Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 8fd315a55515124fc3cb0f5975fec415454595ec^! / . / include / pam_authenticate.hpp
commit8fd315a55515124fc3cb0f5975fec415454595ec[log] [tgz]
authorJoseph Reynolds <joseph-reynolds@charter.net>Thu Sep 12 12:02:33 2019 -0500
committerJoseph Reynolds <joseph-reynolds@charter.net>Tue Oct 15 16:37:28 2019 -0500
treea79098979c5751b44c51f854557639c5b2298e67
parent49d734ff2f17f5f623e60e52a144d6304866aad3 [diff] [blame]
Handle Redfish PasswordChangeRequired

This enhances BMCWeb authentication to recognize when the user's password is
correct but expired.  The Redfish SessionService is enhanced to comply with
the Redfish PasswordChangeRequired spec which allows the session to be
created, but limits that sesion to changing the password only, and includes
the PasswordChangeRequired message in the response body.

Specifically, when the account's password is expired, a successful
authentication via the following interfaces will have these results:
- POST /redfish/v1/SessionService/Sessions -- follows Redfish spec
- POST /login -- creates a session limited to changing the password,
                 similar to Redfish
- Basic authentication -- continues to treat the password
  change required condition as an authentication failure and gives no
  indication the password is expired.
- Cookie auth -- works as before
- Token auth -- works as before

This patchset is intended to allow web applications to use the presence
of the Redfish PasswordChangeRequired message or the extendedMessage
field to trigger the password change dialog.

This does not implement the PasswordChangeRequired property in the
ManagerAccount resource.

This implements the Redfish privilege overrides associated with the
ConfigureSelf privilege.  Specifically, this correctly implements the
Password property override, and the ManagerAccount Resource URI override.

When an API results in 403 Forbidden and the issuing session has the
PasswordChangeRequired condition, appropriate JSON is given.

Tested:
  Yes, see https://github.com/openbmc/bmcweb/issues/103
  No, did not run Redfish validator

Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Change-Id: Ibbf5f6414ac55c0e7bea14c721f6db227b52fe40

diff --git a/include/pam_authenticate.hpp b/include/pam_authenticate.hpp
index f211a29..68ce64a 100644
--- a/include/pam_authenticate.hpp
+++ b/include/pam_authenticate.hpp

@@ -48,10 +48,12 @@
 }
 
 inline bool pamAuthenticateUser(const std::string_view username,
-                                const std::string_view password)
+                                const std::string_view password,
+                                bool& passwordChangeRequired)
 {
     std::string userStr(username);
     std::string passStr(password);
+    passwordChangeRequired = false;
     const struct pam_conv localConversation = {
         pamFunctionConversation, const_cast<char*>(passStr.c_str())};
     pam_handle_t* localAuthHandle = NULL; // this gets set by pam_start
@@ -70,12 +72,18 @@
         return false;
     }
 
-    /* check that the account is healthy */
-    if (pam_acct_mgmt(localAuthHandle, PAM_DISALLOW_NULL_AUTHTOK) !=
-        PAM_SUCCESS)
+    /* check if the account is healthy */
+    switch (pam_acct_mgmt(localAuthHandle, PAM_DISALLOW_NULL_AUTHTOK))
     {
-        pam_end(localAuthHandle, PAM_SUCCESS);
-        return false;
+        case PAM_SUCCESS:
+            break;
+        case PAM_NEW_AUTHTOK_REQD:
+            passwordChangeRequired = true;
+            break;
+        default:
+            pam_end(localAuthHandle, PAM_SUCCESS);
+            return false;
+            break;
     }
 
     if (pam_end(localAuthHandle, PAM_SUCCESS) != PAM_SUCCESS)