Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 1e4bc6ffdb30d32315ea5c0a4758b28c9cd733ed / . / include / dbus_privileges.hpp
blob: f174991bee7059d7a47462780fe20cb6fec61a48 [file] [log] [blame]
Ed Tanous40e9b922024-09-10 13:50:16 -0700[diff] [blame]1// SPDX-License-Identifier: Apache-2.0
2// SPDX-FileCopyrightText: Copyright OpenBMC Authors
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]3#pragma once
4
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]5#include "async_resp.hpp"
6#include "dbus_singleton.hpp"
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]7#include "dbus_utility.hpp"
8#include "error_messages.hpp"
9#include "http_request.hpp"
10#include "http_response.hpp"
11#include "logging.hpp"
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]12#include "privileges.hpp"
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]13#include "routing/baserule.hpp"
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]14#include "sessions.hpp"
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]15#include "utils/dbus_utils.hpp"
16
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]17#include <boost/beast/http/status.hpp>
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]18#include <boost/url/format.hpp>
19#include <sdbusplus/unpack_properties.hpp>
20
21#include <memory>
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]22#include <optional>
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]23#include <string>
24#include <utility>
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]25#include <vector>
26
27namespace crow
28{
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]29// Populate session with user information.
30inline bool
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]31 populateUserInfo(persistent_data::UserSession& session,
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]32 const dbus::utility::DBusPropertiesMap& userInfoMap)
33{
Jonathan Doman522377d2023-08-18 15:27:54 -0700[diff] [blame]34 std::string userRole;
35 bool remoteUser = false;
36 std::optional<bool> passwordExpired;
37 std::optional<std::vector<std::string>> userGroups;
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]38
Jonathan Doman522377d2023-08-18 15:27:54 -0700[diff] [blame]39 const bool success = sdbusplus::unpackPropertiesNoThrow(
40 redfish::dbus_utils::UnpackErrorPrinter(), userInfoMap, "UserPrivilege",
41 userRole, "RemoteUser", remoteUser, "UserPasswordExpired",
42 passwordExpired, "UserGroups", userGroups);
43
44 if (!success)
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]45 {
Jonathan Doman522377d2023-08-18 15:27:54 -0700[diff] [blame]46 BMCWEB_LOG_ERROR("Failed to unpack user properties.");
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]47 return false;
48 }
Jonathan Doman522377d2023-08-18 15:27:54 -0700[diff] [blame]49
50 if (!remoteUser && (!passwordExpired || !userGroups))
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]51 {
Jonathan Doman522377d2023-08-18 15:27:54 -0700[diff] [blame]52 BMCWEB_LOG_ERROR(
53 "Missing UserPasswordExpired or UserGroups property for local user");
54 return false;
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]55 }
Jonathan Doman522377d2023-08-18 15:27:54 -0700[diff] [blame]56
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]57 session.userRole = userRole;
58 BMCWEB_LOG_DEBUG("userName = {} userRole = {}", session.username, userRole);
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]59
60 // Set isConfigureSelfOnly based on D-Bus results. This
61 // ignores the results from both pamAuthenticateUser and the
62 // value from any previous use of this session.
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]63 session.isConfigureSelfOnly = passwordExpired.value_or(false);
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]64
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]65 session.userGroups.clear();
Jonathan Doman522377d2023-08-18 15:27:54 -0700[diff] [blame]66 if (userGroups)
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]67 {
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]68 session.userGroups.swap(*userGroups);
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]69 }
70
71 return true;
72}
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]73
Patrick Williamsbd79bce2024-08-16 15:22:20 -0400[diff] [blame]74inline bool isUserPrivileged(
75 Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
76 BaseRule& rule)
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]77{
Ed Tanousd3dfb6e2023-07-27 09:33:49 -0700[diff] [blame]78 if (req.session == nullptr)
79 {
80 return false;
81 }
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]82 // Get the user's privileges from the role
83 redfish::Privileges userPrivileges =
84 redfish::getUserPrivileges(*req.session);
85
86 // Modify privileges if isConfigureSelfOnly.
87 if (req.session->isConfigureSelfOnly)
88 {
89 // Remove all privileges except ConfigureSelf
90 userPrivileges =
91 userPrivileges.intersection(redfish::Privileges{"ConfigureSelf"});
Ed Tanous62598e32023-07-17 17:06:25 -0700[diff] [blame]92 BMCWEB_LOG_DEBUG("Operation limited to ConfigureSelf");
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]93 }
94
95 if (!rule.checkPrivileges(userPrivileges))
96 {
97 asyncResp->res.result(boost::beast::http::status::forbidden);
98 if (req.session->isConfigureSelfOnly)
99 {
100 redfish::messages::passwordChangeRequired(
101 asyncResp->res,
102 boost::urls::format("/redfish/v1/AccountService/Accounts/{}",
103 req.session->username));
104 }
105 return false;
106 }
107
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]108 req.userRole = req.session->userRole;
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]109 return true;
110}
111
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]112inline bool afterGetUserInfoValidate(
113 Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
114 BaseRule& rule, const dbus::utility::DBusPropertiesMap& userInfoMap)
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]115{
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]116 if (req.session == nullptr || !populateUserInfo(*req.session, userInfoMap))
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]117 {
118 BMCWEB_LOG_ERROR("Failed to populate user information");
119 asyncResp->res.result(
120 boost::beast::http::status::internal_server_error);
Jonathan Doman102a4cd2024-04-15 16:56:23 -0700[diff] [blame]121 return false;
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]122 }
123
124 if (!isUserPrivileged(req, asyncResp, rule))
125 {
126 // User is not privileged
127 BMCWEB_LOG_ERROR("Insufficient Privilege");
128 asyncResp->res.result(boost::beast::http::status::forbidden);
Jonathan Doman102a4cd2024-04-15 16:56:23 -0700[diff] [blame]129 return false;
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]130 }
Jonathan Doman102a4cd2024-04-15 16:56:23 -0700[diff] [blame]131
132 return true;
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]133}
134
135template <typename CallbackFn>
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]136void requestUserInfo(const std::string& username,
137 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
138 CallbackFn&& callback)
139{
140 crow::connections::systemBus->async_method_call(
141 [asyncResp, callback = std::forward<CallbackFn>(callback)](
142 const boost::system::error_code& ec,
143 const dbus::utility::DBusPropertiesMap& userInfoMap) mutable {
Patrick Williamsbd79bce2024-08-16 15:22:20 -0400[diff] [blame]144 if (ec)
145 {
146 BMCWEB_LOG_ERROR("GetUserInfo failed...");
147 asyncResp->res.result(
148 boost::beast::http::status::internal_server_error);
149 return;
150 }
151 callback(userInfoMap);
152 },
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]153 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
154 "xyz.openbmc_project.User.Manager", "GetUserInfo", username);
155}
156
157template <typename CallbackFn>
Jonathan Doman102a4cd2024-04-15 16:56:23 -0700[diff] [blame]158void validatePrivilege(const std::shared_ptr<Request>& req,
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]159 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
160 BaseRule& rule, CallbackFn&& callback)
161{
Jonathan Doman102a4cd2024-04-15 16:56:23 -0700[diff] [blame]162 if (req->session == nullptr)
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]163 {
164 return;
165 }
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]166
167 requestUserInfo(
168 req->session->username, asyncResp,
Jonathan Doman102a4cd2024-04-15 16:56:23 -0700[diff] [blame]169 [req, asyncResp, &rule, callback = std::forward<CallbackFn>(callback)](
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]170 const dbus::utility::DBusPropertiesMap& userInfoMap) mutable {
Patrick Williamsbd79bce2024-08-16 15:22:20 -0400[diff] [blame]171 if (afterGetUserInfoValidate(*req, asyncResp, rule, userInfoMap))
172 {
173 callback();
174 }
175 });
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]176}
177
178template <typename CallbackFn>
179void getUserInfo(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
180 const std::string& username,
181 std::shared_ptr<persistent_data::UserSession>& session,
182 CallbackFn&& callback)
183{
184 requestUserInfo(
185 username, asyncResp,
186 [asyncResp, session, callback = std::forward<CallbackFn>(callback)](
187 const dbus::utility::DBusPropertiesMap& userInfoMap) {
Patrick Williamsbd79bce2024-08-16 15:22:20 -0400[diff] [blame]188 if (!populateUserInfo(*session, userInfoMap))
189 {
190 BMCWEB_LOG_ERROR("Failed to populate user information");
191 asyncResp->res.result(
192 boost::beast::http::status::internal_server_error);
193 return;
194 }
195 callback();
196 });
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]197}
198
199} // namespace crow