openbmc / bmcweb

A do everything Redfish, KVM, GUI, and DBus webserver for OpenBMC
Apache License 2.0

Websocket Host console privilege set is empty when checked in router #249

Closed ninadpalsule closed 1 year ago

ninadpalsule commented 1 year ago

Describe the bug

The websocket host console access check is not working, as the privilege set is empty when checked in the router function.

I observed this issue while unit testing the hostconsole user group feature. So I added a DEBUG print statement in the router handle-upgrade code to check whether the privilege set is empty or not. The router checkPrivileges() is returning without doing any check because the set is empty.

diff --git a/http/routing.hpp b/http/routing.hpp
index 613b54dc..e4b673f6 100644
--- a/http/routing.hpp
+++ b/http/routing.hpp
@@ -1342,6 +1342,11 @@ class Router

         req.userRole = userRole;

+        BMCWEB_LOG_ERROR << "isUserPrivileged: URL: " << rule.rule
+                         << " IsPrivelegeSetEmpty: "
+                         << rule.privilegesSet.empty()
+                         << " Username: " << req.session->username;
+
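Review bot: The trace added here is emitted with BMCWEB_LOG_ERROR, so once the privilege check runs it will appear at error severity on every matched upgrade route and include the session username; for a diagnostic whose only purpose is to confirm whether rule.privilegesSet is empty, BMCWEB_LOG_DEBUG is the appropriate level, and the instrumentation should be dropped before any upstream change is proposed. Also, "IsPrivelegeSetEmpty" is misspelled (Privilege).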
Apr 07 20:07:12 p10bmc bmcweb[751]: (2023-04-07 20:07:12) [INFO "http_connection.hpp":209] Request:  0x16643f0 HTTP/1.1 GET /console0 ::ffff:x.xx.xx.xxx

Apr 07 20:07:12 p10bmc bmcweb[751]: (2023-04-07 20:07:12) [DEBUG "routing.hpp":1444] Matched rule (upgrade) '/console0' 1 / 2
Apr 07 20:07:12 p10bmc bmcweb[751]: (2023-04-07 20:07:12) [DEBUG "routing.hpp":1283] userName = admin userRole = priv-admin
**Apr 07 20:07:12 p10bmc bmcweb[751]: (2023-04-07 20:07:12) [ERROR "routing.hpp":1345] isUserPrivileged: URL: /console0 IsPrivelegeSetEmpty: 1 Username: admin**

Environment

I tested it with the latest upstream bmcweb code on an everest machine.

$ git rev-parse HEAD
8fd333d664f87c73757e0c5e58c611dc0c3e76d7

To Reproduce

Is this a regression

As per the following comment, the developer tried a readonly user and it worked. But as per my investigation, the privilege set is empty, hence it is not checked. https://gerrit.openbmc.org/c/openbmc/bmcweb/+/46991
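To make the failure mode concrete, here is an added example (written for this page, not bmcweb's own code) that models a route privilege set as a Redfish-style "OR of ANDs" and contrasts the fail-open behaviour described in the report (an empty set skips the check and the request proceeds) with a fail-closed check that denies when no entry is configured. The privilege bit names, the role-to-privilege mapping for the admin and readonly users, and the two sample sets are assumptions; the "fixed" set mirrors the ConfigureManager and ConfigureComponents privileges that appear in the post-fix log later in the thread.

```cpp
#include <cstdint>
#include <iostream>
#include <vector>

// Added illustration (not bmcweb code): a reduced model of a route privilege
// check, to show why an empty privilege set must mean "deny", not "skip the
// check". Bit assignments and names are assumptions for this example only.
enum BasePriv : uint32_t
{
    Login = 1u << 0,
    ConfigureManager = 1u << 1,
    ConfigureUsers = 1u << 2,
    ConfigureComponents = 1u << 3,
    ConfigureSelf = 1u << 4,
};

using Privileges = uint32_t; // bitwise OR of BasePriv values

// A route's privilege set is an "OR of ANDs": the caller must hold every bit
// of at least one entry.
using PrivilegeSet = std::vector<Privileges>;

static bool holdsAll(Privileges user, Privileges required)
{
    return (user & required) == required;
}

// Behaviour the issue reports: the router sees an empty set, logs
// "Privilege set is empty" and hands the request on without checking
// anything, i.e. fail-open.
bool checkPrivilegesFailOpen(const PrivilegeSet& set, Privileges user)
{
    if (set.empty())
    {
        return true; // no entries -> no check performed
    }
    for (Privileges entry : set)
    {
        if (holdsAll(user, entry))
        {
            return true;
        }
    }
    return false;
}

// Fail-closed variant: with no entries nobody satisfies "any entry", so the
// request is denied. No special case is needed; an empty loop returns false.
bool checkPrivilegesFailClosed(const PrivilegeSet& set, Privileges user)
{
    for (Privileges entry : set)
    {
        if (holdsAll(user, entry))
        {
            return true;
        }
    }
    return false;
}

// Assumed role-to-privilege mapping for the two users mentioned in the thread.
constexpr Privileges kAdminPrivs =
    Login | ConfigureManager | ConfigureUsers | ConfigureComponents | ConfigureSelf;
constexpr Privileges kReadOnlyPrivs = Login | ConfigureSelf;

// Constructed sets: before the fix the /console0 upgrade rule carried no
// privileges; the post-fix log in this thread shows ConfigureManager and
// ConfigureComponents as the active base privileges.
const PrivilegeSet kConsoleBroken = {};
const PrivilegeSet kConsoleFixed = {ConfigureManager, ConfigureComponents};

int main()
{
    struct Case
    {
        const char* user;
        Privileges privs;
    };
    const Case cases[] = {{"admin", kAdminPrivs}, {"readonly", kReadOnlyPrivs}};
    for (const Case& c : cases)
    {
        std::cout << c.user
                  << " empty-set/fail-open=" << checkPrivilegesFailOpen(kConsoleBroken, c.privs)
                  << " empty-set/fail-closed=" << checkPrivilegesFailClosed(kConsoleBroken, c.privs)
                  << " fixed-set=" << checkPrivilegesFailClosed(kConsoleFixed, c.privs)
                  << '\n';
    }
    return 0;
}
```

With the empty set, the fail-open variant admits the readonly user to the console route; the fail-closed variant denies everyone until the route is given a privilege set, which is why testing only with an admin user (as in the logs) cannot distinguish "checked and allowed" from "never checked".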

edtanous commented 1 year ago

Please take a look at and help to test/debug this: https://gerrit.openbmc.org/c/openbmc/bmcweb/+/62275

ninadpalsule commented 1 year ago

ok, thanks. Let me try it.

ninadpalsule commented 1 year ago

With Ed's fix we are seeing the privileges:

Apr 10 20:26:35 p10bmc bmcweb[745]: (2023-04-10 20:26:35) [INFO "http_connection.hpp":209] Request: 0x11e3248 HTTP/1.1 GET /console0 ::ffff:X.XX.XX.XXX
Apr 10 20:26:35 p10bmc bmcweb[745]: (2023-04-10 20:26:35) [DEBUG "routing.hpp":1460] Matched rule (upgrade) '/console0' 1 / 2
Apr 10 20:26:36 p10bmc bmcweb[745]: (2023-04-10 20:26:36) [DEBUG "routing.hpp":1299] userName = admin userRole = priv-admin
Apr 10 20:26:36 p10bmc bmcweb[745]: (2023-04-10 20:26:36) [DEBUG "routing.hpp":101] checkPrivileges: Active BASE priv: ConfigureManager <<<<<<
Apr 10 20:26:36 p10bmc bmcweb[745]: (2023-04-10 20:26:36) [DEBUG "routing.hpp":101] checkPrivileges: Active BASE priv: ConfigureComponents <<<<<<
Apr 10 20:26:36 p10bmc bmcweb[745]: (2023-04-10 20:26:36) [ERROR "routing.hpp":1361] isUserPrivileged: URL: /console0 IsPrivelegeSetEmpty: 0 Username: admin

Before the fix:

Apr 10 20:05:37 p10bmc bmcweb[755]: (2023-04-10 20:05:37) [INFO "http_connection.hpp":209] Request: 0x1a1c500 HTTP/1.1 GET /console0 ::ffff:X.XX.XX.XXX
Apr 10 20:05:37 p10bmc bmcweb[755]: (2023-04-10 20:05:37) [DEBUG "routing.hpp":1459] Matched rule (upgrade) '/console0' 1 / 2
Apr 10 20:05:37 p10bmc bmcweb[755]: (2023-04-10 20:05:37) [DEBUG "routing.hpp":1298] userName = admin userRole = priv-admin
Apr 10 20:05:37 p10bmc bmcweb[755]: (2023-04-10 20:05:37) [DEBUG "routing.hpp":89] checkPrivileges: Privilege set is empty
Apr 10 20:05:37 p10bmc bmcweb[755]: (2023-04-10 20:05:37) [ERROR "routing.hpp":1360] isUserPrivileged: URL: /console0 IsPrivelegeSetEmpty: 1 Username: admin
Apr 10 20:05:37 p10bmc bmcweb[755]: (2023-04-10 20:05:37) [DEBUG "routing.hpp":387] Websocket handles upgrade