1 // SPDX-License-Identifier: Apache-2.0 2 // SPDX-FileCopyrightText: Copyright OpenBMC Authors 3 // SPDX-FileCopyrightText: Copyright 2018 Intel Corporation 4 #pragma once 5 6 #include "account_service.hpp" 7 #include "app.hpp" 8 #include "async_resp.hpp" 9 #include "cookies.hpp" 10 #include "dbus_privileges.hpp" 11 #include "error_messages.hpp" 12 #include "http_request.hpp" 13 #include "http_response.hpp" 14 #include "pam_authenticate.hpp" 15 #include "privileges.hpp" 16 #include "query.hpp" 17 #include "registries/privilege_registry.hpp" 18 #include "sessions.hpp" 19 #include "utils/json_utils.hpp" 20 21 #include <security/_pam_types.h> 22 23 #include <boost/beast/http/field.hpp> 24 #include <boost/beast/http/status.hpp> 25 #include <boost/beast/http/verb.hpp> 26 #include <boost/url/format.hpp> 27 28 #include <chrono> 29 #include <cstdint> 30 #include <functional> 31 #include <memory> 32 #include <optional> 33 #include <string> 34 #include <utility> 35 #include <vector> 36 37 namespace redfish 38 { 39 40 inline void fillSessionObject(crow::Response& res, 41 const persistent_data::UserSession& session) 42 { 43 res.jsonValue["Id"] = session.uniqueId; 44 res.jsonValue["UserName"] = session.username; 45 nlohmann::json::array_t roles; 46 roles.emplace_back(redfish::getRoleIdFromPrivilege(session.userRole)); 47 res.jsonValue["Roles"] = std::move(roles); 48 res.jsonValue["@odata.id"] = boost::urls::format( 49 "/redfish/v1/SessionService/Sessions/{}", session.uniqueId); 50 res.jsonValue["@odata.type"] = "#Session.v1_7_0.Session"; 51 res.jsonValue["Name"] = "User Session"; 52 res.jsonValue["Description"] = "Manager User Session"; 53 res.jsonValue["ClientOriginIPAddress"] = session.clientIp; 54 if (session.clientId) 55 { 56 res.jsonValue["Context"] = *session.clientId; 57 } 58 } 59 60 inline void 61 handleSessionHead(crow::App& app, const crow::Request& req, 62 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 63 const std::string& /*sessionId*/) 64 { 65 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 66 { 67 return; 68 } 69 asyncResp->res.addHeader( 70 boost::beast::http::field::link, 71 "</redfish/v1/JsonSchemas/Session/Session.json>; rel=describedby"); 72 } 73 74 inline void 75 handleSessionGet(crow::App& app, const crow::Request& req, 76 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 77 const std::string& sessionId) 78 { 79 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 80 { 81 return; 82 } 83 asyncResp->res.addHeader( 84 boost::beast::http::field::link, 85 "</redfish/v1/JsonSchemas/Session/Session.json>; rel=describedby"); 86 87 // Note that control also reaches here via doPost and doDelete. 88 auto session = 89 persistent_data::SessionStore::getInstance().getSessionByUid(sessionId); 90 91 if (session == nullptr) 92 { 93 messages::resourceNotFound(asyncResp->res, "Session", sessionId); 94 return; 95 } 96 97 fillSessionObject(asyncResp->res, *session); 98 } 99 100 inline void 101 handleSessionDelete(crow::App& app, const crow::Request& req, 102 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 103 const std::string& sessionId) 104 { 105 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 106 { 107 return; 108 } 109 auto session = 110 persistent_data::SessionStore::getInstance().getSessionByUid(sessionId); 111 112 if (session == nullptr) 113 { 114 messages::resourceNotFound(asyncResp->res, "Session", sessionId); 115 return; 116 } 117 118 // Perform a proper ConfigureSelf authority check. If a 119 // session is being used to DELETE some other user's session, 120 // then the ConfigureSelf privilege does not apply. In that 121 // case, perform the authority check again without the user's 122 // ConfigureSelf privilege. 123 if (req.session != nullptr && !session->username.empty() && 124 session->username != req.session->username) 125 { 126 Privileges effectiveUserPrivileges = 127 redfish::getUserPrivileges(*req.session); 128 129 if (!effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"})) 130 { 131 messages::insufficientPrivilege(asyncResp->res); 132 return; 133 } 134 } 135 136 if (req.session != nullptr && req.session->uniqueId == sessionId && 137 session->cookieAuth) 138 { 139 bmcweb::clearSessionCookies(asyncResp->res); 140 } 141 142 persistent_data::SessionStore::getInstance().removeSession(session); 143 messages::success(asyncResp->res); 144 } 145 146 inline nlohmann::json getSessionCollectionMembers() 147 { 148 std::vector<std::string> sessionIds = 149 persistent_data::SessionStore::getInstance().getAllUniqueIds(); 150 nlohmann::json ret = nlohmann::json::array(); 151 for (const std::string& uid : sessionIds) 152 { 153 nlohmann::json::object_t session; 154 session["@odata.id"] = 155 boost::urls::format("/redfish/v1/SessionService/Sessions/{}", uid); 156 ret.emplace_back(std::move(session)); 157 } 158 return ret; 159 } 160 161 inline void handleSessionCollectionHead( 162 crow::App& app, const crow::Request& req, 163 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 164 { 165 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 166 { 167 return; 168 } 169 asyncResp->res.addHeader( 170 boost::beast::http::field::link, 171 "</redfish/v1/JsonSchemas/SessionCollection.json>; rel=describedby"); 172 } 173 174 inline void handleSessionCollectionGet( 175 crow::App& app, const crow::Request& req, 176 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 177 { 178 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 179 { 180 return; 181 } 182 asyncResp->res.addHeader( 183 boost::beast::http::field::link, 184 "</redfish/v1/JsonSchemas/SessionCollection.json>; rel=describedby"); 185 186 asyncResp->res.jsonValue["Members"] = getSessionCollectionMembers(); 187 asyncResp->res.jsonValue["Members@odata.count"] = 188 asyncResp->res.jsonValue["Members"].size(); 189 asyncResp->res.jsonValue["@odata.type"] = 190 "#SessionCollection.SessionCollection"; 191 asyncResp->res.jsonValue["@odata.id"] = 192 "/redfish/v1/SessionService/Sessions"; 193 asyncResp->res.jsonValue["Name"] = "Session Collection"; 194 asyncResp->res.jsonValue["Description"] = "Session Collection"; 195 } 196 197 inline void handleSessionCollectionMembersGet( 198 crow::App& app, const crow::Request& req, 199 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 200 { 201 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 202 { 203 return; 204 } 205 asyncResp->res.jsonValue = getSessionCollectionMembers(); 206 } 207 208 inline void processAfterSessionCreation( 209 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 210 const crow::Request& req, const std::string& username, 211 std::shared_ptr<persistent_data::UserSession>& session) 212 { 213 // When session is created by webui-vue give it session cookies as a 214 // non-standard Redfish extension. This is needed for authentication for 215 // WebSockets-based functionality. 216 if (!req.getHeaderValue("X-Requested-With").empty()) 217 { 218 bmcweb::setSessionCookies(asyncResp->res, *session); 219 } 220 else 221 { 222 asyncResp->res.addHeader("X-Auth-Token", session->sessionToken); 223 } 224 225 asyncResp->res.addHeader( 226 "Location", "/redfish/v1/SessionService/Sessions/" + session->uniqueId); 227 asyncResp->res.result(boost::beast::http::status::created); 228 if (session->isConfigureSelfOnly) 229 { 230 messages::passwordChangeRequired( 231 asyncResp->res, 232 boost::urls::format("/redfish/v1/AccountService/Accounts/{}", 233 session->username)); 234 } 235 236 crow::getUserInfo(asyncResp, username, session, [asyncResp, session]() { 237 fillSessionObject(asyncResp->res, *session); 238 }); 239 } 240 241 inline void handleSessionCollectionPost( 242 crow::App& app, const crow::Request& req, 243 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 244 { 245 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 246 { 247 return; 248 } 249 std::string username; 250 std::string password; 251 std::optional<std::string> clientId; 252 std::optional<std::string> token; 253 if (!json_util::readJsonPatch( // 254 req, asyncResp->res, // 255 "Context", clientId, // 256 "Password", password, // 257 "Token", token, // 258 "UserName", username // 259 )) 260 { 261 return; 262 } 263 if (password.empty() || username.empty() || 264 asyncResp->res.result() != boost::beast::http::status::ok) 265 { 266 if (username.empty()) 267 { 268 messages::propertyMissing(asyncResp->res, "UserName"); 269 } 270 271 if (password.empty()) 272 { 273 messages::propertyMissing(asyncResp->res, "Password"); 274 } 275 276 return; 277 } 278 279 int pamrc = pamAuthenticateUser(username, password, token); 280 bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD; 281 if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly) 282 { 283 messages::resourceAtUriUnauthorized(asyncResp->res, req.url(), 284 "Invalid username or password"); 285 return; 286 } 287 288 // User is authenticated - create session 289 std::shared_ptr<persistent_data::UserSession> session = 290 persistent_data::SessionStore::getInstance().generateUserSession( 291 username, req.ipAddress, clientId, 292 persistent_data::SessionType::Session, isConfigureSelfOnly); 293 if (session == nullptr) 294 { 295 messages::internalError(asyncResp->res); 296 return; 297 } 298 processAfterSessionCreation(asyncResp, req, username, session); 299 } 300 301 inline void handleSessionServiceHead( 302 crow::App& app, const crow::Request& req, 303 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 304 { 305 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 306 { 307 return; 308 } 309 asyncResp->res.addHeader( 310 boost::beast::http::field::link, 311 "</redfish/v1/JsonSchemas/SessionService/SessionService.json>; rel=describedby"); 312 } 313 inline void 314 handleSessionServiceGet(crow::App& app, const crow::Request& req, 315 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 316 317 { 318 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 319 { 320 return; 321 } 322 asyncResp->res.addHeader( 323 boost::beast::http::field::link, 324 "</redfish/v1/JsonSchemas/SessionService/SessionService.json>; rel=describedby"); 325 326 asyncResp->res.jsonValue["@odata.type"] = 327 "#SessionService.v1_0_2.SessionService"; 328 asyncResp->res.jsonValue["@odata.id"] = "/redfish/v1/SessionService"; 329 asyncResp->res.jsonValue["Name"] = "Session Service"; 330 asyncResp->res.jsonValue["Id"] = "SessionService"; 331 asyncResp->res.jsonValue["Description"] = "Session Service"; 332 asyncResp->res.jsonValue["SessionTimeout"] = 333 persistent_data::SessionStore::getInstance().getTimeoutInSeconds(); 334 asyncResp->res.jsonValue["ServiceEnabled"] = true; 335 336 asyncResp->res.jsonValue["Sessions"]["@odata.id"] = 337 "/redfish/v1/SessionService/Sessions"; 338 } 339 340 inline void handleSessionServicePatch( 341 crow::App& app, const crow::Request& req, 342 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 343 { 344 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 345 { 346 return; 347 } 348 std::optional<int64_t> sessionTimeout; 349 if (!json_util::readJsonPatch( // 350 req, asyncResp->res, // 351 "SessionTimeout", sessionTimeout // 352 )) 353 { 354 return; 355 } 356 357 if (sessionTimeout) 358 { 359 // The minimum & maximum allowed values for session timeout 360 // are 30 seconds and 86400 seconds respectively as per the 361 // session service schema mentioned at 362 // https://redfish.dmtf.org/schemas/v1/SessionService.v1_1_7.json 363 364 if (*sessionTimeout <= 86400 && *sessionTimeout >= 30) 365 { 366 std::chrono::seconds sessionTimeoutInseconds(*sessionTimeout); 367 persistent_data::SessionStore::getInstance().updateSessionTimeout( 368 sessionTimeoutInseconds); 369 messages::propertyValueModified(asyncResp->res, "SessionTimeOut", 370 std::to_string(*sessionTimeout)); 371 } 372 else 373 { 374 messages::propertyValueNotInList(asyncResp->res, *sessionTimeout, 375 "SessionTimeOut"); 376 } 377 } 378 } 379 380 inline void requestRoutesSession(App& app) 381 { 382 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/") 383 .privileges(redfish::privileges::headSession) 384 .methods(boost::beast::http::verb::head)( 385 std::bind_front(handleSessionHead, std::ref(app))); 386 387 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/") 388 .privileges(redfish::privileges::getSession) 389 .methods(boost::beast::http::verb::get)( 390 std::bind_front(handleSessionGet, std::ref(app))); 391 392 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/") 393 .privileges(redfish::privileges::deleteSession) 394 .methods(boost::beast::http::verb::delete_)( 395 std::bind_front(handleSessionDelete, std::ref(app))); 396 397 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/") 398 .privileges(redfish::privileges::headSessionCollection) 399 .methods(boost::beast::http::verb::head)( 400 std::bind_front(handleSessionCollectionHead, std::ref(app))); 401 402 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/") 403 .privileges(redfish::privileges::getSessionCollection) 404 .methods(boost::beast::http::verb::get)( 405 std::bind_front(handleSessionCollectionGet, std::ref(app))); 406 407 // Note, the next two routes technically don't match the privilege 408 // registry given the way login mechanisms work. The base privilege 409 // registry lists this endpoint as requiring login privilege, but because 410 // this is the endpoint responsible for giving the login privilege, and it 411 // is itself its own route, it needs to not require Login 412 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/") 413 .privileges({}) 414 .methods(boost::beast::http::verb::post)( 415 std::bind_front(handleSessionCollectionPost, std::ref(app))); 416 417 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/Members/") 418 .privileges({}) 419 .methods(boost::beast::http::verb::post)( 420 std::bind_front(handleSessionCollectionPost, std::ref(app))); 421 422 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/") 423 .privileges(redfish::privileges::headSessionService) 424 .methods(boost::beast::http::verb::head)( 425 std::bind_front(handleSessionServiceHead, std::ref(app))); 426 427 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/") 428 .privileges(redfish::privileges::getSessionService) 429 .methods(boost::beast::http::verb::get)( 430 std::bind_front(handleSessionServiceGet, std::ref(app))); 431 432 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/") 433 .privileges(redfish::privileges::patchSessionService) 434 .methods(boost::beast::http::verb::patch)( 435 std::bind_front(handleSessionServicePatch, std::ref(app))); 436 } 437 438 } // namespace redfish 439