Google Git
Sign in
gbmc / gbmcweb / 091df1ea9d3d03f72cf79c7f4b55084012e268f7 / . / redfish_authorization / redfish_authorizer.cc
blob: 3a5377ee334488f94a6d5ae76a8d6b2c4f61c614 [file] [log] [blame]
#include "redfish_authorizer.h"
#include <cstddef>
#include <cstdint>
#include <fstream>
#include <iterator>
#include <limits>
#include <memory>
#include <string>
#include <string_view>
#include <unordered_set>
#include <utility>
#include <vector>
#include "absl/container/flat_hash_map.h"
#include "absl/log/log.h"
#include "absl/status/status.h"
#include "absl/synchronization/mutex.h"
#include "authorizer_enums.h"
#include "nlohmann/json.hpp"
#include "nlohmann/json_fwd.hpp"
#include "config_parser.h"
#include "json_utils.h"
#include "override.h"
#include "pattern_to_entity_array.h"
#include "redfish_entity_trie.h"
#include "redfish_privileges.h"
#include "resource_uri_override.h"
#include "subordinate_override.h"
namespace milotic::authz {
using ::ecclesia::Operation;
using ::ecclesia::ResourceEntity;
using ::ecclesia::StringToOperation;
using ::ecclesia::StringToResourceEntity;
RedfishAuthorizer::RedfishAuthorizer()
: RedfishAuthorizer(AuthorizerOptions()) {}
RedfishAuthorizer::RedfishAuthorizer(const AuthorizerOptions& options)
: options_(options),
authz_configuration_(nlohmann::json(), options.offline_node_entities_path,
options.google_machine_identity_path) {
ResetEntityPrivilegesMappings();
LoadRedfishEntityTrie();
ReloadConfiguration();
}
void RedfishAuthorizer::LoadRedfishEntityTrie() {
for (std::size_t i = 0; i < pattern_entity_pair_array.size(); ++i) {
const auto& [pattern, entity] = pattern_entity_pair_array[i];
redfish_entity_trie_.InsertUri(pattern, entity, i);
}
// Now loads non-standard URI pattern into the trie
std::ifstream configuration_file(options_.pattern_entity_overrides_path);
if (!configuration_file.is_open()) {
LOG(WARNING) << "Pattern entity overrides file at '"
<< options_.pattern_entity_overrides_path << "' is missing.";
return;
}
std::string configuration = {
std::istreambuf_iterator<char>(configuration_file),
std::istreambuf_iterator<char>()};
constexpr bool kAllowException = false;
nlohmann::json configuration_json =
nlohmann::json::parse(configuration, nullptr, kAllowException);
if (configuration_json.is_discarded()) {
LOG(WARNING) << "Pattern entity overrides file at '"
<< options_.pattern_entity_overrides_path
<< "' is not a JSON document.";
return;
}
const nlohmann::json::array_t* pattern_entity_pairs =
GetValueAsArray(configuration_json, "pattern_entity_mappings_override");
if (pattern_entity_pairs == nullptr) {
LOG(WARNING) << "There are no pattern entity mappings.";
return;
}
for (const nlohmann::json& pattern_entity_pair : *pattern_entity_pairs) {
const std::string* pattern =
GetValueAsString(pattern_entity_pair, "pattern");
const std::string* entity_str =
GetValueAsString(pattern_entity_pair, "resource");
if (pattern == nullptr || entity_str == nullptr) {
LOG(WARNING) << "Pattern entity pair is invalid.";
return;
}
ResourceEntity entity = StringToResourceEntity(*entity_str);
// TODO(nanzhou): support indexing non-standard URI patterns
redfish_entity_trie_.InsertUri(*pattern, entity,
std::numeric_limits<std::size_t>::max());
}
}
ResourceEntity RedfishAuthorizer::GetEntityTypeFromRedfishUri(
std::string_view uri) const {
return redfish_entity_trie_.GetEntityType(uri);
}
RedfishAuthorizer::RedfishAuthorizer(const nlohmann::json& registry_json,
const nlohmann::json& configuration_json) {
ResetEntityPrivilegesMappings();
LoadRedfishEntityTrie();
ReconstructPrivilegeRegistry(
GetValueAsArray(registry_json, "Mappings"),
GetValueAsArray(configuration_json, "oem_privilege_mappings"),
GetValueAsJson(configuration_json, "additional_override_mappings"),
GetValueAsArray(registry_json, "AdditionalSubtreeMappings"),
/*platform_subtree_mappings=*/nullptr);
}
static nlohmann::json ParseJsonConfig(const std::string& configuration_path) {
std::ifstream configuration_file(configuration_path);
if (!configuration_file.is_open()) {
LOG(WARNING) << "Configuration file at '" << configuration_path
<< "' is missing.";
return nlohmann::json();
}
std::string configuration = {
std::istreambuf_iterator<char>(configuration_file),
std::istreambuf_iterator<char>()};
constexpr bool kAllowException = false;
nlohmann::json configuration_json =
nlohmann::json::parse(configuration, nullptr, kAllowException);
if (configuration_json.is_discarded()) {
LOG(WARNING) << "Configuration file at '" << configuration_path
<< "' is not a JSON document.";
return nlohmann::json();
}
return configuration_json;
}
nlohmann::json RedfishAuthorizer::ParseAuthConfig() const {
return ParseJsonConfig(options_.configuration_path);
}
void RedfishAuthorizer::ParseSubscriptionLimit(
const nlohmann::json& configuration_json) {
const int64_t* subscription_limit =
GetValueAsInt(configuration_json, "universal_subscription_limit");
if (subscription_limit == nullptr) {
LOG(WARNING) << "Subscription limit not defined in Authorization Config; a "
"default value 1 will be used";
return;
}
if (*subscription_limit < 1) {
LOG(WARNING) << "Subscription shouldn't be less than 1; a default value 1 "
"will be used";
return;
}
subscription_tracker_.SetUniversalSubscriptionLimit(*subscription_limit);
}
std::string RedfishAuthorizer::FindBasePrivilegeRegistryPath(
const nlohmann::json& configuration_json) const {
const std::string* base_privilege_registry_str =
GetValueAsString(configuration_json, "base_privilege_registry");
if (base_privilege_registry_str == nullptr) {
LOG(WARNING)
<< "Base Privilege Registry not defined in Authorization Config";
return "";
}
std::string base_privilege_registry_path =
options_.base_privileges_folder + "/" + *base_privilege_registry_str;
std::ifstream registry_file(base_privilege_registry_path);
if (!registry_file.is_open()) {
LOG(WARNING) << "Base registry file at '" << base_privilege_registry_path
<< "' is missing.";
return "";
}
return base_privilege_registry_path;
}
std::string RedfishAuthorizer::GetPeerRedfishRole(
const PeerSpiffeIdentity& peer) const {
return authz_configuration_.GetPeerRedfishRole(peer);
}
uint64_t RedfishAuthorizer::GetSampleRateLimit(
const std::string& peer_role) const {
return authz_configuration_.GetSampleRateLimit(peer_role);
}
void RedfishAuthorizer::ReloadConfiguration() {
ReloadConfiguration(options_.configuration_path);
}
void RedfishAuthorizer::ReloadConfiguration(
const std::string& configuration_path) {
nlohmann::json configuration_json = ParseJsonConfig(configuration_path);
if (configuration_json.empty()) {
return;
}
// Load subscription limit
ParseSubscriptionLimit(configuration_json);
nlohmann::json platform_configuration_json =
ParseJsonConfig(options_.platform_configuration_path);
const std::string* platform_name_str =
GetValueAsString(platform_configuration_json, "name");
if (platform_name_str != nullptr) {
LOG(WARNING) << "Loading platform configuration '" << *platform_name_str
<< "'" << " from " << options_.platform_configuration_path;
}
// Load authz config
authz_configuration_.ReloadConfig(configuration_json,
platform_configuration_json);
std::string base_privilege_registry_path =
FindBasePrivilegeRegistryPath(configuration_json);
if (base_privilege_registry_path.empty()) {
return;
}
ResetEntityPrivilegesMappings();
ReconstructPrivilegeRegistry(
base_privilege_registry_path,
GetValueAsArray(configuration_json, "oem_privilege_mappings"),
GetValueAsJson(configuration_json, "additional_override_mappings"),
platform_configuration_json);
}
void RedfishAuthorizer::SetBasePrivilegesFolder(
std::string_view base_privileges_folder) {
options_.base_privileges_folder = base_privileges_folder;
ReloadConfiguration();
}
void RedfishAuthorizer::SetPrivileges(
EntityPrivilegesMappings&& new_entity_privileges_mappings,
OverrideMappings&& new_override_mappings) {
absl::MutexLock lock(&mutex_);
entity_privileges_mappings_ = std::move(new_entity_privileges_mappings);
override_mappings_ = std::move(new_override_mappings);
}
RedfishAuthorizer::EntityPrivilegesMappings
RedfishAuthorizer::DefaultEntityPrivilegesMappings() {
return EntityPrivilegesMappings(
static_cast<int>(ResourceEntity::kUndefined) + 1,
std::vector<std::vector<RedfishPrivileges>>(
static_cast<int>(Operation::kUndefined) + 1));
}
RedfishAuthorizer::OverrideMappings
RedfishAuthorizer::DefaultOverrideMappings() {
return OverrideMappings(static_cast<int>(ResourceEntity::kUndefined) + 1);
}
void RedfishAuthorizer::ResetEntityPrivilegesMappings() {
absl::MutexLock lock(&mutex_);
entity_privileges_mappings_ = DefaultEntityPrivilegesMappings();
override_mappings_ = DefaultOverrideMappings();
}
std::vector<RedfishPrivileges> RedfishAuthorizer::GetPrivilegesArrFromJsonArr(
const nlohmann::json::array_t& operation_privilege_arr_json) const {
std::vector<RedfishPrivileges> privileges_or_arr;
for (const nlohmann::json& operation_privilege :
operation_privilege_arr_json) {
RedfishPrivileges redfish_privileges;
const nlohmann::json::array_t* privilege_arr =
GetValueAsArray(operation_privilege, "Privilege");
if (privilege_arr == nullptr) {
continue;
}
for (const nlohmann::json& privilege : *privilege_arr) {
const std::string* privilege_str =
privilege.get_ptr<const std::string*>();
if (privilege_str == nullptr) {
LOG(WARNING) << "The value of the privilege isn't a string.";
LOG(WARNING) << "|value|=" << privilege.dump(2);
continue;
}
redfish_privileges.InsertPrivilege(*privilege_str);
}
// NOTE: there won't be an empty required privilege set ever
if (redfish_privileges.GetPrivileges().empty()) {
continue;
}
privileges_or_arr.push_back(redfish_privileges);
}
return privileges_or_arr;
}
std::vector<std::string> RedfishAuthorizer::GetTargetsArrFromJsonArr(
const nlohmann::json::array_t& targets_arr_json) const {
std::vector<std::string> targets;
for (const nlohmann::json& target : targets_arr_json) {
const std::string* target_str = target.get_ptr<const std::string*>();
if (target_str == nullptr) {
continue;
}
targets.push_back(*target_str);
}
return targets;
}
absl::flat_hash_map<ecclesia::Operation, std::vector<RedfishPrivileges>>
RedfishAuthorizer::GetOperationMapFromJson(
const nlohmann::json& override_operation_map) const {
absl::flat_hash_map<ecclesia::Operation, std::vector<RedfishPrivileges>>
override_operation_privileges_map;
for (Operation operation : all_operations) {
const nlohmann::json::array_t* override_operation_privilege_arr =
GetValueAsArray(override_operation_map, OperationToString(operation));
if (override_operation_privilege_arr == nullptr) {
continue;
}
override_operation_privileges_map[operation] =
GetPrivilegesArrFromJsonArr(*override_operation_privilege_arr);
}
return override_operation_privileges_map;
}
void RedfishAuthorizer::ReconstructPrivilegeRegistry(
const std::string& base_registry_path,
const nlohmann::json::array_t* oem_mappings,
const nlohmann::json* override_mappings,
const nlohmann::json& platform_config_json) {
std::ifstream registry_file(base_registry_path);
if (!registry_file.is_open()) {
LOG(WARNING) << "Base registry file at '" << base_registry_path
<< "' is missing.";
return;
}
std::string registry = {std::istreambuf_iterator<char>(registry_file),
std::istreambuf_iterator<char>()};
constexpr bool kAllowException = false;
nlohmann::json registry_json =
nlohmann::json::parse(registry, nullptr, kAllowException);
if (registry_json.is_discarded()) {
LOG(WARNING) << "Base registry file at '" << base_registry_path
<< "' is not a JSON document.";
return;
}
const nlohmann::json::array_t* mappings =
GetValueAsArray(registry_json, "Mappings");
const nlohmann::json::array_t* additional_subtree_mappings =
GetValueAsArray(registry_json, "AdditionalSubtreeMappings");
const nlohmann::json::array_t* platform_subtree_mappings =
GetValueAsArray(platform_config_json, "AdditionalSubtreeMappings");
ReconstructPrivilegeRegistry(mappings, oem_mappings, override_mappings,
additional_subtree_mappings,
platform_subtree_mappings);
}
void RedfishAuthorizer::ReconstructPrivilegeRegistry(
const nlohmann::json::array_t* registry_mappings,
const nlohmann::json::array_t* oem_mappings,
const nlohmann::json* override_mappings,
const nlohmann::json::array_t* additional_subtree_mappings,
const nlohmann::json::array_t* platform_subtree_mappings) {
if (registry_mappings == nullptr) {
return;
}
EntityPrivilegesMappings new_entity_privileges_mappings =
DefaultEntityPrivilegesMappings();
OverrideMappings new_override_mappings = DefaultOverrideMappings();
for (const nlohmann::json& mapping : *registry_mappings) {
const std::string* entity_str = GetValueAsString(mapping, "Entity");
const nlohmann::json* operation_map =
GetValueAsJson(mapping, "OperationMap");
if (operation_map == nullptr || entity_str == nullptr) {
continue;
}
ResourceEntity entity = StringToResourceEntity(*entity_str);
if (entity == ResourceEntity::kUndefined) {
continue;
}
for (Operation operation : all_operations) {
const nlohmann::json::array_t* operation_privilege_arr =
GetValueAsArray(*operation_map, OperationToString(operation));
if (operation_privilege_arr == nullptr) {
continue;
}
new_entity_privileges_mappings[static_cast<int>(entity)][static_cast<int>(
operation)] = GetPrivilegesArrFromJsonArr(*operation_privilege_arr);
}
// Apply overrides if applicable
ApplySubordinateOverridesToEntity(
GetValueAsArray(mapping, "SubordinateOverrides"), entity,
new_override_mappings);
ApplyResourceOverridesToEntity(
GetValueAsArray(mapping, "ResourceURIOverrides"), entity,
new_override_mappings);
}
if (oem_mappings != nullptr) {
ApplyOemMappings(*oem_mappings, new_entity_privileges_mappings);
}
if (override_mappings != nullptr) {
ApplyOverrideMappings(*override_mappings, new_override_mappings);
}
std::vector<SubtreePrivilegeMapping> additional_subtree_mappings_vector;
if (additional_subtree_mappings != nullptr) {
ParseAdditionalSubtreeMappings(additional_subtree_mappings_vector,
*additional_subtree_mappings);
}
if (platform_subtree_mappings != nullptr) {
ParseAdditionalSubtreeMappings(additional_subtree_mappings_vector,
*platform_subtree_mappings);
}
redfish_entity_trie_.ReplaceSubtreePrivilegeMappings(
std::move(additional_subtree_mappings_vector));
SetPrivileges(std::move(new_entity_privileges_mappings),
std::move(new_override_mappings));
}
void RedfishAuthorizer::ApplySubordinateOverrides(
const nlohmann::json::array_t* subordinate_overrides,
OverrideMappings& new_override_mappings) {
if (subordinate_overrides == nullptr) {
return;
}
for (const nlohmann::json& subordinate_override : *subordinate_overrides) {
const std::string* entity_str =
GetValueAsString(subordinate_override, "entity");
const nlohmann::json::array_t* targets_json =
GetValueAsArray(subordinate_override, "targets");
const nlohmann::json* override_operation_map =
GetValueAsJson(subordinate_override, "operation_map");
if (entity_str == nullptr || targets_json == nullptr ||
targets_json->empty() || override_operation_map == nullptr) {
LOG(WARNING) << "Override is setup incorrectly";
LOG(WARNING) << "|json|=" << subordinate_override.dump(2);
continue;
}
ResourceEntity entity = StringToResourceEntity(*entity_str);
if (entity == ResourceEntity::kUndefined) {
LOG(WARNING) << "|entity| is unsupported; |entity|=" << *entity_str;
continue;
}
std::vector<std::string> targets = GetTargetsArrFromJsonArr(*targets_json);
if (targets.empty()) {
continue;
}
new_override_mappings[static_cast<int>(entity)].push_back(
std::make_shared<SubordinateOverride>(
std::move(targets),
GetOperationMapFromJson(*override_operation_map),
redfish_entity_trie_));
}
}
void RedfishAuthorizer::ApplySubordinateOverridesToEntity(
const nlohmann::json::array_t* subordinate_overrides, ResourceEntity entity,
OverrideMappings& new_override_mappings) {
if (subordinate_overrides == nullptr) {
return;
}
for (const nlohmann::json& subordinate_override : *subordinate_overrides) {
const nlohmann::json::array_t* targets_json =
GetValueAsArray(subordinate_override, "Targets");
const nlohmann::json* override_operation_map =
GetValueAsJson(subordinate_override, "OperationMap");
if (targets_json == nullptr || override_operation_map == nullptr) {
continue;
}
std::vector<std::string> targets = GetTargetsArrFromJsonArr(*targets_json);
if (targets.empty()) {
continue;
}
new_override_mappings[static_cast<int>(entity)].push_back(
std::make_shared<SubordinateOverride>(
std::move(targets),
GetOperationMapFromJson(*override_operation_map),
redfish_entity_trie_));
}
}
void RedfishAuthorizer::ApplyResourceOverrides(
const nlohmann::json::array_t* resource_overrides,
OverrideMappings& new_override_mappings) {
if (resource_overrides == nullptr) {
return;
}
for (const nlohmann::json& resource_override : *resource_overrides) {
const std::string* entity_str =
GetValueAsString(resource_override, "entity");
const nlohmann::json::array_t* targets_json =
GetValueAsArray(resource_override, "targets");
const nlohmann::json* override_operation_map =
GetValueAsJson(resource_override, "operation_map");
if (entity_str == nullptr || targets_json == nullptr ||
targets_json->empty() || override_operation_map == nullptr) {
LOG(WARNING) << "Override is setup incorrectly";
LOG(WARNING) << "|json|=" << resource_override.dump(2);
continue;
}
ResourceEntity entity = StringToResourceEntity(*entity_str);
if (entity == ResourceEntity::kUndefined) {
LOG(WARNING) << "|entity| is unsupported; |entity|=" << *entity_str;
continue;
}
std::vector<std::string> targets = GetTargetsArrFromJsonArr(*targets_json);
if (targets.empty()) {
continue;
}
new_override_mappings[static_cast<int>(entity)].push_back(
std::make_shared<ResourceUriOverride>(
std::move(targets),
GetOperationMapFromJson(*override_operation_map)));
}
}
void RedfishAuthorizer::ApplyResourceOverridesToEntity(
const nlohmann::json::array_t* resource_overrides, ResourceEntity entity,
OverrideMappings& new_override_mappings) {
if (resource_overrides == nullptr) {
return;
}
for (const nlohmann::json& resource_override : *resource_overrides) {
const nlohmann::json::array_t* targets_json =
GetValueAsArray(resource_override, "Targets");
const nlohmann::json* override_operation_map =
GetValueAsJson(resource_override, "OperationMap");
if (targets_json == nullptr || override_operation_map == nullptr) {
continue;
}
std::vector<std::string> targets = GetTargetsArrFromJsonArr(*targets_json);
if (targets.empty()) {
continue;
}
new_override_mappings[static_cast<int>(entity)].push_back(
std::make_shared<ResourceUriOverride>(
std::move(targets),
GetOperationMapFromJson(*override_operation_map)));
}
}
void RedfishAuthorizer::ApplyOverrideMappings(
const nlohmann::json& override_mappings_json,
OverrideMappings& new_override_mappings) {
ApplySubordinateOverrides(
GetValueAsArray(override_mappings_json, "subordinate_overrides"),
new_override_mappings);
ApplyResourceOverrides(
GetValueAsArray(override_mappings_json, "resource_overrides"),
new_override_mappings);
}
void RedfishAuthorizer::ApplyOemMappings(
const nlohmann::json::array_t& oem_mappings,
EntityPrivilegesMappings& entity_privileges_mappings) {
for (const nlohmann::json& oem_mapping : oem_mappings) {
const std::string* oem_privilege =
GetValueAsString(oem_mapping, "oem_privilege");
if (oem_privilege == nullptr) {
continue;
}
RedfishPrivileges new_privileges({*oem_privilege});
const nlohmann::json::array_t* resource_operations =
GetValueAsArray(oem_mapping, "resource_operations");
if (resource_operations == nullptr) {
continue;
}
for (const nlohmann::json& resource_operation : *resource_operations) {
const std::string* resource_entity_str =
GetValueAsString(resource_operation, "resource_entity");
if (resource_entity_str == nullptr) {
continue;
}
ResourceEntity entity = StringToResourceEntity(*resource_entity_str);
if (entity == ResourceEntity::kUndefined) {
LOG(WARNING) << "|resource_entity| is unsupported; |resource_entity|="
<< *resource_entity_str;
continue;
}
const nlohmann::json::array_t* operations =
GetValueAsArray(resource_operation, "operations");
if (operations == nullptr) {
continue;
}
for (const nlohmann::json& operation_json : *operations) {
const std::string* operation_str =
operation_json.get_ptr<const std::string*>();
if (operation_str == nullptr) {
LOG(WARNING) << "The value of the operation isn't a string.";
LOG(WARNING) << "|value|=" << operation_json;
continue;
}
Operation operation = StringToOperation(*operation_str);
if (operation == Operation::kUndefined) {
LOG(WARNING) << "|operation| is unsupported; |operation|="
<< *operation_str;
continue;
}
AppendPrivilege(new_privileges, entity, operation,
entity_privileges_mappings);
}
}
}
}
void RedfishAuthorizer::ParseAdditionalSubtreeMappings(
std::vector<SubtreePrivilegeMapping>& additional_subtree_mappings,
const nlohmann::json& additional_subtree_mappings_json) {
for (const nlohmann::json& subtree_mapping :
additional_subtree_mappings_json) {
const std::string* subtree_prefix =
GetValueAsString(subtree_mapping, "SubtreePrefix");
const nlohmann::json* operation_map_json =
GetValueAsJson(subtree_mapping, "OperationMap");
if (subtree_prefix == nullptr || operation_map_json == nullptr) {
continue;
}
for (const auto& [operation, privileges] :
GetOperationMapFromJson(*operation_map_json)) {
for (const auto& privilege : privileges) {
additional_subtree_mappings.push_back(
SubtreePrivilegeMapping{.url = *subtree_prefix,
.operation = operation,
.privileges = privilege});
}
}
}
}
void RedfishAuthorizer::AppendPrivilege(
const RedfishPrivileges& privileges, ResourceEntity resource_entity,
Operation operation, EntityPrivilegesMappings& entity_privileges_mappings) {
entity_privileges_mappings[static_cast<int>(resource_entity)]
[static_cast<int>(operation)]
.push_back(privileges);
}
std::vector<RedfishPrivileges> RedfishAuthorizer::GetRequiredPrivileges(
ResourceEntity resource_entity, Operation operation) const {
absl::MutexLock lock(&mutex_);
return entity_privileges_mappings_[static_cast<int>(resource_entity)]
[static_cast<int>(operation)];
}
std::vector<std::shared_ptr<Override>> RedfishAuthorizer::GetOverrides(
ResourceEntity resource_entity) const {
absl::MutexLock lock(&mutex_);
return override_mappings_[static_cast<int>(resource_entity)];
}
absl::Status RedfishAuthorizer::RecordNewSubscription(
const PeerSpiffeIdentity& peer) {
return subscription_tracker_.RecordNewSubscription(peer);
}
absl::Status RedfishAuthorizer::RecordNewUnsubscription(
const PeerSpiffeIdentity& peer) {
return subscription_tracker_.RecordNewUnsubscription(peer);
}
bool RedfishAuthorizer::IsPeerAuthorized(
ResourceEntity entity, Operation operation,
const RedfishPrivileges& peer_privileges) const {
if (entity == ResourceEntity::kUndefined ||
operation == Operation::kUndefined) {
return false;
}
std::vector<RedfishPrivileges> required_privilege_sets =
GetRequiredPrivileges(entity, operation);
if (required_privilege_sets.empty()) {
LOG(WARNING) << "No required privileges found for "
<< ResourceEntityToString(entity) << " and operation "
<< OperationToString(operation)
<< ". This most likely means that you are using an outdated "
"redfish authz policy.";
}
for (const RedfishPrivileges& privileges : required_privilege_sets) {
// NOTE: there won't be an empty required privilege set ever; otherwise,
// we skip this required privilege set.
if (privileges.GetPrivileges().empty()) {
LOG(WARNING)
<< "Precondition failed: required privilege set will never be "
"empty; check the base privilege registry for "
<< ResourceEntityToString(entity) << " and operation "
<< OperationToString(operation);
continue;
}
if (peer_privileges.IsSupersetOf(privileges)) {
return true;
}
}
return false;
}
bool RedfishAuthorizer::IsPeerAuthorized(
std::string_view uri, Operation operation,
const RedfishPrivileges& peer_privileges) const {
ResourceEntity entity = GetEntityTypeFromRedfishUri(uri);
if (entity == ResourceEntity::kUndefined) {
LOG(WARNING) << "Can't map |uri| to Redfish resource; |uri|=" << uri;
return false;
}
if (operation == Operation::kUndefined) {
LOG(WARNING) << "|operation| is undefined";
return false;
}
// Check Overrides
for (const std::shared_ptr<Override>& override : GetOverrides(entity)) {
// If the override is applicable, then peer must be authorized through
// override
if (override->IsApplicable(uri, operation)) {
return override->IsPeerAuthorized(uri, operation, peer_privileges);
}
}
// Check Additional Subtree Mappings
for (const auto& privileges :
redfish_entity_trie_.GetAdditionalSubtreePrivileges(uri, operation)) {
// NOTE: there won't be an empty required privilege set ever; otherwise,
// we skip this required privilege set.
if (privileges.GetPrivileges().empty()) {
LOG(WARNING)
<< "Precondition failed: required privilege set will never be "
"empty; check the additional subtree mappings for "
<< uri << " and operation " << OperationToString(operation);
continue;
}
if (peer_privileges.IsSupersetOf(privileges)) {
return true;
}
}
return IsPeerAuthorized(entity, operation, peer_privileges);
}
nlohmann::json::array_t RedfishAuthorizer::RedfishPrivilegeRegistryMappings()
const {
nlohmann::json::array_t privilege_registry_mappings;
for (size_t i = 0; i < static_cast<size_t>(ResourceEntity::kUndefined); ++i) {
nlohmann::json::object_t entity_privilege_mappings;
ResourceEntity entity = static_cast<ResourceEntity>(i);
entity_privilege_mappings["Entity"] = ResourceEntityToString(entity);
// Get OperationMap
entity_privilege_mappings["OperationMap"] = nlohmann::json::object_t();
for (size_t j = 0; j < static_cast<size_t>(Operation::kUndefined); ++j) {
nlohmann::json::array_t operation_privileges;
Operation operation = static_cast<Operation>(j);
std::vector<RedfishPrivileges> privilege_set =
GetRequiredPrivileges(entity, operation);
for (const RedfishPrivileges& privileges : privilege_set) {
operation_privileges.push_back(privileges.ToJson());
}
entity_privilege_mappings["OperationMap"][OperationToString(operation)] =
operation_privileges;
}
// Get Overrides
std::vector<std::shared_ptr<Override>> overrides = GetOverrides(entity);
nlohmann::json::array_t subordinate_overrides_json =
nlohmann::json::array_t();
nlohmann::json::array_t resource_overrides_json = nlohmann::json::array_t();
for (const std::shared_ptr<Override>& override : overrides) {
if (override->GetOverrideType() == Override::Type::kSubordinateOverride) {
subordinate_overrides_json.push_back(override->ToJson());
continue;
}
resource_overrides_json.push_back(override->ToJson());
}
if (!subordinate_overrides_json.empty()) {
entity_privilege_mappings["SubordinateOverrides"] =
subordinate_overrides_json;
}
if (!resource_overrides_json.empty()) {
entity_privilege_mappings["ResourceURIOverrides"] =
resource_overrides_json;
}
privilege_registry_mappings.push_back(entity_privilege_mappings);
}
return privilege_registry_mappings;
}
nlohmann::json::object_t RedfishAuthorizer::GetRedfishPrivilegeRegistry()
const {
nlohmann::json::object_t privilege_registry;
privilege_registry["@odata.id"] = "/redfish/v1/AccountService/PrivilegeMap";
privilege_registry["@odata.type"] =
"#PrivilegeRegistry.v1_1_4.PrivilegeRegistry";
privilege_registry["Id"] = "Redfish_1.3.1_PrivilegeRegistry";
privilege_registry["Name"] = "Privilege Mapping array collection";
privilege_registry["PrivilegesUsed"] =
authz_configuration_.GetDefaultRedfishPrivileges();
privilege_registry["OEMPrivilegesUsed"] =
authz_configuration_.GetOemPrivileges();
privilege_registry["Mappings"] = RedfishPrivilegeRegistryMappings();
return privilege_registry;
}
} // namespace milotic::authz