1 #pragma once 2 3 #include "logging.hpp" 4 #include "ossl_random.hpp" 5 #include "utility.hpp" 6 #include "utils/ip_utils.hpp" 7 8 #include <nlohmann/json.hpp> 9 10 #include <algorithm> 11 #include <csignal> 12 #include <optional> 13 #include <random> 14 #include <string> 15 16 namespace persistent_data 17 { 18 19 // entropy: 20 characters, 62 possibilities. log2(62^20) = 119 bits of 20 // entropy. OWASP recommends at least 64 21 // https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-id-entropy 22 constexpr std::size_t sessionTokenSize = 20; 23 24 enum class PersistenceType 25 { 26 TIMEOUT, // User session times out after a predetermined amount of time 27 SINGLE_REQUEST // User times out once this request is completed. 28 }; 29 30 struct UserSession 31 { 32 std::string uniqueId; 33 std::string sessionToken; 34 std::string username; 35 std::string csrfToken; 36 std::optional<std::string> clientId; 37 std::string clientIp; 38 std::chrono::time_point<std::chrono::steady_clock> lastUpdated; 39 PersistenceType persistence{PersistenceType::TIMEOUT}; 40 bool cookieAuth = false; 41 bool isConfigureSelfOnly = false; 42 std::string userRole; 43 std::vector<std::string> userGroups; 44 45 // There are two sources of truth for isConfigureSelfOnly: 46 // 1. When pamAuthenticateUser() returns PAM_NEW_AUTHTOK_REQD. 47 // 2. D-Bus User.Manager.GetUserInfo property UserPasswordExpired. 48 // These should be in sync, but the underlying condition can change at any 49 // time. For example, a password can expire or be changed outside of 50 // bmcweb. The value stored here is updated at the start of each 51 // operation and used as the truth within bmcweb. 52 53 /** 54 * @brief Fills object with data from UserSession's JSON representation 55 * 56 * This replaces nlohmann's from_json to ensure no-throw approach 57 * 58 * @param[in] j JSON object from which data should be loaded 59 * 60 * @return a shared pointer if data has been loaded properly, nullptr 61 * otherwise 62 */ 63 static std::shared_ptr<UserSession> fromJson(const nlohmann::json& j) 64 { 65 std::shared_ptr<UserSession> userSession = 66 std::make_shared<UserSession>(); 67 for (const auto& element : j.items()) 68 { 69 const std::string* thisValue = 70 element.value().get_ptr<const std::string*>(); 71 if (thisValue == nullptr) 72 { 73 BMCWEB_LOG_ERROR( 74 "Error reading persistent store. Property {} was not of type string", 75 element.key()); 76 continue; 77 } 78 if (element.key() == "unique_id") 79 { 80 userSession->uniqueId = *thisValue; 81 } 82 else if (element.key() == "session_token") 83 { 84 userSession->sessionToken = *thisValue; 85 } 86 else if (element.key() == "csrf_token") 87 { 88 userSession->csrfToken = *thisValue; 89 } 90 else if (element.key() == "username") 91 { 92 userSession->username = *thisValue; 93 } 94 else if (element.key() == "client_id") 95 { 96 userSession->clientId = *thisValue; 97 } 98 else if (element.key() == "client_ip") 99 { 100 userSession->clientIp = *thisValue; 101 } 102 103 else 104 { 105 BMCWEB_LOG_ERROR( 106 "Got unexpected property reading persistent file: {}", 107 element.key()); 108 continue; 109 } 110 } 111 // If any of these fields are missing, we can't restore the session, as 112 // we don't have enough information. These 4 fields have been present 113 // in every version of this file in bmcwebs history, so any file, even 114 // on upgrade, should have these present 115 if (userSession->uniqueId.empty() || userSession->username.empty() || 116 userSession->sessionToken.empty() || userSession->csrfToken.empty()) 117 { 118 BMCWEB_LOG_DEBUG("Session missing required security " 119 "information, refusing to restore"); 120 return nullptr; 121 } 122 123 // For now, sessions that were persisted through a reboot get their idle 124 // timer reset. This could probably be overcome with a better 125 // understanding of wall clock time and steady timer time, possibly 126 // persisting values with wall clock time instead of steady timer, but 127 // the tradeoffs of all the corner cases involved are non-trivial, so 128 // this is done temporarily 129 userSession->lastUpdated = std::chrono::steady_clock::now(); 130 userSession->persistence = PersistenceType::TIMEOUT; 131 132 return userSession; 133 } 134 }; 135 136 struct AuthConfigMethods 137 { 138 bool basic = BMCWEB_BASIC_AUTH; 139 bool sessionToken = BMCWEB_SESSION_AUTH; 140 bool xtoken = BMCWEB_XTOKEN_AUTH; 141 bool cookie = BMCWEB_COOKIE_AUTH; 142 bool tls = BMCWEB_MUTUAL_TLS_AUTH; 143 144 void fromJson(const nlohmann::json& j) 145 { 146 for (const auto& element : j.items()) 147 { 148 const bool* value = element.value().get_ptr<const bool*>(); 149 if (value == nullptr) 150 { 151 continue; 152 } 153 154 if (element.key() == "XToken") 155 { 156 xtoken = *value; 157 } 158 else if (element.key() == "Cookie") 159 { 160 cookie = *value; 161 } 162 else if (element.key() == "SessionToken") 163 { 164 sessionToken = *value; 165 } 166 else if (element.key() == "BasicAuth") 167 { 168 basic = *value; 169 } 170 else if (element.key() == "TLS") 171 { 172 tls = *value; 173 } 174 } 175 } 176 }; 177 178 class SessionStore 179 { 180 public: 181 std::shared_ptr<UserSession> generateUserSession( 182 std::string_view username, const boost::asio::ip::address& clientIp, 183 const std::optional<std::string>& clientId, 184 PersistenceType persistence = PersistenceType::TIMEOUT, 185 bool isConfigureSelfOnly = false) 186 { 187 // Only need csrf tokens for cookie based auth, token doesn't matter 188 std::string sessionToken = 189 bmcweb::getRandomIdOfLength(sessionTokenSize); 190 std::string csrfToken = bmcweb::getRandomIdOfLength(sessionTokenSize); 191 std::string uniqueId = bmcweb::getRandomIdOfLength(10); 192 193 // 194 if (sessionToken.empty() || csrfToken.empty() || uniqueId.empty()) 195 { 196 BMCWEB_LOG_ERROR("Failed to generate session tokens"); 197 return nullptr; 198 } 199 200 auto session = std::make_shared<UserSession>( 201 UserSession{uniqueId, 202 sessionToken, 203 std::string(username), 204 csrfToken, 205 clientId, 206 redfish::ip_util::toString(clientIp), 207 std::chrono::steady_clock::now(), 208 persistence, 209 false, 210 isConfigureSelfOnly, 211 "", 212 {}}); 213 auto it = authTokens.emplace(sessionToken, session); 214 // Only need to write to disk if session isn't about to be destroyed. 215 needWrite = persistence == PersistenceType::TIMEOUT; 216 return it.first->second; 217 } 218 219 std::shared_ptr<UserSession> loginSessionByToken(std::string_view token) 220 { 221 applySessionTimeouts(); 222 if (token.size() != sessionTokenSize) 223 { 224 return nullptr; 225 } 226 auto sessionIt = authTokens.find(std::string(token)); 227 if (sessionIt == authTokens.end()) 228 { 229 return nullptr; 230 } 231 std::shared_ptr<UserSession> userSession = sessionIt->second; 232 userSession->lastUpdated = std::chrono::steady_clock::now(); 233 return userSession; 234 } 235 236 std::shared_ptr<UserSession> getSessionByUid(std::string_view uid) 237 { 238 applySessionTimeouts(); 239 // TODO(Ed) this is inefficient 240 auto sessionIt = authTokens.begin(); 241 while (sessionIt != authTokens.end()) 242 { 243 if (sessionIt->second->uniqueId == uid) 244 { 245 return sessionIt->second; 246 } 247 sessionIt++; 248 } 249 return nullptr; 250 } 251 252 void removeSession(const std::shared_ptr<UserSession>& session) 253 { 254 authTokens.erase(session->sessionToken); 255 needWrite = true; 256 } 257 258 std::vector<const std::string*> getUniqueIds( 259 bool getAll = true, 260 const PersistenceType& type = PersistenceType::SINGLE_REQUEST) 261 { 262 applySessionTimeouts(); 263 264 std::vector<const std::string*> ret; 265 ret.reserve(authTokens.size()); 266 for (auto& session : authTokens) 267 { 268 if (getAll || type == session.second->persistence) 269 { 270 ret.push_back(&session.second->uniqueId); 271 } 272 } 273 return ret; 274 } 275 276 void removeSessionsByUsername(std::string_view username) 277 { 278 std::erase_if(authTokens, [username](const auto& value) { 279 if (value.second == nullptr) 280 { 281 return false; 282 } 283 return value.second->username == username; 284 }); 285 } 286 287 void removeSessionsByUsernameExceptSession( 288 std::string_view username, const std::shared_ptr<UserSession>& session) 289 { 290 std::erase_if(authTokens, [username, session](const auto& value) { 291 if (value.second == nullptr) 292 { 293 return false; 294 } 295 296 return value.second->username == username && 297 value.second->uniqueId != session->uniqueId; 298 }); 299 } 300 301 void updateAuthMethodsConfig(const AuthConfigMethods& config) 302 { 303 bool isTLSchanged = (authMethodsConfig.tls != config.tls); 304 authMethodsConfig = config; 305 needWrite = true; 306 if (isTLSchanged) 307 { 308 // recreate socket connections with new settings 309 std::raise(SIGHUP); 310 } 311 } 312 313 AuthConfigMethods& getAuthMethodsConfig() 314 { 315 return authMethodsConfig; 316 } 317 318 bool needsWrite() const 319 { 320 return needWrite; 321 } 322 int64_t getTimeoutInSeconds() const 323 { 324 return std::chrono::seconds(timeoutInSeconds).count(); 325 } 326 327 void updateSessionTimeout(std::chrono::seconds newTimeoutInSeconds) 328 { 329 timeoutInSeconds = newTimeoutInSeconds; 330 needWrite = true; 331 } 332 333 static SessionStore& getInstance() 334 { 335 static SessionStore sessionStore; 336 return sessionStore; 337 } 338 339 void applySessionTimeouts() 340 { 341 auto timeNow = std::chrono::steady_clock::now(); 342 if (timeNow - lastTimeoutUpdate > std::chrono::seconds(1)) 343 { 344 lastTimeoutUpdate = timeNow; 345 auto authTokensIt = authTokens.begin(); 346 while (authTokensIt != authTokens.end()) 347 { 348 if (timeNow - authTokensIt->second->lastUpdated >= 349 timeoutInSeconds) 350 { 351 authTokensIt = authTokens.erase(authTokensIt); 352 353 needWrite = true; 354 } 355 else 356 { 357 authTokensIt++; 358 } 359 } 360 } 361 } 362 363 SessionStore(const SessionStore&) = delete; 364 SessionStore& operator=(const SessionStore&) = delete; 365 SessionStore(SessionStore&&) = delete; 366 SessionStore& operator=(const SessionStore&&) = delete; 367 ~SessionStore() = default; 368 369 std::unordered_map<std::string, std::shared_ptr<UserSession>, 370 std::hash<std::string>, 371 crow::utility::ConstantTimeCompare> 372 authTokens; 373 374 std::chrono::time_point<std::chrono::steady_clock> lastTimeoutUpdate; 375 bool needWrite{false}; 376 std::chrono::seconds timeoutInSeconds; 377 AuthConfigMethods authMethodsConfig; 378 379 private: 380 SessionStore() : timeoutInSeconds(1800) {} 381 }; 382 383 } // namespace persistent_data 384