Also, in the earlier implementation, .privilege() was called after +BMCWEB_ROUTE(). This results in adding those privileges to the Base rule +that is created. By moving the privileges() below websocket(), the +privileges are applied to the websocket. + +Tested: + - websocket_test.py Passed + - Admin and Operator users were able to access KVM on WebUI + - Readonly User was unable to access KVM on WebUI + +Change-Id: Iff2051dbb7d363c902fd463fa446f280adc6d648 +Signed-off-by: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com> +--- + http/routing.hpp | 4 +++- + include/dbus_monitor.hpp | 3 ++- + include/kvm_websocket.hpp | 4 +++- + include/obmc_console.hpp | 4 +++- + include/vm_websocket.hpp | 4 +++- + 5 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/http/routing.hpp b/http/routing.hpp +index e2a8fbb..6ea3185 100644 +--- a/http/routing.hpp ++++ b/http/routing.hpp +@@ -345,7 +345,9 @@ struct PrivilegeParameterTraits + } + }; + +-class WebSocketRule : public BaseRule ++class WebSocketRule : ++ public BaseRule, ++ public PrivilegeParameterTraits<WebSocketRule> + { + using self_t = WebSocketRule; + +diff --git a/include/dbus_monitor.hpp b/include/dbus_monitor.hpp +index a6c86c6..163f884 100644 +--- a/include/dbus_monitor.hpp ++++ b/include/dbus_monitor.hpp +@@ -5,6 +5,7 @@ + #include <boost/container/flat_set.hpp> + #include <dbus_singleton.hpp> + #include <openbmc_dbus_rest.hpp> ++#include <registries/privilege_registry.hpp> + #include <sdbusplus/bus/match.hpp> + #include <sdbusplus/message/types.hpp> + #include <websocket.hpp> +@@ -105,8 +106,8 @@ inline int onPropertyUpdate(sd_bus_message* m, void* userdata, + inline void requestRoutes(App& app) + { + BMCWEB_ROUTE(app, "/subscribe") +- .privileges({{"Login"}}) + .websocket() ++ .privileges(redfish::privileges::privilegeSetLogin) + .onopen([&](crow::websocket::Connection& conn, + const std::shared_ptr<bmcweb::AsyncResp>&) { + BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened"; +diff --git a/include/kvm_websocket.hpp b/include/kvm_websocket.hpp +index a9dc8ea..3f124a2 100644 +--- a/include/kvm_websocket.hpp ++++ b/include/kvm_websocket.hpp +@@ -4,6 +4,7 @@ + #include <app.hpp> + #include <async_resp.hpp> + #include <boost/container/flat_map.hpp> ++#include <registries/privilege_registry.hpp> + #include <websocket.hpp> + + namespace crow +@@ -159,8 +160,9 @@ inline void requestRoutes(App& app) + sessions.reserve(maxSessions); + + BMCWEB_ROUTE(app, "/kvm/0") +- .privileges({{"ConfigureComponents", "ConfigureManager"}}) + .websocket() ++ .privileges(redfish::privileges:: ++ privilegeSetConfigureManagerOrConfigureComponents) + .onopen([](crow::websocket::Connection& conn, + const std::shared_ptr<bmcweb::AsyncResp>&) { + BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened"; +diff --git a/include/obmc_console.hpp b/include/obmc_console.hpp +index ff0a51f..22a49a8 100644 +--- a/include/obmc_console.hpp ++++ b/include/obmc_console.hpp +@@ -6,6 +6,7 @@ + #include <boost/asio/local/stream_protocol.hpp> + #include <boost/container/flat_map.hpp> + #include <boost/container/flat_set.hpp> ++#include <registries/privilege_registry.hpp> + #include <websocket.hpp> + + namespace crow +@@ -136,8 +137,9 @@ inline void connectHandler(const boost::system::error_code& ec) + inline void requestRoutes(App& app) + { + BMCWEB_ROUTE(app, "/console0") +- .privileges({{"ConfigureComponents", "ConfigureManager"}}) + .websocket() ++ .privileges(redfish::privileges:: ++ privilegeSetConfigureManagerOrConfigureComponents) + .onopen([](crow::websocket::Connection& conn, + const std::shared_ptr<bmcweb::AsyncResp>&) { + BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened"; +diff --git a/include/vm_websocket.hpp b/include/vm_websocket.hpp +index 02f958a..ebbe68f 100644 +--- a/include/vm_websocket.hpp ++++ b/include/vm_websocket.hpp +@@ -3,6 +3,7 @@ + #include <app.hpp> + #include <boost/beast/core/flat_static_buffer.hpp> + #include <boost/process.hpp> ++#include <registries/privilege_registry.hpp> + #include <websocket.hpp> + + #include <csignal> +@@ -156,8 +157,9 @@ static std::shared_ptr<Handler> handler; + inline void requestRoutes(App& app) + { + BMCWEB_ROUTE(app, "/vm/0/0") +- .privileges({{"ConfigureComponents", "ConfigureManager"}}) + .websocket() ++ .privileges(redfish::privileges:: ++ privilegeSetConfigureManagerOrConfigureComponents) + .onopen([](crow::websocket::Connection& conn, + const std::shared_ptr<bmcweb::AsyncResp>&) { + BMCWEB_LOG_DEBUG << "Connection " << &conn << " opened"; +-- +2.17.1 + |