AccountLockoutThreshold set to the value larger than compile time limit
Changes added: Added code to handle value larger than compile time limit

Problem: Currently the user is not able to set a value larger than the compile-time value

Solution: Modified the case to allow the user to set a value larger than the compile-time value.

TEST :
curl -k -H X-Auth-Token: YuocwiA53jwAzwoj3cGT  -X GET https://127.0.0.1:2443/redfish/v1/AccountService
{
  "@odata.id": "/redfish/v1/AccountService",
  "@odata.type": "#AccountService.v1_5_0.AccountService",
  "AccountLockoutDuration": 600,
  "AccountLockoutThreshold": 3,
  "Accounts": {
    "@odata.id": "/redfish/v1/AccountService/Accounts"
  },
  "Description": "Account Service",
  "Id": "AccountService",
  "LDAP": {
    "Certificates": {
      "@odata.id": "/redfish/v1/AccountService/LDAP/Certificates"
    }
  },
  "MaxPasswordLength": 20,
  "MinPasswordLength": 13,
  "Name": "Account Service",
  "Oem": {
    "OpenBMC": {
      "@odata.id": "/redfish/v1/AccountService#/Oem/OpenBMC",
      "@odata.type": "#OemAccountService.v1_0_0.AccountService",
      "AuthMethods": {
        "BasicAuth": true,
        "Cookie": true,
        "SessionToken": true,
        "TLS": true,
        "XToken": true
      }
    }
  },
  "Roles": {
    "@odata.id": "/redfish/v1/AccountService/Roles"
  },
  "ServiceEnabled": true
}
curl -k -H X-Auth-Token:YuocwiA53jwAzwoj3cGT -X PATCH https://127.0.0.1:2443/redfish/v1/AccountService -d '{AccountLockoutThreshold:10}'
{
  "@Message.ExtendedInfo": [
    {
      "@odata.type": "#Message.v1_1_1.Message",
      "Message": "Successfully Completed Request",
      "MessageArgs": [],
      "MessageId": "Base.1.8.1.Success",
      "MessageSeverity": "OK",
      "Resolution": "None"
    }
  ]
}curl -k -H X-Auth-Token: YuocwiA53jwAzwoj3cGT  -X GET https://127.0.0.1:2443/redfish/v1/AccountService
{
  "@odata.id": "/redfish/v1/AccountService",
  "@odata.type": "#AccountService.v1_5_0.AccountService",
  "AccountLockoutDuration": 600,
  "AccountLockoutThreshold": 10,
  "Accounts": {
    "@odata.id": "/redfish/v1/AccountService/Accounts"
  },
  "Description": "Account Service",
  "Id": "AccountService",
  "LDAP": {
    "Certificates": {
      "@odata.id": "/redfish/v1/AccountService/LDAP/Certificates"
    }
  },
  "MaxPasswordLength": 20,
  "MinPasswordLength": 13,
  "Name": "Account Service",
  "Oem": {
    "OpenBMC": {
      "@odata.id": "/redfish/v1/AccountService#/Oem/OpenBMC",
      "@odata.type": "#OemAccountService.v1_0_0.AccountService",
      "AuthMethods": {
        "BasicAuth": true,
        "Cookie": true,
        "SessionToken": true,
        "TLS": true,
        "XToken": true
      }
    }
  },
  "Roles": {
    "@odata.id": "/redfish/v1/AccountService/Roles"
  },
  "ServiceEnabled": true
}
curl -k -H X-Auth-Token:YuocwiA53jwAzwoj3cGT -X PATCH https://127.0.0.1:2443/redfish/v1/AccountService -d '{AccountLockoutThreshold:1}'
{
  "error": {
    "@Message.ExtendedInfo": [
      {
        "@odata.type": "#Message.v1_1_1.Message",
        "Message": "The request failed due to an internal service error.  The service is still operational.",
        "MessageArgs": [],
        "MessageId": "Base.1.8.1.InternalError",
        "MessageSeverity": "Critical",
        "Resolution": "Resubmit the request.  If the problem persists, consider resetting the service."
      }
    ],
    "code": "Base.1.8.1.InternalError",
    "message": "The request failed due to an internal service error.  The service is still operational."
  }
}
curl -k -H X-Auth-Token: YuocwiA53jwAzwoj3cGT  -X GET https://127.0.0.1:2443/redfish/v1/AccountService
{
  "@odata.id": "/redfish/v1/AccountService",
  "@odata.type": "#AccountService.v1_5_0.AccountService",
  "AccountLockoutDuration": 600,
  "AccountLockoutThreshold": 10,
  "Accounts": {
    "@odata.id": "/redfish/v1/AccountService/Accounts"
  },
  "Description": "Account Service",
  "Id": "AccountService",
  "LDAP": {
    "Certificates": {
      "@odata.id": "/redfish/v1/AccountService/LDAP/Certificates"
    }
  },
  "MaxPasswordLength": 20,
  "MinPasswordLength": 13,
  "Name": "Account Service",
  "Oem": {
    "OpenBMC": {
      "@odata.id": "/redfish/v1/AccountService#/Oem/OpenBMC",
      "@odata.type": "#OemAccountService.v1_0_0.AccountService",
      "AuthMethods": {
        "BasicAuth": true,
        "Cookie": true,
        "SessionToken": true,
        "TLS": true,
        "XToken": true
      }
    }
  },
  "Roles": {
    "@odata.id": "/redfish/v1/AccountService/Roles"
  },
  "ServiceEnabled": true
}

JOURNALCTL LOGS:
root@hgx:~# journalctl | grep user
Jan 01 00:00:08 hgx kernel: Linux version 5.10.36-adadea5 (oe-user@oe-host) (arm-openbmc-linux-gnueabi-gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.37.20210721) openbmc#1 SMP Thu Mar 16 10:49:02 UTC 2023
Jan 01 00:00:09 hgx systemd-sysusers[168]: Creating group wheel with gid 990.
Jan 01 00:00:09 hgx systemd-sysusers[168]: Creating group render with gid 989.
Jan 01 00:00:09 hgx systemd-sysusers[168]: Creating group sgx with gid 988.
Jan 01 00:00:09 hgx systemd-sysusers[168]: Creating group nobody with gid 987.
Mar 17 05:54:44 hgx kernel[218]: [    0.000000] Linux version 5.10.36-adadea5 (oe-user@oe-host) (arm-openbmc-linux-gnueabi-gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.37.20210721) openbmc#1 SMP Thu Mar 16 10:49:02 UTC 2023
Mar 17 05:54:48 hgx phosphor-user-manager[265]: Group not found
Mar 17 05:54:48 hgx phosphor-user-manager[265]: Group not found
Mar 17 05:54:52 hgx ipmid[311]: Error in reading IPMI user data file
Mar 17 05:54:53 hgx phosphor-discover-system-state[330]: One time not set, check user setting of power policy
Mar 17 05:55:07 hgx systemd-coredump[327]: Process 224 (mctp-demux-daem) of user 0 dumped core.
Mar 17 05:55:19 hgx systemd-coredump[473]: Process 419 (mctp-demux-daem) of user 0 dumped core.
Mar 17 05:55:25 hgx bmcweb[478]: (2023-03-17 05:55:25) [DEBUG "routing.hpp":1439] userName = root userRole = priv-admin
Mar 17 05:55:25 hgx bmcweb[478]: (2023-03-17 05:55:25) [DEBUG "routing.hpp":1439] userName = root userRole = priv-admin
Mar 17 05:55:25 hgx bmcweb[478]: (2023-03-17 05:55:25) [DEBUG "routing.hpp":1439] userName = root userRole = priv-admin
Mar 17 05:55:25 hgx bmcweb[478]: (2023-03-17 05:55:25) [DEBUG "routing.hpp":1439] userName = root userRole = priv-admin
Mar 17 05:55:25 hgx phosphor-user-manager[265]: Setting value lesser than threashold MAX_FAILED_LOGIN_ATTEMPTS is not allowed
Mar 17 05:55:25 hgx phosphor-user-manager[265]: The operation is not allowed
Mar 17 05:55:26 hgx bmcweb[478]: (2023-03-17 05:55:26) [DEBUG "routing.hpp":1439] userName = root userRole = priv-admin
Mar 17 05:55:28 hgx systemd-coredump[580]: Process 555 (mctp-demux-daem) of user 0 dumped core.
Mar 17 05:55:32 hgx systemd-coredump[743]: Process 710 (mctp-demux-daem) of user 0 dumped core.
root@hgx:~# [  OK  ] Started NVIDIA OOB Active Monitoring Logging.

Fixes nvbug https://nvbugs/4029569
Chandramohan Harkude committed Mar 17, 2023
1 parent 02a93c5 commit ce92aff
Showing 1 changed file with 7 additions and 3 deletions.
10 changes: 7 additions & 3 deletions user_mgr.cpp
@@ -533,9 +533,13 @@ uint8_t UserMgr::rememberOldPasswordTimes(uint8_t value)

uint16_t UserMgr::maxLoginAttemptBeforeLockout(uint16_t value)
{
if (maxFailedAttempts != 0 && (value == 0 || value > maxFailedAttempts))
if (maxFailedAttempts != 0 && (value < maxFailedAttempts))
{
value = maxFailedAttempts;
log<level::ERR>("Setting value lesser than threashold "
"MAX_FAILED_LOGIN_ATTEMPTS is not allowed");
elog<NotAllowed>(Reason("Setting value lesser than threshold "
"MAX_FAILED_LOGIN_ATTEMPTS value"
"is not allowed"));
}
if (value == AccountPolicyIface::maxLoginAttemptBeforeLockout())
{
Expand Down Expand Up @@ -1272,7 +1276,7 @@ void UserMgr::initUserObjects(void)

for (auto& user : userNameList)
{
if(user == "service")
if (user == "service")
{
continue;
}
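Review bot: In `UserMgr::maxLoginAttemptBeforeLockout` the new test `value < maxFailedAttempts` turns what appears to be the build-time limit from an upper bound into a lower bound, so any threshold up to the `uint16_t` maximum is now accepted and whoever may PATCH this property can make the lockout practically ineffective against password guessing. If that is the intent, a comment such as `// maxFailedAttempts is the minimum allowed threshold; 0 (lockout disabled) is rejected while it is set` would record it, and a separate upper limit is worth considering. The adjacent literals in the `Reason` concatenate to "valueis not allowed", so the second should read `"MAX_FAILED_LOGIN_ATTEMPTS value "`, and the `log<level::ERR>` string spells `threashold`. The function body continues past the end of this hunk.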