16c2b681 | 16-Aug-2024 | Patrick Williams <patrick@stwcx.xyz>
clang-format: re-format for clang-18
clang-format-18 isn't compatible with the clang-format-17 output, so we need to reformat the code with the latest version. The way clang-18 handles lambda formatting also changed, so we have made changes to the organization default style format to better handle lambda formatting.
See I5e08687e696dd240402a2780158664b7113def0e for updated style. See Iea0776aaa7edd483fa395e23de25ebf5a6288f71 for clang-18 enablement.
Change-Id: I75bbf0de40859a5e507455a52ceaef9be5b686c7
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

4e2c06e7 | 20-Apr-2024 | Ravi Teja <raviteja28031990@gmail.com>
Remove web user group
This 'web' group is currently not doing anything and is considered to be equivalent to 'redfish'.
Change-Id: I20a0a7e3a0bff3128e8e391317045a71038d119b
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>

d9adc73a | 17-Jan-2024 | nichanghao.nch <nichanghao@linux.alibaba.com>
BugFix: user name contains invalid characters
There is a typo in the policy "[a-zA-z_]" configuration. It should be "[a-zA-Z_]". BTW: the group name has the same issue; fix it by the way.
Tested: Create a username that contains invalid characters like ^, [, or ].
Before: an invalid character can be added as a username:
  ipmitool user list 1
  ID  Name   Callin
  4   ^test  true
  5   [test  true
  7   ]test  true
  8   _test  true
After: an error will be returned once the user name has an invalid character:
  ipmitool user set name 4 ^test4
  Set User Name command failed (user 4, name ^test4): Unspecified error
UnitTest is added.
Change-Id: I86b062faea84906dde7cf37a0d51631d78526cb1
Signed-off-by: nichanghao.nch <nichanghao@linux.alibaba.com>
Signed-off-by: Kwin Wang <wangkuiying.wky@alibaba-inc.com>

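Added example (not code from phosphor-user-manager) for the typo described in the commit above: inside a bracket expression, A-z is a byte range, so "[a-zA-z_]" also accepts [, backslash, ], ^ and `, which is why ^test and [test got through. The pattern around the character class (a leading letter or underscore, then letters, digits or underscores) and the function names are assumptions; the page only shows the class itself.

```cpp
// Added example, not code from phosphor-user-manager: why the "[a-zA-z_]"
// typo let "^test" and "[test" through, and the corrected check.
#include <iostream>
#include <regex>
#include <string>

// The page only shows the "[a-zA-z_]" fragment; the rest of the pattern (a
// leading letter or underscore, then letters, digits or underscores) is an
// assumption made for this example.
static const std::regex buggyUserNamePattern("^[a-zA-z_][a-zA-z0-9_]*$");
static const std::regex fixedUserNamePattern("^[a-zA-Z_][a-zA-Z0-9_]*$");

// In a bracket expression "A-z" is the byte range 0x41..0x7A. Besides the two
// alphabets that range covers '[', backslash, ']', '^', '_' and '`'
// (0x5B..0x60), which is why the broken policy accepted names starting with
// '^', '[' or ']'.
bool isValidUserNameBuggy(const std::string& name) {
    return std::regex_match(name, buggyUserNamePattern);
}

bool isValidUserName(const std::string& name) {
    return std::regex_match(name, fixedUserNamePattern);
}

// Every ASCII byte the buggy class accepts as a leading character but the
// fixed one rejects, so the impact of the typo is measured rather than guessed.
std::string charsOnlyBuggyAccepts() {
    std::string out;
    for (int c = 1; c < 128; ++c) {
        std::string single(1, static_cast<char>(c));
        if (isValidUserNameBuggy(single) && !isValidUserName(single))
            out.push_back(static_cast<char>(c));
    }
    return out; // "[\]^`"  ('_' is accepted by both, so it is not listed)
}

int main() {
    for (const char* name : {"^test", "[test", "]test", "_test", "root"}) {
        std::cout << name << ": buggy=" << isValidUserNameBuggy(name)
                  << " fixed=" << isValidUserName(name) << '\n';
    }
    std::cout << "extra leading bytes accepted by the typo: "
              << charsOnlyBuggyAccepts() << '\n';
    return 0;
}
```

The same range trap applies to any policy that spells a class as A-z instead of A-Za-z, so the enumeration function is the quickest way to audit a regex before shipping it.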
90b84ad9 | 29-Nov-2023 | Patrick Williams <patrick@stwcx.xyz>
build: use allowed over enabled
Meson feature options are typically in a tri-state of enabled, disabled, or auto. The enabled and disabled functions on an option (from `get_option`) no longer return true for auto features. Instead, the expectation is to use `allowed()` which is true for both enabled and auto.
Switch all uses of `enabled` to `allowed`.
Change-Id: I50f949d6323c4ff17e48901a56f7e34a76ca46db
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

cb20ea83 | 20-Oct-2023 | Patrick Williams <patrick@stwcx.xyz>
clang-format: copy latest and re-format
clang-format-17 has some backwards incompatible changes that require additional settings for best compatibility and re-running the formatter. Copy the latest .clang-format from the docs repository and reformat the repository.
Change-Id: I094854676307faf5395459925ff0750f1402e578
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

e8edab57 | 06-Sep-2023 | Denis Zlobin <zlobin.d.al@gmail.com>
Fix user account status for manually blocked users
User account status in the web interface is displayed incorrectly if the account is disabled (or enabled) via ssh.
Test manually:
1. Create a new user using the web interface.
2. Change the user account expiration date via ssh: chage -E 1970-01-01 <new user>. The user account is blocked.
3. Check the user status in the web interface. The blocked user account status should be displayed as "Disabled".
Change-Id: I15e93a87653289b5ba76313895da0cf7e5dd2c7c
Signed-off-by: Denis Zlobin <zlobin.d.al@gmail.com>

3b280ec7 | 15-Aug-2023 | Jason M. Bills <jason.m.bills@intel.com>
Update pam_pwhistory to use pwhistory.conf
With libpam 1.5.3, pam_pwhistory added support to get configuration options from pwhistory.conf similar to faillock and pwquality.
This updates pam_pwhistory to use pwhistory.conf for the remember setting.
pwhistory remember was the last setting directly using the common-password file, so this also removes the two functions to get and set PAM module arg values which resolves #16.
Tested: Confirmed that getting and setting the RememberOldPasswordTimes D-Bus property gets and sets the remember value in pwhistory.conf.
Change-Id: If8f90720c120c5c49e2b8b4a840a427d46ffc7d9
Signed-off-by: Jason M. Bills <jason.m.bills@intel.com>

17b88278 | 22-May-2023 | Jason M. Bills <jason.m.bills@intel.com>
Remove temp file on failure
If the parameter is not found, the temp file is left in the file system since it isn't renamed. This deletes the temp file in that case.
If the source file is not found, the temp file is left in the file system. This deletes the temp file in that case.
This updates the tests to cover these two conditions and confirm that the temp file is not present.
Tested: Corrupted the faillock.conf deny parameter and the pwquality.conf minlen parameter and confirmed that after attempting to modify them through Redfish, the _tmp files are not left in the /etc/security folder.
Change-Id: I59e543d12f7e509533182339d224c4e8dc9b580d
Signed-off-by: Jason M. Bills <jason.m.bills@intel.com>

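Added example (not code from phosphor-user-manager) of the temp-file update the commit above is fixing for faillock.conf and pwquality.conf: write a <file>_tmp copy next to the original, rename it into place only when the parameter was found, and remove the copy in every failure path, including a missing source file. The keyOf/getConfigParam/setConfigParam names, the sample file contents and the scratch directory are assumptions for this example.

```cpp
// Added example, not code from phosphor-user-manager: update one "key = value"
// entry of a PAM config file such as /etc/security/faillock.conf by writing a
// "<file>_tmp" copy and renaming it into place, and make sure the copy is
// removed again when the source file or the parameter is missing.
#include <filesystem>
#include <fstream>
#include <iostream>
#include <string>

namespace fs = std::filesystem;

// Parameter name of a "key = value" or bare "key" line; "" for blank and
// commented lines, so "# deny = 3" is never mistaken for the live "deny".
static std::string keyOf(const std::string& line) {
    auto start = line.find_first_not_of(" \t");
    if (start == std::string::npos || line[start] == '#' || line[start] == '=')
        return "";
    auto eq = line.find('=', start);
    auto end = (eq == std::string::npos) ? line.size() : eq;
    auto last = line.find_last_not_of(" \t\r", end - 1);
    return line.substr(start, last - start + 1);
}

// Value of `key` with surrounding whitespace stripped; "" when absent or when
// the entry is a bare flag such as "silent".
std::string getConfigParam(const fs::path& file, const std::string& key) {
    std::ifstream in(file);
    for (std::string line; std::getline(in, line);) {
        if (keyOf(line) != key)
            continue;
        auto eq = line.find('=');
        if (eq == std::string::npos)
            return "";
        auto value = line.substr(eq + 1);
        auto s = value.find_first_not_of(" \t");
        auto e = value.find_last_not_of(" \t\r");
        return (s == std::string::npos) ? "" : value.substr(s, e - s + 1);
    }
    return "";
}

// True when the parameter was found and the file was replaced. On any failure
// the function returns false and no "<file>_tmp" is left behind.
bool setConfigParam(const fs::path& file, const std::string& key,
                    const std::string& value) {
    std::ifstream in(file);
    if (!in.is_open())
        return false; // source missing: nothing has been created yet
    fs::path tmp = file.string() + "_tmp"; // same directory: rename() is atomic
    std::ofstream out(tmp);
    if (!out.is_open())
        return false;
    bool found = false;
    for (std::string line; std::getline(in, line);) {
        if (keyOf(line) == key) {
            found = true;
            out << key << " = " << value << '\n';
        } else {
            out << line << '\n';
        }
    }
    in.close();
    out.close();
    if (!found || out.fail()) {
        fs::remove(tmp); // parameter absent or write error: discard the copy
        return false;
    }
    fs::rename(tmp, file);
    return true;
}

// Constructed sample (not taken from a real BMC), written to a scratch
// directory so the example runs offline.
fs::path writeSampleFaillockConf() {
    fs::path dir = fs::temp_directory_path() / "faillock-conf-example";
    fs::create_directories(dir);
    fs::path file = dir / "faillock.conf";
    std::ofstream out(file);
    out << "# deny = 3\ndeny = 3\nunlock_time = 600\nsilent\n";
    return file;
}

// Runs the cases from the commit above and reports whether each left the
// directory in the expected state: value updated, no stray _tmp file.
bool configUpdateBehavesCorrectly() {
    fs::path file = writeSampleFaillockConf();
    fs::path tmp = file.string() + "_tmp";
    fs::path missing = file.parent_path() / "does-not-exist.conf";
    fs::path missingTmp = missing.string() + "_tmp";

    bool ok = setConfigParam(file, "deny", "10") && !fs::exists(tmp) &&
              getConfigParam(file, "deny") == "10" &&
              getConfigParam(file, "unlock_time") == "600";
    // parameter not present: must fail and must not leave faillock.conf_tmp
    ok = ok && !setConfigParam(file, "fail_interval", "900") && !fs::exists(tmp);
    // source file not present: must fail without creating a _tmp file either
    ok = ok && !setConfigParam(missing, "deny", "10") && !fs::exists(missingTmp);
    fs::remove_all(file.parent_path());
    return ok;
}

int main() {
    std::cout << (configUpdateBehavesCorrectly() ? "ok" : "FAILED") << '\n';
}
```

Keeping the temporary file in the same directory as the target is what makes the final rename an atomic replace; a copy in /tmp would need a cross-filesystem copy and would leave a window in which /etc/security holds a partially written file.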
ac921a5e | 21-Jul-2023 | Jayanth Othayoth <ojayanth@in.ibm.com>
Add support for deleting authentication failure record files
Added fix for #phosphor-user-manager/issues/4
If a user account is locked due to too many failed password attempts, the password stays locked out for same-name account creation. This issue is due to the authentication failure record files not being cleared in the account user delete path.
Added a function for deleting authentication failure record files in the account delete API to fix this issue.
The faillock command's --reset option is used to clear the user's failure records. Refer to https://linux.die.net/man/8/faillock for details.
Tested: Created a user and performed multiple failed authentications to lock the account. After account deletion, recreating a user with the same name worked as expected.
Change-Id: I63a1becafa30035ac549166a1d70ee58baee86b4
Signed-off-by: Jayanth Othayoth <ojayanth@in.ibm.com>

601d3db4 | 09-Mar-2023 | Ninad Palsule <ninadpalsule@us.ibm.com>
Added new pre-defined usergroup hostconsole
The new pre-defined usergroup named "hostconsole" is added to differentiate access between host console and manager console. The only users allowed to interact with the host console are part of the "hostconsole" group.
Note: The changes are spread across multiple repositories listed under "Related commits:"
The phosphor-user-manager changes are as follows:
- Added new pre-defined user group called "hostconsole"
- Added CI tests to validate the new group.
Tested: Loaded on system and qemu emulator. Made sure that a user is only allowed to access the host console if it is a member of the hostconsole group.
Related commits:
docs: https://gerrit.openbmc.org/c/openbmc/docs/+/60968
phosphor-user-manager: https://gerrit.openbmc.org/c/openbmc/phosphor-user-manager/+/61583
openbmc: https://gerrit.openbmc.org/c/openbmc/openbmc/+/61582
obmc-console: https://gerrit.openbmc.org/c/openbmc/obmc-console/+/61581
bmcweb: https://gerrit.openbmc.org/c/openbmc/bmcweb/+/61580
Change-Id: I700a295c99c429b42e6db667c9726792a351e71d
Signed-off-by: Ninad Palsule <ninadpalsule@us.ibm.com>

2d042d14 | 28-Mar-2023 | Jason M. Bills <jason.m.bills@intel.com>
Change to pam_faillock and pam pwquality
pam_tally2 is being replaced by pam_faillock. The parameters in common-auth have moved to faillock.conf, so this commit adds a new method to modify parameters in a given configuration file.
The output from the 'faillock' command differs from 'pam_tally2', so this commit adds a new function to parse the output from 'faillock' to determine if the user is currently locked.
pam_cracklib is being replaced by pam_pwquality. The parameters in common-password have moved to pwquality.conf.
I referenced the work done by Joseph Reynolds in this commit [1] to know what changes were required.
[1]: https://gerrit.openbmc.org/c/openbmc/phosphor-user-manager/+/39853
Tested: Confirmed that the AccountLockoutDuration and AccountLockoutThreshold parameters under /redfish/v1/AccountService both return the correct value from common-auth.
Set deny to 10 and unlock_time to 30 seconds and confirmed that a user account will correctly show as locked after 10 failed login attempts, and that user will show as unlocked 30 seconds later.
Used Redfish to PATCH both AccountLockoutDuration and AccountLockoutThreshold and confirmed that the updated values are correctly reported in Redfish and that the correct lines in faillock.conf are modified.
Confirmed that the MinPasswordLength parameter under /redfish/v1/AccountService returns the correct value from common-password.
Set minlen to 9 and confirmed that a user password could not be set with a length of 8.
Used Redfish to PATCH MinPasswordLength and confirmed that the updated value is correctly reported in Redfish and that the correct line in pwquality.conf is modified.
Change-Id: I0701e4148c0b8333c6b8889d4695e61ce7f5366d
Signed-off-by: Jason M. Bills <jason.m.bills@intel.com>

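Added example (not code from phosphor-user-manager) that covers two commits on this page: the faillock output parser that 2d042d14 describes, and the reason ac921a5e clears the records on account deletion (once no valid records remain, the parser reports the name as unlocked, so a recreated account with the same name starts clean). The record layout assumed here is the one the faillock tool prints (a "user:" line, a column header, then one timestamped line per failure ending in V or I); the sample output is constructed, the function names are this example's own, and fail_interval windowing is ignored to keep the decision to deny and unlock_time.

```cpp
// Added example, not code from phosphor-user-manager: parse `faillock --user
// <name>` output and apply faillock.conf's deny / unlock_time to decide whether
// the account is currently locked. fail_interval windowing is left out.
#include <algorithm>
#include <ctime>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// One record as faillock prints it: "<date> <time> <RHOST|TTY> <source> <V|I>".
struct FailRecord {
    std::time_t when;
    bool valid; // 'V' still counts; 'I' was invalidated and is ignored
};

// "YYYY-MM-DD HH:MM:SS" as UTC; 0 on malformed input. timegm() is a
// POSIX/glibc extension and is assumed to be available here.
std::time_t parseTimestamp(const std::string& date, const std::string& hms) {
    std::tm tm{};
    std::istringstream in(date + " " + hms);
    in >> std::get_time(&tm, "%Y-%m-%d %H:%M:%S");
    return in.fail() ? 0 : timegm(&tm);
}

// Requires exactly five fields ending in V or I, which skips the "user:" line,
// the column header and blank lines without special-casing them.
std::vector<FailRecord> parseFaillockOutput(const std::string& output) {
    std::vector<FailRecord> records;
    std::istringstream lines(output);
    for (std::string line; std::getline(lines, line);) {
        std::istringstream fields(line);
        std::string date, hms, type, source, valid;
        if (!(fields >> date >> hms >> type >> source >> valid))
            continue;
        if (valid != "V" && valid != "I")
            continue;
        std::time_t when = parseTimestamp(date, hms);
        if (when != 0)
            records.push_back({when, valid == "V"});
    }
    return records;
}

// Locked when at least `deny` valid failures exist and the newest is younger
// than unlock_time seconds. As in faillock.conf, deny == 0 disables locking
// and unlock_time == 0 makes the lock last until the records are reset.
bool userLocked(const std::vector<FailRecord>& records, unsigned deny,
                unsigned unlockTime, std::time_t now) {
    unsigned count = 0;
    std::time_t newest = 0;
    for (const auto& r : records) {
        if (!r.valid)
            continue;
        ++count;
        newest = std::max(newest, r.when);
    }
    if (deny == 0 || count < deny)
        return false;
    return unlockTime == 0 || now < newest + static_cast<std::time_t>(unlockTime);
}

bool lockedAt(const std::string& output, unsigned deny, unsigned unlockTime,
              const std::string& date, const std::string& hms) {
    return userLocked(parseFaillockOutput(output), deny, unlockTime,
                      parseTimestamp(date, hms));
}

// Constructed sample output (not captured from a real BMC): three valid
// failures for "alice" from one host, a few seconds apart.
const std::string sampleFaillockOutput =
    "alice:\n"
    "When                Type  Source                                           Valid\n"
    "2023-03-28 10:00:01 RHOST 192.0.2.10                                       V\n"
    "2023-03-28 10:00:05 RHOST 192.0.2.10                                       V\n"
    "2023-03-28 10:00:09 RHOST 192.0.2.10                                       V\n";

// Same, but one record flagged I: it no longer counts towards deny.
const std::string sampleInvalidatedOutput =
    "alice:\n"
    "When                Type  Source                                           Valid\n"
    "2023-03-28 10:00:01 RHOST 192.0.2.10                                       I\n"
    "2023-03-28 10:00:05 RHOST 192.0.2.10                                       V\n"
    "2023-03-28 10:00:09 RHOST 192.0.2.10                                       V\n";

int main() {
    std::cout << "deny=3 unlock_time=30, at 10:00:20: "
              << lockedAt(sampleFaillockOutput, 3, 30, "2023-03-28", "10:00:20")
              << "\nat 10:00:40: "
              << lockedAt(sampleFaillockOutput, 3, 30, "2023-03-28", "10:00:40")
              << '\n';
}
```

With deny=3 and unlock_time=30, the sample user is locked at 10:00:20 and unlocked again at 10:00:40, which is the 30-seconds-later behaviour the commit's test description reports; the parser deliberately requires the trailing V/I flag so that header and user lines never get counted as failures.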
b7043047 | 10-May-2023 | Patrick Williams <patrick@stwcx.xyz>
clang-format: copy latest and re-format
clang-format-16 has some backwards incompatible changes that require additional settings for best compatibility and re-running the formatter. Copy the latest .clang-format from the docs repository and reformat the repository.
Change-Id: I913685cddaf9a2256b3edcd3ced8e89a32386394
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

e8d664d1 | 05-Jul-2022 | Jiaqing Zhao <jiaqing.zhao@intel.com>
ldap-config: Include phosphor-logging in source files
It is recommended to include the phosphor-logging and related headers in source files instead of header files.
Tested: Build and unit test pass.
Change-Id: I880d8a3bf8dd850af300806da0d17357407632fd
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@intel.com>

11ec666b | 05-Jul-2022 | Jiaqing Zhao <jiaqing.zhao@intel.com>
Switch to lg2 for logging
After enabling C++20, lg2 is preferred for logging. This patch replaces all phosphor::logging::log calls with lg2 calls.
Tested: Build pass.
Change-Id: Ic37bc36f43c2b3a1c61b1328af95e3a41c8d6d40
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@intel.com>

56862061 | 31-May-2022 | Jiaqing Zhao <jiaqing.zhao@intel.com>
Implement default LDAP privilege role
According to OpenBMC documentation[1], "if there is no mapping for group name to privilege role, default to user privilege role for the session", meaning that LDAP users should have "priv-user" assigned when there is no mapping entry matched.
[1] https://github.com/openbmc/docs/blob/master/architecture/user-management.md#authorization-flow
Tested:
* Configure LDAP with empty RemoteRoleMapping in Redfish, then log in to the BMC with an LDAP account; verified it has User privilege.
* Change the primary group of the user from a group without mapping to one mapped to Admin privilege on the remote LDAP server; confirmed the user is mapped to priv-admin in the BMC.
Change-Id: I374732f2895f40a671225ec0d1fafd7e4ae27dea
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@intel.com>

da401fe5 | 24-Oct-2022 | Nan Zhou <nanzhoumails@gmail.com>
Implement createGroup/deleteGroup
This commit adds the implementation for CreateGroup and DeleteGroup.
These interfaces give the possibility to create OEMRole and OEMPrivilege as proposed in the Dynamic Redfish Authz design. [1] https://github.com/openbmc/docs/blob/master/designs/redfish-authorization.md
Since secondary groups will now change at runtime, this commit made the |groupsMgr| non-constant. When the service starts up, it will load all the groups in the system, and recover its |groupsMgr| in memory. Currently, only groups with certain prefixes are allowed to change (creation or deletion). The only use case now is Redfish privileges and roles so the current prefixes only cover that.
Similar to user creation, this commit also added limits and checks to make sure these interfaces are safe.
Coverage:
  lines......: 84.1% (2197 of 2613 lines)
  functions..: 94.3% (492 of 522 functions)
  branches...: 31.1% (3506 of 11263 branches)
Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I245017afda909a0bfa594ef112d7b0d40045f80d

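Added example (not code from phosphor-user-manager) of the admission checks a CreateGroup/DeleteGroup pair needs before it touches /etc/group, in the spirit of the "limits and checks" the commit above mentions: name validity, an allowed-prefix list that also shields the predefined groups from deletion, an already-exists/not-found check, and a cap on how many runtime groups may exist. The prefixes openbmc_rfr_/openbmc_rfp_, the predefined-group set, the name policy and the deliberately tiny limit of three runtime groups are assumptions; the page only says "certain prefixes" and "limits".

```cpp
// Added example, not code from phosphor-user-manager: the admission checks a
// CreateGroup/DeleteGroup pair should run before touching /etc/group. The
// prefix list, the predefined-group set and the size limits are assumptions
// for this example; the page only says "certain prefixes" and "limits".
#include <regex>
#include <set>
#include <string>
#include <vector>

// Only groups carrying one of these prefixes may be created or deleted at
// runtime (assumed names for Redfish roles and privileges).
static const std::vector<std::string> allowedGroupPrefixes = {"openbmc_rfr_",
                                                              "openbmc_rfp_"};
// Groups that ship with the image and must never be deleted over D-Bus.
static const std::set<std::string> predefinedGroups = {
    "priv-admin", "priv-user", "redfish", "ssh", "ipmi", "hostconsole"};
static constexpr std::size_t maxGroupNameLength = 32;
static constexpr std::size_t maxDynamicGroups = 3; // tiny, to show the limit

enum class GroupError { None, InvalidName, PrefixNotAllowed, AlreadyExists,
                        Predefined, NotFound, TooMany };

// Same shape as a user name: leading letter or underscore, then letters,
// digits, underscore or hyphen (assumed policy for this example).
static bool isValidGroupName(const std::string& name) {
    static const std::regex pattern("^[a-zA-Z_][a-zA-Z0-9_-]*$");
    return !name.empty() && name.size() <= maxGroupNameLength &&
           std::regex_match(name, pattern);
}

static bool hasAllowedPrefix(const std::string& name) {
    for (const auto& prefix : allowedGroupPrefixes)
        if (name.compare(0, prefix.size(), prefix) == 0)
            return true;
    return false;
}

// In-memory stand-in for the group manager: seeded from the groups found on the
// system at start-up, mutated only through the two checked operations.
class GroupRegistry {
  public:
    explicit GroupRegistry(std::set<std::string> existing)
        : groups(std::move(existing)) {}

    GroupError createGroup(const std::string& name) {
        if (!isValidGroupName(name))
            return GroupError::InvalidName;
        if (!hasAllowedPrefix(name))
            return GroupError::PrefixNotAllowed;
        if (groups.count(name))
            return GroupError::AlreadyExists;
        if (dynamicCount() >= maxDynamicGroups)
            return GroupError::TooMany;
        groups.insert(name);
        return GroupError::None;
    }

    GroupError deleteGroup(const std::string& name) {
        if (predefinedGroups.count(name))
            return GroupError::Predefined; // defence in depth: checked first
        if (!hasAllowedPrefix(name))
            return GroupError::PrefixNotAllowed;
        if (!groups.erase(name))
            return GroupError::NotFound;
        return GroupError::None;
    }

    bool exists(const std::string& name) const { return groups.count(name) > 0; }

  private:
    std::size_t dynamicCount() const {
        std::size_t n = 0;
        for (const auto& g : groups)
            n += hasAllowedPrefix(g);
        return n;
    }
    std::set<std::string> groups;
};

// Seeds a registry with the predefined groups only.
GroupRegistry freshRegistry() { return GroupRegistry(predefinedGroups); }

// Walks the checks in order and returns the outcome of each step, so a reader
// can see which rule rejected which request.
std::vector<GroupError> runScenario() {
    GroupRegistry reg = freshRegistry();
    return {
        reg.createGroup("openbmc_rfr_auditor"),  // None
        reg.createGroup("openbmc_rfr_auditor"),  // AlreadyExists
        reg.createGroup("auditor"),              // PrefixNotAllowed
        reg.createGroup("openbmc_rfr_^bad"),     // InvalidName
        reg.createGroup("openbmc_rfp_power"),    // None
        reg.createGroup("openbmc_rfp_firmware"), // None (third runtime group)
        reg.createGroup("openbmc_rfp_sensors"),  // TooMany
        reg.deleteGroup("priv-admin"),           // Predefined
        reg.deleteGroup("openbmc_rfr_missing"),  // NotFound
        reg.deleteGroup("openbmc_rfr_auditor"),  // None
        reg.createGroup("openbmc_rfp_sensors"),  // None again: a slot was freed
    };
}
```

The order of the checks matters: validating the name before the prefix keeps a malformed name from ever reaching the shell-facing groupadd/groupdel step, and refusing to delete a predefined group before the prefix test means a future change to the prefix list cannot silently expose priv-admin or hostconsole to deletion.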
7562658e | 09-Feb-2022 | Alexander Filippov <a.filippov@yadro.com>
UserMgr: Fix the privilege determination
By default, all users in Active Directory have the primary group `users`. Giving full access to the BMC to all users from such a group is a bad idea. And changing the primary group in Active Directory/LDAP can be inadvisable.
This fix allows using a group that isn't the primary group in the role mapping. All members of such a group will get the role according to the role mapping.
Tested by:
- Configure LDAP
- Add a non-primary LDAP group to the role map
- Verify the `GetUserInfo` reply for a member of the group used in the previous step. It should contain the corresponding privilege.
- Add a primary LDAP group to the role map and verify `GetUserInfo` for its member. It also should contain the corresponding role.
Change-Id: I61a87a21446577c0bf059f50139c7b4c711059c7
Signed-off-by: Alexander Filippov <a.filippov@yadro.com>

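Added example (not code from phosphor-user-manager) for the two LDAP commits above, 56862061 and 7562658e: every group the user belongs to is consulted, not only the primary group, and a user with no mapped group falls back to priv-user. A primaryOnlyPrivilege function is included for contrast with the behaviour before the fix. The page does not say which role wins when several of a user's groups are mapped; this example assumes the most privileged one, and the sample mapping and users are constructed.

```cpp
// Added example, not code from phosphor-user-manager: derive an LDAP user's
// BMC privilege from the RemoteRoleMapping. Every group the user belongs to is
// consulted, not only the primary group, and a user with no mapped group gets
// "priv-user". Which role wins when several groups are mapped is not stated
// on the page; this example assumes the most privileged one.
#include <map>
#include <string>
#include <vector>

// RemoteRoleMapping: LDAP group name -> BMC privilege role.
using RoleMap = std::map<std::string, std::string>;

struct LdapUser {
    std::string primaryGroup;
    std::vector<std::string> secondaryGroups;
};

// Ordering used for the tie-break (assumed); unknown role names rank lowest.
static int rank(const std::string& priv) {
    static const std::map<std::string, int> order = {{"priv-noaccess", 0},
                                                     {"priv-user", 1},
                                                     {"priv-operator", 2},
                                                     {"priv-admin", 3}};
    auto it = order.find(priv);
    return it == order.end() ? -1 : it->second;
}

// Behaviour before the fix: only the primary group is looked up. With Active
// Directory's default primary group "users" this is almost always unmapped,
// so every directory user lands on the default role.
std::string primaryOnlyPrivilege(const LdapUser& user, const RoleMap& roleMap) {
    auto it = roleMap.find(user.primaryGroup);
    return it == roleMap.end() ? "priv-user" : it->second;
}

// Behaviour after the fix: primary and secondary groups all count, and the
// documented default applies only when none of them is mapped.
std::string resolvePrivilege(const LdapUser& user, const RoleMap& roleMap) {
    std::string best = "priv-user";
    bool matched = false;
    auto consider = [&](const std::string& group) {
        auto it = roleMap.find(group);
        if (it == roleMap.end())
            return;
        if (!matched || rank(it->second) > rank(best))
            best = it->second;
        matched = true;
    };
    consider(user.primaryGroup);
    for (const auto& g : user.secondaryGroups)
        consider(g);
    return best;
}

// Constructed sample data (not from a real directory or BMC).
RoleMap sampleRoleMap() {
    return {{"bmc-admins", "priv-admin"},
            {"bmc-operators", "priv-operator"},
            {"guests", "priv-noaccess"}};
}
LdapUser adAdmin() { return {"users", {"bmc-operators", "bmc-admins"}}; }
LdapUser adGuest() { return {"users", {"guests"}}; }
LdapUser adPlain() { return {"users", {"finance"}}; }
```

Note that an explicit priv-noaccess mapping is honoured when it is the only match (adGuest), so the fallback to priv-user never overrides a deliberate deny; leaving "users" itself out of the mapping is what keeps the default AD primary group from granting anything beyond the documented default.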
90a120bc | 17-Nov-2022 | Nan Zhou <nanzhoumails@gmail.com>
user manager test: remove no-access
The change [1] was submitted without rebasing to the master, which causes test failures at HEAD. [1] https://gerrit.openbmc.org/c/openbmc/phosphor-user-manager/+/52363
This commit fixed the issue.
Tested: unit test passed
Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I5b71e3a3dfe70448c1741f21a06ad3486b84863e

a295303b | 11-Nov-2022 | Nan Zhou <nanzhoumails@gmail.com>
userLockedForFailedAttempt: add unit test
This commit adds a unit test for the |userLockedForFailedAttempt| function. In order to do so, this commit adds a new virtual function which reads the failed attempt. The function is overridden in the unit test.
Tested: unit test passed.
Coverage:
  lines......: 83.1% (2007 of 2415 lines)
  functions..: 94.1% (430 of 457 functions)
  branches...: 32.3% (3181 of 9855 branches)
Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I940ec42936c8b1c387fc0f19db13bc90a61c9852

6b6f2d80 | 24-Oct-2022 | Nan Zhou <nanzhoumails@gmail.com>
userEnable: fix bug and add unit test
This commit adds unit tests for the |userEnable| function. To make it happen, a new overload of |executeUserModify| is introduced. The idea is the same as in previous commits where we add sudo in unit tests.
Thanks to this unit test, this commit fixes an existing bug where the corresponding user's |userEnabled| attribute isn't updated.
Tested: unit test passed
Coverage:
  lines......: 81.3% (1918 of 2359 lines)
  functions..: 93.9% (400 of 426 functions)
  branches...: 32.0% (3029 of 9469 branches)
Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I89752e5fcfc1aabb4090b0b2e8faf5f1b5ee5e76

784aecd4 | 24-Oct-2022 | Nan Zhou <nanzhoumails@gmail.com>
accountUnlockTimeout: add unit test
This commit added several unit tests for the |accountUnlockTimeout| function.
Tested: unit test passed
Coverage:
  lines......: 80.7% (1874 of 2323 lines)
  functions..: 93.7% (387 of 413 functions)
  branches...: 32.2% (2930 of 9096 branches)
Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I1dfb134d54f4086920f41c9020104e64af71f1f9

cfabe6b3 | 24-Oct-2022 | Nan Zhou <nanzhoumails@gmail.com>
MaxLoginAttemptBeforeLockout: add unit test
This commit adds the unit test for |maxLoginAttemptBeforeLockout|.
Tested: unit test passed.
Coverage:
  lines......: 80.0% (1843 of 2304 lines)
  functions..: 93.3% (374 of 401 functions)
  branches...: 32.3% (2893 of 8961 branches)
Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I840dc472d6ac9d58273aaf754195e33276ea139f

a6ce1faa | 24-Oct-2022 | Nan Zhou <nanzhoumails@gmail.com>
rememberOldPasswordTimes: add unit test
This commit adds several test cases for |rememberOldPasswordTimes|.
Tested: unit test passed.
Overall coverage rate:
  lines......: 79.2% (1809 of 2283 lines)
  functions..: 92.8% (361 of 389 functions)
  branches...: 32.4% (2852 of 8814 branches)
Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: Iea033026b79a81d67dfb3d513eb951b0b6cb21b6

1803101c | 10-Nov-2022 | Nan Zhou <nanzhoumails@gmail.com>
MinPasswordLength: add unit test
Add unit test for the |minPasswordLength| function.
It can be shown that the test coverage increased.
Tested: unit test passed.
Coverage data:
  lines......: 78.7% (1779 of 2261 lines)
  functions..: 92.3% (348 of 377 functions)
  branches...: 32.5% (2812 of 8655 branches)
Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I85d309ac2cf1467ee1c56c6ecb076d82c5082e28

fef63038 | 24-Oct-2022 | Nan Zhou <nanzhoumails@gmail.com>
updateGroupsAndPriv: fix bugs and add tests
This commit adds a unit test for the |updateGroupsAndPriv| function. Thanks to the test case, I found a bug that the existing code doesn't update the groups and privilege of the user after updating.
Added several necessary functions to add unit tests and fix bugs.
Tested: unit test passed.
Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: Ifcf88505f10b6bfdcca2de31a29ce055153463e8