12b7981f6SKowalski, Kamil /* 22b7981f6SKowalski, Kamil // Copyright (c) 2018 Intel Corporation 32b7981f6SKowalski, Kamil // 42b7981f6SKowalski, Kamil // Licensed under the Apache License, Version 2.0 (the "License"); 52b7981f6SKowalski, Kamil // you may not use this file except in compliance with the License. 62b7981f6SKowalski, Kamil // You may obtain a copy of the License at 72b7981f6SKowalski, Kamil // 82b7981f6SKowalski, Kamil // http://www.apache.org/licenses/LICENSE-2.0 92b7981f6SKowalski, Kamil // 102b7981f6SKowalski, Kamil // Unless required by applicable law or agreed to in writing, software 112b7981f6SKowalski, Kamil // distributed under the License is distributed on an "AS IS" BASIS, 122b7981f6SKowalski, Kamil // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 132b7981f6SKowalski, Kamil // See the License for the specific language governing permissions and 142b7981f6SKowalski, Kamil // limitations under the License. 152b7981f6SKowalski, Kamil */ 162b7981f6SKowalski, Kamil #pragma once 1743a095abSBorawski.Lukasz 18f4c4dcf4SKowalski, Kamil #include "error_messages.hpp" 1952cc112dSEd Tanous #include "persistent_data.hpp" 202b7981f6SKowalski, Kamil 217e860f15SJohn Edward Broadbent #include <app.hpp> 22ace85d60SEd Tanous #include <http/utility.hpp> 2345ca1b86SEd Tanous #include <query.hpp> 24ed398213SEd Tanous #include <registries/privilege_registry.hpp> 25*840098bfSEd Tanous #include <utils/json_utils.hpp> 267e860f15SJohn Edward Broadbent 271abe55efSEd Tanous namespace redfish 281abe55efSEd Tanous { 292b7981f6SKowalski, Kamil 304f48d5f6SEd Tanous inline void fillSessionObject(crow::Response& res, 31faa34ccfSEd Tanous const persistent_data::UserSession& session) 321abe55efSEd Tanous { 33faa34ccfSEd Tanous res.jsonValue["Id"] = session.uniqueId; 34faa34ccfSEd Tanous res.jsonValue["UserName"] = session.username; 35faa34ccfSEd Tanous res.jsonValue["@odata.id"] = 36faa34ccfSEd Tanous "/redfish/v1/SessionService/Sessions/" + session.uniqueId; 37faa34ccfSEd Tanous res.jsonValue["@odata.type"] = "#Session.v1_3_0.Session"; 38faa34ccfSEd Tanous res.jsonValue["Name"] = "User Session"; 39faa34ccfSEd Tanous res.jsonValue["Description"] = "Manager User Session"; 40faa34ccfSEd Tanous res.jsonValue["ClientOriginIPAddress"] = session.clientIp; 41c0ea7ae1SSunitha Harish #ifdef BMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE 42faa34ccfSEd Tanous res.jsonValue["Oem"]["OpenBMC"]["@odata.type"] = 4308bdcc71SSunitha Harish "#OemSession.v1_0_0.Session"; 44faa34ccfSEd Tanous res.jsonValue["Oem"]["OpenBMC"]["ClientID"] = session.clientId; 4508bdcc71SSunitha Harish #endif 462b7981f6SKowalski, Kamil } 472b7981f6SKowalski, Kamil 48724340d7SEd Tanous inline void 4945ca1b86SEd Tanous handleSessionGet(crow::App& app, const crow::Request& req, 50faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 51724340d7SEd Tanous const std::string& sessionId) 52724340d7SEd Tanous { 533ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 5445ca1b86SEd Tanous { 5545ca1b86SEd Tanous return; 5645ca1b86SEd Tanous } 57faa34ccfSEd Tanous // Note that control also reaches here via doPost and doDelete. 58724340d7SEd Tanous auto session = 59724340d7SEd Tanous persistent_data::SessionStore::getInstance().getSessionByUid(sessionId); 602b7981f6SKowalski, Kamil 611abe55efSEd Tanous if (session == nullptr) 621abe55efSEd Tanous { 63724340d7SEd Tanous messages::resourceNotFound(asyncResp->res, "Session", sessionId); 64faa34ccfSEd Tanous return; 65faa34ccfSEd Tanous } 66faa34ccfSEd Tanous 67faa34ccfSEd Tanous fillSessionObject(asyncResp->res, *session); 68724340d7SEd Tanous } 69faa34ccfSEd Tanous 70724340d7SEd Tanous inline void 7145ca1b86SEd Tanous handleSessionDelete(crow::App& app, const crow::Request& req, 72faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 73724340d7SEd Tanous const std::string& sessionId) 74724340d7SEd Tanous { 753ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 7645ca1b86SEd Tanous { 7745ca1b86SEd Tanous return; 7845ca1b86SEd Tanous } 79724340d7SEd Tanous auto session = 80724340d7SEd Tanous persistent_data::SessionStore::getInstance().getSessionByUid(sessionId); 81faa34ccfSEd Tanous 82faa34ccfSEd Tanous if (session == nullptr) 83faa34ccfSEd Tanous { 84724340d7SEd Tanous messages::resourceNotFound(asyncResp->res, "Session", sessionId); 852b7981f6SKowalski, Kamil return; 862b7981f6SKowalski, Kamil } 872b7981f6SKowalski, Kamil 88900f9497SJoseph Reynolds // Perform a proper ConfigureSelf authority check. If a 89900f9497SJoseph Reynolds // session is being used to DELETE some other user's session, 90900f9497SJoseph Reynolds // then the ConfigureSelf privilege does not apply. In that 91900f9497SJoseph Reynolds // case, perform the authority check again without the user's 92900f9497SJoseph Reynolds // ConfigureSelf privilege. 930fd29865Swukaihua-fii-na if (req.session != nullptr && !session->username.empty() && 940fd29865Swukaihua-fii-na session->username != req.session->username) 95900f9497SJoseph Reynolds { 966c51eab1SEd Tanous Privileges effectiveUserPrivileges = 976c51eab1SEd Tanous redfish::getUserPrivileges(req.userRole); 986c51eab1SEd Tanous 99724340d7SEd Tanous if (!effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"})) 100900f9497SJoseph Reynolds { 1018d1b46d7Szhanghch05 messages::insufficientPrivilege(asyncResp->res); 102900f9497SJoseph Reynolds return; 103900f9497SJoseph Reynolds } 104900f9497SJoseph Reynolds } 105900f9497SJoseph Reynolds 106724340d7SEd Tanous persistent_data::SessionStore::getInstance().removeSession(session); 1075cc148afSEd Tanous messages::success(asyncResp->res); 108724340d7SEd Tanous } 109f4c4dcf4SKowalski, Kamil 110724340d7SEd Tanous inline nlohmann::json getSessionCollectionMembers() 111724340d7SEd Tanous { 11255c7b7a2SEd Tanous std::vector<const std::string*> sessionIds = 11352cc112dSEd Tanous persistent_data::SessionStore::getInstance().getUniqueIds( 11452cc112dSEd Tanous false, persistent_data::PersistenceType::TIMEOUT); 115724340d7SEd Tanous nlohmann::json ret = nlohmann::json::array(); 1161abe55efSEd Tanous for (const std::string* uid : sessionIds) 1171abe55efSEd Tanous { 1181476687dSEd Tanous nlohmann::json::object_t session; 1191476687dSEd Tanous session["@odata.id"] = "/redfish/v1/SessionService/Sessions/" + *uid; 1201476687dSEd Tanous ret.push_back(std::move(session)); 1212b7981f6SKowalski, Kamil } 122724340d7SEd Tanous return ret; 123724340d7SEd Tanous } 124724340d7SEd Tanous 125724340d7SEd Tanous inline void handleSessionCollectionGet( 12645ca1b86SEd Tanous crow::App& app, const crow::Request& req, 127724340d7SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 128724340d7SEd Tanous { 1293ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 13045ca1b86SEd Tanous { 13145ca1b86SEd Tanous return; 13245ca1b86SEd Tanous } 133724340d7SEd Tanous asyncResp->res.jsonValue["Members"] = getSessionCollectionMembers(); 134faa34ccfSEd Tanous asyncResp->res.jsonValue["Members@odata.count"] = 135724340d7SEd Tanous asyncResp->res.jsonValue["Members"].size(); 1368d1b46d7Szhanghch05 asyncResp->res.jsonValue["@odata.type"] = 1378d1b46d7Szhanghch05 "#SessionCollection.SessionCollection"; 1388d1b46d7Szhanghch05 asyncResp->res.jsonValue["@odata.id"] = 1398d1b46d7Szhanghch05 "/redfish/v1/SessionService/Sessions/"; 1408d1b46d7Szhanghch05 asyncResp->res.jsonValue["Name"] = "Session Collection"; 1418d1b46d7Szhanghch05 asyncResp->res.jsonValue["Description"] = "Session Collection"; 142724340d7SEd Tanous } 1432b7981f6SKowalski, Kamil 144724340d7SEd Tanous inline void handleSessionCollectionMembersGet( 14545ca1b86SEd Tanous crow::App& app, const crow::Request& req, 146724340d7SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 147724340d7SEd Tanous { 1483ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 14945ca1b86SEd Tanous { 15045ca1b86SEd Tanous return; 15145ca1b86SEd Tanous } 152724340d7SEd Tanous asyncResp->res.jsonValue = getSessionCollectionMembers(); 153724340d7SEd Tanous } 154724340d7SEd Tanous 1554ee8e211SEd Tanous inline void handleSessionCollectionPost( 15645ca1b86SEd Tanous crow::App& app, const crow::Request& req, 157724340d7SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 158724340d7SEd Tanous { 1593ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 16045ca1b86SEd Tanous { 16145ca1b86SEd Tanous return; 16245ca1b86SEd Tanous } 1639712f8acSEd Tanous std::string username; 1649712f8acSEd Tanous std::string password; 16508bdcc71SSunitha Harish std::optional<nlohmann::json> oemObject; 16608bdcc71SSunitha Harish std::string clientId; 167724340d7SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username, 168724340d7SEd Tanous "Password", password, "Oem", oemObject)) 1691abe55efSEd Tanous { 1702b7981f6SKowalski, Kamil return; 1712b7981f6SKowalski, Kamil } 1722b7981f6SKowalski, Kamil 173820ce598SEd Tanous if (password.empty() || username.empty() || 1748d1b46d7Szhanghch05 asyncResp->res.result() != boost::beast::http::status::ok) 1751abe55efSEd Tanous { 1761abe55efSEd Tanous if (username.empty()) 1771abe55efSEd Tanous { 1788d1b46d7Szhanghch05 messages::propertyMissing(asyncResp->res, "UserName"); 179f4c4dcf4SKowalski, Kamil } 180f4c4dcf4SKowalski, Kamil 1811abe55efSEd Tanous if (password.empty()) 1821abe55efSEd Tanous { 1838d1b46d7Szhanghch05 messages::propertyMissing(asyncResp->res, "Password"); 184820ce598SEd Tanous } 185820ce598SEd Tanous 186820ce598SEd Tanous return; 187f4c4dcf4SKowalski, Kamil } 1882b7981f6SKowalski, Kamil 1893bf4e632SJoseph Reynolds int pamrc = pamAuthenticateUser(username, password); 1903bf4e632SJoseph Reynolds bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD; 1913bf4e632SJoseph Reynolds if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly) 1921abe55efSEd Tanous { 193724340d7SEd Tanous messages::resourceAtUriUnauthorized(asyncResp->res, req.urlView, 194f12894f8SJason M. Bills "Invalid username or password"); 195820ce598SEd Tanous return; 1962b7981f6SKowalski, Kamil } 19708bdcc71SSunitha Harish #ifdef BMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE 19808bdcc71SSunitha Harish if (oemObject) 19908bdcc71SSunitha Harish { 20008bdcc71SSunitha Harish std::optional<nlohmann::json> bmcOem; 201724340d7SEd Tanous if (!json_util::readJson(*oemObject, asyncResp->res, "OpenBMC", bmcOem)) 20208bdcc71SSunitha Harish { 20308bdcc71SSunitha Harish return; 20408bdcc71SSunitha Harish } 205724340d7SEd Tanous if (!json_util::readJson(*bmcOem, asyncResp->res, "ClientID", clientId)) 20608bdcc71SSunitha Harish { 20708bdcc71SSunitha Harish BMCWEB_LOG_ERROR << "Could not read ClientId"; 20808bdcc71SSunitha Harish return; 20908bdcc71SSunitha Harish } 21008bdcc71SSunitha Harish } 21108bdcc71SSunitha Harish #endif 2126f115bbbSManojkiran Eda 213820ce598SEd Tanous // User is authenticated - create session 21452cc112dSEd Tanous std::shared_ptr<persistent_data::UserSession> session = 215724340d7SEd Tanous persistent_data::SessionStore::getInstance().generateUserSession( 21641d61c82SJiaqing Zhao username, req.ipAddress, clientId, 217724340d7SEd Tanous persistent_data::PersistenceType::TIMEOUT, isConfigureSelfOnly); 2188d1b46d7Szhanghch05 asyncResp->res.addHeader("X-Auth-Token", session->sessionToken); 219faa34ccfSEd Tanous asyncResp->res.addHeader( 220724340d7SEd Tanous "Location", "/redfish/v1/SessionService/Sessions/" + session->uniqueId); 2218d1b46d7Szhanghch05 asyncResp->res.result(boost::beast::http::status::created); 2223bf4e632SJoseph Reynolds if (session->isConfigureSelfOnly) 2233bf4e632SJoseph Reynolds { 2243bf4e632SJoseph Reynolds messages::passwordChangeRequired( 225724340d7SEd Tanous asyncResp->res, 226724340d7SEd Tanous crow::utility::urlFromPieces("redfish", "v1", "AccountService", 227ace85d60SEd Tanous "Accounts", req.session->username)); 2282b7981f6SKowalski, Kamil } 2292b7981f6SKowalski, Kamil 230faa34ccfSEd Tanous fillSessionObject(asyncResp->res, *session); 231724340d7SEd Tanous } 232724340d7SEd Tanous inline void 23345ca1b86SEd Tanous handleSessionServiceGet(crow::App& app, const crow::Request& req, 234724340d7SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 2352b7981f6SKowalski, Kamil 236724340d7SEd Tanous { 2373ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 23845ca1b86SEd Tanous { 23945ca1b86SEd Tanous return; 24045ca1b86SEd Tanous } 2418d1b46d7Szhanghch05 asyncResp->res.jsonValue["@odata.type"] = 2428d1b46d7Szhanghch05 "#SessionService.v1_0_2.SessionService"; 243724340d7SEd Tanous asyncResp->res.jsonValue["@odata.id"] = "/redfish/v1/SessionService/"; 2448d1b46d7Szhanghch05 asyncResp->res.jsonValue["Name"] = "Session Service"; 2458d1b46d7Szhanghch05 asyncResp->res.jsonValue["Id"] = "SessionService"; 2468d1b46d7Szhanghch05 asyncResp->res.jsonValue["Description"] = "Session Service"; 2478d1b46d7Szhanghch05 asyncResp->res.jsonValue["SessionTimeout"] = 248724340d7SEd Tanous persistent_data::SessionStore::getInstance().getTimeoutInSeconds(); 2498d1b46d7Szhanghch05 asyncResp->res.jsonValue["ServiceEnabled"] = true; 2500f74e643SEd Tanous 2511476687dSEd Tanous asyncResp->res.jsonValue["Sessions"]["@odata.id"] = 2521476687dSEd Tanous "/redfish/v1/SessionService/Sessions"; 253724340d7SEd Tanous } 254f2a4a606SManojkiran Eda 255724340d7SEd Tanous inline void handleSessionServicePatch( 25645ca1b86SEd Tanous crow::App& app, const crow::Request& req, 257724340d7SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 258724340d7SEd Tanous { 2593ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 26045ca1b86SEd Tanous { 26145ca1b86SEd Tanous return; 26245ca1b86SEd Tanous } 263f2a4a606SManojkiran Eda std::optional<int64_t> sessionTimeout; 264724340d7SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "SessionTimeout", 265724340d7SEd Tanous sessionTimeout)) 266f2a4a606SManojkiran Eda { 267f2a4a606SManojkiran Eda return; 268f2a4a606SManojkiran Eda } 269f2a4a606SManojkiran Eda 270f2a4a606SManojkiran Eda if (sessionTimeout) 271f2a4a606SManojkiran Eda { 272faa34ccfSEd Tanous // The mininum & maximum allowed values for session timeout 273faa34ccfSEd Tanous // are 30 seconds and 86400 seconds respectively as per the 274faa34ccfSEd Tanous // session service schema mentioned at 275f2a4a606SManojkiran Eda // https://redfish.dmtf.org/schemas/v1/SessionService.v1_1_7.json 276f2a4a606SManojkiran Eda 277f2a4a606SManojkiran Eda if (*sessionTimeout <= 86400 && *sessionTimeout >= 30) 278f2a4a606SManojkiran Eda { 279724340d7SEd Tanous std::chrono::seconds sessionTimeoutInseconds(*sessionTimeout); 280724340d7SEd Tanous persistent_data::SessionStore::getInstance().updateSessionTimeout( 281724340d7SEd Tanous sessionTimeoutInseconds); 282724340d7SEd Tanous messages::propertyValueModified(asyncResp->res, "SessionTimeOut", 283f2a4a606SManojkiran Eda std::to_string(*sessionTimeout)); 284f2a4a606SManojkiran Eda } 285f2a4a606SManojkiran Eda else 286f2a4a606SManojkiran Eda { 287724340d7SEd Tanous messages::propertyValueNotInList(asyncResp->res, 288724340d7SEd Tanous std::to_string(*sessionTimeout), 2898d1b46d7Szhanghch05 "SessionTimeOut"); 290f2a4a606SManojkiran Eda } 291f2a4a606SManojkiran Eda } 292724340d7SEd Tanous } 293724340d7SEd Tanous 294724340d7SEd Tanous inline void requestRoutesSession(App& app) 295724340d7SEd Tanous { 296724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/") 297724340d7SEd Tanous .privileges(redfish::privileges::getSession) 29845ca1b86SEd Tanous .methods(boost::beast::http::verb::get)( 29945ca1b86SEd Tanous std::bind_front(handleSessionGet, std::ref(app))); 300724340d7SEd Tanous 301724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/") 302724340d7SEd Tanous .privileges(redfish::privileges::deleteSession) 30345ca1b86SEd Tanous .methods(boost::beast::http::verb::delete_)( 30445ca1b86SEd Tanous std::bind_front(handleSessionDelete, std::ref(app))); 305724340d7SEd Tanous 306724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/") 307724340d7SEd Tanous .privileges(redfish::privileges::getSessionCollection) 30845ca1b86SEd Tanous .methods(boost::beast::http::verb::get)( 30945ca1b86SEd Tanous std::bind_front(handleSessionCollectionGet, std::ref(app))); 310724340d7SEd Tanous 311e76cd868SEd Tanous // Note, the next two routes technically don't match the privilege 312724340d7SEd Tanous // registry given the way login mechanisms work. The base privilege 313724340d7SEd Tanous // registry lists this endpoint as requiring login privilege, but because 314724340d7SEd Tanous // this is the endpoint responsible for giving the login privilege, and it 315724340d7SEd Tanous // is itself its own route, it needs to not require Login 316724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/") 317724340d7SEd Tanous .privileges({}) 31845ca1b86SEd Tanous .methods(boost::beast::http::verb::post)( 31945ca1b86SEd Tanous std::bind_front(handleSessionCollectionPost, std::ref(app))); 320724340d7SEd Tanous 321e76cd868SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/Members/") 322e76cd868SEd Tanous .privileges({}) 32345ca1b86SEd Tanous .methods(boost::beast::http::verb::post)( 32445ca1b86SEd Tanous std::bind_front(handleSessionCollectionPost, std::ref(app))); 325e76cd868SEd Tanous 326724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/") 327724340d7SEd Tanous .privileges(redfish::privileges::getSessionService) 32845ca1b86SEd Tanous .methods(boost::beast::http::verb::get)( 32945ca1b86SEd Tanous std::bind_front(handleSessionServiceGet, std::ref(app))); 330724340d7SEd Tanous 331724340d7SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/") 332724340d7SEd Tanous .privileges(redfish::privileges::patchSessionService) 33345ca1b86SEd Tanous .methods(boost::beast::http::verb::patch)( 33445ca1b86SEd Tanous std::bind_front(handleSessionServicePatch, std::ref(app))); 335f2a4a606SManojkiran Eda } 3365d27b854SBorawski.Lukasz 3372b7981f6SKowalski, Kamil } // namespace redfish 338