History log of /openbmc/bmcweb/features/redfish/lib/account_service.hpp (Results 51 – 75 of 199)
Revision Date Author Comments
# 9ae226fa 21-Jun-2023 George Liu <liuxiwei@inspur.com>

Refactor setProperty method

SetProperty is a method we should use more, and use consistently in the
codebase, this commit makes it consistently used from the utility
namespace.

Tested: Refactor. Code compiles.

Signed-off-by: George Liu <liuxiwei@inspur.com>
Change-Id: I5939317d23483e16bd98a8298f53e75604ef374d

# 7a543894 24-Jun-2023 Patrick Williams <patrick@stwcx.xyz>

sdbusplus: use shorter type aliases

The sdbusplus headers provide shortened aliases for many types.
Switch to using them to provide better code clarity and shorter
lines. Possible replacements are for:
* bus_t
* exception_t
* manager_t
* match_t
* message_t
* object_t
* slot_t

Change-Id: I7f26c74901de1de9268782fb3c0ebb3fc26ffcdd
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

# 5eb468da 20-Jun-2023 George Liu <liuxiwei@inspur.com>

Refactor getManagedObjects method

Since the getManagedObjects method has been implemented in
dbus_utility and this commit is to integrate all the places where the
GetManagedObjects method is obtained, and use the method in
dbus_utility uniformly.

Signed-off-by: George Liu <liuxiwei@inspur.com>
Change-Id: Ic13f2bef7b30f805cd3444a75d7df17b031f2eb0

# 2e8c4bda 27-Jun-2022 Ed Tanous <edtanous@google.com>

Make propertyValueTypeError more typesafe

Similar to the prior patchset in this series, propertyValueTypeError can
be moved to safer constructs. This ensures that we are minimizing how
many places we are calling dump() from, and allows us to reduce the
amount of code written for error handling.

Tested:
PATCH /redfish/v1/SessionService {"SessionTimeout": "foo"}

Returns PropertyValueTypeError in the same behavior as prior to this
patch.

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Iddff4b787f35c49bf923663d61bba156687f358c

# e2616cc5 27-Jun-2022 Ed Tanous <edtanous@google.com>

Make propertyValueNotInList typesafe

The error codes for this function accept a string_view, which has caused
a number of cases of users of this function to call dump() to_string()
and all manner of other conversions. Considering that dump() is
something that's difficult to call correctly, and overly wordy, it would
be ideal if the message code just handled that for us.

Therefore, this commit changes the prototype to include a nlohmann::json
object as an argument instead of string_view, then audits the codebase
for all uses, and moves them to a more normalized usage, which allows
the calling code to call "dump" for them.

Tested: PATCH /redfish/v1/SessionService {"SessionTimeout": 1}

Returns the PropertyValueNotInList error as it did before.

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: If62909072db1f067ad1f8aa590bb716c84181219

# 9ba73934 01-Jun-2023 Ninad Palsule <ninadpalsule@us.ibm.com>

Add AccountTypes in POST Accounts service

This drop adds support to specify AccountTypes at the time of user
creation. Made sure that HostConsole is only supported for user with
administrator role.

Testing:
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["HostConsole"]}'
{
"@Message.ExtendedInfo": [
{
"@odata.type": "#Message.v1_1_1.Message",
"Message": "The resource has been created successfully.",
"MessageArgs": [],
"MessageId": "Base.1.13.0.Created",
"MessageSeverity": "OK",
"Resolution": "None."
}
]
}
$ curl -k
https://root:0penBmc@bmc1:443/redfish/v1/AccountService/Accounts/user99
{
"@odata.id": "/redfish/v1/AccountService/Accounts/user99",
"@odata.type": "#ManagerAccount.v1_7_0.ManagerAccount",
"AccountTypes": [
"HostConsole"
],
"Description": "User Account",
"Enabled": true,
"Id": "user99",
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
}
},
"Locked": false,
"Locked@Redfish.AllowableValues": [
"false"
],
"Name": "User Account",
"Password": null,
"PasswordChangeRequired": false,
"RoleId": "Administrator",
"StrictAccountTypes": true,
"UserName": "user99"
}

Also ran following testcases:
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["HostConsole"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Operator", "AccountTypes": ["HostConsole"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"ReadOnly", "AccountTypes": ["HostConsole"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["ManagerConsole"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["Redfish"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["WebUI"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["IPMI"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["Redfish", "IPMI", "HostConsole",
"ManagerConsole", "WebUI"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["Redfish", "HostConsole",
"ManagerConsole", "WebUI"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["Redfish", "ManagerConsole",
"WebUI"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["Redfish", "HostConsole", "WebUI"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Administrator", "AccountTypes": ["IPMI", "HostConsole",
"ManagerConsole"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"Operator", "AccountTypes": ["Redfish", "ManagerConsole", "WebUI"]}'
$ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId":
"ReadOnly", "AccountTypes": ["Redfish", "ManagerConsole", "WebUI"]}'

Change-Id: I19ff994e712bcfaf827a5f8dd02a752a6ab92214
Signed-off-by: Ninad Palsule <ninadpalsule@us.ibm.com>

# 58345856 02-Feb-2022 Abhishek Patel <Abhishek.Patel@ibm.com>

PATCH userGroups Information ("AccountTypes")

This commit enhances the redfish API to set and unset userGroups
information for each user account.

Users with ConfigureUsers level privilege can patch (Set and Unset)
AccountTypes of each user role. In addition, a user with
"ConfigureSelf" level privilege can only set or Update their password.

"Redfish" is always enabled in each user role. However,
"ConfigureUsers" can disable other user redfish services. But if
"ConfigureUsers" try to disable its redfish service, that generates an
error.

In this commit, users can enable and disable "redfish", "ssh",
"hostconsole" and "ipmi" services from each user where ssh is a special
case.

The 'web' group does not control access to the web interface, and
doesn't appear to do anything. The 'redfish' in the UserGroups is
mapped to both Redfish and WebUI AccountTypes. To enable redfish
User Group both of these account types should be specified, and none
to disable it.

Tested:
Testing was done using curl command with ConfigureUsers and
ConfigureSelf.

$ curl -k -X PATCH
https://$bmc:18080/redfish/v1/AccountService/Accounts/webuser -d
'{"AccountTypes": ["Redfish", "WebUI", "ManagerConsole",
"HostConsole"]}'
{
"@Message.ExtendedInfo": [
{
"@odata.type": "#Message.v1_1_1.Message",
"Message": "The request completed successfully.",
"MessageArgs": [],
"MessageId": "Base.1.13.0.Success",
"MessageSeverity": "OK",
"Resolution": "None"
}
]
}

Also ran following cases:

$ curl -k -X PATCH
https://${bmc}/redfish/v1/AccountService/Accounts/user99
-d '{"AccountTypes": ["HostConsole"]}'

$ curl -k -X PATCH
https://${bmc}/redfish/v1/AccountService/Accounts/user99
-d '{"AccountTypes": ["IPMI"]}'

$ curl -k -X PATCH
https://${bmc}/redfish/v1/AccountService/Accounts/user99
-d '{"AccountTypes": ["Redfish", "WebUI"]}'

$ curl -k -X PATCH
https://${bmc}/redfish/v1/AccountService/Accounts/user99
-d '{"AccountTypes": ["ManagerConsole"]}'

$ curl -k -X PATCH
https://${bmc}/redfish/v1/AccountService/Accounts/user99
-d '{"AccountTypes": ["Redfish", "IPMI", "HostConsole",
"ManagerConsole", "WebUI"]}'
{
"error": {
"@Message.ExtendedInfo": [
{
"@odata.type": "#Message.v1_1_1.Message",
"Message": "There are insufficient privileges for the account or
credentials associated with the current session to
perform the requested operation.",
"MessageArgs": [],
"MessageId": "Base.1.13.0.InsufficientPrivilege",
"MessageSeverity": "Critical",
"Resolution": "Either abandon the operation or change the
associated access rights and resubmit the request if the
operation failed."
}
],
"code": "Base.1.13.0.InsufficientPrivilege",
"message": "There are insufficient privileges for the account or
credentials associated with the current session to
perform the requested operation."
}

$ curl -k -H 'X-Auth-Token: IpnCBj1Lozh53Jhzxu7T' -X PATCH
https://${bmc}/redfish/v1/AccountService/Accounts/user999
-d '{"Password":"0penBmc123"}'
{
"@Message.ExtendedInfo": [
{
"@odata.type": "#Message.v1_1_1.Message",
"Message": "The request completed successfully.",
"MessageArgs": [],
"MessageId": "Base.1.13.0.Success",
"MessageSeverity": "OK",
"Resolution": "None"
}
]

Signed-off-by: Ninad Palsule <ninadpalsule@us.ibm.com>
Signed-off-by: Abhishek Patel <Abhishek.Patel@ibm.com>
Change-Id: I1a0344ca45556b820bb77c3dcb459f27eb032501
Signed-off-by: Shantappa Teekappanavar <shantappa.teekappanavar@ibm.com>

# 25e055a3 09-Aug-2022 Ravi Teja <raviteja28031990@gmail.com>

Handle AccountService D-bus errors

Currently LDAP configuration D-bus errors are not mapped to Redfish
Errors, so returning internalError irrespective of D-bus error.

This commit handles InvalidArgument D-bus error for LDAP config

Tested By:
Configure LDAP with various invalid arguments.

Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>
Change-Id: I6adaedd936fb3d9d906750649792a4d414b54b73

# 3e72c202 27-Mar-2023 Ninad Palsule <ninadpalsule@us.ibm.com>

Added new pre-defined usergroup called hostconsole

The new pre-defined usergroup named "hostconsole" is added to
differentiate access between host console and manager console.
The only users allowed to interact with host console are part of the
"hostconsole" group and they are in an administrator role.

Note: The changes are spread across multiple repositories listed under
"Related commits:"

The bmcweb changes to incorporate new group are as follows:
- The new user is added in the hostconsole group only if it has an
administrative role.
- The ssh usergroup is only translated to ManagerConsole redfish group
and hostconsole usergroup is translated to HostConsole redfish group.
- The following changes are made to check the privileges for host console
access
- The new OEM privilege "OpenBMCHostConsole" added for host console
access. This privilege is not shared externally hence it is not
documented.
- Updated obmc_console BMCWEB_ROUTE to use the new privilege.
- Router functions now save user role and user groups in the session
- getUserPrivileges() function now takes session reference instead
of user role. This function now also checks for the user group
"hostconsole" and add the new privilege if user is member of this
group.
- Updated all callers of the getUserPrivileges to pass session
reference.
- Added test to validate that new privilege is set correctly.

Tested:
Loaded code on the system and validated that;
- New user gets added in hostconsole group. NOTE: Prior to this commit
all groups are assigned to new user. This drop does not change that
behavior.
- Access from the web gui is only available for users in hostconsole
group. Used IBM internal simulator called simics to test this. This
simulator allows accessing openbmc from GUI.
- Checked the role collection and there is no change.
$ curl -k -H "X-Auth-Token: $TOKEN" -X GET \
https://${bmc}/redfish/v1/AccountService/Roles
$ curl -k -H "X-Auth-Token: $TOKEN" -X GET \
https://${bmc}/redfish/v1/AccountService/Roles/Administrator
$ curl -k -H "X-Auth-Token: $TOKEN" -X GET \
https://${bmc}/redfish/v1/AccountService/Roles/ReadOnly
$ curl -k -H "X-Auth-Token: $TOKEN" -X GET \
https://${bmc}/redfish/v1/AccountService/Roles/Operator

- HostConsole is in AccountType when hostconsole group is present in
UserGroups D-Bus property

$ id user99
uid=1006(user99) gid=100(users) groups=1000(priv-admin),1005(web),\
1006(redfish),1013(hostconsole),100(users)

$ curl -k https://${bmc}/redfish/v1/AccountService/Accounts/user99
{
"@odata.id": "/redfish/v1/AccountService/Accounts/user99",
"@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount",
"AccountTypes": [
"HostConsole",
"Redfish",
"WebUI",
"ManagerConsole"
],
"Description": "User Account",
"Enabled": true,
"Id": "user99",
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
}
},
"Locked": false,
"Locked@Redfish.AllowableValues": [
"false"
],
"Name": "User Account",
"Password": null,
"PasswordChangeRequired": false,
"RoleId": "Administrator",
"UserName": "user99"

- The hostconsole group is not present for readonly or operator users
and also made sure that console access is not provided. This testing
is done on the system and console access was tried by modifying the
https://github.com/openbmc/bmcweb/blob/master/scripts/websocket_test.py

+ curl -k https://${bmc}/redfish/v1/AccountService/Accounts/user99
{
"@odata.id": "/redfish/v1/AccountService/Accounts/user99",
"@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount",
"AccountTypes": [
"IPMI",
"Redfish",
"WebUI",
"ManagerConsole"
],
"Description": "User Account",
"Enabled": true,
"Id": "user99",
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/ReadOnly"
}
},
"Locked": false,
"Locked@Redfish.AllowableValues": [
"false"
],
"Name": "User Account",
"Password": null,
"PasswordChangeRequired": false,
"RoleId": "ReadOnly",
"UserName": "user99"

[INFO "http_connection.hpp":209] Request: 0x150ac38 HTTP/1.1 GET /console0 ::ffff:x.x.xx.xxx
[DEBUG "routing.hpp":1265] Matched rule (upgrade) '/console0' 1 / 2
[DEBUG "routing.hpp":1084] userName = user99 userRole = priv-user
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=ipmi
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=redfish
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=ssh
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=web
[DEBUG "routing.hpp":93] checkPrivileges: BASE USER: Login
[DEBUG "routing.hpp":93] checkPrivileges: BASE USER: ConfigureSelf
[DEBUG "routing.hpp":113] checkPrivileges: OEM REQUIRED: OpenBMCHostConsole
[ERROR "routing.hpp":1192] Insufficient Privilege

+ curl -k https://${bmc}/redfish/v1/AccountService/Accounts/user99
{
"@odata.id": "/redfish/v1/AccountService/Accounts/user99",
"@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount",
"AccountTypes": [
"IPMI",
"Redfish",
"WebUI",
"ManagerConsole"
],
"Description": "User Account",
"Enabled": true,
"Id": "user99",
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/Operator"
}
},
"Locked": false,
"Locked@Redfish.AllowableValues": [
"false"
],
"Name": "User Account",
"Password": null,
"PasswordChangeRequired": false,
"RoleId": "Operator",
"UserName": "user99"

[INFO "http_connection.hpp":209] Request: 0x21c7c38 HTTP/1.1 GET /console0 ::ffff:x.x.xx.xxx
[DEBUG "routing.hpp":1265] Matched rule (upgrade) '/console0' 1 / 2
[DEBUG "routing.hpp":1084] userName = user99 userRole = priv-operator
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=ipmi
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=redfish
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=ssh
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=web
[DEBUG "routing.hpp":93] checkPrivileges: BASE USER: Login
[DEBUG "routing.hpp":93] checkPrivileges: BASE USER: ConfigureComponents
[DEBUG "routing.hpp":93] checkPrivileges: BASE USER: ConfigureSelf
[DEBUG "routing.hpp":113] checkPrivileges: OEM REQUIRED: OpenBMCHostConsole
[ERROR "routing.hpp":1192] Insufficient Privilege

Related commits:
NOTE: docs, openbmc, obmc-console changes are already merged. bmcweb
and phosphor-user-manager will be merged together.
docs: https://gerrit.openbmc.org/c/openbmc/docs/+/60968
phosphor-user-manager: https://gerrit.openbmc.org/c/openbmc/phosphor-user-manager/+/61583
openbmc: https://gerrit.openbmc.org/c/openbmc/openbmc/+/61582
obmc-console: https://gerrit.openbmc.org/c/openbmc/obmc-console/+/61581
bmcweb: https://gerrit.openbmc.org/c/openbmc/bmcweb/+/61580

Change-Id: Ia5a33dafc9a76444e6a8e74e752f0f90cb0a31c8
Signed-off-by: Ninad Palsule <ninadpalsule@us.ibm.com>
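
Added example (not bmcweb code and not written by the commit authors): a stand-alone C++ version of the UserGroups/AccountTypes translation described in the commit messages above, with "redfish" backing both Redfish and WebUI, "ssh" mapping to ManagerConsole, and HostConsole accepted only for the Administrator role. All function and type names are hypothetical; the ipmi-to-IPMI mapping and the rejection of a request that names only one of Redfish/WebUI are assumptions read from those messages.

```cpp
// Added example; every name below is hypothetical, not bmcweb's.
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

using Strings = std::vector<std::string>;

static void addUnique(Strings& v, const std::string& s)
{
    if (std::find(v.begin(), v.end(), s) == v.end())
    {
        v.push_back(s);
    }
}

// D-Bus UserGroups -> Redfish AccountTypes (read path).
Strings groupsToAccountTypes(const Strings& groups)
{
    Strings types;
    for (const std::string& group : groups)
    {
        if (group == "redfish")
        {
            // One group backs two account types.
            addUnique(types, "Redfish");
            addUnique(types, "WebUI");
        }
        else if (group == "ssh")
        {
            addUnique(types, "ManagerConsole");
        }
        else if (group == "hostconsole")
        {
            addUnique(types, "HostConsole");
        }
        else if (group == "ipmi")
        {
            addUnique(types, "IPMI"); // assumed 1:1 mapping
        }
        // "web" (and any unknown group) grants no account type.
    }
    return types;
}

enum class Verdict
{
    ok,
    unknownType,
    redfishWebUiMismatch,
    hostConsoleNeedsAdmin
};

struct Translation
{
    Verdict verdict;
    Strings groups; // empty unless verdict == Verdict::ok
};

// Requested AccountTypes -> UserGroups (POST/PATCH path). The whole
// request is validated before any group would be written.
Translation accountTypesToGroups(const Strings& types,
                                 const std::string& roleId)
{
    Strings groups;
    bool redfish = false;
    bool webUi = false;
    for (const std::string& type : types)
    {
        if (type == "Redfish") { redfish = true; }
        else if (type == "WebUI") { webUi = true; }
        else if (type == "ManagerConsole") { addUnique(groups, "ssh"); }
        else if (type == "IPMI") { addUnique(groups, "ipmi"); }
        else if (type == "HostConsole")
        {
            // Host console access is reserved for administrators.
            if (roleId != "Administrator")
            {
                return {Verdict::hostConsoleNeedsAdmin, {}};
            }
            addUnique(groups, "hostconsole");
        }
        else { return {Verdict::unknownType, {}}; }
    }
    // Both types enable the "redfish" group, neither disables it;
    // naming only one is treated as an error (assumption).
    if (redfish != webUi) { return {Verdict::redfishWebUiMismatch, {}}; }
    if (redfish) { addUnique(groups, "redfish"); }
    return {Verdict::ok, groups};
}

int main()
{
    // Constructed request: an Operator asking for HostConsole.
    Translation t = accountTypesToGroups(
        Strings{"Redfish", "WebUI", "HostConsole"}, "Operator");
    std::cout << (t.verdict == Verdict::ok ? "accepted" : "rejected") << '\n';
    return 0;
}
```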

# 97e90da3 17-May-2023 Ninad Palsule <ninadpalsule@us.ibm.com>

Move long lambda in separate function

The GetAllGroups lambda is very long and need to add some more stuff for
hostconsole work hence moving it in the separate function.

Tested: Created user.
+ curl -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts \
-d '{"UserName": "user99", "Password": "0penBmc0", "RoleId": "Operator"}'
{
"@Message.ExtendedInfo": [
{
"@odata.type": "#Message.v1_1_1.Message",
"Message": "The resource has been created successfully.",
"MessageArgs": [],
"MessageId": "Base.1.13.0.Created",
"MessageSeverity": "OK",
"Resolution": "None."
}
]
}

Change-Id: If62fa803217e43bdecca7965d16c98d852f0b5be
Signed-off-by: Ninad Palsule <ninadpalsule@us.ibm.com>

# b2ba3072 12-May-2023 Patrick Williams <patrick@stwcx.xyz>

fix more push vs emplace calls

It seems like clang-tidy doesn't catch every place that an emplace could
be used instead of a push. Use a few grep/sed pairs to find and fix up
some common patterns.

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I93eaec26b8e3be240599e92b66cf54947073dc4c

# 89492a15 10-May-2023 Patrick Williams <patrick@stwcx.xyz>

clang-format: copy latest and re-format

clang-format-16 has some backwards incompatible changes that require
additional settings for best compatibility and re-running the formatter.
Copy the latest .clang-format from the docs repository and reformat the
repository.

Change-Id: I75f89d2959b0f1338c20d72ad669fbdc1d720835
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

# afd369c6 07-Mar-2023 Jiaqing Zhao <jiaqing.zhao@intel.com>

account_service: Don't call HEAD handler in GET handler

When If-Match header is provided, calling the HEAD handler in GET
handler will not break the execution flow if Etag does not match.
This patch fixes it by calling setUpRedfishRoute() in GET handlers.

Tested:
GET /redfish/v1/AccountService/Accounts/root with an invalid If-Match,
only the PreconditionFailed error message is in the response body.

Change-Id: I0bbec820a1d62503db721d8bf620a81bd7c6a92e
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@intel.com>

# 5e7e2dc5 16-Feb-2023 Ed Tanous <edtanous@google.com>

Take boost error_code by reference

By convention, we should be following boost here, and passing error_code
by reference, not by value. This makes our code consistent, and removes
the need for a copy in some cases.

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Id42ea4a90b6685a84818b87d1506c11256b3b9ae

# 5b5574ac 26-Sep-2022 Ed Tanous <edtanous@google.com>

Fix OemAccountService schema

This schema as-written broke a bunch of Redfish specification rules for
schemas, naming and other things. This commit starts to fix them.

It can be used as a starting point for fixing the existing schemas.
This working through testing.

Tested: OpenBMCAccountService_v1.xml now passes the redfish odata schema
validator.

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Id991794344b8b7d36af3c44bba7214bf025deec8

# 20fc307f 27-Jan-2023 Gunnar Mills <gmills@us.ibm.com>

Fix handleAccounttDelete spelling

Extra t, make the method match others like handleAccountPatch.
1ef4c3423f1f13ba6a804f72427641e6f8287dba has this wrong.

Tested: None. It builds.

Change-Id: I7e465d525ddb3ce89567b6918933e41726a4faa4
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

# 870f3e91 25-Jan-2023 Ed Tanous <edtanous@google.com>

Remove unused variables

These were found by inspection.

Tested: Code Compiles. Dead code elimination.
Change-Id: I53455672f96faa44ad0e94146baf2d28daf8e10a
Signed-off-by: Ed Tanous <edtanous@google.com>

# 2b73119c 11-Jan-2023 George Liu <liuxiwei@inspur.com>

Add the GetObject method to dbus_utility

There are currently many files that use the GetObject method.
Since they are a general method, they are defined in the
dbus_utility.hpp file and refactors them.

Tested: Built bmcweb successfully and Validator passes.

Signed-off-by: George Liu <liuxiwei@inspur.com>
Change-Id: If2af77294389b023b611987252ee6149906fcd25

# 3ccb3adb 13-Jan-2023 Ed Tanous <edtanous@google.com>

Fix a boatload of #includes

Most of these missing includes were found by running clang-tidy on all
files, including headers. The existing scripts just run clang-tidy on
source files, which doesn't catch most of these.

Tested: Code compiles

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Ic741fbb2cc9e5e92955fd5a1b778a482830e80e8

# 329f0348 04-Nov-2022 Jorge Cisneros <jcisneros3@lenovo.com>

Problem with RemoteRoleMapping JSON

The current LDAP group map on /redfish/v1/AccountService is incorrect
and is creating a bad JSON response. instead of an array of objects, is
creating a nested array of objects. The problem is visible on the
website adding a new LDAP group map, it will show 2 empty rows instead
of one with the correct data.

The current JSON data is:
"RemoteRoleMapping": [
    [
        {
            "RemoteGroup": "groupname"
        }
    ],
    [
        {
            "LocalRole": "Operator"
        }
    ]
],
The correct JSON is:
"RemoteRoleMapping": [
    {
        "LocalRole": "Operator",
        "RemoteGroup": "groupname"
    }
],

The tests redfish/account_service/test_ldap_configuration crashed
BMCWEB generates around 9 core dump files.

Tested:
redfish/account_service/test_ldap_configuration passed the tests
Adding a new LDAP group map on the website, showing the correct data,

Change-Id: I5de7db372ceff1cc596da2b04f5fd730415f7216
Signed-off-by: Jorge Cisneros <jcisneros3@lenovo.com>

# 618c14b4 30-Jun-2022 Ed Tanous <edtanous@google.com>

Fix some use-after-move issues

This diff looks bad. The only thing that changed functionally is
changing:
password(std::move(password)), roleId(std::move(roleId))

in the lambda capture to

password, roleId

because password and roleid are getting used later. Unfortunately,
clang decides to rearrange this whole lambda.

Tested: Passes cppcheck.
'''
curl -vvvv --insecure --user root:0penBmc -X PATCH -d '{"Password": "0penBmc1"}' https://192.168.7.2/redfish/v1/AccountService/Accounts/root
'''

Succeeds at patching the root password.

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I97b10a40d0b271b211bf4e6c09888d3cd568a3d0

# 0ec8b83d 14-Mar-2022 Ed Tanous <edtanous@google.com>

Generate Redfish enums from schemas

OpenBMC tends to have a significant problem in doing the appropriate
lookups from the schema files, and many bugs have been injected by users
picking a bad enum, or mistyping the casing of an enum value.

At the same time, nlohmann::json has recently added first class support
for enums, https://json.nlohmann.me/features/enum_conversion/

This commit attempts to build a set of redfish includes file with all
the available Redfish enums in an easy to use enum class. This makes it
very clear which enums are supported by the schemas we produce, and adds
very little to no extra boilerplate on the human-written code we
produced previously.

Note, in the generated enum class, because of our use of the clang-tidy
check for macros, the clang-tidy check needs an exception for these
macros that don't technically follow the coding standard. This seems
like a reasonable compromise, and in this case, given that nlohmann
doesn't support a non-macro version of this.

One question that arises is what this does to the binary size.... Under
the current compiler optimizations, and with the current best practices,
it leads to an overall increase in binary size of ~1200 bytes for the
enum machinery, then approximately 200 bytes for every call site we
switch over. We should decide if this nominal increase is reasonable.

Tested: Redfish protocol validator runs with same number of failures as
previously.
Redfish Service Validator passes (one unrelated qemu-specific exception)

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I7c7ee4db0823f7c57ecaa59620b280b53a46e2c1

# 239adf85 25-Mar-2022 Asmitha Karunanithi <asmitk01@in.ibm.com>

Remove support for priv-noaccess role

A user created with no-access privilege is allowed to login
but can not logout. Any no-access user can create many and
many login sessions and exhaust the bmc without logging out.

No-access role was basically added to support the IPMI usecase,
where a user can be created first and then is assigned a privilege.
This is being reworked at IPMI interface and the dependency on the
no-access privilege is being removed completely. Following two
commits were added to support the priv-noaccess in user-manager
and bmcweb:
[1] https://github.com/openbmc/bmcweb/commit/e9e6d240ab85e515f8d264e39b47a75043b73374
[2] https://github.com/openbmc/phosphor-user-manager/commit/7c6e7cffaf061aabfe5489ef52442e2f7cbd0fb7

This commit removes the no-access role support at bmcweb by
reverting the commit:
[1] https://github.com/openbmc/bmcweb/commit/e9e6d240ab85e515f8d264e39b47a75043b73374

The user-manager change w.r.t this change is at:
[1] https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-user-manager/+/52363

Tested By:
1. Create an LDAP user with priv-noaccess. Verify the login attempt
fails with accessDenied error
2. Verified the other role users can login

Signed-off-by: Asmitha Karunanithi <asmitk01@in.ibm.com>
Change-Id: I5ac8a58d9146379c9ce3be804d476ea85835bb2f

# c7229815 01-Feb-2022 Abhishek Patel <Abhishek.Patel@ibm.com>

Retrieve userGroups Information ("AccountTypes")

This commit enhances the redfish API to retrieve userGroups information
for each user account.

"Redfish" is always enabled in each user role. That's why it was
hardcoded into JSON response data in the old redfish API, where now it
gets retrieved using dbus interface xyz.openbmc_project.User.Attributes.
UserGroups.

UserGroups retrieve data are "redfish", "ssh", "web", and "ipmi", where
redfish DMTF Schema has predefined enum type as described below.

"AccountTypes": {
"enum":["Redfish", "SNMP", "OEM", "HostConsole", "ManagerConsole",
"IPMI", "KVMIP", "VirtualMedia", "WebUI"]
}

Here UserGroups ssh is mapped with two AccountTypes "HostConsole",
"ManagerConsole".

- Redfish ManagerConsole == SSH to port 22 == Phosphor User manager
Phosphor “ssh” privilege
- Redfish HostConsole == SSH to port 2200 (host console), Which
OpenBMC implements using the Phosphor User manager Phosphor “ssh”
privilege.

The 'web' group does not control access to the web interface, and
doesn't appear to do anything. The 'redfish' in the UserGroups is
mapped to both Redfish and WebUI AccountTypes even when there is
no 'web' group in the UserGroups.

Test:

Pass Redfish Service Validator

$ curl -k -X GET
https://$bmc@r5:18080/redfish/v1/AccountService/Accounts/webuser
{
...
"AccountTypes": [
"Redfish",
"WebUI"
],
...

Signed-off-by: Abhishek Patel <Abhishek.Patel@ibm.com>
Change-Id: Iaa9b6c07b3d26e8994be28a50c22437e0bc9bc8f
Signed-off-by: Shantappa Teekappanavar <shantappa.teekappanavar@ibm.com>

# 613dabea 09-Jul-2022 Ed Tanous <edtanous@google.com>

Remove nlohmann brace initialization

There's a few last places (outside of tests) where we still use
nlohmann brace initialization. Per the transforms we've been doing,
move these to constructing the objects explicitly, using operator[],
nlohmann::object_t and nlohmann::array_t. These were found by manual
inspection grepping for all uses of nlohmann::json.

This is done to reduce binary size and reduce the number of intermediate
objects being constructed. This commit saves a trivial amount of size
(~4KB, half a percent of total) and in addition makes our
construction consistent.

Tested:
Redfish service validator passes.

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I7478479a9fdc41b254eef325002d413c1fb411a0
