author | Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> | 2018-12-06 21:35:43 +0530 |
---|---|---|
committer | Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> | 2018-12-06 21:37:10 +0530 |
commit | 99b878493c8864e284bf8970134c7847af65b05b (patch) | |
tree | 90d259c2fdc747026c7597f25b1f754d98d1dfda | |
parent | 472a37be3a4f6585fa2d30cdc69a27c38771c0bf (diff) | |
download | phosphor-net-ipmid-99b878493c8864e284bf8970134c7847af65b05b.tar.gz phosphor-net-ipmid-99b878493c8864e284bf8970134c7847af65b05b.zip |
Revert "W/A for CI test case - Accept empty user name"
This reverts commit d2563c52eea33c2e4575f34eddac564ba1a44d85.
Now that the CI test cases have been updated to pass the -U
option, that workaround commit is reverted. From now on, a
user name supplied with the -U option is mandatory in order
to establish an RMCP+ session.
Change-Id: I2e1405562f0c20d34b2fcd5a2bba668c87cc7f06
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
-rw-r--r-- | command/rakp12.cpp | 143 | ||||
-rw-r--r-- | command/session_cmds.cpp | 12 |
2 files changed, 68 insertions, 87 deletions
diff --git a/command/rakp12.cpp b/command/rakp12.cpp
index 5596725..5384ab3 100644
--- a/command/rakp12.cpp
+++ b/command/rakp12.cpp
@@ -125,84 +125,77 @@ std::vector<uint8_t> RAKP12(const std::vector<uint8_t>& inPayload, session->reqMaxPrivLevel = request->req_max_privilege_level; session->curPrivLevel = static_cast<session::Privilege>( request->req_max_privilege_level & session::reqMaxPrivMask); + if (((request->req_max_privilege_level & userNameOnlyLookupMask) != + userNameOnlyLookup) || + (request->user_name_len == 0)) + { + // Skip privilege based lookup for security purpose + response->rmcpStatusCode = + static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME); + return outPayload; + } - // TODO: W/A code added to allow CI test cases to pass. - // Once test cases are updated to add -U option, the following - // code has to be removed. - // For the time being allow "" user with 0penBmc as password - if (request->user_name_len != 0) + // Perform user name based lookup + std::string userName(request->user_name, request->user_name_len); + std::string passwd; + uint8_t userId = ipmi::ipmiUserGetUserId(userName); + if (userId == ipmi::invalidUserId) + { + response->rmcpStatusCode = + static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME); + return outPayload; + } + // check user is enabled before proceeding. + bool userEnabled = false; + ipmi::ipmiUserCheckEnabled(userId, userEnabled); + if (!userEnabled) + { + response->rmcpStatusCode = + static_cast<uint8_t>(RAKP_ReturnCode::INACTIVE_ROLE); + return outPayload; + } + // Get the user password for RAKP message authenticate + passwd = ipmi::ipmiUserGetPassword(userName); + if (passwd.empty()) + { + response->rmcpStatusCode = + static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME); + return outPayload; + } + ipmi::PrivAccess userAccess{}; + ipmi::ChannelAccess chAccess{}; + // TODO Replace with proper calls. 
+ uint8_t chNum = static_cast<uint8_t>(ipmi::EChannelID::chanLan1); + // Get channel based access information + if ((ipmi::ipmiUserGetPrivilegeAccess(userId, chNum, userAccess) != + IPMI_CC_OK) || + (ipmi::getChannelAccessData(chNum, chAccess) != IPMI_CC_OK)) + { + response->rmcpStatusCode = + static_cast<uint8_t>(RAKP_ReturnCode::INACTIVE_ROLE); + return outPayload; + } + session->chNum = chNum; + // minimum privilege of Channel / User / requested has to be used + // as session current privilege level + uint8_t minPriv = 0; + if (chAccess.privLimit < userAccess.privilege) { - if (((request->req_max_privilege_level & userNameOnlyLookupMask) != - userNameOnlyLookup) || - (request->user_name_len == 0)) - { - // Skip privilege based lookup for security purpose - response->rmcpStatusCode = - static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME); - return outPayload; - } - - // Perform user name based lookup - std::string userName(request->user_name, request->user_name_len); - std::string passwd; - uint8_t userId = ipmi::ipmiUserGetUserId(userName); - if (userId == ipmi::invalidUserId) - { - response->rmcpStatusCode = - static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME); - return outPayload; - } - // check user is enabled before proceeding. - bool userEnabled = false; - ipmi::ipmiUserCheckEnabled(userId, userEnabled); - if (!userEnabled) - { - response->rmcpStatusCode = - static_cast<uint8_t>(RAKP_ReturnCode::INACTIVE_ROLE); - return outPayload; - } - // Get the user password for RAKP message authenticate - passwd = ipmi::ipmiUserGetPassword(userName); - if (passwd.empty()) - { - response->rmcpStatusCode = - static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME); - return outPayload; - } - ipmi::PrivAccess userAccess{}; - ipmi::ChannelAccess chAccess{}; - // TODO Replace with proper calls. 
- uint8_t chNum = static_cast<uint8_t>(ipmi::EChannelID::chanLan1); - // Get channel based access information - if ((ipmi::ipmiUserGetPrivilegeAccess(userId, chNum, userAccess) != - IPMI_CC_OK) || - (ipmi::getChannelAccessData(chNum, chAccess) != IPMI_CC_OK)) - { - response->rmcpStatusCode = - static_cast<uint8_t>(RAKP_ReturnCode::INACTIVE_ROLE); - return outPayload; - } - session->chNum = chNum; - // minimum privilege of Channel / User / requested has to be used - // as session current privilege level - uint8_t minPriv = 0; - if (chAccess.privLimit < userAccess.privilege) - { - minPriv = chAccess.privLimit; - } - else - { - minPriv = userAccess.privilege; - } - if (session->curPrivLevel > static_cast<session::Privilege>(minPriv)) - { - session->curPrivLevel = static_cast<session::Privilege>(minPriv); - } - - std::fill(authAlgo->userKey.data(), - authAlgo->userKey.data() + authAlgo->userKey.size(), 0); - std::copy_n(passwd.c_str(), passwd.size(), authAlgo->userKey.data()); + minPriv = chAccess.privLimit; } + else + { + minPriv = userAccess.privilege; + } + if (session->curPrivLevel > static_cast<session::Privilege>(minPriv)) + { + session->curPrivLevel = static_cast<session::Privilege>(minPriv); + } + + std::fill(authAlgo->userKey.data(), + authAlgo->userKey.data() + authAlgo->userKey.size(), 0); + std::copy_n(passwd.c_str(), passwd.size(), authAlgo->userKey.data()); + // Copy the Managed System Random Number to the Authentication Algorithm std::copy_n(iter, cipher::rakp_auth::BMC_RANDOM_NUMBER_LEN, authAlgo->bmcRandomNum.begin()); diff --git a/command/session_cmds.cpp b/command/session_cmds.cpp index bbc1459..5c74d28 100644 --- a/command/session_cmds.cpp +++ b/command/session_cmds.cpp 
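Review bot: `std::string userName(request->user_name, request->user_name_len);` trusts a length byte taken from the unauthenticated RAKP message 1, and the guard added just above it rejects only a zero length. Unless the part of RAKP12 above this hunk already bounds it, a length larger than the name field makes the string constructor read past the request buffer; extending the guard with `|| (request->user_name_len > sizeof(request->user_name))` would reject it (this assumes `user_name` is a fixed-size array, which the hunk does not show). The same applies to `std::copy_n(passwd.c_str(), passwd.size(), authAlgo->userKey.data());` near the end of the hunk: nothing visible compares `passwd.size()` with `authAlgo->userKey.size()`, so a stored password longer than the key buffer should be rejected before the copy. RAKP12's body starts and ends outside the hunk.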
@@ -41,18 +41,6 @@ std::vector<uint8_t> return outPayload; } - // TODO: W/A code added to allow CI test cases to pass. - // Once test cases are updated to add -U option, the following - // code has to be removed - if (session->userName.empty()) - { - // update current privilege of the session. - session->curPrivLevel = - static_cast<session::Privilege>(reqPrivilegeLevel); - response->newPrivLevel = reqPrivilegeLevel; - return outPayload; - } - uint8_t userId = ipmi::ipmiUserGetUserId(session->userName); if (userId == ipmi::invalidUserId) { |