1 /*.
2 // Copyright (c) 2018 Intel Corporation
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 */
16 #pragma once
17 #include "user_layer.hpp"
18 
19 #include <boost/interprocess/sync/file_lock.hpp>
20 #include <boost/interprocess/sync/named_recursive_mutex.hpp>
21 #include <cstdint>
22 #include <ctime>
23 #include <ipmid/api.hpp>
24 #include <sdbusplus/bus.hpp>
25 #include <variant>
26 
27 namespace ipmi
28 {
29 
30 using DbusUserPropVariant =
31     std::variant<std::vector<std::string>, std::string, bool>;
32 
33 using DbusUserObjPath = sdbusplus::message::object_path;
34 
35 using DbusUserObjProperties =
36     std::vector<std::pair<std::string, DbusUserPropVariant>>;
37 
38 using DbusUserObjValue = std::map<std::string, DbusUserObjProperties>;
39 
40 /**
41  * @enum User update events.
42  */
43 enum class UserUpdateEvent
44 {
45     reservedEvent,
46     userCreated,
47     userDeleted,
48     userRenamed,
49     userGrpUpdated,
50     userPrivUpdated,
51     userStateUpdated
52 };
53 
54 /** @struct UserPrivAccess
55  *
56  *  Structure for user privilege access (refer spec sec 22.22)
57  */
58 struct UserPrivAccess
59 {
60     uint8_t privilege;
61     bool ipmiEnabled;
62     bool linkAuthEnabled;
63     bool accessCallback;
64 };
65 
66 /** @struct UserInfo
67  *
68  *  Structure for user related information
69  */
70 struct UserInfo
71 {
72     uint8_t userName[ipmiMaxUserName];
73     UserPrivAccess userPrivAccess[ipmiMaxChannels];
74     bool userEnabled;
75     bool userInSystem;
76     bool fixedUserName;
77     PayloadAccess payloadAccess[ipmiMaxChannels];
78 };
79 
80 /** @struct UsersTbl
81  *
82  *  Structure for array of user related information
83  */
84 struct UsersTbl
85 {
86     //+1 to map with UserId directly. UserId 0 is reserved.
87     UserInfo user[ipmiMaxUsers + 1];
88 };
89 
90 /** @brief PAM User Authentication check
91  *
92  *  @param[in] username - username in string
93  *  @param[in] password	- password in string
94  *
95  *  @return status
96  */
97 bool pamUserCheckAuthenticate(std::string_view username,
98                               std::string_view password);
99 
100 class UserAccess;
101 
102 UserAccess& getUserAccessObject();
103 
104 class UserAccess
105 {
106   public:
107     UserAccess(const UserAccess&) = delete;
108     UserAccess& operator=(const UserAccess&) = delete;
109     UserAccess(UserAccess&&) = delete;
110     UserAccess& operator=(UserAccess&&) = delete;
111 
112     ~UserAccess();
113     UserAccess();
114 
115     /** @brief determines valid channel
116      *
117      *  @param[in] chNum - channel number
118      *
119      *  @return true if valid, false otherwise
120      */
121     static bool isValidChannel(const uint8_t chNum);
122 
123     /** @brief determines valid userId
124      *
125      *  @param[in] userId - user id
126      *
127      *  @return true if valid, false otherwise
128      */
129     static bool isValidUserId(const uint8_t userId);
130 
131     /** @brief determines valid user privilege
132      *
133      *  @param[in] priv - Privilege
134      *
135      *  @return true if valid, false otherwise
136      */
137     static bool isValidPrivilege(const uint8_t priv);
138 
139     /** @brief determines sync index to be mapped with common-user-management
140      *
141      *  @return Index which will be used as sync index
142      */
143     static uint8_t getUsrMgmtSyncIndex();
144 
145     /** @brief Converts system privilege to IPMI privilege
146      *
147      *  @param[in] value - Privilege in string
148      *
149      *  @return CommandPrivilege - IPMI privilege type
150      */
151     static CommandPrivilege convertToIPMIPrivilege(const std::string& value);
152 
153     /** @brief Converts IPMI privilege to system privilege
154      *
155      *  @param[in] value - IPMI privilege
156      *
157      *  @return System privilege in string
158      */
159     static std::string convertToSystemPrivilege(const CommandPrivilege& value);
160 
161     /** @brief determines whether user name is valid
162      *
163      *  @param[in] userNameInChar - user name
164      *
165      *  @return true if valid, false otherwise
166      */
167     bool isValidUserName(const std::string& userName);
168 
169     /** @brief determines whether ipmi is in available groups list
170      *
171      * @return true if ipmi group is present, false otherwise
172      */
173     bool isIpmiInAvailableGroupList();
174 
175     /** @brief provides user id of the user
176      *
177      *  @param[in] userName - user name
178      *
179      *  @return user id of the user, else invalid user id (0xFF), if user not
180      * found
181      */
182     uint8_t getUserId(const std::string& userName);
183 
184     /** @brief provides user information
185      *
186      *  @param[in] userId - user id
187      *
188      *  @return UserInfo for the specified user id
189      */
190     UserInfo* getUserInfo(const uint8_t userId);
191 
192     /** @brief sets user information
193      *
194      *  @param[in] userId - user id
195      *  @param[in] userInfo - user information
196      *
197      */
198     void setUserInfo(const uint8_t userId, UserInfo* userInfo);
199 
200     /** @brief provides user name
201      *
202      *  @param[in] userId - user id
203      *  @param[out] userName - user name
204      *
205      *  @return ccSuccess for success, others for failure.
206      */
207     Cc getUserName(const uint8_t userId, std::string& userName);
208 
209     /** @brief to set user name
210      *
211      *  @param[in] userId - user id
212      *  @param[in] userName - user name
213      *
214      *  @return ccSuccess for success, others for failure.
215      */
216     Cc setUserName(const uint8_t userId, const std::string& userName);
217 
218     /** @brief to set user enabled state
219      *
220      *  @param[in] userId - user id
221      *  @param[in] enabledState - enabled state of the user
222      *
223      *  @return ccSuccess for success, others for failure.
224      */
225     Cc setUserEnabledState(const uint8_t userId, const bool& enabledState);
226 
227     /** @brief to set user password
228      *
229      *  @param[in] userId - user id
230      *  @param[in] userPassword  - new password of the user
231      *
232      *  @return ccSuccess for success, others for failure.
233      */
234     Cc setUserPassword(const uint8_t userId, const char* userPassword);
235 
236     /** @brief to set special user password
237      *
238      *  @param[in] userName - user name
239      *  @param[in] userPassword  - new password of the user
240      *
241      *  @return ccSuccess for success, others for failure.
242      */
243     Cc setSpecialUserPassword(const std::string& userName,
244                               const SecureString& userPassword);
245 
246     /** @brief to set user privilege and access details
247      *
248      *  @param[in] userId - user id
249      *  @param[in] chNum - channel number
250      *  @param[in] privAccess - privilege access
251      *  @param[in] otherPrivUpdates - other privilege update flag to update ipmi
252      * enable, link authentication and access callback
253      *
254      *  @return ccSuccess for success, others for failure.
255      */
256     Cc setUserPrivilegeAccess(const uint8_t userId, const uint8_t chNum,
257                               const UserPrivAccess& privAccess,
258                               const bool& otherPrivUpdates);
259 
260     /** @brief to get user payload access details from userInfo entry.
261      *
262      *  @param[in] userInfo    - userInfo entry in usersTbl.
263      *  @param[out] stdPayload - stdPayloadEnables1 in a 2D-array.
264      *  @param[out] oemPayload - oemPayloadEnables1 in a 2D-array.
265      *
266      *  @details Update the given 2D-arrays using the payload access details
267      *  available in the given userInfo entry (from usersTbl).
268      *  This 2D-array will be mapped to a JSON object (which will be written to
269      *  a JSON file subsequently).
270      */
271     void readPayloadAccessFromUserInfo(
272         const UserInfo& userInfo,
273         std::array<std::array<bool, ipmiMaxChannels>, payloadsPerByte>&
274             stdPayload,
275         std::array<std::array<bool, ipmiMaxChannels>, payloadsPerByte>&
276             oemPayload);
277 
278     /** @brief to update user payload access details in userInfo entry.
279      *
280      *  @param[in] stdPayload - stdPayloadEnables1 in a 2D-array.
281      *  @param[in] oemPayload - oemPayloadEnables1 in a 2D-array.
282      *  @param[out] userInfo  - userInfo entry in usersTbl.
283      *
284      *  @details Update user payload access details of a given userInfo
285      *  entry (in usersTbl) with the information provided in given 2D-arrays.
286      *  This 2D-array was created out of a JSON object (which was created by
287      *  parsing a JSON file).
288      */
289     void updatePayloadAccessInUserInfo(
290         const std::array<std::array<bool, ipmiMaxChannels>, payloadsPerByte>&
291             stdPayload,
292         const std::array<std::array<bool, ipmiMaxChannels>, payloadsPerByte>&
293             oemPayload,
294         UserInfo& userInfo);
295 
296     /** @brief to set user payload access details
297      *
298      *  @param[in] chNum - channel number
299      *  @param[in] operation - Enable / Disable
300      *  @param[in] userId - user id
301      *  @param[in] payloadAccess - payload access
302      *
303      *  @return ccSuccess for success, others for failure.
304      */
305     Cc setUserPayloadAccess(const uint8_t chNum, const uint8_t operation,
306                             const uint8_t userId,
307                             const PayloadAccess& payloadAccess);
308 
309     /** @brief reads user management related data from configuration file
310      *
311      */
312     void readUserData();
313 
314     /** @brief writes user management related data to configuration file
315      *
316      */
317     void writeUserData();
318 
319     /** @brief Funtion which checks and reload configuration file data if
320      * needed.
321      *
322      */
323     void checkAndReloadUserData();
324 
325     /** @brief provides user details from D-Bus user property data
326      *
327      *  @param[in] properties - D-Bus user property
328      *  @param[out] usrGrps - user group details
329      *  @param[out] usrPriv - user privilege
330      *  @param[out] usrEnabled - enabled state of the user.
331      *
332      *  @return 0 for success, -errno for failure.
333      */
334     void getUserProperties(const DbusUserObjProperties& properties,
335                            std::vector<std::string>& usrGrps,
336                            std::string& usrPriv, bool& usrEnabled);
337 
338     /** @brief provides user details from D-Bus user object data
339      *
340      *  @param[in] userObjs - D-Bus user object
341      *  @param[out] usrGrps - user group details
342      *  @param[out] usrPriv - user privilege
343      *  @param[out] usrEnabled - enabled state of the user.
344      *
345      *  @return 0 for success, -errno for failure.
346      */
347     int getUserObjProperties(const DbusUserObjValue& userObjs,
348                              std::vector<std::string>& usrGrps,
349                              std::string& usrPriv, bool& usrEnabled);
350 
351     /** @brief function to add user entry information to the configuration
352      *
353      *  @param[in] userName - user name
354      *  @param[in] priv - privilege of the user
355      *  @param[in] enabled - enabled state of the user
356      *
357      *  @return true for success, false for failure
358      */
359     bool addUserEntry(const std::string& userName, const std::string& priv,
360                       const bool& enabled);
361 
362     /** @brief function to delete user entry based on user index
363      *
364      *  @param[in] usrIdx - user index
365      *
366      */
367     void deleteUserIndex(const size_t& usrIdx);
368 
369     /** @brief function to get users table
370      *
371      */
372     UsersTbl* getUsersTblPtr();
373 
374     std::unique_ptr<boost::interprocess::named_recursive_mutex> userMutex{
375         nullptr};
376 
377   private:
378     UsersTbl usersTbl;
379     std::vector<std::string> availablePrivileges;
380     std::vector<std::string> availableGroups;
381     sdbusplus::bus::bus bus;
382     std::timespec fileLastUpdatedTime;
383     bool signalHndlrObject = false;
384     boost::interprocess::file_lock sigHndlrLock;
385     boost::interprocess::file_lock mutexCleanupLock;
386 
387     /** @brief function to get user configuration file timestamp
388      *
389      *  @return time stamp or -EIO for failure
390      */
391     std::timespec getUpdatedFileTime();
392 
393     /** @brief function to available system privileges and groups
394      *
395      */
396     void getSystemPrivAndGroups();
397 
398     /** @brief function to init user data from configuration & D-Bus objects
399      * and to register for signals
400      *
401      */
402     void cacheUserDataFile();
403 };
404 
405 } // namespace ipmi
406