12b7981f6SKowalski, Kamil /* 22b7981f6SKowalski, Kamil // Copyright (c) 2018 Intel Corporation 32b7981f6SKowalski, Kamil // 42b7981f6SKowalski, Kamil // Licensed under the Apache License, Version 2.0 (the "License"); 52b7981f6SKowalski, Kamil // you may not use this file except in compliance with the License. 62b7981f6SKowalski, Kamil // You may obtain a copy of the License at 72b7981f6SKowalski, Kamil // 82b7981f6SKowalski, Kamil // http://www.apache.org/licenses/LICENSE-2.0 92b7981f6SKowalski, Kamil // 102b7981f6SKowalski, Kamil // Unless required by applicable law or agreed to in writing, software 112b7981f6SKowalski, Kamil // distributed under the License is distributed on an "AS IS" BASIS, 122b7981f6SKowalski, Kamil // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 132b7981f6SKowalski, Kamil // See the License for the specific language governing permissions and 142b7981f6SKowalski, Kamil // limitations under the License. 152b7981f6SKowalski, Kamil */ 162b7981f6SKowalski, Kamil #pragma once 1743a095abSBorawski.Lukasz 18f4c4dcf4SKowalski, Kamil #include "error_messages.hpp" 192b7981f6SKowalski, Kamil #include "node.hpp" 2052cc112dSEd Tanous #include "persistent_data.hpp" 212b7981f6SKowalski, Kamil 227e860f15SJohn Edward Broadbent #include <app.hpp> 237e860f15SJohn Edward Broadbent 241abe55efSEd Tanous namespace redfish 251abe55efSEd Tanous { 262b7981f6SKowalski, Kamil 272b7981f6SKowalski, Kamil class SessionCollection; 282b7981f6SKowalski, Kamil 29*faa34ccfSEd Tanous void fillSessionObject(crow::Response& res, 30*faa34ccfSEd Tanous const persistent_data::UserSession& session) 311abe55efSEd Tanous { 32*faa34ccfSEd Tanous res.jsonValue["Id"] = session.uniqueId; 33*faa34ccfSEd Tanous res.jsonValue["UserName"] = session.username; 34*faa34ccfSEd Tanous res.jsonValue["@odata.id"] = 35*faa34ccfSEd Tanous "/redfish/v1/SessionService/Sessions/" + session.uniqueId; 36*faa34ccfSEd Tanous res.jsonValue["@odata.type"] = "#Session.v1_3_0.Session"; 37*faa34ccfSEd Tanous res.jsonValue["Name"] = "User Session"; 38*faa34ccfSEd Tanous res.jsonValue["Description"] = "Manager User Session"; 39*faa34ccfSEd Tanous res.jsonValue["ClientOriginIPAddress"] = session.clientIp; 40c0ea7ae1SSunitha Harish #ifdef BMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE 41*faa34ccfSEd Tanous res.jsonValue["Oem"]["OpenBMC"]["@odata.type"] = 4208bdcc71SSunitha Harish "#OemSession.v1_0_0.Session"; 43*faa34ccfSEd Tanous res.jsonValue["Oem"]["OpenBMC"]["ClientID"] = session.clientId; 4408bdcc71SSunitha Harish #endif 452b7981f6SKowalski, Kamil } 462b7981f6SKowalski, Kamil 47*faa34ccfSEd Tanous inline void requestRoutesSession(App& app) 481abe55efSEd Tanous { 49*faa34ccfSEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/") 50*faa34ccfSEd Tanous .privileges({{"Login"}}) 51*faa34ccfSEd Tanous .methods(boost::beast::http::verb::get)( 52*faa34ccfSEd Tanous [](const crow::Request& /*req*/, 53*faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 54*faa34ccfSEd Tanous const std::string& sessionId) -> void { 55*faa34ccfSEd Tanous // Note that control also reaches here via doPost and doDelete. 56*faa34ccfSEd Tanous auto session = persistent_data::SessionStore::getInstance() 57*faa34ccfSEd Tanous .getSessionByUid(sessionId); 582b7981f6SKowalski, Kamil 591abe55efSEd Tanous if (session == nullptr) 601abe55efSEd Tanous { 61*faa34ccfSEd Tanous messages::resourceNotFound(asyncResp->res, "Session", 62*faa34ccfSEd Tanous sessionId); 63*faa34ccfSEd Tanous return; 64*faa34ccfSEd Tanous } 65*faa34ccfSEd Tanous 66*faa34ccfSEd Tanous fillSessionObject(asyncResp->res, *session); 67*faa34ccfSEd Tanous }); 68*faa34ccfSEd Tanous 69*faa34ccfSEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/") 70*faa34ccfSEd Tanous .privileges({{"ConfigureManager"}, {"ConfigureSelf"}}) 71*faa34ccfSEd Tanous .methods(boost::beast::http::verb::delete_)( 72*faa34ccfSEd Tanous [](const crow::Request& req, 73*faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 74*faa34ccfSEd Tanous const std::string& sessionId) -> void { 75*faa34ccfSEd Tanous auto session = persistent_data::SessionStore::getInstance() 76*faa34ccfSEd Tanous .getSessionByUid(sessionId); 77*faa34ccfSEd Tanous 78*faa34ccfSEd Tanous if (session == nullptr) 79*faa34ccfSEd Tanous { 80*faa34ccfSEd Tanous messages::resourceNotFound(asyncResp->res, "Session", 81*faa34ccfSEd Tanous sessionId); 822b7981f6SKowalski, Kamil return; 832b7981f6SKowalski, Kamil } 842b7981f6SKowalski, Kamil 85900f9497SJoseph Reynolds // Perform a proper ConfigureSelf authority check. If a 86900f9497SJoseph Reynolds // session is being used to DELETE some other user's session, 87900f9497SJoseph Reynolds // then the ConfigureSelf privilege does not apply. In that 88900f9497SJoseph Reynolds // case, perform the authority check again without the user's 89900f9497SJoseph Reynolds // ConfigureSelf privilege. 90900f9497SJoseph Reynolds if (session->username != req.session->username) 91900f9497SJoseph Reynolds { 926c51eab1SEd Tanous Privileges effectiveUserPrivileges = 936c51eab1SEd Tanous redfish::getUserPrivileges(req.userRole); 946c51eab1SEd Tanous 95*faa34ccfSEd Tanous if (!effectiveUserPrivileges.isSupersetOf( 96*faa34ccfSEd Tanous {{"ConfigureUsers"}})) 97900f9497SJoseph Reynolds { 988d1b46d7Szhanghch05 messages::insufficientPrivilege(asyncResp->res); 99900f9497SJoseph Reynolds return; 100900f9497SJoseph Reynolds } 101900f9497SJoseph Reynolds } 102900f9497SJoseph Reynolds 103*faa34ccfSEd Tanous persistent_data::SessionStore::getInstance().removeSession( 104*faa34ccfSEd Tanous session); 105*faa34ccfSEd Tanous asyncResp->res.result(boost::beast::http::status::no_content); 106*faa34ccfSEd Tanous }); 107f4c4dcf4SKowalski, Kamil 108*faa34ccfSEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/") 109*faa34ccfSEd Tanous .privileges({{"Login"}}) 110*faa34ccfSEd Tanous .methods(boost::beast::http::verb::get)( 111*faa34ccfSEd Tanous [](const crow::Request& /*req*/, 112*faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void { 11355c7b7a2SEd Tanous std::vector<const std::string*> sessionIds = 11452cc112dSEd Tanous persistent_data::SessionStore::getInstance().getUniqueIds( 11552cc112dSEd Tanous false, persistent_data::PersistenceType::TIMEOUT); 1162b7981f6SKowalski, Kamil 117*faa34ccfSEd Tanous asyncResp->res.jsonValue["Members@odata.count"] = 118*faa34ccfSEd Tanous sessionIds.size(); 1198d1b46d7Szhanghch05 asyncResp->res.jsonValue["Members"] = nlohmann::json::array(); 1201abe55efSEd Tanous for (const std::string* uid : sessionIds) 1211abe55efSEd Tanous { 1228d1b46d7Szhanghch05 asyncResp->res.jsonValue["Members"].push_back( 123*faa34ccfSEd Tanous {{"@odata.id", 124*faa34ccfSEd Tanous "/redfish/v1/SessionService/Sessions/" + *uid}}); 1252b7981f6SKowalski, Kamil } 126*faa34ccfSEd Tanous asyncResp->res.jsonValue["Members@odata.count"] = 127*faa34ccfSEd Tanous sessionIds.size(); 1288d1b46d7Szhanghch05 asyncResp->res.jsonValue["@odata.type"] = 1298d1b46d7Szhanghch05 "#SessionCollection.SessionCollection"; 1308d1b46d7Szhanghch05 asyncResp->res.jsonValue["@odata.id"] = 1318d1b46d7Szhanghch05 "/redfish/v1/SessionService/Sessions/"; 1328d1b46d7Szhanghch05 asyncResp->res.jsonValue["Name"] = "Session Collection"; 1338d1b46d7Szhanghch05 asyncResp->res.jsonValue["Description"] = "Session Collection"; 134*faa34ccfSEd Tanous }); 1352b7981f6SKowalski, Kamil 136*faa34ccfSEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/") 137*faa34ccfSEd Tanous .privileges({}) 138*faa34ccfSEd Tanous .methods(boost::beast::http::verb::post)( 139*faa34ccfSEd Tanous [](const crow::Request& req, 140*faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void { 1419712f8acSEd Tanous std::string username; 1429712f8acSEd Tanous std::string password; 14308bdcc71SSunitha Harish std::optional<nlohmann::json> oemObject; 14408bdcc71SSunitha Harish std::string clientId; 145*faa34ccfSEd Tanous if (!json_util::readJson(req, asyncResp->res, "UserName", 146*faa34ccfSEd Tanous username, "Password", password, "Oem", 147*faa34ccfSEd Tanous oemObject)) 1481abe55efSEd Tanous { 1492b7981f6SKowalski, Kamil return; 1502b7981f6SKowalski, Kamil } 1512b7981f6SKowalski, Kamil 152820ce598SEd Tanous if (password.empty() || username.empty() || 1538d1b46d7Szhanghch05 asyncResp->res.result() != boost::beast::http::status::ok) 1541abe55efSEd Tanous { 1551abe55efSEd Tanous if (username.empty()) 1561abe55efSEd Tanous { 1578d1b46d7Szhanghch05 messages::propertyMissing(asyncResp->res, "UserName"); 158f4c4dcf4SKowalski, Kamil } 159f4c4dcf4SKowalski, Kamil 1601abe55efSEd Tanous if (password.empty()) 1611abe55efSEd Tanous { 1628d1b46d7Szhanghch05 messages::propertyMissing(asyncResp->res, "Password"); 163820ce598SEd Tanous } 164820ce598SEd Tanous 165820ce598SEd Tanous return; 166f4c4dcf4SKowalski, Kamil } 1672b7981f6SKowalski, Kamil 1683bf4e632SJoseph Reynolds int pamrc = pamAuthenticateUser(username, password); 1693bf4e632SJoseph Reynolds bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD; 1703bf4e632SJoseph Reynolds if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly) 1711abe55efSEd Tanous { 172*faa34ccfSEd Tanous messages::resourceAtUriUnauthorized( 173*faa34ccfSEd Tanous asyncResp->res, std::string(req.url), 174f12894f8SJason M. Bills "Invalid username or password"); 175820ce598SEd Tanous return; 1762b7981f6SKowalski, Kamil } 17708bdcc71SSunitha Harish #ifdef BMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE 17808bdcc71SSunitha Harish if (oemObject) 17908bdcc71SSunitha Harish { 18008bdcc71SSunitha Harish std::optional<nlohmann::json> bmcOem; 181*faa34ccfSEd Tanous if (!json_util::readJson(*oemObject, asyncResp->res, 182*faa34ccfSEd Tanous "OpenBMC", bmcOem)) 18308bdcc71SSunitha Harish { 18408bdcc71SSunitha Harish return; 18508bdcc71SSunitha Harish } 186*faa34ccfSEd Tanous if (!json_util::readJson(*bmcOem, asyncResp->res, 187*faa34ccfSEd Tanous "ClientID", clientId)) 18808bdcc71SSunitha Harish { 18908bdcc71SSunitha Harish BMCWEB_LOG_ERROR << "Could not read ClientId"; 19008bdcc71SSunitha Harish return; 19108bdcc71SSunitha Harish } 19208bdcc71SSunitha Harish } 19308bdcc71SSunitha Harish #endif 1946f115bbbSManojkiran Eda 195820ce598SEd Tanous // User is authenticated - create session 19652cc112dSEd Tanous std::shared_ptr<persistent_data::UserSession> session = 197*faa34ccfSEd Tanous persistent_data::SessionStore::getInstance() 198*faa34ccfSEd Tanous .generateUserSession( 199d3239224SSunitha Harish username, req.ipAddress.to_string(), clientId, 200*faa34ccfSEd Tanous persistent_data::PersistenceType::TIMEOUT, 201*faa34ccfSEd Tanous isConfigureSelfOnly); 2028d1b46d7Szhanghch05 asyncResp->res.addHeader("X-Auth-Token", session->sessionToken); 203*faa34ccfSEd Tanous asyncResp->res.addHeader( 204*faa34ccfSEd Tanous "Location", 205*faa34ccfSEd Tanous "/redfish/v1/SessionService/Sessions/" + session->uniqueId); 2068d1b46d7Szhanghch05 asyncResp->res.result(boost::beast::http::status::created); 2073bf4e632SJoseph Reynolds if (session->isConfigureSelfOnly) 2083bf4e632SJoseph Reynolds { 2093bf4e632SJoseph Reynolds messages::passwordChangeRequired( 210*faa34ccfSEd Tanous asyncResp->res, "/redfish/v1/AccountService/Accounts/" + 211*faa34ccfSEd Tanous session->username); 2122b7981f6SKowalski, Kamil } 2132b7981f6SKowalski, Kamil 214*faa34ccfSEd Tanous fillSessionObject(asyncResp->res, *session); 215*faa34ccfSEd Tanous }); 2162b7981f6SKowalski, Kamil 217*faa34ccfSEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/") 218*faa34ccfSEd Tanous .privileges({{"Login"}}) 219*faa34ccfSEd Tanous .methods(boost::beast::http::verb::get)( 220*faa34ccfSEd Tanous [](const crow::Request& /* req */, 221*faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void { 2228d1b46d7Szhanghch05 asyncResp->res.jsonValue["@odata.type"] = 2238d1b46d7Szhanghch05 "#SessionService.v1_0_2.SessionService"; 224*faa34ccfSEd Tanous asyncResp->res.jsonValue["@odata.id"] = 225*faa34ccfSEd Tanous "/redfish/v1/SessionService/"; 2268d1b46d7Szhanghch05 asyncResp->res.jsonValue["Name"] = "Session Service"; 2278d1b46d7Szhanghch05 asyncResp->res.jsonValue["Id"] = "SessionService"; 2288d1b46d7Szhanghch05 asyncResp->res.jsonValue["Description"] = "Session Service"; 2298d1b46d7Szhanghch05 asyncResp->res.jsonValue["SessionTimeout"] = 230*faa34ccfSEd Tanous persistent_data::SessionStore::getInstance() 231*faa34ccfSEd Tanous .getTimeoutInSeconds(); 2328d1b46d7Szhanghch05 asyncResp->res.jsonValue["ServiceEnabled"] = true; 2330f74e643SEd Tanous 2348d1b46d7Szhanghch05 asyncResp->res.jsonValue["Sessions"] = { 2350f261533SEd Tanous {"@odata.id", "/redfish/v1/SessionService/Sessions"}}; 236*faa34ccfSEd Tanous }); 237f2a4a606SManojkiran Eda 238*faa34ccfSEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/SessionService/") 239*faa34ccfSEd Tanous .privileges({{"ConfigureManager"}}) 240*faa34ccfSEd Tanous .methods(boost::beast::http::verb::patch)( 241*faa34ccfSEd Tanous [](const crow::Request& req, 242*faa34ccfSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void { 243f2a4a606SManojkiran Eda std::optional<int64_t> sessionTimeout; 2448d1b46d7Szhanghch05 if (!json_util::readJson(req, asyncResp->res, "SessionTimeout", 2458d1b46d7Szhanghch05 sessionTimeout)) 246f2a4a606SManojkiran Eda { 247f2a4a606SManojkiran Eda return; 248f2a4a606SManojkiran Eda } 249f2a4a606SManojkiran Eda 250f2a4a606SManojkiran Eda if (sessionTimeout) 251f2a4a606SManojkiran Eda { 252*faa34ccfSEd Tanous // The mininum & maximum allowed values for session timeout 253*faa34ccfSEd Tanous // are 30 seconds and 86400 seconds respectively as per the 254*faa34ccfSEd Tanous // session service schema mentioned at 255f2a4a606SManojkiran Eda // https://redfish.dmtf.org/schemas/v1/SessionService.v1_1_7.json 256f2a4a606SManojkiran Eda 257f2a4a606SManojkiran Eda if (*sessionTimeout <= 86400 && *sessionTimeout >= 30) 258f2a4a606SManojkiran Eda { 259*faa34ccfSEd Tanous std::chrono::seconds sessionTimeoutInseconds( 260*faa34ccfSEd Tanous *sessionTimeout); 261f2a4a606SManojkiran Eda persistent_data::SessionStore::getInstance() 262f2a4a606SManojkiran Eda .updateSessionTimeout(sessionTimeoutInseconds); 263f2a4a606SManojkiran Eda messages::propertyValueModified( 264f2a4a606SManojkiran Eda asyncResp->res, "SessionTimeOut", 265f2a4a606SManojkiran Eda std::to_string(*sessionTimeout)); 266f2a4a606SManojkiran Eda } 267f2a4a606SManojkiran Eda else 268f2a4a606SManojkiran Eda { 269f2a4a606SManojkiran Eda messages::propertyValueNotInList( 2708d1b46d7Szhanghch05 asyncResp->res, std::to_string(*sessionTimeout), 2718d1b46d7Szhanghch05 "SessionTimeOut"); 272f2a4a606SManojkiran Eda } 273f2a4a606SManojkiran Eda } 274*faa34ccfSEd Tanous }); 275f2a4a606SManojkiran Eda } 2765d27b854SBorawski.Lukasz 2772b7981f6SKowalski, Kamil } // namespace redfish 278