include/dbus_privileges.hpp - openbmc/bmcweb - Gitiles

 #pragma once

 #include "dbus_utility.hpp"
 #include "error_messages.hpp"
 #include "http_request.hpp"
 #include "http_response.hpp"
 #include "logging.hpp"
 #include "routing/baserule.hpp"
 #include "utils/dbus_utils.hpp"

 #include <boost/url/format.hpp>
 #include <sdbusplus/unpack_properties.hpp>

 #include <memory>
 #include <string>
 #include <utility>
 #include <vector>

 namespace crow
 {
 // Populate session with user information.
 inline bool
     populateUserInfo(persistent_data::UserSession& session,
                      const dbus::utility::DBusPropertiesMap& userInfoMap)
 {
     std::string userRole;
     bool remoteUser = false;
     std::optional<bool> passwordExpired;
     std::optional<std::vector<std::string>> userGroups;

     const bool success = sdbusplus::unpackPropertiesNoThrow(
         redfish::dbus_utils::UnpackErrorPrinter(), userInfoMap, "UserPrivilege",
         userRole, "RemoteUser", remoteUser, "UserPasswordExpired",
         passwordExpired, "UserGroups", userGroups);

     if (!success)
     {
         BMCWEB_LOG_ERROR("Failed to unpack user properties.");
         return false;
     }

     if (!remoteUser && (!passwordExpired || !userGroups))
     {
         BMCWEB_LOG_ERROR(
             "Missing UserPasswordExpired or UserGroups property for local user");
         return false;
     }

     session.userRole = userRole;
     BMCWEB_LOG_DEBUG("userName = {} userRole = {}", session.username, userRole);

     // Set isConfigureSelfOnly based on D-Bus results.  This
     // ignores the results from both pamAuthenticateUser and the
     // value from any previous use of this session.
     session.isConfigureSelfOnly = passwordExpired.value_or(false);

     session.userGroups.clear();
     if (userGroups)
     {
         session.userGroups.swap(*userGroups);
     }

     return true;
 }

 inline bool isUserPrivileged(
     Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
     BaseRule& rule)
 {
     if (req.session == nullptr)
     {
         return false;
     }
     // Get the user's privileges from the role
     redfish::Privileges userPrivileges =
         redfish::getUserPrivileges(*req.session);

     // Modify privileges if isConfigureSelfOnly.
     if (req.session->isConfigureSelfOnly)
     {
         // Remove all privileges except ConfigureSelf
         userPrivileges =
             userPrivileges.intersection(redfish::Privileges{"ConfigureSelf"});
         BMCWEB_LOG_DEBUG("Operation limited to ConfigureSelf");
     }

     if (!rule.checkPrivileges(userPrivileges))
     {
         asyncResp->res.result(boost::beast::http::status::forbidden);
         if (req.session->isConfigureSelfOnly)
         {
             redfish::messages::passwordChangeRequired(
                 asyncResp->res,
                 boost::urls::format("/redfish/v1/AccountService/Accounts/{}",
                                     req.session->username));
         }
         return false;
     }

     req.userRole = req.session->userRole;
     return true;
 }

 inline bool afterGetUserInfoValidate(
     Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
     BaseRule& rule, const dbus::utility::DBusPropertiesMap& userInfoMap)
 {
     if (req.session == nullptr || !populateUserInfo(*req.session, userInfoMap))
     {
         BMCWEB_LOG_ERROR("Failed to populate user information");
         asyncResp->res.result(
             boost::beast::http::status::internal_server_error);
         return false;
     }

     if (!isUserPrivileged(req, asyncResp, rule))
     {
         // User is not privileged
         BMCWEB_LOG_ERROR("Insufficient Privilege");
         asyncResp->res.result(boost::beast::http::status::forbidden);
         return false;
     }

     return true;
 }

 template <typename CallbackFn>
 void requestUserInfo(const std::string& username,
                      const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
                      CallbackFn&& callback)
 {
     crow::connections::systemBus->async_method_call(
         [asyncResp, callback = std::forward<CallbackFn>(callback)](
             const boost::system::error_code& ec,
             const dbus::utility::DBusPropertiesMap& userInfoMap) mutable {
             if (ec)
             {
                 BMCWEB_LOG_ERROR("GetUserInfo failed...");
                 asyncResp->res.result(
                     boost::beast::http::status::internal_server_error);
                 return;
             }
             callback(userInfoMap);
         },
         "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
         "xyz.openbmc_project.User.Manager", "GetUserInfo", username);
 }

 template <typename CallbackFn>
 void validatePrivilege(const std::shared_ptr<Request>& req,
                        const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
                        BaseRule& rule, CallbackFn&& callback)
 {
     if (req->session == nullptr)
     {
         return;
     }

     requestUserInfo(
         req->session->username, asyncResp,
         [req, asyncResp, &rule, callback = std::forward<CallbackFn>(callback)](
             const dbus::utility::DBusPropertiesMap& userInfoMap) mutable {
             if (afterGetUserInfoValidate(*req, asyncResp, rule, userInfoMap))
             {
                 callback();
             }
         });
 }

 template <typename CallbackFn>
 void getUserInfo(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
                  const std::string& username,
                  std::shared_ptr<persistent_data::UserSession>& session,
                  CallbackFn&& callback)
 {
     requestUserInfo(
         username, asyncResp,
         [asyncResp, session, callback = std::forward<CallbackFn>(callback)](
             const dbus::utility::DBusPropertiesMap& userInfoMap) {
             if (!populateUserInfo(*session, userInfoMap))
             {
                 BMCWEB_LOG_ERROR("Failed to populate user information");
                 asyncResp->res.result(
                     boost::beast::http::status::internal_server_error);
                 return;
             }
             callback();
         });
 }

 } // namespace crow
	#pragma once

	#include "dbus_utility.hpp"
	#include "error_messages.hpp"
	#include "http_request.hpp"
	#include "http_response.hpp"
	#include "logging.hpp"
	#include "routing/baserule.hpp"
	#include "utils/dbus_utils.hpp"

	#include <boost/url/format.hpp>
	#include <sdbusplus/unpack_properties.hpp>

	#include <memory>
	#include <string>
	#include <utility>
	#include <vector>

	namespace crow
	{
	// Populate session with user information.
	inline bool
	populateUserInfo(persistent_data::UserSession& session,
	const dbus::utility::DBusPropertiesMap& userInfoMap)
	{
	std::string userRole;
	bool remoteUser = false;
	std::optional<bool> passwordExpired;
	std::optional<std::vector<std::string>> userGroups;

	const bool success = sdbusplus::unpackPropertiesNoThrow(
	redfish::dbus_utils::UnpackErrorPrinter(), userInfoMap, "UserPrivilege",
	userRole, "RemoteUser", remoteUser, "UserPasswordExpired",
	passwordExpired, "UserGroups", userGroups);

	if (!success)
	{
	BMCWEB_LOG_ERROR("Failed to unpack user properties.");
	return false;
	}

	if (!remoteUser && (!passwordExpired \|\| !userGroups))
	{
	BMCWEB_LOG_ERROR(
	"Missing UserPasswordExpired or UserGroups property for local user");
	return false;
	}

	session.userRole = userRole;
	BMCWEB_LOG_DEBUG("userName = {} userRole = {}", session.username, userRole);

	// Set isConfigureSelfOnly based on D-Bus results. This
	// ignores the results from both pamAuthenticateUser and the
	// value from any previous use of this session.
	session.isConfigureSelfOnly = passwordExpired.value_or(false);

	session.userGroups.clear();
	if (userGroups)
	{
	session.userGroups.swap(*userGroups);
	}

	return true;
	}

	inline bool isUserPrivileged(
	Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
	BaseRule& rule)
	{
	if (req.session == nullptr)
	{
	return false;
	}
	// Get the user's privileges from the role
	redfish::Privileges userPrivileges =
	redfish::getUserPrivileges(*req.session);

	// Modify privileges if isConfigureSelfOnly.
	if (req.session->isConfigureSelfOnly)
	{
	// Remove all privileges except ConfigureSelf
	userPrivileges =
	userPrivileges.intersection(redfish::Privileges{"ConfigureSelf"});
	BMCWEB_LOG_DEBUG("Operation limited to ConfigureSelf");
	}

	if (!rule.checkPrivileges(userPrivileges))
	{
	asyncResp->res.result(boost::beast::http::status::forbidden);
	if (req.session->isConfigureSelfOnly)
	{
	redfish::messages::passwordChangeRequired(
	asyncResp->res,
	boost::urls::format("/redfish/v1/AccountService/Accounts/{}",
	req.session->username));
	}
	return false;
	}

	req.userRole = req.session->userRole;
	return true;
	}

	inline bool afterGetUserInfoValidate(
	Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
	BaseRule& rule, const dbus::utility::DBusPropertiesMap& userInfoMap)
	{
	if (req.session == nullptr \|\| !populateUserInfo(*req.session, userInfoMap))
	{
	BMCWEB_LOG_ERROR("Failed to populate user information");
	asyncResp->res.result(
	boost::beast::http::status::internal_server_error);
	return false;
	}

	if (!isUserPrivileged(req, asyncResp, rule))
	{
	// User is not privileged
	BMCWEB_LOG_ERROR("Insufficient Privilege");
	asyncResp->res.result(boost::beast::http::status::forbidden);
	return false;
	}

	return true;
	}

	template <typename CallbackFn>
	void requestUserInfo(const std::string& username,
	const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
	CallbackFn&& callback)
	{
	crow::connections::systemBus->async_method_call(
	[asyncResp, callback = std::forward<CallbackFn>(callback)](
	const boost::system::error_code& ec,
	const dbus::utility::DBusPropertiesMap& userInfoMap) mutable {
	if (ec)
	{
	BMCWEB_LOG_ERROR("GetUserInfo failed...");
	asyncResp->res.result(
	boost::beast::http::status::internal_server_error);
	return;
	}
	callback(userInfoMap);
	},
	"xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
	"xyz.openbmc_project.User.Manager", "GetUserInfo", username);
	}

	template <typename CallbackFn>
	void validatePrivilege(const std::shared_ptr<Request>& req,
	const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
	BaseRule& rule, CallbackFn&& callback)
	{
	if (req->session == nullptr)
	{
	return;
	}

	requestUserInfo(
	req->session->username, asyncResp,
	[req, asyncResp, &rule, callback = std::forward<CallbackFn>(callback)](
	const dbus::utility::DBusPropertiesMap& userInfoMap) mutable {
	if (afterGetUserInfoValidate(*req, asyncResp, rule, userInfoMap))
	{
	callback();
	}
	});
	}

	template <typename CallbackFn>
	void getUserInfo(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
	const std::string& username,
	std::shared_ptr<persistent_data::UserSession>& session,
	CallbackFn&& callback)
	{
	requestUserInfo(
	username, asyncResp,
	[asyncResp, session, callback = std::forward<CallbackFn>(callback)](
	const dbus::utility::DBusPropertiesMap& userInfoMap) {
	if (!populateUserInfo(*session, userInfoMap))
	{
	BMCWEB_LOG_ERROR("Failed to populate user information");
	asyncResp->res.result(
	boost::beast::http::status::internal_server_error);
	return;
	}
	callback();
	});
	}

	} // namespace crow