1 /*
2 // Copyright (c) 2018 Intel Corporation
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 */
16 #pragma once
17 
18 #include "app.hpp"
19 #include "error_messages.hpp"
20 #include "http/utility.hpp"
21 #include "persistent_data.hpp"
22 #include "query.hpp"
23 #include "registries/privilege_registry.hpp"
24 #include "utils/json_utils.hpp"
25 
26 namespace redfish
27 {
28 
29 inline void fillSessionObject(crow::Response& res,
30                               const persistent_data::UserSession& session)
31 {
32     res.jsonValue["Id"] = session.uniqueId;
33     res.jsonValue["UserName"] = session.username;
34     res.jsonValue["@odata.id"] =
35         "/redfish/v1/SessionService/Sessions/" + session.uniqueId;
36     res.jsonValue["@odata.type"] = "#Session.v1_5_0.Session";
37     res.jsonValue["Name"] = "User Session";
38     res.jsonValue["Description"] = "Manager User Session";
39     res.jsonValue["ClientOriginIPAddress"] = session.clientIp;
40     if (session.clientId)
41     {
42         res.jsonValue["Context"] = *session.clientId;
43     }
44 }
45 
46 inline void
47     handleSessionHead(crow::App& app, const crow::Request& req,
48                       const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
49                       const std::string& /*sessionId*/)
50 {
51 
52     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
53     {
54         return;
55     }
56     asyncResp->res.addHeader(
57         boost::beast::http::field::link,
58         "</redfish/v1/JsonSchemas/Session/Session.json>; rel=describedby");
59 }
60 
61 inline void
62     handleSessionGet(crow::App& app, const crow::Request& req,
63                      const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
64                      const std::string& sessionId)
65 {
66     handleSessionHead(app, req, asyncResp, sessionId);
67 
68     // Note that control also reaches here via doPost and doDelete.
69     auto session =
70         persistent_data::SessionStore::getInstance().getSessionByUid(sessionId);
71 
72     if (session == nullptr)
73     {
74         messages::resourceNotFound(asyncResp->res, "Session", sessionId);
75         return;
76     }
77 
78     fillSessionObject(asyncResp->res, *session);
79 }
80 
81 inline void
82     handleSessionDelete(crow::App& app, const crow::Request& req,
83                         const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
84                         const std::string& sessionId)
85 {
86     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
87     {
88         return;
89     }
90     auto session =
91         persistent_data::SessionStore::getInstance().getSessionByUid(sessionId);
92 
93     if (session == nullptr)
94     {
95         messages::resourceNotFound(asyncResp->res, "Session", sessionId);
96         return;
97     }
98 
99     // Perform a proper ConfigureSelf authority check.  If a
100     // session is being used to DELETE some other user's session,
101     // then the ConfigureSelf privilege does not apply.  In that
102     // case, perform the authority check again without the user's
103     // ConfigureSelf privilege.
104     if (req.session != nullptr && !session->username.empty() &&
105         session->username != req.session->username)
106     {
107         Privileges effectiveUserPrivileges =
108             redfish::getUserPrivileges(req.userRole);
109 
110         if (!effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"}))
111         {
112             messages::insufficientPrivilege(asyncResp->res);
113             return;
114         }
115     }
116 
117     persistent_data::SessionStore::getInstance().removeSession(session);
118     messages::success(asyncResp->res);
119 }
120 
121 inline nlohmann::json getSessionCollectionMembers()
122 {
123     std::vector<const std::string*> sessionIds =
124         persistent_data::SessionStore::getInstance().getUniqueIds(
125             false, persistent_data::PersistenceType::TIMEOUT);
126     nlohmann::json ret = nlohmann::json::array();
127     for (const std::string* uid : sessionIds)
128     {
129         nlohmann::json::object_t session;
130         session["@odata.id"] = "/redfish/v1/SessionService/Sessions/" + *uid;
131         ret.push_back(std::move(session));
132     }
133     return ret;
134 }
135 
136 inline void handleSessionCollectionHead(
137     crow::App& app, const crow::Request& req,
138     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
139 {
140 
141     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
142     {
143         return;
144     }
145     asyncResp->res.addHeader(
146         boost::beast::http::field::link,
147         "</redfish/v1/JsonSchemas/SessionCollection.json>; rel=describedby");
148 }
149 
150 inline void handleSessionCollectionGet(
151     crow::App& app, const crow::Request& req,
152     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
153 {
154     handleSessionCollectionHead(app, req, asyncResp);
155     asyncResp->res.jsonValue["Members"] = getSessionCollectionMembers();
156     asyncResp->res.jsonValue["Members@odata.count"] =
157         asyncResp->res.jsonValue["Members"].size();
158     asyncResp->res.jsonValue["@odata.type"] =
159         "#SessionCollection.SessionCollection";
160     asyncResp->res.jsonValue["@odata.id"] =
161         "/redfish/v1/SessionService/Sessions/";
162     asyncResp->res.jsonValue["Name"] = "Session Collection";
163     asyncResp->res.jsonValue["Description"] = "Session Collection";
164 }
165 
166 inline void handleSessionCollectionMembersGet(
167     crow::App& app, const crow::Request& req,
168     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
169 {
170     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
171     {
172         return;
173     }
174     asyncResp->res.jsonValue = getSessionCollectionMembers();
175 }
176 
177 inline void handleSessionCollectionPost(
178     crow::App& app, const crow::Request& req,
179     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
180 {
181     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
182     {
183         return;
184     }
185     std::string username;
186     std::string password;
187     std::optional<std::string> clientId;
188     if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username,
189                                   "Password", password, "Context", clientId))
190     {
191         return;
192     }
193 
194     if (password.empty() || username.empty() ||
195         asyncResp->res.result() != boost::beast::http::status::ok)
196     {
197         if (username.empty())
198         {
199             messages::propertyMissing(asyncResp->res, "UserName");
200         }
201 
202         if (password.empty())
203         {
204             messages::propertyMissing(asyncResp->res, "Password");
205         }
206 
207         return;
208     }
209 
210     int pamrc = pamAuthenticateUser(username, password);
211     bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD;
212     if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly)
213     {
214         messages::resourceAtUriUnauthorized(asyncResp->res, req.urlView,
215                                             "Invalid username or password");
216         return;
217     }
218 
219     // User is authenticated - create session
220     std::shared_ptr<persistent_data::UserSession> session =
221         persistent_data::SessionStore::getInstance().generateUserSession(
222             username, req.ipAddress, clientId,
223             persistent_data::PersistenceType::TIMEOUT, isConfigureSelfOnly);
224     if (session == nullptr)
225     {
226         messages::internalError(asyncResp->res);
227         return;
228     }
229 
230     asyncResp->res.addHeader("X-Auth-Token", session->sessionToken);
231     asyncResp->res.addHeader(
232         "Location", "/redfish/v1/SessionService/Sessions/" + session->uniqueId);
233     asyncResp->res.result(boost::beast::http::status::created);
234     if (session->isConfigureSelfOnly)
235     {
236         messages::passwordChangeRequired(
237             asyncResp->res,
238             crow::utility::urlFromPieces("redfish", "v1", "AccountService",
239                                          "Accounts", session->username));
240     }
241 
242     fillSessionObject(asyncResp->res, *session);
243 }
244 inline void handleSessionServiceHead(
245     crow::App& app, const crow::Request& req,
246     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
247 {
248 
249     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
250     {
251         return;
252     }
253     asyncResp->res.addHeader(
254         boost::beast::http::field::link,
255         "</redfish/v1/JsonSchemas/SessionService/SessionService.json>; rel=describedby");
256 }
257 inline void
258     handleSessionServiceGet(crow::App& app, const crow::Request& req,
259                             const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
260 
261 {
262     handleSessionServiceHead(app, req, asyncResp);
263     asyncResp->res.jsonValue["@odata.type"] =
264         "#SessionService.v1_0_2.SessionService";
265     asyncResp->res.jsonValue["@odata.id"] = "/redfish/v1/SessionService/";
266     asyncResp->res.jsonValue["Name"] = "Session Service";
267     asyncResp->res.jsonValue["Id"] = "SessionService";
268     asyncResp->res.jsonValue["Description"] = "Session Service";
269     asyncResp->res.jsonValue["SessionTimeout"] =
270         persistent_data::SessionStore::getInstance().getTimeoutInSeconds();
271     asyncResp->res.jsonValue["ServiceEnabled"] = true;
272 
273     asyncResp->res.jsonValue["Sessions"]["@odata.id"] =
274         "/redfish/v1/SessionService/Sessions";
275 }
276 
277 inline void handleSessionServicePatch(
278     crow::App& app, const crow::Request& req,
279     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
280 {
281     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
282     {
283         return;
284     }
285     std::optional<int64_t> sessionTimeout;
286     if (!json_util::readJsonPatch(req, asyncResp->res, "SessionTimeout",
287                                   sessionTimeout))
288     {
289         return;
290     }
291 
292     if (sessionTimeout)
293     {
294         // The mininum & maximum allowed values for session timeout
295         // are 30 seconds and 86400 seconds respectively as per the
296         // session service schema mentioned at
297         // https://redfish.dmtf.org/schemas/v1/SessionService.v1_1_7.json
298 
299         if (*sessionTimeout <= 86400 && *sessionTimeout >= 30)
300         {
301             std::chrono::seconds sessionTimeoutInseconds(*sessionTimeout);
302             persistent_data::SessionStore::getInstance().updateSessionTimeout(
303                 sessionTimeoutInseconds);
304             messages::propertyValueModified(asyncResp->res, "SessionTimeOut",
305                                             std::to_string(*sessionTimeout));
306         }
307         else
308         {
309             messages::propertyValueNotInList(asyncResp->res,
310                                              std::to_string(*sessionTimeout),
311                                              "SessionTimeOut");
312         }
313     }
314 }
315 
316 inline void requestRoutesSession(App& app)
317 {
318     BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/")
319         .privileges(redfish::privileges::headSession)
320         .methods(boost::beast::http::verb::head)(
321             std::bind_front(handleSessionHead, std::ref(app)));
322 
323     BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/")
324         .privileges(redfish::privileges::getSession)
325         .methods(boost::beast::http::verb::get)(
326             std::bind_front(handleSessionGet, std::ref(app)));
327 
328     BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/")
329         .privileges(redfish::privileges::deleteSession)
330         .methods(boost::beast::http::verb::delete_)(
331             std::bind_front(handleSessionDelete, std::ref(app)));
332 
333     BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/")
334         .privileges(redfish::privileges::headSessionCollection)
335         .methods(boost::beast::http::verb::head)(
336             std::bind_front(handleSessionCollectionHead, std::ref(app)));
337 
338     BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/")
339         .privileges(redfish::privileges::getSessionCollection)
340         .methods(boost::beast::http::verb::get)(
341             std::bind_front(handleSessionCollectionGet, std::ref(app)));
342 
343     // Note, the next two routes technically don't match the privilege
344     // registry given the way login mechanisms work.  The base privilege
345     // registry lists this endpoint as requiring login privilege, but because
346     // this is the endpoint responsible for giving the login privilege, and it
347     // is itself its own route, it needs to not require Login
348     BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/")
349         .privileges({})
350         .methods(boost::beast::http::verb::post)(
351             std::bind_front(handleSessionCollectionPost, std::ref(app)));
352 
353     BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/Members/")
354         .privileges({})
355         .methods(boost::beast::http::verb::post)(
356             std::bind_front(handleSessionCollectionPost, std::ref(app)));
357 
358     BMCWEB_ROUTE(app, "/redfish/v1/SessionService/")
359         .privileges(redfish::privileges::headSessionService)
360         .methods(boost::beast::http::verb::head)(
361             std::bind_front(handleSessionServiceHead, std::ref(app)));
362 
363     BMCWEB_ROUTE(app, "/redfish/v1/SessionService/")
364         .privileges(redfish::privileges::getSessionService)
365         .methods(boost::beast::http::verb::get)(
366             std::bind_front(handleSessionServiceGet, std::ref(app)));
367 
368     BMCWEB_ROUTE(app, "/redfish/v1/SessionService/")
369         .privileges(redfish::privileges::patchSessionService)
370         .methods(boost::beast::http::verb::patch)(
371             std::bind_front(handleSessionServicePatch, std::ref(app)));
372 }
373 
374 } // namespace redfish
375