#pragma once #include "logging.hpp" #include "ossl_random.hpp" #include "utility.hpp" #include "utils/ip_utils.hpp" #include #include #include #include #include #include #include #include namespace persistent_data { // entropy: 20 characters, 62 possibilities. log2(62^20) = 119 bits of // entropy. OWASP recommends at least 64 // https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-id-entropy constexpr std::size_t sessionTokenSize = 20; enum class SessionType { None, Basic, Session, Cookie, MutualTLS }; struct UserSession { std::string uniqueId; std::string sessionToken; std::string username; std::string csrfToken; std::optional clientId; std::string clientIp; std::chrono::time_point lastUpdated; SessionType sessionType{SessionType::None}; bool cookieAuth = false; bool isConfigureSelfOnly = false; std::string userRole; std::vector userGroups; // There are two sources of truth for isConfigureSelfOnly: // 1. When pamAuthenticateUser() returns PAM_NEW_AUTHTOK_REQD. // 2. D-Bus User.Manager.GetUserInfo property UserPasswordExpired. // These should be in sync, but the underlying condition can change at any // time. For example, a password can expire or be changed outside of // bmcweb. The value stored here is updated at the start of each // operation and used as the truth within bmcweb. /** * @brief Fills object with data from UserSession's JSON representation * * This replaces nlohmann's from_json to ensure no-throw approach * * @param[in] j JSON object from which data should be loaded * * @return a shared pointer if data has been loaded properly, nullptr * otherwise */ static std::shared_ptr fromJson(const nlohmann::json::object_t& j) { std::shared_ptr userSession = std::make_shared(); for (const auto& element : j) { const std::string* thisValue = element.second.get_ptr(); if (thisValue == nullptr) { BMCWEB_LOG_ERROR( "Error reading persistent store. Property {} was not of type string", element.first); continue; } if (element.first == "unique_id") { userSession->uniqueId = *thisValue; } else if (element.first == "session_token") { userSession->sessionToken = *thisValue; } else if (element.first == "csrf_token") { userSession->csrfToken = *thisValue; } else if (element.first == "username") { userSession->username = *thisValue; } else if (element.first == "client_id") { userSession->clientId = *thisValue; } else if (element.first == "client_ip") { userSession->clientIp = *thisValue; } else { BMCWEB_LOG_ERROR( "Got unexpected property reading persistent file: {}", element.first); continue; } } // If any of these fields are missing, we can't restore the session, as // we don't have enough information. These 4 fields have been present // in every version of this file in bmcwebs history, so any file, even // on upgrade, should have these present if (userSession->uniqueId.empty() || userSession->username.empty() || userSession->sessionToken.empty() || userSession->csrfToken.empty()) { BMCWEB_LOG_DEBUG("Session missing required security " "information, refusing to restore"); return nullptr; } // For now, sessions that were persisted through a reboot get their idle // timer reset. This could probably be overcome with a better // understanding of wall clock time and steady timer time, possibly // persisting values with wall clock time instead of steady timer, but // the tradeoffs of all the corner cases involved are non-trivial, so // this is done temporarily userSession->lastUpdated = std::chrono::steady_clock::now(); userSession->sessionType = SessionType::Session; return userSession; } }; enum class MTLSCommonNameParseMode { Invalid = 0, // This section approximately matches Redfish AccountService // CertificateMappingAttribute, plus bmcweb defined OEM ones. // Note, IDs in this enum must be maintained between versions, as they are // persisted to disk Whole = 1, CommonName = 2, UserPrincipalName = 3, // Intentional gap for future DMTF-defined enums // OEM parsing modes for various OEMs Meta = 100, }; inline MTLSCommonNameParseMode getMTLSCommonNameParseMode(std::string_view name) { if (name == "CommonName") { return MTLSCommonNameParseMode::CommonName; } if (name == "Whole") { // Not yet supported // return MTLSCommonNameParseMode::Whole; } if (name == "UserPrincipalName") { // Not yet supported // return MTLSCommonNameParseMode::UserPrincipalName; } if constexpr (BMCWEB_META_TLS_COMMON_NAME_PARSING) { if (name == "Meta") { return MTLSCommonNameParseMode::Meta; } } return MTLSCommonNameParseMode::Invalid; } struct AuthConfigMethods { // Authentication paths bool basic = BMCWEB_BASIC_AUTH; bool sessionToken = BMCWEB_SESSION_AUTH; bool xtoken = BMCWEB_XTOKEN_AUTH; bool cookie = BMCWEB_COOKIE_AUTH; bool tls = BMCWEB_MUTUAL_TLS_AUTH; // Whether or not unauthenticated TLS should be accepted // true = reject connections if mutual tls is not provided // false = allow connection, and allow user to use other auth method // Always default to false, because root certificates will not // be provisioned at startup bool tlsStrict = false; MTLSCommonNameParseMode mTLSCommonNameParsingMode = getMTLSCommonNameParseMode( BMCWEB_MUTUAL_TLS_COMMON_NAME_PARSING_DEFAULT); void fromJson(const nlohmann::json::object_t& j) { for (const auto& element : j) { const bool* value = element.second.get_ptr(); if (value != nullptr) { if (element.first == "XToken") { xtoken = *value; } else if (element.first == "Cookie") { cookie = *value; } else if (element.first == "SessionToken") { sessionToken = *value; } else if (element.first == "BasicAuth") { basic = *value; } else if (element.first == "TLS") { tls = *value; } else if (element.first == "TLSStrict") { tlsStrict = *value; } } const uint64_t* intValue = element.second.get_ptr(); if (intValue != nullptr) { if (element.first == "MTLSCommonNameParseMode") { if (*intValue <= 2 || *intValue == 100) { mTLSCommonNameParsingMode = static_cast(*intValue); } else { BMCWEB_LOG_ERROR( "Json value of {} was out of range of the enum. Ignoring", *intValue); } } } } } }; class SessionStore { public: std::shared_ptr generateUserSession( std::string_view username, const boost::asio::ip::address& clientIp, const std::optional& clientId, SessionType sessionType, bool isConfigureSelfOnly = false) { // Only need csrf tokens for cookie based auth, token doesn't matter std::string sessionToken = bmcweb::getRandomIdOfLength(sessionTokenSize); std::string csrfToken = bmcweb::getRandomIdOfLength(sessionTokenSize); std::string uniqueId = bmcweb::getRandomIdOfLength(10); // if (sessionToken.empty() || csrfToken.empty() || uniqueId.empty()) { BMCWEB_LOG_ERROR("Failed to generate session tokens"); return nullptr; } auto session = std::make_shared(UserSession{ uniqueId, sessionToken, std::string(username), csrfToken, clientId, redfish::ip_util::toString(clientIp), std::chrono::steady_clock::now(), sessionType, false, isConfigureSelfOnly, "", {}}); auto it = authTokens.emplace(sessionToken, session); // Only need to write to disk if session isn't about to be destroyed. needWrite = sessionType != SessionType::Basic && sessionType != SessionType::MutualTLS; return it.first->second; } std::shared_ptr loginSessionByToken(std::string_view token) { applySessionTimeouts(); if (token.size() != sessionTokenSize) { return nullptr; } auto sessionIt = authTokens.find(std::string(token)); if (sessionIt == authTokens.end()) { return nullptr; } std::shared_ptr userSession = sessionIt->second; userSession->lastUpdated = std::chrono::steady_clock::now(); return userSession; } std::shared_ptr getSessionByUid(std::string_view uid) { applySessionTimeouts(); // TODO(Ed) this is inefficient auto sessionIt = authTokens.begin(); while (sessionIt != authTokens.end()) { if (sessionIt->second->uniqueId == uid) { return sessionIt->second; } sessionIt++; } return nullptr; } void removeSession(const std::shared_ptr& session) { authTokens.erase(session->sessionToken); needWrite = true; } std::vector getAllUniqueIds() { applySessionTimeouts(); std::vector ret; ret.reserve(authTokens.size()); for (auto& session : authTokens) { ret.push_back(session.second->uniqueId); } return ret; } std::vector getUniqueIdsBySessionType(SessionType type) { applySessionTimeouts(); std::vector ret; ret.reserve(authTokens.size()); for (auto& session : authTokens) { if (type == session.second->sessionType) { ret.push_back(session.second->uniqueId); } } return ret; } std::vector> getSessions() { std::vector> sessions; sessions.reserve(authTokens.size()); for (auto& session : authTokens) { sessions.push_back(session.second); } return sessions; } void removeSessionsByUsername(std::string_view username) { std::erase_if(authTokens, [username](const auto& value) { if (value.second == nullptr) { return false; } return value.second->username == username; }); } void removeSessionsByUsernameExceptSession( std::string_view username, const std::shared_ptr& session) { std::erase_if(authTokens, [username, session](const auto& value) { if (value.second == nullptr) { return false; } return value.second->username == username && value.second->uniqueId != session->uniqueId; }); } void updateAuthMethodsConfig(const AuthConfigMethods& config) { bool isTLSchanged = (authMethodsConfig.tls != config.tls); authMethodsConfig = config; needWrite = true; if (isTLSchanged) { // recreate socket connections with new settings std::raise(SIGHUP); } } AuthConfigMethods& getAuthMethodsConfig() { return authMethodsConfig; } bool needsWrite() const { return needWrite; } int64_t getTimeoutInSeconds() const { return std::chrono::seconds(timeoutInSeconds).count(); } void updateSessionTimeout(std::chrono::seconds newTimeoutInSeconds) { timeoutInSeconds = newTimeoutInSeconds; needWrite = true; } static SessionStore& getInstance() { static SessionStore sessionStore; return sessionStore; } void applySessionTimeouts() { auto timeNow = std::chrono::steady_clock::now(); if (timeNow - lastTimeoutUpdate > std::chrono::seconds(1)) { lastTimeoutUpdate = timeNow; auto authTokensIt = authTokens.begin(); while (authTokensIt != authTokens.end()) { if (timeNow - authTokensIt->second->lastUpdated >= timeoutInSeconds) { authTokensIt = authTokens.erase(authTokensIt); needWrite = true; } else { authTokensIt++; } } } } SessionStore(const SessionStore&) = delete; SessionStore& operator=(const SessionStore&) = delete; SessionStore(SessionStore&&) = delete; SessionStore& operator=(const SessionStore&&) = delete; ~SessionStore() = default; std::unordered_map, std::hash, bmcweb::ConstantTimeCompare> authTokens; std::chrono::time_point lastTimeoutUpdate; bool needWrite{false}; std::chrono::seconds timeoutInSeconds; AuthConfigMethods authMethodsConfig; private: SessionStore() : timeoutInSeconds(1800) {} }; } // namespace persistent_data