Make bmcweb Find Privilege Registry Folder on SIGHUP
Logic is hard to refactor without some code duplication because
authorizer must be initialized before using and the cases for
SIGHUP and startup are different.
On startup we know for sure that we can initialize with
/var/google because we check there first.
For SIGHUP, we don't necessarily know where the filepath is pointing
to, so we have to check both anyway.
Change-Id: Iac51b6f89b2f7ad305a8f0d47dd1a4c324f8c3b1
Signed-off-by: Edward Lee <edwarddl@google.com>
(cherry picked from commit 1b94a387ef756b079762cdfa3d7f1c6c101f8df2)
diff --git a/recipes-phosphor/interfaces/bmcweb/0023-gRPC-redfish.patch b/recipes-phosphor/interfaces/bmcweb/0023-gRPC-redfish.patch
index 95c924a..1e8a97e 100644
--- a/recipes-phosphor/interfaces/bmcweb/0023-gRPC-redfish.patch
+++ b/recipes-phosphor/interfaces/bmcweb/0023-gRPC-redfish.patch
@@ -25,7 +25,7 @@
config/meson.build | 5 ++-
grpc-redfish/meson.build | 45 ++++++++++++++++++++
http/http_request.hpp | 6 +++
- http/http_server.hpp | 6 +++
+ http/http_server.hpp | 25 +++++++++++
http/routing.hpp | 27 +++++++++++-
meson.build | 8 ++++
meson_options.txt | 43 +++++++++++++++++++
@@ -33,7 +33,7 @@
redfish-core/include/utils/query_param.hpp | 27 ++++++++----
redfish-core/lib/account_service.hpp | 18 ++++++++
src/webserver_main.cpp | 48 ++++++++++++++++++++++
- 12 files changed, 232 insertions(+), 13 deletions(-)
+ 12 files changed, 251 insertions(+), 13 deletions(-)
create mode 100644 grpc-redfish/meson.build
diff --git a/config/bmcweb_config.h.in b/config/bmcweb_config.h.in
@@ -42,7 +42,7 @@
+++ b/config/bmcweb_config.h.in
@@ -14,4 +14,7 @@ constexpr const size_t bmcwebHttpReqBodyLimitMb = @BMCWEB_HTTP_REQ_BODY_LIMIT_MB
constexpr const char* mesonInstallPrefix = "@MESON_INSTALL_PREFIX@";
-
+
constexpr const bool bmcwebInsecureEnableHttpPushStyleEventing = @BMCWEB_INSECURE_ENABLE_HTTP_PUSH_STYLE_EVENTING@ == 1;
+constexpr int mTlsGrpcPort = @MTLS_GRPC_PORT@;
+constexpr int insecureGrpcPort = @INSECURE_GRPC_PORT@;
@@ -59,7 +59,7 @@
+conf_data.set('MTLS_GRPC_PORT', get_option('mtls-grpc-port'))
+conf_data.set('INSECURE_GRPC_PORT', get_option('insecure-grpc-port'))
+conf_data.set10('INSECURE_DISABLE_REDFISH_AUTHZ', get_option('insecure-disable-grpc-redfish-authz').enabled())
-
+
conf_h_dep = declare_dependency(
include_directories: include_directories('.'),
@@ -41,4 +44,4 @@ configure_file(input : 'pam-webserver',
@@ -126,16 +126,16 @@
+++ b/http/http_request.hpp
@@ -1,5 +1,7 @@
#pragma once
-
+
+#include "bmcweb_authorizer_singleton.h"
+
#include "common.hpp"
#include "sessions.hpp"
-
+
@@ -32,6 +34,10 @@ struct Request
-
+
std::shared_ptr<persistent_data::UserSession> session;
-
+
+ // Dynamic fine grained authorization
+ bool fromGrpc = false;
+ ::milotic::authz::BmcWebAuthorizerSingleton::RequestState authzState;
@@ -144,24 +144,43 @@
Request(boost::beast::http::request<boost::beast::http::string_body> reqIn,
std::error_code& ec) :
diff --git a/http/http_server.hpp b/http/http_server.hpp
-index 3949a46a..dc82d84d 100644
+index 3949a46a..1c8dd7a6 100644
--- a/http/http_server.hpp
+++ b/http/http_server.hpp
-@@ -1,5 +1,7 @@
+@@ -1,5 +1,8 @@
#pragma once
-
+
++#include "absl/log/log.h"
+#include "bmcweb_authorizer_singleton.h"
+
#include "http_connection.hpp"
#include "logging.hpp"
#include "ssl_key_handler.hpp"
-@@ -137,6 +139,10 @@ class Server
+@@ -137,6 +140,28 @@ class Server
if (signalNo == SIGHUP)
{
BMCWEB_LOG_INFO << "Receivied reload signal";
++ constexpr char persistentBasePrivilegesFolder[] =
++ "/var/google/authz_policies";
++ constexpr char rofsBasePrivilegesFolder[] =
++ "/usr/share/redfish_privileges";
++ ::milotic::authz::BmcWebAuthorizerSingleton& authorizer =
++ ::milotic::authz::BmcWebAuthorizerSingleton::
++ GetInstance();
++ // Check persistent data first
++ authorizer.SetBasePrivilegesFolder(
++ persistentBasePrivilegesFolder);
++ // If privilege registry dosent exist, check rofs
++ if (!authorizer.IsBasePrivilegeRegistryFound())
++ {
++ LOG(WARNING)
++ << "Could not find Privilege Registry at /var/google/authz_policies";
++ authorizer.SetBasePrivilegesFolder(
++ rofsBasePrivilegesFolder);
++ }
++
+ // reload authz config
-+ ::milotic::authz::BmcWebAuthorizerSingleton::GetInstance()
-+ .ReloadConfiguration();
++ authorizer.ReloadConfiguration();
+
loadCertificate();
boost::system::error_code ec2;
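Review bot: After the fallback to rofsBasePrivilegesFolder there is no second IsBasePrivilegeRegistryFound() check, so when neither folder holds a registry, authorizer.ReloadConfiguration() still runs against a folder already known to be empty; whether that keeps the previous policy or replaces it depends on the authorizer, which is not visible here, and the handler should make that outcome explicit and log it at error level rather than leave it to the callee. The warning on the fallback path also hardcodes "/var/google/authz_policies" instead of streaming persistentBasePrivilegesFolder, so the message and the constant can drift apart, and it uses LOG(WARNING) where the surrounding handler logs with BMCWEB_LOG_INFO, which is the only reason the absl/log include had to be added to http_server.hpp. A sketch of the guarded reload follows; the enclosing signal handler starts and ends outside this hunk.
```cpp
// … unchanged: folder constants and GetInstance() …
// Check persistent data first
authorizer.SetBasePrivilegesFolder(persistentBasePrivilegesFolder);
// If the privilege registry doesn't exist there, check rofs
if (!authorizer.IsBasePrivilegeRegistryFound())
{
    BMCWEB_LOG_WARNING << "Could not find Privilege Registry at "
                       << persistentBasePrivilegesFolder
                       << ", falling back to " << rofsBasePrivilegesFolder;
    authorizer.SetBasePrivilegesFolder(rofsBasePrivilegesFolder);
}
// Only reload when a registry was actually located; otherwise say so
// explicitly instead of reloading from a folder known to be empty.
if (authorizer.IsBasePrivilegeRegistryFound())
{
    authorizer.ReloadConfiguration();
}
else
{
    BMCWEB_LOG_ERROR << "No Privilege Registry found in "
                     << persistentBasePrivilegesFolder << " or "
                     << rofsBasePrivilegesFolder
                     << "; authz configuration not reloaded";
}
// … unchanged: loadCertificate() and the rest of the SIGHUP handling …
```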
@@ -172,7 +191,7 @@
+++ b/http/routing.hpp
@@ -1,5 +1,11 @@
#pragma once
-
+
+#include "absl/log/log.h"
+#include "authorizer_enums.h"
+#include "bmcweb_authorizer_singleton.h"
@@ -185,7 +204,7 @@
@@ -1509,11 +1515,30 @@ class Router
<< static_cast<uint32_t>(*verb) << " / "
<< rule.getMethods();
-
+
- if (req.session == nullptr)
+ if (!req.fromGrpc || (insecureDisableGrpcRedfishAuthz &&
+ req.authzState.peer_authenticated))
@@ -221,18 +240,18 @@
@@ -93,6 +93,10 @@ feature_map = {
#'vm-nbdproxy' : '-DBMCWEB_ENABLE_VM_NBDPROXY',
}
-
+
+# gRPC Features
+feature_map += {'mtls-grpc' : '-DBMCWEB_ENABLE_GRPC'}
+feature_map += {'insecure-grpc' : '-DBMCWEB_ENABLE_INSECURE_GRPC'}
+
# Get the options status and build a project summary to show which flags are
# being enabled during the configuration time.
-
+
@@ -343,6 +347,10 @@ bmcweblib = static_library(
dependencies: bmcweb_dependencies,
)
-
+
+if get_option('mtls-grpc').enabled()
+ subdir('grpc-redfish')
+endif
@@ -298,7 +317,7 @@
@@ -159,10 +159,13 @@ inline bool handleIfMatch(crow::App& app, const crow::Request& req,
std::function<void(crow::Response&)> handler =
asyncResp->res.releaseCompleteRequestHandler();
-
+
+ auto authzState = req.authzState;
+ bool fromGrpc = req.fromGrpc;
asyncResp->res.setCompleteRequestHandler(
@@ -310,7 +329,7 @@
+ fromGrpc(fromGrpc)](crow::Response& resIn) mutable {
+ processAllParams(app, query, authzState, fromGrpc, handler, resIn);
});
-
+
return needToCallHandlers;
diff --git a/redfish-core/include/utils/query_param.hpp b/redfish-core/include/utils/query_param.hpp
index 96885ebb..a603848f 100644
@@ -320,7 +339,7 @@
#pragma once
+#include "bmcweb_authorizer_singleton.h"
#include "bmcweb_config.h"
-
+
#include "app.hpp"
@@ -768,10 +769,14 @@ class MultiAsyncResp : public std::enable_shared_from_this<MultiAsyncResp>
// allows callers to attach sub-responses within the json tree that need
@@ -338,7 +357,7 @@
+ finalRes(std::move(finalResIn)), authzState(stateIn),
+ fromGrpc(fromGrpcIn)
{}
-
+
void addAwaitingResponse(
@@ -820,6 +825,8 @@ class MultiAsyncResp : public std::enable_shared_from_this<MultiAsyncResp>
messages::internalError(finalRes->res);
@@ -346,22 +365,22 @@
}
+ newReq.authzState = authzState;
+ newReq.fromGrpc = fromGrpc;
-
+
auto asyncResp = std::make_shared<bmcweb::AsyncResp>();
BMCWEB_LOG_DEBUG << "setting completion handler on "
@@ -841,6 +848,8 @@ class MultiAsyncResp : public std::enable_shared_from_this<MultiAsyncResp>
-
+
crow::App& app;
std::shared_ptr<bmcweb::AsyncResp> finalRes;
+ ::milotic::authz::BmcWebAuthorizerSingleton::RequestState authzState;
+ bool fromGrpc;
};
-
+
inline void processTopAndSkip(const Query& query, crow::Response& res)
@@ -961,10 +970,11 @@ inline void processSelect(crow::Response& intermediateResponse,
recursiveSelect(intermediateResponse.jsonValue, trieRoot);
}
-
+
-inline void
- processAllParams(crow::App& app, const Query& query,
- std::function<void(crow::Response&)>& completionHandler,
@@ -376,7 +395,7 @@
{
@@ -999,7 +1009,8 @@ inline void
std::move(intermediateResponse));
-
+
asyncResp->res.setCompleteRequestHandler(std::move(completionHandler));
- auto multi = std::make_shared<MultiAsyncResp>(app, asyncResp);
+ auto multi = std::make_shared<MultiAsyncResp>(app, asyncResp,
@@ -391,7 +410,7 @@
@@ -15,6 +15,8 @@
*/
#pragma once
-
+
+#include "bmcweb_authorizer_singleton.h"
+
#include "app.hpp"
@@ -425,16 +444,16 @@
+ .GetRedfishPrivilegeRegistry();
+ });
}
-
+
} // namespace redfish
diff --git a/src/webserver_main.cpp b/src/webserver_main.cpp
index b13ab270..6fbc0212 100644
--- a/src/webserver_main.cpp
+++ b/src/webserver_main.cpp
@@ -22,6 +22,26 @@
-
+
#include <systemd/sd-daemon.h>
-
+
+#ifdef BMCWEB_ENABLE_GRPC
+#include "absl/flags/flag.h"
+#include "absl/flags/parse.h"
@@ -459,9 +478,9 @@
#include <google/google_service_root.hpp>
#include <sdbusplus/asio/connection.hpp>
@@ -147,16 +167,44 @@ static int run()
-
+
bmcweb::registerUserRemovedSignal();
-
+
+#ifdef BMCWEB_ENABLE_GRPC
+ absl::InitializeLog();
+ GRPCRedfishService grpc_service(app, io);
@@ -473,7 +492,7 @@
+#endif
app.run();
io->run();
-
+
+#ifdef BMCWEB_ENABLE_GRPC
+ grpc_service.shutdown();
+
@@ -484,10 +503,10 @@
+#endif
+
crow::connections::systemBus = nullptr;
-
+
return 0;
}
-
+
+#ifdef BMCWEB_ENABLE_GRPC
+int main(int argc, char** argv)
+{
@@ -503,6 +522,6 @@
try
{
return run();
---
-2.40.0.634.g4ca3ef3211-goog
+--
+2.40.1.606.ga4b1b128d6-goog