History log of /openbmc/phosphor-host-ipmid/user_channel/user_mgmt.cpp (Results 26 – 50 of 59)
Revision Date Author Comments
# fd61fc3d 08-Apr-2021 Johnathan Mantey <johnathanx.mantey@intel.com>

Permit assignment of the IPMI management channel via JSON

phosphor-ipmi-host hard codes Channel 1 as the LAN NIC responsible for
managing and updating IPMI, Redfish, and web server access
permissions. Systems that do not have a lan-802.3 channel type
configured for IPMI Channel 1 have no way of assigning permissions
that flow to phosphor-user-manager. The inability to update
permissions within phosphor-user-manager ultimately flows to Redfish
and HTTPS access.

The changes in this commit provide flexibility in assigning the IPMI
channel used to propagate permission changes to
phosphor-user-manager. A new boolean keyword, is_managment_nic, is
added. This entry is added to the JSON file, channel_config.json by
default, to announce which lan-802.3 IPMI channel is to be used to
assign IPMI permissions used by phosphor-user-manager. Only one
channel can have this ability. If the keyword is missing in the JSON
file, the code falls back to using Channel 1.

Tested:
Fully testing this change requires using code that dynamically
disables Channel 1. The SUT only has a single NIC, which is not
assigned to Channel 1.

Fully reprogrammed SPI to enter a pristine state.
Created a new user, channel 3, id 2, privilege=4

Confirmed LAN "ipmitool raw 6 1" succeeds
Confirmed Web access to new user account
Confirmed Redfish access to new user account
Confirmed BMC console "ipmitool raw 6 1" succeeds

Used BMC console ipmitool to change user permissions from 4 to
15 (i.e. no access)

Confirmed LAN "ipmitool raw 6 1" succeeds
Confirmed Web access to new user account fails
Confirmed Redfish access to new user account fails
Confirmed BMC console "ipmitool raw 6 1" fails

Used BMC console ipmitool to change user permissions from 15 to
4 (i.e. admin)

All of the prior tests work as expected.

Change-Id: I5f6941fefc4f80742e404de1f22ba10cbedf5d5d
Signed-off-by: Johnathan Mantey <johnathanx.mantey@intel.com>



# 70bd0635 23-Oct-2020 Jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>

Clear security sensitive data

As the password is sensitive data, clear it after use.

Tested:
Verified using ipmitool commands
Command: ipmitool user set password 5 asdf1234 //Set user password
Response: Set User Password command successful (user 5)
Command: ipmitool raw 6 0x47 5 2 0x30 0x70 0x65 0x6e 0x42 0x6d 0x63
0x31 0 0 0 0 0 0 0 0 //set user password - set password
Response: //Success
Command: ipmitool raw 6 0x47 5 3 0x30 0x70 0x65 0x6e 0x42 0x6d 0x63
0x31 0 0 0 0 0 0 0 0 //set user password - test password
Response: //Success

Signed-off-by: Jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>
Change-Id: I06196233ac5468534bd10fd34f99f7d35fd7b971



# 76363302 14-Feb-2020 jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>

user_channel: Rewriting ipmiUserSetUserName API

Rewriting ipmiUserSetUserName API

Tested:
Verified using ipmitool commands.
Command: ipmitool user set name 4 user4
Response: //Success
Command: ipmitool user set password 4 asdf1234
Response: Set User Password command successful (user 4)
Command: ipmitool user priv 4 0x03 1
Response: Set Privilege Level command successful (user 4)
Command: ipmitool user set name 14 user13asdfghkjlqwert
Response: Username is too long (> 16 bytes)
Command: ipmitool -I lanplus -C 3 -p 623 -U root -P <password> -H
<BMC-IP> user set name 8 WIJGueNKd
Response: //Success
Command: ipmitool user list 1 //User list for channel 1
1 root false true true ADMINISTRATOR
2 user2 true false false USER
3 user3 true false false NO ACCESS
4 user4 true false false OPERATOR
5 WIJGueNK true false false NO ACCESS
6 WIJGueNKb true false false NO ACCESS
7 WIJGueNKc true false false NO ACCESS
8 WIJGueNKd true false false NO ACCESS
9 true false false NO ACCESS
10 true false false NO ACCESS

Signed-off-by: jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>
Change-Id: I41c091f6d9aaf54326295d1e80e16db521b2e23d



# 0e2dbee2 26-Dec-2019 jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>

Fix for Callback privilege

Issue: Not returning proper error when user privilege is Callback

Returning proper error codes.

Tested:
Command: ipmitool raw 0x06 0x40 0x3 0x42 0x41 //SetChannelAccess
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x40 rsp=0xcc): Invalid data field in request
Command: ipmitool raw 0x06 0x40 0x3 0x42 0xc2 //SetChannelAccess
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x40 rsp=0x83): Unknown (0x83)
Command: ipmitool user priv 2 0x01 1
Response: IPMI command failed: Invalid data field in request
Set Privilege Level command failed (user 2)
Command: ipmitool raw 0x06 0x38 1 1 //Get Channel Auth Capabilities
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x38 rsp=0xcc): Invalid data field in request
Command: ipmitool raw 0x06 0x40 0x1 0x42 0x81 //SetChannelAccess
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x40 rsp=0xcc): Invalid data field in request
Command: ipmitool raw 0x06 0x43 0x1 2 1 0 //Set User Access Command
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x43 rsp=0xcc): Invalid data field in request
Command: ipmitool raw 0x06 0x43 0x2 1 2 0 //Set User Access Command
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x43 rsp=0xff): Unspecified error
Command: ipmitool raw 0x06 0x42 0x02 //Get Channel Info Command
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x42 rsp=0x82): Unknown (0x82)
Command: ipmitool raw 0x06 0x4E 0x02 //Get Channel Payload Support
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x4e rsp=0xff): Unspecified error
Command: ipmitool raw 0x06 0x4E 0x0F //Get Channel Payload Support
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x4e rsp=0xcc): Invalid data field in request
Command: ipmitool raw 0x06 0x4F 0x02 0x00 //Get Channel Payload Version
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x4f rsp=0xcc): Invalid data field in request
Command: ipmitool raw 0x06 0x4C 0x02 0x01 0x02 0x00 0x00 0x00
//Set User Payload Access
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x4c rsp=0xcc): Invalid data field in request
Command: ipmitool raw 0x06 0x44 0x02 0x02 //Get User Access Command
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x44 rsp=0xcc): Invalid data field in request
Command: ipmitool raw 0x06 0x44 0x01 0x11 //Get User Access Command
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x44 rsp=0xc9): Parameter out of range
Command: ipmitool raw 0x06 0x4D 0x02 0x02 //Get User Payload Access
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x4d rsp=0xcc): Invalid data field in request
Command: ipmitool raw 0x06 0x40 0x3 0x44 0x43
// set channel access for Non-volatile priv limit
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x40 rsp=0x83): Unknown (0x83)
Command: ipmitool raw 0x06 0x40 0x1 0x85 0x82
// set channel access for volatile priv limit
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x40 rsp=0x83): Unknown (0x83)

Signed-off-by: jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>
Change-Id: I4ff6fb5ae9a604e6b38fb92c249416605ec27cb5



# b541a5a5 18-Jul-2019 NITIN SHARMA <nitin1x.sharma@intel.com>

user_channel:Change fun ret&cmd cc as per New Std

Modified ipmi function return status code and
command completion codes as per new standard.

Tested:
verified using ipmitool commands.
1. create new user
Command : ipmitool user set name 5 user5
Response: //user created successfully
Command: ipmitool user set password 5 0penBmc\' //set password
Response: Set User Password command successful (user 5)

2. Set password
Command : ipmitool user set password 5 0penBmc\'
Response: Set User Password command successful (user 5)

3. set channel access
Command: ipmitool channel setaccess 1 5 callin=on ipmi=on link=on
privilege=4
Response: Set User Access (channel 1 id 5) successful.

4. get channel access
Command: ipmitool channel getaccess 1 5
Response:
Maximum User IDs : 15
Enabled User IDs : 5

User ID : 5
User Name : user5
Fixed Name : No
Access Available : call-in / callback
Link Authentication : enabled
IPMI Messaging : enabled
Privilege Level : ADMINISTRATOR
Enable Status : disabled

5. User list
Command: ipmitool user list 1
Response:
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
1 root false true true ADMINISTRATOR
2 putty_operator true true true OPERATOR
3 ipmi_admin true true true ADMINISTRATOR
4 user2 false true true OPERATOR
5 user5 true true true ADMINISTRATOR
6 true false false NO ACCESS
7 true false false NO ACCESS
8 true false false NO ACCESS
9 true false false NO ACCESS
10 true false false NO ACCESS
11 true false false NO ACCESS
12 true false false NO ACCESS
13 true false false NO ACCESS
14 true false false NO ACCESS
15 true false false NO ACCESS

Signed-off-by: jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>
Signed-off-by: NITIN SHARMA <nitin1x.sharma@intel.com>
Change-Id: I5f2c32f50edc2de204ac361364e21a61a4bcf237



# e3d144f1 09-Jan-2020 Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

[user-mgmt]: Handle out of range error in path

Function must assume that object path without user name may exist,
and must handle the condition accordingly.

Tested:
1. Verified when InterfacesAdded signal sent out from Phosphor-user-manager
under base user object for global attributes, ipmid is not crashed.

Resolves openbmc/phosphor-net-ipmid#10

Change-Id: Ib19af7ca8f05fd9f4553010caf347c677d9897e2
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>



# 489a4ed9 17-Jan-2020 Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

[Fix]: Check ipmi groups list before creating user

When phosphor-user-manager is started later than ipmid,
then ipmid misses to get the AvailableGroups list from
phosphor-user-manager. Further creation of user through ipmi
will end up creating user which doesn't belong to any group
at all. This fixes, by making sure, ipmi creates user only
if ipmi group is in available groups lists, and will do
re-query if it is empty.

Tested:
1. Verified the user creation behaviour with having dependency to
phosphor-user-manager and without.
2. Manually tested the following.
a. Stopped phosphor-user-manager & all ipmi
b. Started phosphor-host-ipmid
c. started phosphor-user-manager
d. using ipmitool user set name created user and verified that it
belongs to proper group as expected.

Change-Id: I5810babda0e70eb7b6bca577af2031da90dbb068
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>



# bbe728c3 10-Jan-2020 arun-pm <arun.p.m@linux.intel.com>

[user-mgmt]: Rearrange signal handler registration

Currently, signal handlers are registered after the GetManagedObjects
query. This may miss any signals generated in-between this time. Correct
flow must be to register for the signal first, followed by
GetManagedObjects query.

Tested:
1. Verified that user list are properly listed after this change.
Note: Also, performed following tests to determine the order didn't cause any
problem. Verified with both ipmi_user.json deleted and preserved.
2. Started phosphor-user-manager after host-ipmid.
3. Re-started phosphor-user-manager.
4. Started phosphor-host-ipmid after phosphor-user-manager.
5. Restarted phosphor-host-ipmid.

Change-Id: I124b5e96672e0456289bca7a2b889e4b897c0545
Signed-off-by: arun-pm <arun.p.m@linux.intel.com>



# 9fc5fa18 29-Aug-2019 jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>

user_mgmt:password authentication/update by PAM

Allowed password characters will be handled by password management,
instead of set user password command. This makes the checking to be
moved from set user password command to pam layer and accordingly
throw error, when the same is not valid.

Fix: So modified the code to handle with pam module itself.

Tested:
ipmitool user set password 6 0penBmc1\'
Set User Password command successful (user 6)

ipmitool user set password 6 0penBmc1\"
Set User Password command successful (user 6)

ipmitool user set password 6 12345678 //invalid password
IPMI command failed: Invalid data field in request
Set User Password command failed (user 6)

ipmitool user set password 3 asdf1234 //user id does not exist
IPMI command failed: Unspecified error
Set User Password command failed (user 3)

Signed-off-by: jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>
Change-Id: Iba6e2c29a927d53e6ebdb5d32e83ecc7cbbd2fd0



# 05ad341e 16-Oct-2019 Ayushi Smriti <smriti.ayushi@linux.intel.com>

Clean-up: entry code msgs in user_channel cpp files

Cleaning up phosphor logging entry messages from
the usage of ':' to '=' in the whole user_channel
dir cpp files.

Signed-off-by: Ayushi Smriti <smriti.ayushi@linux.intel.com>
Change-Id: Ifa8eb35751279cf6bebd876105b7a4d24deb98a0



# 0e862fab 05-Sep-2019 Chen,Yugang <yugang.chen@linux.intel.com>

Static code analysis scan issue fix

Fix the issues found during code static scan

Tested:
test in board, function works fine.
1. busctl set-property for watchdog, it works fine.
2. It works by running "ipmitool chassis power soft".
3. run "ipmitool raw 0x6 0x46 1", get expected user information.

Change-Id: I7a2cc3c934db6a7531f8a8ea05956cb6d6337633
Signed-off-by: Chen,Yugang <yugang.chen@linux.intel.com>



# 3a697ade 19-Aug-2019 Patrick Venture <venture@google.com>

user_channel: user_mgmt: minor cleanup from cppcheck

[user_channel/user_mgmt.cpp:1628]: (style) The scope
of the variable 'usrEnabled' can be reduced.
[user_channel/user_mgmt.cpp:310]: (style) Unused variable: update

Tested: Not tested.
Signed-off-by: Patrick Venture <venture@google.com>
Change-Id: Id38469ab5d5b0fa9c512f5a77fff1f1372e794c2



# 92d81199 07-Aug-2019 Saravanan Palanisamy <saravanan.palanisamy@linux.intel.com>

user_mgmt: update default ipmi_user.json file.

By default, Serial Over LAN (SOL) payload access should be enabled
for all users in all channels. Ensure that this clause is met when
default ipmi_user.json file is created, usually because of BMC
re-flashing.

Tested-by:
1. Check SOL payload access values in ipmi_user.json after reflashing.

// Command - grep "std_payload1" /var/lib/ipmi/ipmi_user.json
// Response - OK.
...
"payload_enabled":{..."std_payload1":[true,true,...]...},
...

2. Check SOL payload access values in ipmi_user.json after BMC FW update
// Command and Response same as (1.). OK.
// ipmi_user.json file is updated upon its first write after FW update.

Signed-off-by: Saravanan Palanisamy <saravanan.palanisamy@linux.intel.com>
Change-Id: I604aac6d000eac40a3a3460ea46c6fe81d285dee



# c86045cb 26-Jul-2019 Saravanan Palanisamy <saravanan.palanisamy@linux.intel.com>

user_mgmt: Enable SOL payload access by default.

Enabling SOL payload access for all users in all channels, by default.
It is not mandated by IPMI spec, but needed for backward-compatibility.

Tested-by:
1. Run Get User Payload Access Command for random user on LAN channel.
// Command - (channel 3 is of LAN channel type)
ipmitool -I lanplus...raw 0x06 0x4D 3 7
02 00 00 00 // Response

2. Disable SOL payload and rerun Get User Payload Access Command.
// Command
ipmitool -I lanplus...raw 0x06 0x4C 3 0x48 0x02 0 0x00 0
ipmitool -I lanplus...raw 0x06 0x4D 3 8
00 00 00 00 // Response

3. Run Get User Payload Access on non-LAN, session-less channel.
// Command - (channel 7 is KCS channel type)
ipmitool -I lanplus...raw 0x06 0x4D 7 7
Error:(...rsp=0xcc): Invalid data field in request // Response

4. Check SOL session activation and 'ipmi_user.json' file contents.

Change-Id: I48c50e6366a0025d5ae066c8a8f3694d2f710732
Signed-off-by: Saravanan Palanisamy <saravanan.palanisamy@linux.intel.com>



# 77381f15 15-May-2019 Saravanan Palanisamy <saravanan.palanisamy@intel.com>

user_layer: Add get/set user payload access.

IPMI Spec reference: Section 24.6, 24.7.
Support is added to get/set user access details for the
unreserved, supported payload types defined by Spec.
SOL is the only unreserved, supported payload currently.
If support is needed for unreserved std/oem payload
types in future, they can be enabled with minor source code
changes to this implementation.

All payload types are packed in a JSON object
"payload_enabled" in ipmi_user.json file.

Tested-by:
1. For user 8 in channel 3, Enable SOL payload.

// Command - (channel 3 is of LAN channel type)
ipmitool -I lanplus...raw 0x06 0x4C 3 0x8 0x02 0 0 0
// Verify it with Get User Payload Access Command
ipmitool -I lanplus...raw 0x06 0x4D 3 8
02 00 00 00 // Response

2. Disable SOL payload.

// Command
ipmitool -I lanplus...raw 0x06 0x4C 3 0x48 0x02 0 0x00 0
// Verify it with Get User Payload Access Command
ipmitool -I lanplus...raw 0x06 0x4D 3 8
00 00 00 00 // Response

3. Enable unsupported payload stdPayload7.

// Command
ipmitool -I lanplus...raw 0x06 0x4C 3 0x8 0x80 0 0 0
Error: Invalid data field in request // Response

Change-Id: Idc57b04a747e55666407d928d8b2169223501e5b
Signed-off-by: Saravanan Palanisamy <saravanan.palanisamy@linux.intel.com>



# 02650d53 15-May-2019 Ayushi Smriti <smriti.ayushi@intel.com>

User-mgmt: Add IPMI user pam authenticate check API

PAM user authentication check must be performed, before any RMCP+
session establishment, as this will be able to check whether user
is already locked out, due to failed attempt.
This patch introduces the pam user check API, which will be used by
netipmid daemon.

Tested:
Verified the API call check and making sure it works.
Real testing is performed by including the same in
phosphor-ipmi-net for RMCP+ session establishment both
for user locked for failed attempt and normal case.

Commands used-
Created new user using ipmitool

ipmitool user set name 2 testuser
ipmitool user enable 2
ipmitool user set password 2 pas1tes2
ipmitool user priv 2 4 3

ipmitool user list 3 //New user entry can be seen listed

ipmitool channel getaccess 3 2 //For getting channel access
ipmitool channel setaccess 3 2 ipmi=on priviledge=4

Normal Case:
ipmitool -I lanplus -U testuser -P pas1tes2 -H <bmc ip> raw 6 1
//Command
23 00 00 00 02 bf 57 01 00 7b 00 00 00 00 00 //Response

Negative Case:
busctl set-property xyz.openbmc_project.User.Manager
/xyz/openbmc_project/user xyz.openbmc_project.User.AccountPolicy
MaxLoginAttemptBeforeLockout q 3

Tried 3 failed login attempts from webpage, and then tried to
establish IPMI RMCP+ as expected, session establishment failed.

wait for the timeout or unlock the user using-
busctl set-property xyz.openbmc_project.User.Manager
/xyz/openbmc_project/user/sayushi xyz.openbmc_project.User.Attributes
UserLockedForFailedAttempt b false

busctl get-property xyz.openbmc_project.User.Manager
/xyz/openbmc_project/user/sayushi xyz.openbmc_project.User.Attributes
UserLockedForFailedAttempt b false //Command
b false //Response

After this RMCP+ session will be established as usual.

Change-Id: I5ee2dc0848944a12f682f0775930091d32508bde
Signed-off-by: Ayushi Smriti <smriti.ayushi@linux.intel.com>



# e004e221 08-May-2019 Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

user-mgmt: Update user data file, only for sync.

IPMI user configuration is cross synced with
phosphor-user-manager and written to the non-volatile data
on every boot. This commit limits the write only when
there is real sync issue, and update required.

Tested:
1. Verified the ipmitool user list & commands
2. Verified that file write happens only when there is
real sync update with phosphor-user-manager

Change-Id: Ia40be91f281656288ca96ca44bc9699daee7c3b4
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>



# 16b8693d 01-May-2019 Vernon Mauery <vernon.mauery@linux.intel.com>

remove usage of sdbusplus::message::variant

sdbusplus has had its alias of std::variant in place for long
enough. This changes all ipmid references to use std::variant
directly instead of the sdbusplus alias.

Tested-by: building and running ipmid

Change-Id: Id5b4136d4589aa598815edd3ef4202e64a7698e2
Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>



# 687df401 08-May-2019 Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

user-mgmt: sync ipmi user & channel conf file

ipmi_user.json file is stored in non-volatile memory, and it is
necessary to make sure that file is properly synced to the storage
device, to avoid any corruption issue related to power
loss. This fix makes sure that temporary file is fully synced with
storage device and then renamed, such that the file is either
in old state or in new updated state.
Same is also performed for channel configuration file too.

Tested:
1. Verified regular ipmi user list & channel works without
any issue
2. Verified that any power loss, immediately, once the file
is written doesn't corrupt the entries.

Change-Id: I9ef84573947ab6f85f66530ac4a20e9eeaddf283
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>



# 788362ce 14-Apr-2019 Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

API support to update password for special user

Provide API support to update password for special user.
This API will be used by OEM Command to update the special
user password - linux uid 0 (root user).
More details can be referred from
https://github.com/openbmc/docs/blob/master/user_management.md#deployment---out-of-factory

Tested:
1. Verified the API with OEM command implementation, and able to
configure the password for user exists in the system /etc/passwd.
2. Verified the negative case for failure

Change-Id: I3c2a7007587e52c7e713f0cd976f249dd84a5f75
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>



# f442e119 09-Apr-2019 Vernon Mauery <vernon.mauery@linux.intel.com>

move variant to std namespace

sdbusplus::message::variant_ns has been std for a while now. This moves
ipmid away from sdbusplus::message::variant_ns to directly use
std::variant.

Tested-by: built, compiles, and runs the same as before.

Change-Id: I8caa945f31c926c2721319f001b9d7f83fd3f1b7
Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>



# 90b00c71 15-Jan-2019 Suryakanth Sekar <suryakanth.sekar@linux.intel.com>

Adding Set Password API support in Userlayer

Moved the pam function from libusercommand to libuserlayer
Added the setPassword API in user layer.

There are modules which require the set password functionality
(other ipmi providers-OEM), so it's better to keep the set-password
abstracted in user-layer instead of user-commands.

LIBS macro holds libpam and libmapper.
We want to separate the libpam from lib usercommand,
so replaced LIBS with libmapper alone.

Tested: Able to set the password in ipmi using userlayer.
ex: ipmitool user set password <userid> <password>
user password should set properly.

Change-Id: I32d55ff5c042613c89805c6b9393d18cbf880461
Signed-off-by: Suryakanth Sekar <suryakanth.sekar@linux.intel.com>



# 2fe9282f 02-Mar-2019 Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

[User Mgmt]: Update local user enabled state cache

Added missing user enabled state update, to reflect the
enabled state immediately.

Tested-by:
1. Verified updated user enabled state is reflected immediately
by querying getaccess for the user id

Change-Id: I42f7cbbe5a1bec9ffaafa61d5c550ea914bddc9c
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>



# 99d1ba05 21-Feb-2019 Patrick Venture <venture@google.com>

user_mgmt: drop c_str() when param is std::string

Do not use c_str() when parameter is std::string.

Caught via cppcheck.

Change-Id: Iad7c1296d8be363df10ccf9278231187d7d29052
Signed-off-by: Patrick Venture <venture@google.com>



# 4b0ddb68 25-Jan-2019 Lei YU <mine260309@gmail.com>

Set init_priority attribute for global variables in shared lib

The code gets unspecified initialization order for the global/static
variables in a shared library.

If unlucky, a global/static variable may be initialized in *constructor*
function, and then initialized by the default constructor.
For example, if `std::unique_ptr<xxx> var{nullptr};` is initialized in
constructor function, below init order may occur:
1. It is initialized in constructor;
2. Then it is initialized as nullptr;
And eventually when the code is to use the variable, we got nullptr.

We met such issues before on openbmc/openbmc#1581, and the technical
details could be found at [this SO question][1] and [this gcc email][2]

The solution is to specify the init_priority attribute, to make the
global/static variables initialize earlier than the constructors.

[1]: https://stackoverflow.com/questions/43941159/global-static-variables-initialization-issue-with-attribute-constructor-i
[2]: https://gcc.gnu.org/ml/gcc-patches/2017-03/msg00863.html

Change-Id: I901a6a5cddec12aec9512fe58b16735fa2ad90d7
Signed-off-by: Lei YU <mine260309@gmail.com>


