Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 05ecd3a9a2bb7d63470a183e23b3a158572003f4 / . / include / pam_authenticate.hpp
blob: 22c869529f0c8a4e05c707d520045c7b7bd711a1 [file] [log] [blame]
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]1#pragma once
2
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]3#include <security/pam_appl.h>
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]4
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]5#include <cstring>
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame]6#include <memory>
Patrick Williamsad7fa902023-05-10 19:57:29 -0500[diff] [blame]7#include <span>
Ed Tanous5b904292024-04-16 11:10:17 -0700[diff] [blame]8#include <string_view>
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]9
10// function used to get user input
Ed Tanous05ecd3a2024-02-16 08:13:57 -0800[diff] [blame^]11inline int pamFunctionConversation(int numMsg, const struct pam_message** msgs,
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]12 struct pam_response** resp, void* appdataPtr)
13{
Ed Tanous05ecd3a2024-02-16 08:13:57 -0800[diff] [blame^]14 if ((appdataPtr == nullptr) || (msgs == nullptr) || (resp == nullptr))
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]15 {
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]16 return PAM_CONV_ERR;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]17 }
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]18
19 if (numMsg <= 0 || numMsg >= PAM_MAX_NUM_MSG)
Ed Tanousf1eebf02019-03-04 15:57:09 -0800[diff] [blame]20 {
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]21 return PAM_CONV_ERR;
Ed Tanousf1eebf02019-03-04 15:57:09 -0800[diff] [blame]22 }
Patrick Williamsad7fa902023-05-10 19:57:29 -0500[diff] [blame]23 auto msgCount = static_cast<size_t>(numMsg);
Patrick Williamsad7fa902023-05-10 19:57:29 -0500[diff] [blame]24
Ed Tanous05ecd3a2024-02-16 08:13:57 -0800[diff] [blame^]25 // NOLINTNEXTLINE(cppcoreguidelines-avoid-c-arrays)
26 auto responseArrPtr = std::make_unique<pam_response[]>(msgCount);
27 auto responses = std::span(responseArrPtr.get(), msgCount);
28 auto messagePtrs = std::span(msgs, msgCount);
Patrick Williamsad7fa902023-05-10 19:57:29 -0500[diff] [blame]29 for (size_t i = 0; i < msgCount; ++i)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]30 {
Ed Tanous05ecd3a2024-02-16 08:13:57 -0800[diff] [blame^]31 const pam_message& msg = *(messagePtrs[i]);
32
33 pam_response& response = responses[i];
34 response.resp_retcode = 0;
35 response.resp = nullptr;
36
37 switch (msg.msg_style)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]38 {
Ed Tanous05ecd3a2024-02-16 08:13:57 -0800[diff] [blame^]39 case PAM_PROMPT_ECHO_ON:
40 break;
41 case PAM_PROMPT_ECHO_OFF:
42 {
43 // Assume PAM is only prompting for the password as hidden input
44 // Allocate memory only when PAM_PROMPT_ECHO_OFF is encounterred
45 char* appPass = static_cast<char*>(appdataPtr);
46 size_t appPassSize = std::strlen(appPass);
47
48 if ((appPassSize + 1) > PAM_MAX_RESP_SIZE)
49 {
50 return PAM_CONV_ERR;
51 }
52 // Create an array for pam to own
53 // NOLINTNEXTLINE(cppcoreguidelines-avoid-c-arrays)
54 auto passPtr = std::make_unique<char[]>(appPassSize + 1);
55 std::strncpy(passPtr.get(), appPass, appPassSize + 1);
56
57 responses[i].resp = passPtr.release();
58 }
59 break;
60 case PAM_ERROR_MSG:
61 BMCWEB_LOG_ERROR("Pam error {}", msg.msg);
62 break;
63 case PAM_TEXT_INFO:
64 BMCWEB_LOG_ERROR("Pam info {}", msg.msg);
65 break;
66 default:
67 return PAM_CONV_ERR;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]68 }
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]69 }
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]70
Ed Tanous05ecd3a2024-02-16 08:13:57 -0800[diff] [blame^]71 *resp = responseArrPtr.release();
72 return PAM_SUCCESS;
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]73}
74
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]75/**
76 * @brief Attempt username/password authentication via PAM.
77 * @param username The provided username aka account name.
78 * @param password The provided password.
79 * @returns PAM error code or PAM_SUCCESS for success. */
Ed Tanous26ccae32023-02-16 10:28:44 -0800[diff] [blame]80inline int pamAuthenticateUser(std::string_view username,
81 std::string_view password)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]82{
83 std::string userStr(username);
84 std::string passStr(password);
Ed Tanous4ecc6182022-01-07 09:36:26 -0800[diff] [blame]85
Ed Tanousf9c794f2023-06-06 11:46:49 -0700[diff] [blame]86 char* passStrNoConst = passStr.data();
Ed Tanous4ecc6182022-01-07 09:36:26 -0800[diff] [blame]87 const struct pam_conv localConversation = {pamFunctionConversation,
88 passStrNoConst};
Ed Tanous99131cd2019-10-24 11:12:47 -0700[diff] [blame]89 pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]90
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]91 int retval = pam_start("webserver", userStr.c_str(), &localConversation,
92 &localAuthHandle);
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]93 if (retval != PAM_SUCCESS)
94 {
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]95 return retval;
96 }
97
98 retval = pam_authenticate(localAuthHandle,
99 PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
100 if (retval != PAM_SUCCESS)
101 {
102 pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval
103 return retval;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]104 }
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]105
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]106 /* check that the account is healthy */
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]107 retval = pam_acct_mgmt(localAuthHandle, PAM_DISALLOW_NULL_AUTHTOK);
108 if (retval != PAM_SUCCESS)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]109 {
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]110 pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval
111 return retval;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]112 }
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]113
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]114 return pam_end(localAuthHandle, PAM_SUCCESS);
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]115}
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]116
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]117inline int pamUpdatePassword(const std::string& username,
118 const std::string& password)
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]119{
Ed Tanous4ecc6182022-01-07 09:36:26 -0800[diff] [blame]120 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast)
121 char* passStrNoConst = const_cast<char*>(password.c_str());
122 const struct pam_conv localConversation = {pamFunctionConversation,
123 passStrNoConst};
Ed Tanous99131cd2019-10-24 11:12:47 -0700[diff] [blame]124 pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]125
Joseph Reynolds96b39e02019-12-05 17:53:35 -0600[diff] [blame]126 int retval = pam_start("webserver", username.c_str(), &localConversation,
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]127 &localAuthHandle);
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]128
129 if (retval != PAM_SUCCESS)
130 {
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]131 return retval;
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]132 }
133
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]134 retval = pam_chauthtok(localAuthHandle, PAM_SILENT);
135 if (retval != PAM_SUCCESS)
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]136 {
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]137 pam_end(localAuthHandle, PAM_SUCCESS);
138 return retval;
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]139 }
140
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]141 return pam_end(localAuthHandle, PAM_SUCCESS);
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]142}