1 // SPDX-License-Identifier: Apache-2.0 2 // SPDX-FileCopyrightText: Copyright OpenBMC Authors 3 #pragma once 4 5 #include "bmcweb_config.h" 6 7 #include "logging.hpp" 8 #include "ossl_random.hpp" 9 #include "utils/ip_utils.hpp" 10 11 #include <boost/asio/ip/address.hpp> 12 #include <nlohmann/json.hpp> 13 14 #include <chrono> 15 #include <csignal> 16 #include <cstddef> 17 #include <cstdint> 18 #include <functional> 19 #include <memory> 20 #include <optional> 21 #include <string> 22 #include <string_view> 23 #include <unordered_map> 24 #include <vector> 25 26 namespace persistent_data 27 { 28 29 // entropy: 20 characters, 62 possibilities. log2(62^20) = 119 bits of 30 // entropy. OWASP recommends at least 64 31 // https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-id-entropy 32 constexpr std::size_t sessionTokenSize = 20; 33 34 enum class SessionType 35 { 36 None, 37 Basic, 38 Session, 39 Cookie, 40 MutualTLS 41 }; 42 43 struct UserSession 44 { 45 std::string uniqueId; 46 std::string sessionToken; 47 std::string username; 48 std::string csrfToken; 49 std::optional<std::string> clientId; 50 std::string clientIp; 51 std::chrono::time_point<std::chrono::steady_clock> lastUpdated; 52 SessionType sessionType{SessionType::None}; 53 bool cookieAuth = false; 54 bool isConfigureSelfOnly = false; 55 std::string userRole; 56 std::vector<std::string> userGroups; 57 58 // There are two sources of truth for isConfigureSelfOnly: 59 // 1. When pamAuthenticateUser() returns PAM_NEW_AUTHTOK_REQD. 60 // 2. D-Bus User.Manager.GetUserInfo property UserPasswordExpired. 61 // These should be in sync, but the underlying condition can change at any 62 // time. For example, a password can expire or be changed outside of 63 // bmcweb. The value stored here is updated at the start of each 64 // operation and used as the truth within bmcweb. 65 66 /** 67 * @brief Fills object with data from UserSession's JSON representation 68 * 69 * This replaces nlohmann's from_json to ensure no-throw approach 70 * 71 * @param[in] j JSON object from which data should be loaded 72 * 73 * @return a shared pointer if data has been loaded properly, nullptr 74 * otherwise 75 */ fromJsonpersistent_data::UserSession76 static std::shared_ptr<UserSession> fromJson( 77 const nlohmann::json::object_t& j) 78 { 79 std::shared_ptr<UserSession> userSession = 80 std::make_shared<UserSession>(); 81 for (const auto& element : j) 82 { 83 const std::string* thisValue = 84 element.second.get_ptr<const std::string*>(); 85 if (thisValue == nullptr) 86 { 87 BMCWEB_LOG_ERROR( 88 "Error reading persistent store. Property {} was not of type string", 89 element.first); 90 continue; 91 } 92 if (element.first == "unique_id") 93 { 94 userSession->uniqueId = *thisValue; 95 } 96 else if (element.first == "session_token") 97 { 98 userSession->sessionToken = *thisValue; 99 } 100 else if (element.first == "csrf_token") 101 { 102 userSession->csrfToken = *thisValue; 103 } 104 else if (element.first == "username") 105 { 106 userSession->username = *thisValue; 107 } 108 else if (element.first == "client_id") 109 { 110 userSession->clientId = *thisValue; 111 } 112 else if (element.first == "client_ip") 113 { 114 userSession->clientIp = *thisValue; 115 } 116 117 else 118 { 119 BMCWEB_LOG_ERROR( 120 "Got unexpected property reading persistent file: {}", 121 element.first); 122 continue; 123 } 124 } 125 // If any of these fields are missing, we can't restore the session, as 126 // we don't have enough information. These 4 fields have been present 127 // in every version of this file in bmcwebs history, so any file, even 128 // on upgrade, should have these present 129 if (userSession->uniqueId.empty() || userSession->username.empty() || 130 userSession->sessionToken.empty() || userSession->csrfToken.empty()) 131 { 132 BMCWEB_LOG_DEBUG("Session missing required security " 133 "information, refusing to restore"); 134 return nullptr; 135 } 136 137 // For now, sessions that were persisted through a reboot get their idle 138 // timer reset. This could probably be overcome with a better 139 // understanding of wall clock time and steady timer time, possibly 140 // persisting values with wall clock time instead of steady timer, but 141 // the tradeoffs of all the corner cases involved are non-trivial, so 142 // this is done temporarily 143 userSession->lastUpdated = std::chrono::steady_clock::now(); 144 userSession->sessionType = SessionType::Session; 145 146 return userSession; 147 } 148 }; 149 150 enum class MTLSCommonNameParseMode 151 { 152 Invalid = 0, 153 // This section approximately matches Redfish AccountService 154 // CertificateMappingAttribute, plus bmcweb defined OEM ones. 155 // Note, IDs in this enum must be maintained between versions, as they are 156 // persisted to disk 157 Whole = 1, 158 CommonName = 2, 159 UserPrincipalName = 3, 160 161 // Intentional gap for future DMTF-defined enums 162 163 // OEM parsing modes for various OEMs 164 Meta = 100, 165 }; 166 getMTLSCommonNameParseMode(std::string_view name)167 inline MTLSCommonNameParseMode getMTLSCommonNameParseMode(std::string_view name) 168 { 169 if (name == "CommonName") 170 { 171 return MTLSCommonNameParseMode::CommonName; 172 } 173 if (name == "Whole") 174 { 175 // Not yet supported 176 // return MTLSCommonNameParseMode::Whole; 177 } 178 if (name == "UserPrincipalName") 179 { 180 return MTLSCommonNameParseMode::UserPrincipalName; 181 } 182 if constexpr (BMCWEB_META_TLS_COMMON_NAME_PARSING) 183 { 184 if (name == "Meta") 185 { 186 return MTLSCommonNameParseMode::Meta; 187 } 188 } 189 return MTLSCommonNameParseMode::Invalid; 190 } 191 192 struct AuthConfigMethods 193 { 194 // Authentication paths 195 bool basic = BMCWEB_BASIC_AUTH; 196 bool sessionToken = BMCWEB_SESSION_AUTH; 197 bool xtoken = BMCWEB_XTOKEN_AUTH; 198 bool cookie = BMCWEB_COOKIE_AUTH; 199 bool tls = BMCWEB_MUTUAL_TLS_AUTH; 200 201 // Whether or not unauthenticated TLS should be accepted 202 // true = reject connections if mutual tls is not provided 203 // false = allow connection, and allow user to use other auth method 204 // Always default to false, because root certificates will not 205 // be provisioned at startup 206 bool tlsStrict = false; 207 208 MTLSCommonNameParseMode mTLSCommonNameParsingMode = 209 getMTLSCommonNameParseMode( 210 BMCWEB_MUTUAL_TLS_COMMON_NAME_PARSING_DEFAULT); 211 fromJsonpersistent_data::AuthConfigMethods212 void fromJson(const nlohmann::json::object_t& j) 213 { 214 for (const auto& element : j) 215 { 216 const bool* value = element.second.get_ptr<const bool*>(); 217 if (value != nullptr) 218 { 219 if (element.first == "XToken") 220 { 221 xtoken = *value; 222 } 223 else if (element.first == "Cookie") 224 { 225 cookie = *value; 226 } 227 else if (element.first == "SessionToken") 228 { 229 sessionToken = *value; 230 } 231 else if (element.first == "BasicAuth") 232 { 233 basic = *value; 234 } 235 else if (element.first == "TLS") 236 { 237 tls = *value; 238 } 239 else if (element.first == "TLSStrict") 240 { 241 tlsStrict = *value; 242 } 243 } 244 const uint64_t* intValue = 245 element.second.get_ptr<const uint64_t*>(); 246 if (intValue != nullptr) 247 { 248 if (element.first == "MTLSCommonNameParseMode") 249 { 250 MTLSCommonNameParseMode tmpMTLSCommonNameParseMode = 251 static_cast<MTLSCommonNameParseMode>(*intValue); 252 if (tmpMTLSCommonNameParseMode <= 253 MTLSCommonNameParseMode::UserPrincipalName || 254 tmpMTLSCommonNameParseMode == 255 MTLSCommonNameParseMode::Meta) 256 { 257 mTLSCommonNameParsingMode = tmpMTLSCommonNameParseMode; 258 } 259 else 260 { 261 BMCWEB_LOG_WARNING( 262 "Json value of {} was out of range of the enum. Ignoring", 263 *intValue); 264 } 265 } 266 } 267 } 268 } 269 }; 270 271 class SessionStore 272 { 273 public: generateUserSession(std::string_view username,const boost::asio::ip::address & clientIp,const std::optional<std::string> & clientId,SessionType sessionType,bool isConfigureSelfOnly=false)274 std::shared_ptr<UserSession> generateUserSession( 275 std::string_view username, const boost::asio::ip::address& clientIp, 276 const std::optional<std::string>& clientId, SessionType sessionType, 277 bool isConfigureSelfOnly = false) 278 { 279 // Only need csrf tokens for cookie based auth, token doesn't matter 280 std::string sessionToken = 281 bmcweb::getRandomIdOfLength(sessionTokenSize); 282 std::string csrfToken = bmcweb::getRandomIdOfLength(sessionTokenSize); 283 std::string uniqueId = bmcweb::getRandomIdOfLength(10); 284 285 // 286 if (sessionToken.empty() || csrfToken.empty() || uniqueId.empty()) 287 { 288 BMCWEB_LOG_ERROR("Failed to generate session tokens"); 289 return nullptr; 290 } 291 292 auto session = std::make_shared<UserSession>(UserSession{ 293 uniqueId, 294 sessionToken, 295 std::string(username), 296 csrfToken, 297 clientId, 298 redfish::ip_util::toString(clientIp), 299 std::chrono::steady_clock::now(), 300 sessionType, 301 false, 302 isConfigureSelfOnly, 303 "", 304 {}}); 305 auto it = authTokens.emplace(sessionToken, session); 306 // Only need to write to disk if session isn't about to be destroyed. 307 needWrite = sessionType != SessionType::Basic && 308 sessionType != SessionType::MutualTLS; 309 return it.first->second; 310 } 311 loginSessionByToken(std::string_view token)312 std::shared_ptr<UserSession> loginSessionByToken(std::string_view token) 313 { 314 applySessionTimeouts(); 315 if (token.size() != sessionTokenSize) 316 { 317 return nullptr; 318 } 319 auto sessionIt = authTokens.find(std::string(token)); 320 if (sessionIt == authTokens.end()) 321 { 322 return nullptr; 323 } 324 std::shared_ptr<UserSession> userSession = sessionIt->second; 325 userSession->lastUpdated = std::chrono::steady_clock::now(); 326 return userSession; 327 } 328 getSessionByUid(std::string_view uid)329 std::shared_ptr<UserSession> getSessionByUid(std::string_view uid) 330 { 331 applySessionTimeouts(); 332 // TODO(Ed) this is inefficient 333 auto sessionIt = authTokens.begin(); 334 while (sessionIt != authTokens.end()) 335 { 336 if (sessionIt->second->uniqueId == uid) 337 { 338 return sessionIt->second; 339 } 340 sessionIt++; 341 } 342 return nullptr; 343 } 344 removeSession(const std::shared_ptr<UserSession> & session)345 void removeSession(const std::shared_ptr<UserSession>& session) 346 { 347 authTokens.erase(session->sessionToken); 348 needWrite = true; 349 } 350 getAllUniqueIds()351 std::vector<std::string> getAllUniqueIds() 352 { 353 applySessionTimeouts(); 354 std::vector<std::string> ret; 355 ret.reserve(authTokens.size()); 356 for (auto& session : authTokens) 357 { 358 ret.push_back(session.second->uniqueId); 359 } 360 return ret; 361 } 362 getUniqueIdsBySessionType(SessionType type)363 std::vector<std::string> getUniqueIdsBySessionType(SessionType type) 364 { 365 applySessionTimeouts(); 366 367 std::vector<std::string> ret; 368 ret.reserve(authTokens.size()); 369 for (auto& session : authTokens) 370 { 371 if (type == session.second->sessionType) 372 { 373 ret.push_back(session.second->uniqueId); 374 } 375 } 376 return ret; 377 } 378 getSessions()379 std::vector<std::shared_ptr<UserSession>> getSessions() 380 { 381 std::vector<std::shared_ptr<UserSession>> sessions; 382 sessions.reserve(authTokens.size()); 383 for (auto& session : authTokens) 384 { 385 sessions.push_back(session.second); 386 } 387 return sessions; 388 } 389 removeSessionsByUsername(std::string_view username)390 void removeSessionsByUsername(std::string_view username) 391 { 392 std::erase_if(authTokens, [username](const auto& value) { 393 if (value.second == nullptr) 394 { 395 return false; 396 } 397 return value.second->username == username; 398 }); 399 } 400 removeSessionsByUsernameExceptSession(std::string_view username,const std::shared_ptr<UserSession> & session)401 void removeSessionsByUsernameExceptSession( 402 std::string_view username, const std::shared_ptr<UserSession>& session) 403 { 404 std::erase_if(authTokens, [username, session](const auto& value) { 405 if (value.second == nullptr) 406 { 407 return false; 408 } 409 410 return value.second->username == username && 411 value.second->uniqueId != session->uniqueId; 412 }); 413 } 414 updateAuthMethodsConfig(const AuthConfigMethods & config)415 void updateAuthMethodsConfig(const AuthConfigMethods& config) 416 { 417 bool isTLSchanged = (authMethodsConfig.tls != config.tls); 418 authMethodsConfig = config; 419 needWrite = true; 420 if (isTLSchanged) 421 { 422 // recreate socket connections with new settings 423 // NOLINTNEXTLINE(misc-include-cleaner) 424 std::raise(SIGHUP); 425 } 426 } 427 getAuthMethodsConfig()428 AuthConfigMethods& getAuthMethodsConfig() 429 { 430 return authMethodsConfig; 431 } 432 needsWrite() const433 bool needsWrite() const 434 { 435 return needWrite; 436 } getTimeoutInSeconds() const437 int64_t getTimeoutInSeconds() const 438 { 439 return std::chrono::seconds(timeoutInSeconds).count(); 440 } 441 updateSessionTimeout(std::chrono::seconds newTimeoutInSeconds)442 void updateSessionTimeout(std::chrono::seconds newTimeoutInSeconds) 443 { 444 timeoutInSeconds = newTimeoutInSeconds; 445 needWrite = true; 446 } 447 getInstance()448 static SessionStore& getInstance() 449 { 450 static SessionStore sessionStore; 451 return sessionStore; 452 } 453 applySessionTimeouts()454 void applySessionTimeouts() 455 { 456 auto timeNow = std::chrono::steady_clock::now(); 457 if (timeNow - lastTimeoutUpdate > std::chrono::seconds(1)) 458 { 459 lastTimeoutUpdate = timeNow; 460 auto authTokensIt = authTokens.begin(); 461 while (authTokensIt != authTokens.end()) 462 { 463 if (timeNow - authTokensIt->second->lastUpdated >= 464 timeoutInSeconds) 465 { 466 authTokensIt = authTokens.erase(authTokensIt); 467 468 needWrite = true; 469 } 470 else 471 { 472 authTokensIt++; 473 } 474 } 475 } 476 } 477 478 SessionStore(const SessionStore&) = delete; 479 SessionStore& operator=(const SessionStore&) = delete; 480 SessionStore(SessionStore&&) = delete; 481 SessionStore& operator=(const SessionStore&&) = delete; 482 ~SessionStore() = default; 483 484 std::unordered_map<std::string, std::shared_ptr<UserSession>, 485 std::hash<std::string>, bmcweb::ConstantTimeCompare> 486 authTokens; 487 488 std::chrono::time_point<std::chrono::steady_clock> lastTimeoutUpdate; 489 bool needWrite{false}; 490 std::chrono::seconds timeoutInSeconds; 491 AuthConfigMethods authMethodsConfig; 492 493 private: SessionStore()494 SessionStore() : timeoutInSeconds(1800) {} 495 }; 496 497 } // namespace persistent_data 498