12b7981f6SKowalski, Kamil /* 22b7981f6SKowalski, Kamil // Copyright (c) 2018 Intel Corporation 32b7981f6SKowalski, Kamil // 42b7981f6SKowalski, Kamil // Licensed under the Apache License, Version 2.0 (the "License"); 52b7981f6SKowalski, Kamil // you may not use this file except in compliance with the License. 62b7981f6SKowalski, Kamil // You may obtain a copy of the License at 72b7981f6SKowalski, Kamil // 82b7981f6SKowalski, Kamil // http://www.apache.org/licenses/LICENSE-2.0 92b7981f6SKowalski, Kamil // 102b7981f6SKowalski, Kamil // Unless required by applicable law or agreed to in writing, software 112b7981f6SKowalski, Kamil // distributed under the License is distributed on an "AS IS" BASIS, 122b7981f6SKowalski, Kamil // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 132b7981f6SKowalski, Kamil // See the License for the specific language governing permissions and 142b7981f6SKowalski, Kamil // limitations under the License. 152b7981f6SKowalski, Kamil */ 162b7981f6SKowalski, Kamil #pragma once 1743a095abSBorawski.Lukasz 18f4c4dcf4SKowalski, Kamil #include "error_messages.hpp" 1952cc112dSEd Tanous #include "persistent_data.hpp" 202b7981f6SKowalski, Kamil 217e860f15SJohn Edward Broadbent #include <app.hpp> 22ace85d60SEd Tanous #include <http/utility.hpp> 23*45ca1b86SEd Tanous #include <query.hpp> 24ed398213SEd Tanous #include <registries/privilege_registry.hpp> 257e860f15SJohn Edward Broadbent 261abe55efSEd Tanous namespace redfish 271abe55efSEd Tanous { 282b7981f6SKowalski, Kamil 294f48d5f6SEd Tanous inline void fillSessionObject(crow::Response& res, 30faa34ccfSEd Tanous const persistent_data::UserSession& session) 311abe55efSEd Tanous { 32faa34ccfSEd Tanous res.jsonValue["Id"] = session.uniqueId; 33faa34ccfSEd Tanous res.jsonValue["UserName"] = session.username; 34faa34ccfSEd Tanous res.jsonValue["@odata.id"] = 35faa34ccfSEd Tanous "/redfish/v1/SessionService/Sessions/" + session.uniqueId; 36faa34ccfSEd Tanous res.jsonValue["@odata.type"] = "#Session.v1_3_0.Session"; 37faa34ccfSEd Tanous res.jsonValue["Name"] = "User Session"; 38faa34ccfSEd Tanous res.jsonValue["Description"] = "Manager User Session"; 39faa34ccfSEd Tanous res.jsonValue["ClientOriginIPAddress"] = session.clientIp; 40c0ea7ae1SSunitha Harish #ifdef BMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE 41faa34ccfSEd Tanous res.jsonValue["Oem"]["OpenBMC"]["@odata.type"] = 4208bdcc71SSunitha Harish "#OemSession.v1_0_0.Session"; 43faa34ccfSEd Tanous res.jsonValue["Oem"]["OpenBMC"]["ClientID"] = session.clientId; 4408bdcc71SSunitha Harish #endif 452b7981f6SKowalski, Kamil } 462b7981f6SKowalski, Kamil 47724340d7SEd Tanous inline void 48*45ca1b86SEd Tanous handleSessionGet(crow::App& app, const crow::Request& req, 49faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 50724340d7SEd Tanous const std::string& sessionId) 51724340d7SEd Tanous { 52*45ca1b86SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) 53*45ca1b86SEd Tanous { 54*45ca1b86SEd Tanous return; 55*45ca1b86SEd Tanous } 56faa34ccfSEd Tanous // Note that control also reaches here via doPost and doDelete. 57724340d7SEd Tanous auto session = 58724340d7SEd Tanous persistent_data::SessionStore::getInstance().getSessionByUid(sessionId); 592b7981f6SKowalski, Kamil 601abe55efSEd Tanous if (session == nullptr) 611abe55efSEd Tanous { 62724340d7SEd Tanous messages::resourceNotFound(asyncResp->res, "Session", sessionId); 63faa34ccfSEd Tanous return; 64faa34ccfSEd Tanous } 65faa34ccfSEd Tanous 66faa34ccfSEd Tanous fillSessionObject(asyncResp->res, *session); 67724340d7SEd Tanous } 68faa34ccfSEd Tanous 69724340d7SEd Tanous inline void 70*45ca1b86SEd Tanous handleSessionDelete(crow::App& app, const crow::Request& req, 71faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 72724340d7SEd Tanous const std::string& sessionId) 73724340d7SEd Tanous { 74*45ca1b86SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) 75*45ca1b86SEd Tanous { 76*45ca1b86SEd Tanous return; 77*45ca1b86SEd Tanous } 78724340d7SEd Tanous auto session = 79724340d7SEd Tanous persistent_data::SessionStore::getInstance().getSessionByUid(sessionId); 80faa34ccfSEd Tanous 81faa34ccfSEd Tanous if (session == nullptr) 82faa34ccfSEd Tanous { 83724340d7SEd Tanous messages::resourceNotFound(asyncResp->res, "Session", sessionId); 842b7981f6SKowalski, Kamil return; 852b7981f6SKowalski, Kamil } 862b7981f6SKowalski, Kamil 87900f9497SJoseph Reynolds // Perform a proper ConfigureSelf authority check. If a 88900f9497SJoseph Reynolds // session is being used to DELETE some other user's session, 89900f9497SJoseph Reynolds // then the ConfigureSelf privilege does not apply. In that 90900f9497SJoseph Reynolds // case, perform the authority check again without the user's 91900f9497SJoseph Reynolds // ConfigureSelf privilege. 92900f9497SJoseph Reynolds if (session->username != req.session->username) 93900f9497SJoseph Reynolds { 946c51eab1SEd Tanous Privileges effectiveUserPrivileges = 956c51eab1SEd Tanous redfish::getUserPrivileges(req.userRole); 966c51eab1SEd Tanous 97724340d7SEd Tanous if (!effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"})) 98900f9497SJoseph Reynolds { 998d1b46d7Szhanghch05 messages::insufficientPrivilege(asyncResp->res); 100900f9497SJoseph Reynolds return; 101900f9497SJoseph Reynolds } 102900f9497SJoseph Reynolds } 103900f9497SJoseph Reynolds 104724340d7SEd Tanous persistent_data::SessionStore::getInstance().removeSession(session); 1055cc148afSEd Tanous messages::success(asyncResp->res); 106724340d7SEd Tanous } 107f4c4dcf4SKowalski, Kamil 108724340d7SEd Tanous inline nlohmann::json getSessionCollectionMembers() 109724340d7SEd Tanous { 11055c7b7a2SEd Tanous std::vector<const std::string*> sessionIds = 11152cc112dSEd Tanous persistent_data::SessionStore::getInstance().getUniqueIds( 11252cc112dSEd Tanous false, persistent_data::PersistenceType::TIMEOUT); 113724340d7SEd Tanous nlohmann::json ret = nlohmann::json::array(); 1141abe55efSEd Tanous for (const std::string* uid : sessionIds) 1151abe55efSEd Tanous { 116724340d7SEd Tanous ret.push_back( 117724340d7SEd Tanous {{"@odata.id", "/redfish/v1/SessionService/Sessions/" + *uid}}); 1182b7981f6SKowalski, Kamil } 119724340d7SEd Tanous return ret; 120724340d7SEd Tanous } 121724340d7SEd Tanous 122724340d7SEd Tanous inline void handleSessionCollectionGet( 123*45ca1b86SEd Tanous crow::App& app, const crow::Request& req, 124724340d7SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 125724340d7SEd Tanous { 126*45ca1b86SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) 127*45ca1b86SEd Tanous { 128*45ca1b86SEd Tanous return; 129*45ca1b86SEd Tanous } 130724340d7SEd Tanous asyncResp->res.jsonValue["Members"] = getSessionCollectionMembers(); 131faa34ccfSEd Tanous asyncResp->res.jsonValue["Members@odata.count"] = 132724340d7SEd Tanous asyncResp->res.jsonValue["Members"].size(); 1338d1b46d7Szhanghch05 asyncResp->res.jsonValue["@odata.type"] = 1348d1b46d7Szhanghch05 "#SessionCollection.SessionCollection"; 1358d1b46d7Szhanghch05 asyncResp->res.jsonValue["@odata.id"] = 1368d1b46d7Szhanghch05 "/redfish/v1/SessionService/Sessions/"; 1378d1b46d7Szhanghch05 asyncResp->res.jsonValue["Name"] = "Session Collection"; 1388d1b46d7Szhanghch05 asyncResp->res.jsonValue["Description"] = "Session Collection"; 139724340d7SEd Tanous } 1402b7981f6SKowalski, Kamil 141724340d7SEd Tanous inline void handleSessionCollectionMembersGet( 142*45ca1b86SEd Tanous crow::App& app, const crow::Request& req, 143724340d7SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 144724340d7SEd Tanous { 145*45ca1b86SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) 146*45ca1b86SEd Tanous { 147*45ca1b86SEd Tanous return; 148*45ca1b86SEd Tanous } 149724340d7SEd Tanous asyncResp->res.jsonValue = getSessionCollectionMembers(); 150724340d7SEd Tanous } 151724340d7SEd Tanous 152724340d7SEd Tanous void handleSessionCollectionPost( 153*45ca1b86SEd Tanous crow::App& app, const crow::Request& req, 154724340d7SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 155724340d7SEd Tanous { 156*45ca1b86SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) 157*45ca1b86SEd Tanous { 158*45ca1b86SEd Tanous return; 159*45ca1b86SEd Tanous } 1609712f8acSEd Tanous std::string username; 1619712f8acSEd Tanous std::string password; 16208bdcc71SSunitha Harish std::optional<nlohmann::json> oemObject; 16308bdcc71SSunitha Harish std::string clientId; 164724340d7SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username, 165724340d7SEd Tanous "Password", password, "Oem", oemObject)) 1661abe55efSEd Tanous { 1672b7981f6SKowalski, Kamil return; 1682b7981f6SKowalski, Kamil } 1692b7981f6SKowalski, Kamil 170820ce598SEd Tanous if (password.empty() || username.empty() || 1718d1b46d7Szhanghch05 asyncResp->res.result() != boost::beast::http::status::ok) 1721abe55efSEd Tanous { 1731abe55efSEd Tanous if (username.empty()) 1741abe55efSEd Tanous { 1758d1b46d7Szhanghch05 messages::propertyMissing(asyncResp->res, "UserName"); 176f4c4dcf4SKowalski, Kamil } 177f4c4dcf4SKowalski, Kamil 1781abe55efSEd Tanous if (password.empty()) 1791abe55efSEd Tanous { 1808d1b46d7Szhanghch05 messages::propertyMissing(asyncResp->res, "Password"); 181820ce598SEd Tanous } 182820ce598SEd Tanous 183820ce598SEd Tanous return; 184f4c4dcf4SKowalski, Kamil } 1852b7981f6SKowalski, Kamil 1863bf4e632SJoseph Reynolds int pamrc = pamAuthenticateUser(username, password); 1873bf4e632SJoseph Reynolds bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD; 1883bf4e632SJoseph Reynolds if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly) 1891abe55efSEd Tanous { 190724340d7SEd Tanous messages::resourceAtUriUnauthorized(asyncResp->res, req.urlView, 191f12894f8SJason M. Bills "Invalid username or password"); 192820ce598SEd Tanous return; 1932b7981f6SKowalski, Kamil } 19408bdcc71SSunitha Harish #ifdef BMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE 19508bdcc71SSunitha Harish if (oemObject) 19608bdcc71SSunitha Harish { 19708bdcc71SSunitha Harish std::optional<nlohmann::json> bmcOem; 198724340d7SEd Tanous if (!json_util::readJson(*oemObject, asyncResp->res, "OpenBMC", bmcOem)) 19908bdcc71SSunitha Harish { 20008bdcc71SSunitha Harish return; 20108bdcc71SSunitha Harish } 202724340d7SEd Tanous if (!json_util::readJson(*bmcOem, asyncResp->res, "ClientID", clientId)) 20308bdcc71SSunitha Harish { 20408bdcc71SSunitha Harish BMCWEB_LOG_ERROR << "Could not read ClientId"; 20508bdcc71SSunitha Harish return; 20608bdcc71SSunitha Harish } 20708bdcc71SSunitha Harish } 20808bdcc71SSunitha Harish #endif 2096f115bbbSManojkiran Eda 210820ce598SEd Tanous // User is authenticated - create session 21152cc112dSEd Tanous std::shared_ptr<persistent_data::UserSession> session = 212724340d7SEd Tanous persistent_data::SessionStore::getInstance().generateUserSession( 21341d61c82SJiaqing Zhao username, req.ipAddress, clientId, 214724340d7SEd Tanous persistent_data::PersistenceType::TIMEOUT, isConfigureSelfOnly); 2158d1b46d7Szhanghch05 asyncResp->res.addHeader("X-Auth-Token", session->sessionToken); 216faa34ccfSEd Tanous asyncResp->res.addHeader( 217724340d7SEd Tanous "Location", "/redfish/v1/SessionService/Sessions/" + session->uniqueId); 2188d1b46d7Szhanghch05 asyncResp->res.result(boost::beast::http::status::created); 2193bf4e632SJoseph Reynolds if (session->isConfigureSelfOnly) 2203bf4e632SJoseph Reynolds { 2213bf4e632SJoseph Reynolds messages::passwordChangeRequired( 222724340d7SEd Tanous asyncResp->res, 223724340d7SEd Tanous crow::utility::urlFromPieces("redfish", "v1", "AccountService", 224ace85d60SEd Tanous "Accounts", req.session->username)); 2252b7981f6SKowalski, Kamil } 2262b7981f6SKowalski, Kamil 227faa34ccfSEd Tanous fillSessionObject(asyncResp->res, *session); 228724340d7SEd Tanous } 229724340d7SEd Tanous inline void 230*45ca1b86SEd Tanous handleSessionServiceGet(crow::App& app, const crow::Request& req, 231724340d7SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 2322b7981f6SKowalski, Kamil 233724340d7SEd Tanous { 234*45ca1b86SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) 235*45ca1b86SEd Tanous { 236*45ca1b86SEd Tanous return; 237*45ca1b86SEd Tanous } 2388d1b46d7Szhanghch05 asyncResp->res.jsonValue["@odata.type"] = 2398d1b46d7Szhanghch05 "#SessionService.v1_0_2.SessionService"; 240724340d7SEd Tanous asyncResp->res.jsonValue["@odata.id"] = "/redfish/v1/SessionService/"; 2418d1b46d7Szhanghch05 asyncResp->res.jsonValue["Name"] = "Session Service"; 2428d1b46d7Szhanghch05 asyncResp->res.jsonValue["Id"] = "SessionService"; 2438d1b46d7Szhanghch05 asyncResp->res.jsonValue["Description"] = "Session Service"; 2448d1b46d7Szhanghch05 asyncResp->res.jsonValue["SessionTimeout"] = 245724340d7SEd Tanous persistent_data::SessionStore::getInstance().getTimeoutInSeconds(); 2468d1b46d7Szhanghch05 asyncResp->res.jsonValue["ServiceEnabled"] = true; 2470f74e643SEd Tanous 2488d1b46d7Szhanghch05 asyncResp->res.jsonValue["Sessions"] = { 2490f261533SEd Tanous {"@odata.id", "/redfish/v1/SessionService/Sessions"}}; 250724340d7SEd Tanous } 251f2a4a606SManojkiran Eda 252724340d7SEd Tanous inline void handleSessionServicePatch( 253*45ca1b86SEd Tanous crow::App& app, const crow::Request& req, 254724340d7SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 255724340d7SEd Tanous { 256*45ca1b86SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) 257*45ca1b86SEd Tanous { 258*45ca1b86SEd Tanous return; 259*45ca1b86SEd Tanous } 260f2a4a606SManojkiran Eda std::optional<int64_t> sessionTimeout; 261724340d7SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "SessionTimeout", 262724340d7SEd Tanous sessionTimeout)) 263f2a4a606SManojkiran Eda { 264f2a4a606SManojkiran Eda return; 265f2a4a606SManojkiran Eda } 266f2a4a606SManojkiran Eda 267f2a4a606SManojkiran Eda if (sessionTimeout) 268f2a4a606SManojkiran Eda { 269faa34ccfSEd Tanous // The mininum & maximum allowed values for session timeout 270faa34ccfSEd Tanous // are 30 seconds and 86400 seconds respectively as per the 271faa34ccfSEd Tanous // session service schema mentioned at 272f2a4a606SManojkiran Eda // https://redfish.dmtf.org/schemas/v1/SessionService.v1_1_7.json 273f2a4a606SManojkiran Eda 274f2a4a606SManojkiran Eda if (*sessionTimeout <= 86400 && *sessionTimeout >= 30) 275f2a4a606SManojkiran Eda { 276724340d7SEd Tanous std::chrono::seconds sessionTimeoutInseconds(*sessionTimeout); 277724340d7SEd Tanous persistent_data::SessionStore::getInstance().updateSessionTimeout( 278724340d7SEd Tanous sessionTimeoutInseconds); 279724340d7SEd Tanous messages::propertyValueModified(asyncResp->res, "SessionTimeOut", 280f2a4a606SManojkiran Eda std::to_string(*sessionTimeout)); 281f2a4a606SManojkiran Eda } 282f2a4a606SManojkiran Eda else 283f2a4a606SManojkiran Eda { 284724340d7SEd Tanous messages::propertyValueNotInList(asyncResp->res, 285724340d7SEd Tanous std::to_string(*sessionTimeout), 2868d1b46d7Szhanghch05 "SessionTimeOut"); 287f2a4a606SManojkiran Eda } 288f2a4a606SManojkiran Eda } 289724340d7SEd Tanous } 290724340d7SEd Tanous 291724340d7SEd Tanous inline void requestRoutesSession(App& app) 292724340d7SEd Tanous { 293724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/") 294724340d7SEd Tanous .privileges(redfish::privileges::getSession) 295*45ca1b86SEd Tanous .methods(boost::beast::http::verb::get)( 296*45ca1b86SEd Tanous std::bind_front(handleSessionGet, std::ref(app))); 297724340d7SEd Tanous 298724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/") 299724340d7SEd Tanous .privileges(redfish::privileges::deleteSession) 300*45ca1b86SEd Tanous .methods(boost::beast::http::verb::delete_)( 301*45ca1b86SEd Tanous std::bind_front(handleSessionDelete, std::ref(app))); 302724340d7SEd Tanous 303724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/") 304724340d7SEd Tanous .privileges(redfish::privileges::getSessionCollection) 305*45ca1b86SEd Tanous .methods(boost::beast::http::verb::get)( 306*45ca1b86SEd Tanous std::bind_front(handleSessionCollectionGet, std::ref(app))); 307724340d7SEd Tanous 308e76cd868SEd Tanous // Note, the next two routes technically don't match the privilege 309724340d7SEd Tanous // registry given the way login mechanisms work. The base privilege 310724340d7SEd Tanous // registry lists this endpoint as requiring login privilege, but because 311724340d7SEd Tanous // this is the endpoint responsible for giving the login privilege, and it 312724340d7SEd Tanous // is itself its own route, it needs to not require Login 313724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/") 314724340d7SEd Tanous .privileges({}) 315*45ca1b86SEd Tanous .methods(boost::beast::http::verb::post)( 316*45ca1b86SEd Tanous std::bind_front(handleSessionCollectionPost, std::ref(app))); 317724340d7SEd Tanous 318e76cd868SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/Members/") 319e76cd868SEd Tanous .privileges({}) 320*45ca1b86SEd Tanous .methods(boost::beast::http::verb::post)( 321*45ca1b86SEd Tanous std::bind_front(handleSessionCollectionPost, std::ref(app))); 322e76cd868SEd Tanous 323724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/") 324724340d7SEd Tanous .privileges(redfish::privileges::getSessionService) 325*45ca1b86SEd Tanous .methods(boost::beast::http::verb::get)( 326*45ca1b86SEd Tanous std::bind_front(handleSessionServiceGet, std::ref(app))); 327724340d7SEd Tanous 328724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/") 329724340d7SEd Tanous .privileges(redfish::privileges::patchSessionService) 330*45ca1b86SEd Tanous .methods(boost::beast::http::verb::patch)( 331*45ca1b86SEd Tanous std::bind_front(handleSessionServicePatch, std::ref(app))); 332f2a4a606SManojkiran Eda } 3335d27b854SBorawski.Lukasz 3342b7981f6SKowalski, Kamil } // namespace redfish 335