12b7981f6SKowalski, Kamil /* 22b7981f6SKowalski, Kamil // Copyright (c) 2018 Intel Corporation 32b7981f6SKowalski, Kamil // 42b7981f6SKowalski, Kamil // Licensed under the Apache License, Version 2.0 (the "License"); 52b7981f6SKowalski, Kamil // you may not use this file except in compliance with the License. 62b7981f6SKowalski, Kamil // You may obtain a copy of the License at 72b7981f6SKowalski, Kamil // 82b7981f6SKowalski, Kamil // http://www.apache.org/licenses/LICENSE-2.0 92b7981f6SKowalski, Kamil // 102b7981f6SKowalski, Kamil // Unless required by applicable law or agreed to in writing, software 112b7981f6SKowalski, Kamil // distributed under the License is distributed on an "AS IS" BASIS, 122b7981f6SKowalski, Kamil // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 132b7981f6SKowalski, Kamil // See the License for the specific language governing permissions and 142b7981f6SKowalski, Kamil // limitations under the License. 152b7981f6SKowalski, Kamil */ 162b7981f6SKowalski, Kamil #pragma once 1743a095abSBorawski.Lukasz 18f4c4dcf4SKowalski, Kamil #include "error_messages.hpp" 1952cc112dSEd Tanous #include "persistent_data.hpp" 202b7981f6SKowalski, Kamil 217e860f15SJohn Edward Broadbent #include <app.hpp> 22ace85d60SEd Tanous #include <http/utility.hpp> 23ed398213SEd Tanous #include <registries/privilege_registry.hpp> 247e860f15SJohn Edward Broadbent 251abe55efSEd Tanous namespace redfish 261abe55efSEd Tanous { 272b7981f6SKowalski, Kamil 284f48d5f6SEd Tanous inline void fillSessionObject(crow::Response& res, 29faa34ccfSEd Tanous const persistent_data::UserSession& session) 301abe55efSEd Tanous { 31faa34ccfSEd Tanous res.jsonValue["Id"] = session.uniqueId; 32faa34ccfSEd Tanous res.jsonValue["UserName"] = session.username; 33faa34ccfSEd Tanous res.jsonValue["@odata.id"] = 34faa34ccfSEd Tanous "/redfish/v1/SessionService/Sessions/" + session.uniqueId; 35faa34ccfSEd Tanous res.jsonValue["@odata.type"] = "#Session.v1_3_0.Session"; 36faa34ccfSEd Tanous res.jsonValue["Name"] = "User Session"; 37faa34ccfSEd Tanous res.jsonValue["Description"] = "Manager User Session"; 38faa34ccfSEd Tanous res.jsonValue["ClientOriginIPAddress"] = session.clientIp; 39c0ea7ae1SSunitha Harish #ifdef BMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE 40faa34ccfSEd Tanous res.jsonValue["Oem"]["OpenBMC"]["@odata.type"] = 4108bdcc71SSunitha Harish "#OemSession.v1_0_0.Session"; 42faa34ccfSEd Tanous res.jsonValue["Oem"]["OpenBMC"]["ClientID"] = session.clientId; 4308bdcc71SSunitha Harish #endif 442b7981f6SKowalski, Kamil } 452b7981f6SKowalski, Kamil 46*724340d7SEd Tanous inline void 47*724340d7SEd Tanous handleSessionGet(const crow::Request& /*req*/, 48faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 49*724340d7SEd Tanous const std::string& sessionId) 50*724340d7SEd Tanous { 51faa34ccfSEd Tanous // Note that control also reaches here via doPost and doDelete. 52*724340d7SEd Tanous auto session = 53*724340d7SEd Tanous persistent_data::SessionStore::getInstance().getSessionByUid(sessionId); 542b7981f6SKowalski, Kamil 551abe55efSEd Tanous if (session == nullptr) 561abe55efSEd Tanous { 57*724340d7SEd Tanous messages::resourceNotFound(asyncResp->res, "Session", sessionId); 58faa34ccfSEd Tanous return; 59faa34ccfSEd Tanous } 60faa34ccfSEd Tanous 61faa34ccfSEd Tanous fillSessionObject(asyncResp->res, *session); 62*724340d7SEd Tanous } 63faa34ccfSEd Tanous 64*724340d7SEd Tanous inline void 65*724340d7SEd Tanous handleSessionDelete(const crow::Request& req, 66faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 67*724340d7SEd Tanous const std::string& sessionId) 68*724340d7SEd Tanous { 69*724340d7SEd Tanous auto session = 70*724340d7SEd Tanous persistent_data::SessionStore::getInstance().getSessionByUid(sessionId); 71faa34ccfSEd Tanous 72faa34ccfSEd Tanous if (session == nullptr) 73faa34ccfSEd Tanous { 74*724340d7SEd Tanous messages::resourceNotFound(asyncResp->res, "Session", sessionId); 752b7981f6SKowalski, Kamil return; 762b7981f6SKowalski, Kamil } 772b7981f6SKowalski, Kamil 78900f9497SJoseph Reynolds // Perform a proper ConfigureSelf authority check. If a 79900f9497SJoseph Reynolds // session is being used to DELETE some other user's session, 80900f9497SJoseph Reynolds // then the ConfigureSelf privilege does not apply. In that 81900f9497SJoseph Reynolds // case, perform the authority check again without the user's 82900f9497SJoseph Reynolds // ConfigureSelf privilege. 83900f9497SJoseph Reynolds if (session->username != req.session->username) 84900f9497SJoseph Reynolds { 856c51eab1SEd Tanous Privileges effectiveUserPrivileges = 866c51eab1SEd Tanous redfish::getUserPrivileges(req.userRole); 876c51eab1SEd Tanous 88*724340d7SEd Tanous if (!effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"})) 89900f9497SJoseph Reynolds { 908d1b46d7Szhanghch05 messages::insufficientPrivilege(asyncResp->res); 91900f9497SJoseph Reynolds return; 92900f9497SJoseph Reynolds } 93900f9497SJoseph Reynolds } 94900f9497SJoseph Reynolds 95*724340d7SEd Tanous persistent_data::SessionStore::getInstance().removeSession(session); 965cc148afSEd Tanous messages::success(asyncResp->res); 97*724340d7SEd Tanous } 98f4c4dcf4SKowalski, Kamil 99*724340d7SEd Tanous inline nlohmann::json getSessionCollectionMembers() 100*724340d7SEd Tanous { 10155c7b7a2SEd Tanous std::vector<const std::string*> sessionIds = 10252cc112dSEd Tanous persistent_data::SessionStore::getInstance().getUniqueIds( 10352cc112dSEd Tanous false, persistent_data::PersistenceType::TIMEOUT); 104*724340d7SEd Tanous nlohmann::json ret = nlohmann::json::array(); 1051abe55efSEd Tanous for (const std::string* uid : sessionIds) 1061abe55efSEd Tanous { 107*724340d7SEd Tanous ret.push_back( 108*724340d7SEd Tanous {{"@odata.id", "/redfish/v1/SessionService/Sessions/" + *uid}}); 1092b7981f6SKowalski, Kamil } 110*724340d7SEd Tanous return ret; 111*724340d7SEd Tanous } 112*724340d7SEd Tanous 113*724340d7SEd Tanous inline void handleSessionCollectionGet( 114*724340d7SEd Tanous const crow::Request& /*req*/, 115*724340d7SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 116*724340d7SEd Tanous { 117*724340d7SEd Tanous asyncResp->res.jsonValue["Members"] = getSessionCollectionMembers(); 118faa34ccfSEd Tanous asyncResp->res.jsonValue["Members@odata.count"] = 119*724340d7SEd Tanous asyncResp->res.jsonValue["Members"].size(); 1208d1b46d7Szhanghch05 asyncResp->res.jsonValue["@odata.type"] = 1218d1b46d7Szhanghch05 "#SessionCollection.SessionCollection"; 1228d1b46d7Szhanghch05 asyncResp->res.jsonValue["@odata.id"] = 1238d1b46d7Szhanghch05 "/redfish/v1/SessionService/Sessions/"; 1248d1b46d7Szhanghch05 asyncResp->res.jsonValue["Name"] = "Session Collection"; 1258d1b46d7Szhanghch05 asyncResp->res.jsonValue["Description"] = "Session Collection"; 126*724340d7SEd Tanous } 1272b7981f6SKowalski, Kamil 128*724340d7SEd Tanous inline void handleSessionCollectionMembersGet( 129*724340d7SEd Tanous const crow::Request& /*req*/, 130*724340d7SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 131*724340d7SEd Tanous { 132*724340d7SEd Tanous asyncResp->res.jsonValue = getSessionCollectionMembers(); 133*724340d7SEd Tanous } 134*724340d7SEd Tanous 135*724340d7SEd Tanous void handleSessionCollectionPost( 136*724340d7SEd Tanous const crow::Request& req, 137*724340d7SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 138*724340d7SEd Tanous { 1399712f8acSEd Tanous std::string username; 1409712f8acSEd Tanous std::string password; 14108bdcc71SSunitha Harish std::optional<nlohmann::json> oemObject; 14208bdcc71SSunitha Harish std::string clientId; 143*724340d7SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username, 144*724340d7SEd Tanous "Password", password, "Oem", oemObject)) 1451abe55efSEd Tanous { 1462b7981f6SKowalski, Kamil return; 1472b7981f6SKowalski, Kamil } 1482b7981f6SKowalski, Kamil 149820ce598SEd Tanous if (password.empty() || username.empty() || 1508d1b46d7Szhanghch05 asyncResp->res.result() != boost::beast::http::status::ok) 1511abe55efSEd Tanous { 1521abe55efSEd Tanous if (username.empty()) 1531abe55efSEd Tanous { 1548d1b46d7Szhanghch05 messages::propertyMissing(asyncResp->res, "UserName"); 155f4c4dcf4SKowalski, Kamil } 156f4c4dcf4SKowalski, Kamil 1571abe55efSEd Tanous if (password.empty()) 1581abe55efSEd Tanous { 1598d1b46d7Szhanghch05 messages::propertyMissing(asyncResp->res, "Password"); 160820ce598SEd Tanous } 161820ce598SEd Tanous 162820ce598SEd Tanous return; 163f4c4dcf4SKowalski, Kamil } 1642b7981f6SKowalski, Kamil 1653bf4e632SJoseph Reynolds int pamrc = pamAuthenticateUser(username, password); 1663bf4e632SJoseph Reynolds bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD; 1673bf4e632SJoseph Reynolds if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly) 1681abe55efSEd Tanous { 169*724340d7SEd Tanous messages::resourceAtUriUnauthorized(asyncResp->res, req.urlView, 170f12894f8SJason M. Bills "Invalid username or password"); 171820ce598SEd Tanous return; 1722b7981f6SKowalski, Kamil } 17308bdcc71SSunitha Harish #ifdef BMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE 17408bdcc71SSunitha Harish if (oemObject) 17508bdcc71SSunitha Harish { 17608bdcc71SSunitha Harish std::optional<nlohmann::json> bmcOem; 177*724340d7SEd Tanous if (!json_util::readJson(*oemObject, asyncResp->res, "OpenBMC", bmcOem)) 17808bdcc71SSunitha Harish { 17908bdcc71SSunitha Harish return; 18008bdcc71SSunitha Harish } 181*724340d7SEd Tanous if (!json_util::readJson(*bmcOem, asyncResp->res, "ClientID", clientId)) 18208bdcc71SSunitha Harish { 18308bdcc71SSunitha Harish BMCWEB_LOG_ERROR << "Could not read ClientId"; 18408bdcc71SSunitha Harish return; 18508bdcc71SSunitha Harish } 18608bdcc71SSunitha Harish } 18708bdcc71SSunitha Harish #endif 1886f115bbbSManojkiran Eda 189820ce598SEd Tanous // User is authenticated - create session 19052cc112dSEd Tanous std::shared_ptr<persistent_data::UserSession> session = 191*724340d7SEd Tanous persistent_data::SessionStore::getInstance().generateUserSession( 19241d61c82SJiaqing Zhao username, req.ipAddress, clientId, 193*724340d7SEd Tanous persistent_data::PersistenceType::TIMEOUT, isConfigureSelfOnly); 1948d1b46d7Szhanghch05 asyncResp->res.addHeader("X-Auth-Token", session->sessionToken); 195faa34ccfSEd Tanous asyncResp->res.addHeader( 196*724340d7SEd Tanous "Location", "/redfish/v1/SessionService/Sessions/" + session->uniqueId); 1978d1b46d7Szhanghch05 asyncResp->res.result(boost::beast::http::status::created); 1983bf4e632SJoseph Reynolds if (session->isConfigureSelfOnly) 1993bf4e632SJoseph Reynolds { 2003bf4e632SJoseph Reynolds messages::passwordChangeRequired( 201*724340d7SEd Tanous asyncResp->res, 202*724340d7SEd Tanous crow::utility::urlFromPieces("redfish", "v1", "AccountService", 203ace85d60SEd Tanous "Accounts", req.session->username)); 2042b7981f6SKowalski, Kamil } 2052b7981f6SKowalski, Kamil 206faa34ccfSEd Tanous fillSessionObject(asyncResp->res, *session); 207*724340d7SEd Tanous } 208*724340d7SEd Tanous inline void 209*724340d7SEd Tanous handleSessionServiceGet(const crow::Request& /* req */, 210*724340d7SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 2112b7981f6SKowalski, Kamil 212*724340d7SEd Tanous { 2138d1b46d7Szhanghch05 asyncResp->res.jsonValue["@odata.type"] = 2148d1b46d7Szhanghch05 "#SessionService.v1_0_2.SessionService"; 215*724340d7SEd Tanous asyncResp->res.jsonValue["@odata.id"] = "/redfish/v1/SessionService/"; 2168d1b46d7Szhanghch05 asyncResp->res.jsonValue["Name"] = "Session Service"; 2178d1b46d7Szhanghch05 asyncResp->res.jsonValue["Id"] = "SessionService"; 2188d1b46d7Szhanghch05 asyncResp->res.jsonValue["Description"] = "Session Service"; 2198d1b46d7Szhanghch05 asyncResp->res.jsonValue["SessionTimeout"] = 220*724340d7SEd Tanous persistent_data::SessionStore::getInstance().getTimeoutInSeconds(); 2218d1b46d7Szhanghch05 asyncResp->res.jsonValue["ServiceEnabled"] = true; 2220f74e643SEd Tanous 2238d1b46d7Szhanghch05 asyncResp->res.jsonValue["Sessions"] = { 2240f261533SEd Tanous {"@odata.id", "/redfish/v1/SessionService/Sessions"}}; 225*724340d7SEd Tanous } 226f2a4a606SManojkiran Eda 227*724340d7SEd Tanous inline void handleSessionServicePatch( 228*724340d7SEd Tanous const crow::Request& req, 229*724340d7SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 230*724340d7SEd Tanous { 231f2a4a606SManojkiran Eda std::optional<int64_t> sessionTimeout; 232*724340d7SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "SessionTimeout", 233*724340d7SEd Tanous sessionTimeout)) 234f2a4a606SManojkiran Eda { 235f2a4a606SManojkiran Eda return; 236f2a4a606SManojkiran Eda } 237f2a4a606SManojkiran Eda 238f2a4a606SManojkiran Eda if (sessionTimeout) 239f2a4a606SManojkiran Eda { 240faa34ccfSEd Tanous // The mininum & maximum allowed values for session timeout 241faa34ccfSEd Tanous // are 30 seconds and 86400 seconds respectively as per the 242faa34ccfSEd Tanous // session service schema mentioned at 243f2a4a606SManojkiran Eda // https://redfish.dmtf.org/schemas/v1/SessionService.v1_1_7.json 244f2a4a606SManojkiran Eda 245f2a4a606SManojkiran Eda if (*sessionTimeout <= 86400 && *sessionTimeout >= 30) 246f2a4a606SManojkiran Eda { 247*724340d7SEd Tanous std::chrono::seconds sessionTimeoutInseconds(*sessionTimeout); 248*724340d7SEd Tanous persistent_data::SessionStore::getInstance().updateSessionTimeout( 249*724340d7SEd Tanous sessionTimeoutInseconds); 250*724340d7SEd Tanous messages::propertyValueModified(asyncResp->res, "SessionTimeOut", 251f2a4a606SManojkiran Eda std::to_string(*sessionTimeout)); 252f2a4a606SManojkiran Eda } 253f2a4a606SManojkiran Eda else 254f2a4a606SManojkiran Eda { 255*724340d7SEd Tanous messages::propertyValueNotInList(asyncResp->res, 256*724340d7SEd Tanous std::to_string(*sessionTimeout), 2578d1b46d7Szhanghch05 "SessionTimeOut"); 258f2a4a606SManojkiran Eda } 259f2a4a606SManojkiran Eda } 260*724340d7SEd Tanous } 261*724340d7SEd Tanous 262*724340d7SEd Tanous inline void requestRoutesSession(App& app) 263*724340d7SEd Tanous { 264*724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/") 265*724340d7SEd Tanous .privileges(redfish::privileges::getSession) 266*724340d7SEd Tanous .methods(boost::beast::http::verb::get)(handleSessionGet); 267*724340d7SEd Tanous 268*724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/") 269*724340d7SEd Tanous .privileges(redfish::privileges::deleteSession) 270*724340d7SEd Tanous .methods(boost::beast::http::verb::delete_)(handleSessionDelete); 271*724340d7SEd Tanous 272*724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/") 273*724340d7SEd Tanous .privileges(redfish::privileges::getSessionCollection) 274*724340d7SEd Tanous .methods(boost::beast::http::verb::get)(handleSessionCollectionGet); 275*724340d7SEd Tanous 276*724340d7SEd Tanous // Note, the next route technically doesn't match the privilege 277*724340d7SEd Tanous // registry given the way login mechanisms work. The base privilege 278*724340d7SEd Tanous // registry lists this endpoint as requiring login privilege, but because 279*724340d7SEd Tanous // this is the endpoint responsible for giving the login privilege, and it 280*724340d7SEd Tanous // is itself its own route, it needs to not require Login 281*724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/") 282*724340d7SEd Tanous .privileges({}) 283*724340d7SEd Tanous .methods(boost::beast::http::verb::post)(handleSessionCollectionPost); 284*724340d7SEd Tanous 285*724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/") 286*724340d7SEd Tanous .privileges(redfish::privileges::getSessionService) 287*724340d7SEd Tanous .methods(boost::beast::http::verb::get)(handleSessionServiceGet); 288*724340d7SEd Tanous 289*724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/") 290*724340d7SEd Tanous .privileges(redfish::privileges::patchSessionService) 291*724340d7SEd Tanous .methods(boost::beast::http::verb::patch)(handleSessionServicePatch); 292f2a4a606SManojkiran Eda } 2935d27b854SBorawski.Lukasz 2942b7981f6SKowalski, Kamil } // namespace redfish 295