1 /* 2 // Copyright (c) 2018 Intel Corporation 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 */ 16 #pragma once 17 18 #include "error_messages.hpp" 19 #include "node.hpp" 20 #include "persistent_data_middleware.hpp" 21 22 namespace redfish 23 { 24 25 class SessionCollection; 26 27 class Sessions : public Node 28 { 29 public: 30 Sessions(CrowApp& app) : 31 Node(app, "/redfish/v1/SessionService/Sessions/<str>/", std::string()) 32 { 33 entityPrivileges = { 34 {boost::beast::http::verb::get, {{"Login"}}}, 35 {boost::beast::http::verb::head, {{"Login"}}}, 36 {boost::beast::http::verb::patch, {{"ConfigureManager"}}}, 37 {boost::beast::http::verb::put, {{"ConfigureManager"}}}, 38 {boost::beast::http::verb::delete_, 39 {{"ConfigureManager"}, {"ConfigureSelf"}}}, 40 {boost::beast::http::verb::post, {{"ConfigureManager"}}}}; 41 } 42 43 private: 44 void doGet(crow::Response& res, const crow::Request& req, 45 const std::vector<std::string>& params) override 46 { 47 // Note that control also reaches here via doPost and doDelete. 48 auto session = 49 crow::persistent_data::SessionStore::getInstance().getSessionByUid( 50 params[0]); 51 52 if (session == nullptr) 53 { 54 messages::resourceNotFound(res, "Session", params[0]); 55 res.end(); 56 return; 57 } 58 59 res.jsonValue["Id"] = session->uniqueId; 60 res.jsonValue["UserName"] = session->username; 61 res.jsonValue["@odata.id"] = 62 "/redfish/v1/SessionService/Sessions/" + session->uniqueId; 63 res.jsonValue["@odata.type"] = "#Session.v1_0_2.Session"; 64 res.jsonValue["@odata.context"] = 65 "/redfish/v1/$metadata#Session.Session"; 66 res.jsonValue["Name"] = "User Session"; 67 res.jsonValue["Description"] = "Manager User Session"; 68 69 res.end(); 70 } 71 72 void doDelete(crow::Response& res, const crow::Request& req, 73 const std::vector<std::string>& params) override 74 { 75 // Need only 1 param which should be id of session to be deleted 76 if (params.size() != 1) 77 { 78 // This should be handled by crow and never happen 79 BMCWEB_LOG_ERROR << "Session DELETE has been called with invalid " 80 "number of params"; 81 82 messages::generalError(res); 83 res.end(); 84 return; 85 } 86 87 auto session = 88 crow::persistent_data::SessionStore::getInstance().getSessionByUid( 89 params[0]); 90 91 if (session == nullptr) 92 { 93 messages::resourceNotFound(res, "Session", params[0]); 94 res.end(); 95 return; 96 } 97 98 // Perform a proper ConfigureSelf authority check. If a 99 // session is being used to DELETE some other user's session, 100 // then the ConfigureSelf privilege does not apply. In that 101 // case, perform the authority check again without the user's 102 // ConfigureSelf privilege. 103 if (session->username != req.session->username) 104 { 105 if (!isAllowedWithoutConfigureSelf(req)) 106 { 107 BMCWEB_LOG_WARNING << "DELETE Session denied access"; 108 messages::insufficientPrivilege(res); 109 res.end(); 110 return; 111 } 112 } 113 114 // DELETE should return representation of object that will be removed 115 doGet(res, req, params); 116 117 crow::persistent_data::SessionStore::getInstance().removeSession( 118 session); 119 } 120 121 /** 122 * This allows SessionCollection to reuse this class' doGet method, to 123 * maintain consistency of returned data, as Collection's doPost should 124 * return data for created member which should match member's doGet result 125 * in 100% 126 */ 127 friend SessionCollection; 128 }; 129 130 class SessionCollection : public Node 131 { 132 public: 133 SessionCollection(CrowApp& app) : 134 Node(app, "/redfish/v1/SessionService/Sessions/"), memberSession(app) 135 { 136 entityPrivileges = { 137 {boost::beast::http::verb::get, {{"Login"}}}, 138 {boost::beast::http::verb::head, {{"Login"}}}, 139 {boost::beast::http::verb::patch, {{"ConfigureManager"}}}, 140 {boost::beast::http::verb::put, {{"ConfigureManager"}}}, 141 {boost::beast::http::verb::delete_, {{"ConfigureManager"}}}, 142 {boost::beast::http::verb::post, {}}}; 143 } 144 145 private: 146 void doGet(crow::Response& res, const crow::Request& req, 147 const std::vector<std::string>& params) override 148 { 149 std::vector<const std::string*> sessionIds = 150 crow::persistent_data::SessionStore::getInstance().getUniqueIds( 151 false, crow::persistent_data::PersistenceType::TIMEOUT); 152 153 res.jsonValue["Members@odata.count"] = sessionIds.size(); 154 res.jsonValue["Members"] = nlohmann::json::array(); 155 for (const std::string* uid : sessionIds) 156 { 157 res.jsonValue["Members"].push_back( 158 {{"@odata.id", "/redfish/v1/SessionService/Sessions/" + *uid}}); 159 } 160 res.jsonValue["Members@odata.count"] = sessionIds.size(); 161 res.jsonValue["@odata.type"] = "#SessionCollection.SessionCollection"; 162 res.jsonValue["@odata.id"] = "/redfish/v1/SessionService/Sessions/"; 163 res.jsonValue["@odata.context"] = 164 "/redfish/v1/$metadata#SessionCollection.SessionCollection"; 165 res.jsonValue["Name"] = "Session Collection"; 166 res.jsonValue["Description"] = "Session Collection"; 167 res.end(); 168 } 169 170 void doPost(crow::Response& res, const crow::Request& req, 171 const std::vector<std::string>& params) override 172 { 173 std::string username; 174 std::string password; 175 if (!json_util::readJson(req, res, "UserName", username, "Password", 176 password)) 177 { 178 res.end(); 179 return; 180 } 181 182 if (password.empty() || username.empty() || 183 res.result() != boost::beast::http::status::ok) 184 { 185 if (username.empty()) 186 { 187 messages::propertyMissing(res, "UserName"); 188 } 189 190 if (password.empty()) 191 { 192 messages::propertyMissing(res, "Password"); 193 } 194 res.end(); 195 196 return; 197 } 198 199 if (pamAuthenticateUser(username, password) != PAM_SUCCESS) 200 { 201 messages::resourceAtUriUnauthorized(res, std::string(req.url), 202 "Invalid username or password"); 203 res.end(); 204 205 return; 206 } 207 208 // User is authenticated - create session 209 std::shared_ptr<crow::persistent_data::UserSession> session = 210 crow::persistent_data::SessionStore::getInstance() 211 .generateUserSession(username); 212 res.addHeader("X-Auth-Token", session->sessionToken); 213 res.addHeader("Location", "/redfish/v1/SessionService/Sessions/" + 214 session->uniqueId); 215 res.result(boost::beast::http::status::created); 216 memberSession.doGet(res, req, {session->uniqueId}); 217 } 218 219 /** 220 * Member session to ensure consistency between collection's doPost and 221 * member's doGet, as they should return 100% matching data 222 */ 223 Sessions memberSession; 224 }; 225 226 class SessionService : public Node 227 { 228 public: 229 SessionService(CrowApp& app) : Node(app, "/redfish/v1/SessionService/") 230 { 231 232 entityPrivileges = { 233 {boost::beast::http::verb::get, {{"Login"}}}, 234 {boost::beast::http::verb::head, {{"Login"}}}, 235 {boost::beast::http::verb::patch, {{"ConfigureManager"}}}, 236 {boost::beast::http::verb::put, {{"ConfigureManager"}}}, 237 {boost::beast::http::verb::delete_, {{"ConfigureManager"}}}, 238 {boost::beast::http::verb::post, {{"ConfigureManager"}}}}; 239 } 240 241 private: 242 void doGet(crow::Response& res, const crow::Request& req, 243 const std::vector<std::string>& params) override 244 { 245 res.jsonValue["@odata.type"] = "#SessionService.v1_0_2.SessionService"; 246 res.jsonValue["@odata.id"] = "/redfish/v1/SessionService/"; 247 res.jsonValue["@odata.context"] = 248 "/redfish/v1/$metadata#SessionService.SessionService"; 249 res.jsonValue["Name"] = "Session Service"; 250 res.jsonValue["Id"] = "SessionService"; 251 res.jsonValue["Description"] = "Session Service"; 252 res.jsonValue["SessionTimeout"] = 253 crow::persistent_data::SessionStore::getInstance() 254 .getTimeoutInSeconds(); 255 res.jsonValue["ServiceEnabled"] = true; 256 257 res.jsonValue["Sessions"] = { 258 {"@odata.id", "/redfish/v1/SessionService/Sessions"}}; 259 260 res.end(); 261 } 262 }; 263 264 } // namespace redfish 265