Implement Redfish PasswordChangeRequired
This implements the Redfish PasswordChangeRequired handling. See
section 13.3.7.1 "Password change required handling" in the 1.9.1 spec:
https://www.dmtf.org/sites/default/files/standards/documents/DSP0266_1.9.1.pdf
These portions of the spec are implemented:
- Authenticatation with a correct but expired password creates a
session:
- The session is restricted to the ConfigureSelf privilege which
allows a user to change their own password (via GET and PATCH
Password for their own account). Support for the ConfigureSelf
privilege is already in BMCWeb.
- The session object has the PasswordChangeRequired message.
- All other operations respond with http status code 403 Forbidden
and include the PasswordChangeRequired message.
- The ManagerAccount (URI /redfish/v1/AccountService/Accounts/USER)
PasswordChangeRequired property is implemented for local accounts
but not present for remote accounts.
This has the following additional behavior:
The PasswordChangeRequired property is updated at the start of each new
REST operation, even within an existing session. This behavior
implements a "dynamic" PasswordChangeRequired handling that responds to
changes to the underlying "password expired" status. Specifically:
- Sessions restricted by the PasswordChangeRequired handling lose that
restriction when the underlying account password is changed.
- Sessions become subject to the PasswordChangeRequired handling
restrictions whenever the underlying account password expires.
- The mechanism is to check if the password is expired at the start of
every new REST API operation, effectively updating the ManagerAccount
PasswordChangeRequired property each time. This makes BMCWeb
responsive to changes in the underlying account due to other activity
on the BMC.
Notes:
1. Note that when an account password status is changed (for example,
the password becomes expired or is changed) and that account has
active sessions, those sessions remain. They are not deleted. Any
current operations are allowed to complete. Subsequent operations
with that session pick up the new password status.
2. This does not implement OWASP recommendations which call for sessions
to be dropped when there is a significant change to the underlying
account. For example, when the password is changed, the password
becomes expired, or when the account's Role changes. OWASP's
recommendation is due to the session fixation vulnerability. See the
OWASP Session Management Cheat Sheet section "Renew the Session ID
After Any Privilege Level Change":
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#renew-the-session-id-after-any-privilege-level-change
BMCWeb protects against session fixation vulnerabilities because it
always regenerates new session IDs when successful authentication
creates a new session.
3. Users authenticating via mTLS are not subject to the
PasswordChangeRequired behavior because mTLS takes precedence over
password-based authentication.
Tested:
0. Setup:
- The `passwd --expire USERNAME` command was used to expire
passwords. The `chage USER` command was also used.
- The following were used to change the password: Redfish API,
passwd command, and the SSH password change dialog.
- Tested the following via Basic Auth, /login, and Redfish login
(except where Basic Auth does not create a persistent session).
- Only local user account were tested.
- Did not test authentication via mTLS or with LDAP users.
1. When the password is not expired, authentication behaves as usual
for both correct and incorrect passwords.
2. When the password is incorrect and expired, authentication fails as
usual.
3. When the password is correct but expired:
A. A session is created and has the PasswordChangeRequired message.
B. That session cannot access resources that require Login privilege
and the 403 message contains the PasswordChangeRequired message.
C. That session can be used to GET the user's account, PATCH the
Password, and DELETE the session object.
D. The account PasswordChangeRequired reports true.
4. While a session is established, try expiring and changing
(unexpiring) the password using various mechanisms. Ensure both the
session object and the ManagerAccount PasswordChangeRequired property
report the correct condition, and ensure PasswordChangeRequired
handling (restricting operations to ConfigureSelf when
PasswordChangeRequired is true) is applied correctly.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Change-Id: Iedc61dea8f949e4b182e14dc189de02d1f74d3e8
diff --git a/http/routing.h b/http/routing.h
index c2a7503..cc5c75f 100644
--- a/http/routing.h
+++ b/http/routing.h
@@ -1,5 +1,6 @@
#pragma once
+#include "error_messages.hpp"
#include "privileges.hpp"
#include "sessions.hpp"
@@ -1287,13 +1288,77 @@
<< " userRole = " << *userRolePtr;
}
+ bool* remoteUserPtr = nullptr;
+ auto remoteUserIter = userInfo.find("RemoteUser");
+ if (remoteUserIter != userInfo.end())
+ {
+ remoteUserPtr = std::get_if<bool>(&remoteUserIter->second);
+ }
+ if (remoteUserPtr == nullptr)
+ {
+ BMCWEB_LOG_ERROR
+ << "RemoteUser property missing or wrong type";
+ res.result(
+ boost::beast::http::status::internal_server_error);
+ res.end();
+ return;
+ }
+ bool remoteUser = *remoteUserPtr;
+
+ bool passwordExpired = false; // default for remote user
+ if (!remoteUser)
+ {
+ bool* passwordExpiredPtr = nullptr;
+ auto passwordExpiredIter =
+ userInfo.find("UserPasswordExpired");
+ if (passwordExpiredIter != userInfo.end())
+ {
+ passwordExpiredPtr =
+ std::get_if<bool>(&passwordExpiredIter->second);
+ }
+ if (passwordExpiredPtr != nullptr)
+ {
+ passwordExpired = *passwordExpiredPtr;
+ }
+ else
+ {
+ BMCWEB_LOG_ERROR
+ << "UserPasswordExpired property is expected for"
+ " local user but is missing or wrong type";
+ res.result(
+ boost::beast::http::status::internal_server_error);
+ res.end();
+ return;
+ }
+ }
+
// Get the user privileges from the role
redfish::Privileges userPrivileges =
redfish::getUserPrivileges(userRole);
+ // Set isConfigureSelfOnly based on D-Bus results. This
+ // ignores the results from both pamAuthenticateUser and the
+ // value from any previous use of this session.
+ req.session->isConfigureSelfOnly = passwordExpired;
+
+ // Modify privileges if isConfigureSelfOnly.
+ if (req.session->isConfigureSelfOnly)
+ {
+ // Remove all privileges except ConfigureSelf
+ userPrivileges = userPrivileges.intersection(
+ redfish::Privileges{"ConfigureSelf"});
+ BMCWEB_LOG_DEBUG << "Operation limited to ConfigureSelf";
+ }
+
if (!rules[ruleIndex]->checkPrivileges(userPrivileges))
{
res.result(boost::beast::http::status::forbidden);
+ if (req.session->isConfigureSelfOnly)
+ {
+ redfish::messages::passwordChangeRequired(
+ res, "/redfish/v1/AccountService/Accounts/" +
+ req.session->username);
+ }
res.end();
return;
}
diff --git a/include/sessions.hpp b/include/sessions.hpp
index 9d24327..a7ffe28 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -45,6 +45,15 @@
std::chrono::time_point<std::chrono::steady_clock> lastUpdated;
PersistenceType persistence;
bool cookieAuth = false;
+ bool isConfigureSelfOnly = false;
+
+ // There are two sources of truth for isConfigureSelfOnly:
+ // 1. When pamAuthenticateUser() returns PAM_NEW_AUTHTOK_REQD.
+ // 2. D-Bus User.Manager.GetUserInfo property UserPasswordExpired.
+ // These should be in sync, but the underlying condition can change at any
+ // time. For example, a password can expire or be changed outside of
+ // bmcweb. The value stored here is updated at the start of each
+ // operation and used as the truth within bmcweb.
/**
* @brief Fills object with data from UserSession's JSON representation
@@ -196,7 +205,8 @@
public:
std::shared_ptr<UserSession> generateUserSession(
const std::string_view username,
- PersistenceType persistence = PersistenceType::TIMEOUT)
+ PersistenceType persistence = PersistenceType::TIMEOUT,
+ bool isConfigureSelfOnly = false)
{
// TODO(ed) find a secure way to not generate session identifiers if
// persistence is set to SINGLE_REQUEST
@@ -244,9 +254,10 @@
}
}
- auto session = std::make_shared<UserSession>(UserSession{
- uniqueId, sessionToken, std::string(username), csrfToken,
- std::chrono::steady_clock::now(), persistence});
+ auto session = std::make_shared<UserSession>(
+ UserSession{uniqueId, sessionToken, std::string(username),
+ csrfToken, std::chrono::steady_clock::now(),
+ persistence, false, isConfigureSelfOnly});
auto it = authTokens.emplace(std::make_pair(sessionToken, session));
// Only need to write to disk if session isn't about to be destroyed.
needWrite = persistence == PersistenceType::TIMEOUT;
diff --git a/include/token_authorization_middleware.hpp b/include/token_authorization_middleware.hpp
index aaa1325..ccea929 100644
--- a/include/token_authorization_middleware.hpp
+++ b/include/token_authorization_middleware.hpp
@@ -138,7 +138,9 @@
BMCWEB_LOG_DEBUG << "[AuthMiddleware] Authenticating user: " << user;
- if (pamAuthenticateUser(user, pass) != PAM_SUCCESS)
+ int pamrc = pamAuthenticateUser(user, pass);
+ bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD;
+ if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly)
{
return nullptr;
}
@@ -150,7 +152,8 @@
// This whole flow needs to be revisited anyway, as we can't be
// calling directly into pam for every request
return persistent_data::SessionStore::getInstance().generateUserSession(
- user, crow::persistent_data::PersistenceType::SINGLE_REQUEST);
+ user, crow::persistent_data::PersistenceType::SINGLE_REQUEST,
+ isConfigureSelfOnly);
}
const std::shared_ptr<crow::persistent_data::UserSession>
@@ -397,14 +400,20 @@
if (!username.empty() && !password.empty())
{
- if (pamAuthenticateUser(username, password) != PAM_SUCCESS)
+ int pamrc = pamAuthenticateUser(username, password);
+ bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD;
+ if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly)
{
res.result(boost::beast::http::status::unauthorized);
}
else
{
- auto session = persistent_data::SessionStore::getInstance()
- .generateUserSession(username);
+ auto session =
+ persistent_data::SessionStore::getInstance()
+ .generateUserSession(
+ username,
+ crow::persistent_data::PersistenceType::TIMEOUT,
+ isConfigureSelfOnly);
if (looksLikePhosphorRest)
{
diff --git a/redfish-core/include/error_messages.hpp b/redfish-core/include/error_messages.hpp
index 4d71745..6e280c0 100644
--- a/redfish-core/include/error_messages.hpp
+++ b/redfish-core/include/error_messages.hpp
@@ -764,6 +764,17 @@
void queryParameterOutOfRange(crow::Response& res, const std::string& arg1,
const std::string& arg2, const std::string& arg3);
+/**
+ * @brief Formats PasswordChangeRequired message into JSON
+ * Message body: The password provided for this account must be changed
+ * before access is granted. PATCH the 'Password' property for this
+ * account located at the target URI '%1' to complete this process.
+ *
+ * @param[in] arg1 Parameter of message that will replace %1 in its body.
+ *
+ * @returns Message PasswordChangeRequired formatted to JSON */
+void passwordChangeRequired(crow::Response& res, const std::string& arg1);
+
} // namespace messages
} // namespace redfish
diff --git a/redfish-core/include/node.hpp b/redfish-core/include/node.hpp
index 9086f1e..a6e1e27 100644
--- a/redfish-core/include/node.hpp
+++ b/redfish-core/include/node.hpp
@@ -169,8 +169,8 @@
res.end();
}
- /* @brief Would the operation be allowed if the user did not have
- * the ConfigureSelf Privilege?
+ /* @brief Would the operation be allowed if the user did not have the
+ * ConfigureSelf Privilege? Also honors session.isConfigureSelfOnly.
*
* @param req the request
*
@@ -181,9 +181,18 @@
const std::string& userRole = req.userRole;
BMCWEB_LOG_DEBUG << "isAllowedWithoutConfigureSelf for the role "
<< req.userRole;
- Privileges effectiveUserPrivileges =
- redfish::getUserPrivileges(userRole);
- effectiveUserPrivileges.resetSinglePrivilege("ConfigureSelf");
+ Privileges effectiveUserPrivileges;
+ if (req.session && req.session->isConfigureSelfOnly)
+ {
+ // The session has no privileges because it is limited to
+ // configureSelfOnly and we are disregarding that privilege.
+ // Note that some operations do not require any privilege.
+ }
+ else
+ {
+ effectiveUserPrivileges = redfish::getUserPrivileges(userRole);
+ effectiveUserPrivileges.resetSinglePrivilege("ConfigureSelf");
+ }
const auto& requiredPrivilegesIt = entityPrivileges.find(req.method());
return (requiredPrivilegesIt != entityPrivileges.end()) &&
isOperationAllowedWithPrivileges(requiredPrivilegesIt->second,
diff --git a/redfish-core/include/privileges.hpp b/redfish-core/include/privileges.hpp
index 1ca57fa..35f619b 100644
--- a/redfish-core/include/privileges.hpp
+++ b/redfish-core/include/privileges.hpp
@@ -196,7 +196,23 @@
return (privilegeBitset & p.privilegeBitset) == p.privilegeBitset;
}
+ /**
+ * @brief Returns the intersection of two Privilege sets.
+ *
+ * @param[in] privilege Privilege set to intersect with.
+ *
+ * @return The new Privilege set.
+ *
+ */
+ Privileges intersection(const Privileges& p) const
+ {
+ return Privileges{privilegeBitset & p.privilegeBitset};
+ }
+
private:
+ Privileges(const std::bitset<maxPrivilegeCount>& p) : privilegeBitset{p}
+ {
+ }
std::bitset<maxPrivilegeCount> privilegeBitset = 0;
};
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index b579994..609c7db 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -1618,7 +1618,7 @@
*userLocked;
asyncResp->res.jsonValue
["Locked@Redfish.AllowableValues"] = {
- "false"};
+ "false"}; // can only unlock accounts
}
else if (property.first == "UserPrivilege")
{
@@ -1647,6 +1647,22 @@
"Roles/" +
role}};
}
+ else if (property.first == "UserPasswordExpired")
+ {
+ const bool* userPasswordExpired =
+ std::get_if<bool>(&property.second);
+ if (userPasswordExpired == nullptr)
+ {
+ BMCWEB_LOG_ERROR << "UserPassword"
+ "Expired "
+ "wasn't a bool";
+ messages::internalError(asyncResp->res);
+ return;
+ }
+ asyncResp->res
+ .jsonValue["PasswordChangeRequired"] =
+ *userPasswordExpired;
+ }
}
}
}
diff --git a/redfish-core/lib/redfish_sessions.hpp b/redfish-core/lib/redfish_sessions.hpp
index c3e11a3..515f5be 100644
--- a/redfish-core/lib/redfish_sessions.hpp
+++ b/redfish-core/lib/redfish_sessions.hpp
@@ -192,7 +192,9 @@
return;
}
- if (pamAuthenticateUser(username, password) != PAM_SUCCESS)
+ int pamrc = pamAuthenticateUser(username, password);
+ bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD;
+ if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly)
{
messages::resourceAtUriUnauthorized(res, std::string(req.url),
"Invalid username or password");
@@ -204,11 +206,19 @@
// User is authenticated - create session
std::shared_ptr<crow::persistent_data::UserSession> session =
crow::persistent_data::SessionStore::getInstance()
- .generateUserSession(username);
+ .generateUserSession(
+ username, crow::persistent_data::PersistenceType::TIMEOUT,
+ isConfigureSelfOnly);
res.addHeader("X-Auth-Token", session->sessionToken);
res.addHeader("Location", "/redfish/v1/SessionService/Sessions/" +
session->uniqueId);
res.result(boost::beast::http::status::created);
+ if (session->isConfigureSelfOnly)
+ {
+ messages::passwordChangeRequired(
+ res,
+ "/redfish/v1/AccountService/Accounts/" + session->username);
+ }
memberSession.doGet(res, req, {session->uniqueId});
}
diff --git a/redfish-core/src/error_messages.cpp b/redfish-core/src/error_messages.cpp
index bc5ba77..4be2687 100644
--- a/redfish-core/src/error_messages.cpp
+++ b/redfish-core/src/error_messages.cpp
@@ -1699,6 +1699,32 @@
queryParameterOutOfRange(arg1, arg2, arg3));
}
+/**
+ * @internal
+ * @brief Formats PasswordChangeRequired message into JSON
+ *
+ * See header file for more information
+ * @endinternal
+ */
+void passwordChangeRequired(crow::Response& res, const std::string& arg1)
+{
+ messages::addMessageToJsonRoot(
+ res.jsonValue,
+ nlohmann::json{
+ {"@odata.type", "/redfish/v1/$metadata#Message.v1_5_0.Message"},
+ {"MessageId", "Base.1.5.0.PasswordChangeRequired"},
+ {"Message", "The password provided for this account must be "
+ "changed before access is granted. PATCH the "
+ "'Password' property for this account located at "
+ "the target URI '" +
+ arg1 + "' to complete this process."},
+ {"MessageArgs", {arg1}},
+ {"Severity", "Critical"},
+ {"Resolution", "Change the password for this account using "
+ "a PATCH to the 'Password' property at the URI "
+ "provided."}});
+}
+
} // namespace messages
} // namespace redfish