12b7981f6SKowalski, Kamil /* 22b7981f6SKowalski, Kamil // Copyright (c) 2018 Intel Corporation 32b7981f6SKowalski, Kamil // 42b7981f6SKowalski, Kamil // Licensed under the Apache License, Version 2.0 (the "License"); 52b7981f6SKowalski, Kamil // you may not use this file except in compliance with the License. 62b7981f6SKowalski, Kamil // You may obtain a copy of the License at 72b7981f6SKowalski, Kamil // 82b7981f6SKowalski, Kamil // http://www.apache.org/licenses/LICENSE-2.0 92b7981f6SKowalski, Kamil // 102b7981f6SKowalski, Kamil // Unless required by applicable law or agreed to in writing, software 112b7981f6SKowalski, Kamil // distributed under the License is distributed on an "AS IS" BASIS, 122b7981f6SKowalski, Kamil // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 132b7981f6SKowalski, Kamil // See the License for the specific language governing permissions and 142b7981f6SKowalski, Kamil // limitations under the License. 152b7981f6SKowalski, Kamil */ 162b7981f6SKowalski, Kamil #pragma once 1743a095abSBorawski.Lukasz 18f4c4dcf4SKowalski, Kamil #include "error_messages.hpp" 1952cc112dSEd Tanous #include "persistent_data.hpp" 202b7981f6SKowalski, Kamil 217e860f15SJohn Edward Broadbent #include <app.hpp> 22*ace85d60SEd Tanous #include <http/utility.hpp> 23ed398213SEd Tanous #include <registries/privilege_registry.hpp> 247e860f15SJohn Edward Broadbent 251abe55efSEd Tanous namespace redfish 261abe55efSEd Tanous { 272b7981f6SKowalski, Kamil 282b7981f6SKowalski, Kamil class SessionCollection; 292b7981f6SKowalski, Kamil 304f48d5f6SEd Tanous inline void fillSessionObject(crow::Response& res, 31faa34ccfSEd Tanous const persistent_data::UserSession& session) 321abe55efSEd Tanous { 33faa34ccfSEd Tanous res.jsonValue["Id"] = session.uniqueId; 34faa34ccfSEd Tanous res.jsonValue["UserName"] = session.username; 35faa34ccfSEd Tanous res.jsonValue["@odata.id"] = 36faa34ccfSEd Tanous "/redfish/v1/SessionService/Sessions/" + session.uniqueId; 37faa34ccfSEd Tanous res.jsonValue["@odata.type"] = "#Session.v1_3_0.Session"; 38faa34ccfSEd Tanous res.jsonValue["Name"] = "User Session"; 39faa34ccfSEd Tanous res.jsonValue["Description"] = "Manager User Session"; 40faa34ccfSEd Tanous res.jsonValue["ClientOriginIPAddress"] = session.clientIp; 41c0ea7ae1SSunitha Harish #ifdef BMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE 42faa34ccfSEd Tanous res.jsonValue["Oem"]["OpenBMC"]["@odata.type"] = 4308bdcc71SSunitha Harish "#OemSession.v1_0_0.Session"; 44faa34ccfSEd Tanous res.jsonValue["Oem"]["OpenBMC"]["ClientID"] = session.clientId; 4508bdcc71SSunitha Harish #endif 462b7981f6SKowalski, Kamil } 472b7981f6SKowalski, Kamil 48faa34ccfSEd Tanous inline void requestRoutesSession(App& app) 491abe55efSEd Tanous { 50faa34ccfSEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/") 51ed398213SEd Tanous .privileges(redfish::privileges::getSession) 52faa34ccfSEd Tanous .methods(boost::beast::http::verb::get)( 53faa34ccfSEd Tanous [](const crow::Request& /*req*/, 54faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 55faa34ccfSEd Tanous const std::string& sessionId) -> void { 56faa34ccfSEd Tanous // Note that control also reaches here via doPost and doDelete. 57faa34ccfSEd Tanous auto session = persistent_data::SessionStore::getInstance() 58faa34ccfSEd Tanous .getSessionByUid(sessionId); 592b7981f6SKowalski, Kamil 601abe55efSEd Tanous if (session == nullptr) 611abe55efSEd Tanous { 62faa34ccfSEd Tanous messages::resourceNotFound(asyncResp->res, "Session", 63faa34ccfSEd Tanous sessionId); 64faa34ccfSEd Tanous return; 65faa34ccfSEd Tanous } 66faa34ccfSEd Tanous 67faa34ccfSEd Tanous fillSessionObject(asyncResp->res, *session); 68faa34ccfSEd Tanous }); 69faa34ccfSEd Tanous 70faa34ccfSEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/") 71ed398213SEd Tanous .privileges(redfish::privileges::deleteSession) 72faa34ccfSEd Tanous .methods(boost::beast::http::verb::delete_)( 73faa34ccfSEd Tanous [](const crow::Request& req, 74faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 75faa34ccfSEd Tanous const std::string& sessionId) -> void { 76faa34ccfSEd Tanous auto session = persistent_data::SessionStore::getInstance() 77faa34ccfSEd Tanous .getSessionByUid(sessionId); 78faa34ccfSEd Tanous 79faa34ccfSEd Tanous if (session == nullptr) 80faa34ccfSEd Tanous { 81faa34ccfSEd Tanous messages::resourceNotFound(asyncResp->res, "Session", 82faa34ccfSEd Tanous sessionId); 832b7981f6SKowalski, Kamil return; 842b7981f6SKowalski, Kamil } 852b7981f6SKowalski, Kamil 86900f9497SJoseph Reynolds // Perform a proper ConfigureSelf authority check. If a 87900f9497SJoseph Reynolds // session is being used to DELETE some other user's session, 88900f9497SJoseph Reynolds // then the ConfigureSelf privilege does not apply. In that 89900f9497SJoseph Reynolds // case, perform the authority check again without the user's 90900f9497SJoseph Reynolds // ConfigureSelf privilege. 91900f9497SJoseph Reynolds if (session->username != req.session->username) 92900f9497SJoseph Reynolds { 936c51eab1SEd Tanous Privileges effectiveUserPrivileges = 946c51eab1SEd Tanous redfish::getUserPrivileges(req.userRole); 956c51eab1SEd Tanous 96faa34ccfSEd Tanous if (!effectiveUserPrivileges.isSupersetOf( 974f48d5f6SEd Tanous {"ConfigureUsers"})) 98900f9497SJoseph Reynolds { 998d1b46d7Szhanghch05 messages::insufficientPrivilege(asyncResp->res); 100900f9497SJoseph Reynolds return; 101900f9497SJoseph Reynolds } 102900f9497SJoseph Reynolds } 103900f9497SJoseph Reynolds 104faa34ccfSEd Tanous persistent_data::SessionStore::getInstance().removeSession( 105faa34ccfSEd Tanous session); 1065cc148afSEd Tanous messages::success(asyncResp->res); 107faa34ccfSEd Tanous }); 108f4c4dcf4SKowalski, Kamil 109faa34ccfSEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/") 110ed398213SEd Tanous .privileges(redfish::privileges::getSessionCollection) 111faa34ccfSEd Tanous .methods(boost::beast::http::verb::get)( 112faa34ccfSEd Tanous [](const crow::Request& /*req*/, 113faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void { 11455c7b7a2SEd Tanous std::vector<const std::string*> sessionIds = 11552cc112dSEd Tanous persistent_data::SessionStore::getInstance().getUniqueIds( 11652cc112dSEd Tanous false, persistent_data::PersistenceType::TIMEOUT); 1172b7981f6SKowalski, Kamil 118faa34ccfSEd Tanous asyncResp->res.jsonValue["Members@odata.count"] = 119faa34ccfSEd Tanous sessionIds.size(); 1208d1b46d7Szhanghch05 asyncResp->res.jsonValue["Members"] = nlohmann::json::array(); 1211abe55efSEd Tanous for (const std::string* uid : sessionIds) 1221abe55efSEd Tanous { 1238d1b46d7Szhanghch05 asyncResp->res.jsonValue["Members"].push_back( 124faa34ccfSEd Tanous {{"@odata.id", 125faa34ccfSEd Tanous "/redfish/v1/SessionService/Sessions/" + *uid}}); 1262b7981f6SKowalski, Kamil } 127faa34ccfSEd Tanous asyncResp->res.jsonValue["Members@odata.count"] = 128faa34ccfSEd Tanous sessionIds.size(); 1298d1b46d7Szhanghch05 asyncResp->res.jsonValue["@odata.type"] = 1308d1b46d7Szhanghch05 "#SessionCollection.SessionCollection"; 1318d1b46d7Szhanghch05 asyncResp->res.jsonValue["@odata.id"] = 1328d1b46d7Szhanghch05 "/redfish/v1/SessionService/Sessions/"; 1338d1b46d7Szhanghch05 asyncResp->res.jsonValue["Name"] = "Session Collection"; 1348d1b46d7Szhanghch05 asyncResp->res.jsonValue["Description"] = "Session Collection"; 135faa34ccfSEd Tanous }); 1362b7981f6SKowalski, Kamil 137faa34ccfSEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/") 138ed398213SEd Tanous // Note, this technically doesn't match the privilege registry given the 139ed398213SEd Tanous // way login mechanisms work. The base privilege registry lists this 140ed398213SEd Tanous // endpoint as requiring login privilege, but because this is the 141ed398213SEd Tanous // endpoint responsible for giving the login privilege, and it is itself 142ed398213SEd Tanous // its own route, it needs to not require Login 143faa34ccfSEd Tanous .privileges({}) 144faa34ccfSEd Tanous .methods(boost::beast::http::verb::post)( 145faa34ccfSEd Tanous [](const crow::Request& req, 146faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void { 1479712f8acSEd Tanous std::string username; 1489712f8acSEd Tanous std::string password; 14908bdcc71SSunitha Harish std::optional<nlohmann::json> oemObject; 15008bdcc71SSunitha Harish std::string clientId; 15115ed6780SWilly Tu if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", 15215ed6780SWilly Tu username, "Password", password, 15315ed6780SWilly Tu "Oem", oemObject)) 1541abe55efSEd Tanous { 1552b7981f6SKowalski, Kamil return; 1562b7981f6SKowalski, Kamil } 1572b7981f6SKowalski, Kamil 158820ce598SEd Tanous if (password.empty() || username.empty() || 1598d1b46d7Szhanghch05 asyncResp->res.result() != boost::beast::http::status::ok) 1601abe55efSEd Tanous { 1611abe55efSEd Tanous if (username.empty()) 1621abe55efSEd Tanous { 1638d1b46d7Szhanghch05 messages::propertyMissing(asyncResp->res, "UserName"); 164f4c4dcf4SKowalski, Kamil } 165f4c4dcf4SKowalski, Kamil 1661abe55efSEd Tanous if (password.empty()) 1671abe55efSEd Tanous { 1688d1b46d7Szhanghch05 messages::propertyMissing(asyncResp->res, "Password"); 169820ce598SEd Tanous } 170820ce598SEd Tanous 171820ce598SEd Tanous return; 172f4c4dcf4SKowalski, Kamil } 1732b7981f6SKowalski, Kamil 1743bf4e632SJoseph Reynolds int pamrc = pamAuthenticateUser(username, password); 1753bf4e632SJoseph Reynolds bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD; 1763bf4e632SJoseph Reynolds if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly) 1771abe55efSEd Tanous { 178faa34ccfSEd Tanous messages::resourceAtUriUnauthorized( 179*ace85d60SEd Tanous asyncResp->res, req.urlView, 180f12894f8SJason M. Bills "Invalid username or password"); 181820ce598SEd Tanous return; 1822b7981f6SKowalski, Kamil } 18308bdcc71SSunitha Harish #ifdef BMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE 18408bdcc71SSunitha Harish if (oemObject) 18508bdcc71SSunitha Harish { 18608bdcc71SSunitha Harish std::optional<nlohmann::json> bmcOem; 187faa34ccfSEd Tanous if (!json_util::readJson(*oemObject, asyncResp->res, 188faa34ccfSEd Tanous "OpenBMC", bmcOem)) 18908bdcc71SSunitha Harish { 19008bdcc71SSunitha Harish return; 19108bdcc71SSunitha Harish } 192faa34ccfSEd Tanous if (!json_util::readJson(*bmcOem, asyncResp->res, 193faa34ccfSEd Tanous "ClientID", clientId)) 19408bdcc71SSunitha Harish { 19508bdcc71SSunitha Harish BMCWEB_LOG_ERROR << "Could not read ClientId"; 19608bdcc71SSunitha Harish return; 19708bdcc71SSunitha Harish } 19808bdcc71SSunitha Harish } 19908bdcc71SSunitha Harish #endif 2006f115bbbSManojkiran Eda 201820ce598SEd Tanous // User is authenticated - create session 20252cc112dSEd Tanous std::shared_ptr<persistent_data::UserSession> session = 203faa34ccfSEd Tanous persistent_data::SessionStore::getInstance() 204faa34ccfSEd Tanous .generateUserSession( 20541d61c82SJiaqing Zhao username, req.ipAddress, clientId, 206faa34ccfSEd Tanous persistent_data::PersistenceType::TIMEOUT, 207faa34ccfSEd Tanous isConfigureSelfOnly); 2088d1b46d7Szhanghch05 asyncResp->res.addHeader("X-Auth-Token", session->sessionToken); 209faa34ccfSEd Tanous asyncResp->res.addHeader( 210faa34ccfSEd Tanous "Location", 211faa34ccfSEd Tanous "/redfish/v1/SessionService/Sessions/" + session->uniqueId); 2128d1b46d7Szhanghch05 asyncResp->res.result(boost::beast::http::status::created); 2133bf4e632SJoseph Reynolds if (session->isConfigureSelfOnly) 2143bf4e632SJoseph Reynolds { 2153bf4e632SJoseph Reynolds messages::passwordChangeRequired( 216*ace85d60SEd Tanous asyncResp->res, crow::utility::urlFromPieces( 217*ace85d60SEd Tanous "redfish", "v1", "AccountService", 218*ace85d60SEd Tanous "Accounts", req.session->username)); 2192b7981f6SKowalski, Kamil } 2202b7981f6SKowalski, Kamil 221faa34ccfSEd Tanous fillSessionObject(asyncResp->res, *session); 222faa34ccfSEd Tanous }); 2232b7981f6SKowalski, Kamil 224faa34ccfSEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/") 225ed398213SEd Tanous .privileges(redfish::privileges::getSessionService) 226faa34ccfSEd Tanous .methods(boost::beast::http::verb::get)( 227faa34ccfSEd Tanous [](const crow::Request& /* req */, 228faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void { 2298d1b46d7Szhanghch05 asyncResp->res.jsonValue["@odata.type"] = 2308d1b46d7Szhanghch05 "#SessionService.v1_0_2.SessionService"; 231faa34ccfSEd Tanous asyncResp->res.jsonValue["@odata.id"] = 232faa34ccfSEd Tanous "/redfish/v1/SessionService/"; 2338d1b46d7Szhanghch05 asyncResp->res.jsonValue["Name"] = "Session Service"; 2348d1b46d7Szhanghch05 asyncResp->res.jsonValue["Id"] = "SessionService"; 2358d1b46d7Szhanghch05 asyncResp->res.jsonValue["Description"] = "Session Service"; 2368d1b46d7Szhanghch05 asyncResp->res.jsonValue["SessionTimeout"] = 237faa34ccfSEd Tanous persistent_data::SessionStore::getInstance() 238faa34ccfSEd Tanous .getTimeoutInSeconds(); 2398d1b46d7Szhanghch05 asyncResp->res.jsonValue["ServiceEnabled"] = true; 2400f74e643SEd Tanous 2418d1b46d7Szhanghch05 asyncResp->res.jsonValue["Sessions"] = { 2420f261533SEd Tanous {"@odata.id", "/redfish/v1/SessionService/Sessions"}}; 243faa34ccfSEd Tanous }); 244f2a4a606SManojkiran Eda 245faa34ccfSEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/") 246ed398213SEd Tanous .privileges(redfish::privileges::patchSessionService) 247faa34ccfSEd Tanous .methods(boost::beast::http::verb::patch)( 248faa34ccfSEd Tanous [](const crow::Request& req, 249faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void { 250f2a4a606SManojkiran Eda std::optional<int64_t> sessionTimeout; 25115ed6780SWilly Tu if (!json_util::readJsonPatch(req, asyncResp->res, 25215ed6780SWilly Tu "SessionTimeout", sessionTimeout)) 253f2a4a606SManojkiran Eda { 254f2a4a606SManojkiran Eda return; 255f2a4a606SManojkiran Eda } 256f2a4a606SManojkiran Eda 257f2a4a606SManojkiran Eda if (sessionTimeout) 258f2a4a606SManojkiran Eda { 259faa34ccfSEd Tanous // The mininum & maximum allowed values for session timeout 260faa34ccfSEd Tanous // are 30 seconds and 86400 seconds respectively as per the 261faa34ccfSEd Tanous // session service schema mentioned at 262f2a4a606SManojkiran Eda // https://redfish.dmtf.org/schemas/v1/SessionService.v1_1_7.json 263f2a4a606SManojkiran Eda 264f2a4a606SManojkiran Eda if (*sessionTimeout <= 86400 && *sessionTimeout >= 30) 265f2a4a606SManojkiran Eda { 266faa34ccfSEd Tanous std::chrono::seconds sessionTimeoutInseconds( 267faa34ccfSEd Tanous *sessionTimeout); 268f2a4a606SManojkiran Eda persistent_data::SessionStore::getInstance() 269f2a4a606SManojkiran Eda .updateSessionTimeout(sessionTimeoutInseconds); 270f2a4a606SManojkiran Eda messages::propertyValueModified( 271f2a4a606SManojkiran Eda asyncResp->res, "SessionTimeOut", 272f2a4a606SManojkiran Eda std::to_string(*sessionTimeout)); 273f2a4a606SManojkiran Eda } 274f2a4a606SManojkiran Eda else 275f2a4a606SManojkiran Eda { 276f2a4a606SManojkiran Eda messages::propertyValueNotInList( 2778d1b46d7Szhanghch05 asyncResp->res, std::to_string(*sessionTimeout), 2788d1b46d7Szhanghch05 "SessionTimeOut"); 279f2a4a606SManojkiran Eda } 280f2a4a606SManojkiran Eda } 281faa34ccfSEd Tanous }); 282f2a4a606SManojkiran Eda } 2835d27b854SBorawski.Lukasz 2842b7981f6SKowalski, Kamil } // namespace redfish 285