Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 478b7adffab38c98d880ad2c39c8dc421433bd92 / . / include / pam_authenticate.hpp
blob: fbb3f6165c5883c84a80b3ec929026aedca75aaf [file] [log] [blame]
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]1#pragma once
2
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]3#include <security/pam_appl.h>
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]4
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]5#include <cstring>
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame]6#include <memory>
Patrick Williamsad7fa902023-05-10 19:57:29 -0500[diff] [blame]7#include <span>
Ed Tanous5b904292024-04-16 11:10:17 -0700[diff] [blame]8#include <string_view>
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]9
Ravi Teja2ccce1f2024-08-10 04:05:36 -0500[diff] [blame]10struct PasswordData
11{
12 std::string password;
13 std::optional<std::string> token;
14};
15
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]16// function used to get user input
Ed Tanous05ecd3a2024-02-16 08:13:57 -0800[diff] [blame]17inline int pamFunctionConversation(int numMsg, const struct pam_message** msgs,
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]18 struct pam_response** resp, void* appdataPtr)
19{
Ed Tanous05ecd3a2024-02-16 08:13:57 -0800[diff] [blame]20 if ((appdataPtr == nullptr) || (msgs == nullptr) || (resp == nullptr))
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]21 {
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]22 return PAM_CONV_ERR;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]23 }
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]24
25 if (numMsg <= 0 || numMsg >= PAM_MAX_NUM_MSG)
Ed Tanousf1eebf02019-03-04 15:57:09 -0800[diff] [blame]26 {
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]27 return PAM_CONV_ERR;
Ed Tanousf1eebf02019-03-04 15:57:09 -0800[diff] [blame]28 }
Ravi Teja2ccce1f2024-08-10 04:05:36 -0500[diff] [blame]29 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
30 PasswordData* appPass = reinterpret_cast<PasswordData*>(appdataPtr);
Patrick Williamsad7fa902023-05-10 19:57:29 -0500[diff] [blame]31 auto msgCount = static_cast<size_t>(numMsg);
Ed Tanous05ecd3a2024-02-16 08:13:57 -0800[diff] [blame]32 // NOLINTNEXTLINE(cppcoreguidelines-avoid-c-arrays)
33 auto responseArrPtr = std::make_unique<pam_response[]>(msgCount);
34 auto responses = std::span(responseArrPtr.get(), msgCount);
35 auto messagePtrs = std::span(msgs, msgCount);
Patrick Williamsad7fa902023-05-10 19:57:29 -0500[diff] [blame]36 for (size_t i = 0; i < msgCount; ++i)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]37 {
Ed Tanous05ecd3a2024-02-16 08:13:57 -0800[diff] [blame]38 const pam_message& msg = *(messagePtrs[i]);
39
40 pam_response& response = responses[i];
41 response.resp_retcode = 0;
42 response.resp = nullptr;
43
44 switch (msg.msg_style)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]45 {
Ed Tanous05ecd3a2024-02-16 08:13:57 -0800[diff] [blame]46 case PAM_PROMPT_ECHO_ON:
47 break;
48 case PAM_PROMPT_ECHO_OFF:
49 {
50 // Assume PAM is only prompting for the password as hidden input
Ravi Teja2ccce1f2024-08-10 04:05:36 -0500[diff] [blame]51 // Allocate memory only when PAM_PROMPT_ECHO_OFF is encountered
52 size_t appPassSize = appPass->password.size();
Ed Tanous05ecd3a2024-02-16 08:13:57 -0800[diff] [blame]53 if ((appPassSize + 1) > PAM_MAX_RESP_SIZE)
54 {
55 return PAM_CONV_ERR;
56 }
Ravi Teja2ccce1f2024-08-10 04:05:36 -0500[diff] [blame]57 std::string_view message(msg.msg);
58 constexpr std::string_view passwordPrompt = "Password: ";
59 // String used by Google authenticator to ask for one time code
60 constexpr std::string_view totpPrompt = "Verification code: ";
61 if (message.starts_with(passwordPrompt))
62 {
63 response.resp =
64 strdup(appPass->password.c_str()); // Password input
65 }
66 else if (message.starts_with(totpPrompt))
67 {
68 if (!appPass->token)
69 {
70 return PAM_CONV_ERR;
71 }
72 response.resp =
73 strdup(appPass->token->c_str()); // TOTP input
74 }
75 else
76 {
77 return PAM_CONV_ERR;
78 }
Ed Tanous05ecd3a2024-02-16 08:13:57 -0800[diff] [blame]79 }
80 break;
81 case PAM_ERROR_MSG:
82 BMCWEB_LOG_ERROR("Pam error {}", msg.msg);
83 break;
84 case PAM_TEXT_INFO:
85 BMCWEB_LOG_ERROR("Pam info {}", msg.msg);
86 break;
87 default:
88 return PAM_CONV_ERR;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]89 }
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]90 }
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]91
Ed Tanous05ecd3a2024-02-16 08:13:57 -0800[diff] [blame]92 *resp = responseArrPtr.release();
93 return PAM_SUCCESS;
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]94}
95
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]96/**
97 * @brief Attempt username/password authentication via PAM.
98 * @param username The provided username aka account name.
99 * @param password The provided password.
Ravi Teja2ccce1f2024-08-10 04:05:36 -0500[diff] [blame]100 * @param token The provided MFA token.
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]101 * @returns PAM error code or PAM_SUCCESS for success. */
Ed Tanous26ccae32023-02-16 10:28:44 -0800[diff] [blame]102inline int pamAuthenticateUser(std::string_view username,
Ravi Teja2ccce1f2024-08-10 04:05:36 -0500[diff] [blame]103 std::string_view password,
104 std::optional<std::string> token)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]105{
106 std::string userStr(username);
Ravi Teja2ccce1f2024-08-10 04:05:36 -0500[diff] [blame]107 PasswordData data{std::string(password), std::move(token)};
108 const struct pam_conv localConversation = {pamFunctionConversation, &data};
Ed Tanous99131cd2019-10-24 11:12:47 -0700[diff] [blame]109 pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]110
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]111 int retval = pam_start("webserver", userStr.c_str(), &localConversation,
112 &localAuthHandle);
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]113 if (retval != PAM_SUCCESS)
114 {
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]115 return retval;
116 }
117
118 retval = pam_authenticate(localAuthHandle,
119 PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
120 if (retval != PAM_SUCCESS)
121 {
122 pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval
123 return retval;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]124 }
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]125
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]126 /* check that the account is healthy */
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]127 retval = pam_acct_mgmt(localAuthHandle, PAM_DISALLOW_NULL_AUTHTOK);
128 if (retval != PAM_SUCCESS)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]129 {
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]130 pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval
131 return retval;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]132 }
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]133
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]134 return pam_end(localAuthHandle, PAM_SUCCESS);
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]135}
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]136
Ed Tanous9be245e2024-08-26 09:06:45 -0700[diff] [blame]137inline int pamUpdatePasswordFunctionConversation(
138 int numMsg, const struct pam_message** msgs, struct pam_response** resp,
139 void* appdataPtr)
140{
141 if ((appdataPtr == nullptr) || (msgs == nullptr) || (resp == nullptr))
142 {
143 return PAM_CONV_ERR;
144 }
145
146 if (numMsg <= 0 || numMsg >= PAM_MAX_NUM_MSG)
147 {
148 return PAM_CONV_ERR;
149 }
150 auto msgCount = static_cast<size_t>(numMsg);
151
152 // NOLINTNEXTLINE(cppcoreguidelines-avoid-c-arrays)
153 auto responseArrPtr = std::make_unique<pam_response[]>(msgCount);
154 auto responses = std::span(responseArrPtr.get(), msgCount);
155 auto messagePtrs = std::span(msgs, msgCount);
156 for (size_t i = 0; i < msgCount; ++i)
157 {
158 const pam_message& msg = *(messagePtrs[i]);
159
160 pam_response& response = responses[i];
161 response.resp_retcode = 0;
162 response.resp = nullptr;
163
164 switch (msg.msg_style)
165 {
166 case PAM_PROMPT_ECHO_ON:
167 break;
168 case PAM_PROMPT_ECHO_OFF:
169 {
170 // Assume PAM is only prompting for the password as hidden input
171 // Allocate memory only when PAM_PROMPT_ECHO_OFF is encounterred
172 char* appPass = static_cast<char*>(appdataPtr);
173 size_t appPassSize = std::strlen(appPass);
174
175 if ((appPassSize + 1) > PAM_MAX_RESP_SIZE)
176 {
177 return PAM_CONV_ERR;
178 }
179 // Create an array for pam to own
180 // NOLINTNEXTLINE(cppcoreguidelines-avoid-c-arrays)
181 auto passPtr = std::make_unique<char[]>(appPassSize + 1);
182 std::strncpy(passPtr.get(), appPass, appPassSize + 1);
183
184 responses[i].resp = passPtr.release();
185 }
186 break;
187 case PAM_ERROR_MSG:
188 BMCWEB_LOG_ERROR("Pam error {}", msg.msg);
189 break;
190 case PAM_TEXT_INFO:
191 BMCWEB_LOG_ERROR("Pam info {}", msg.msg);
192 break;
193 default:
194 return PAM_CONV_ERR;
195 }
196 }
197 *resp = responseArrPtr.release();
198 return PAM_SUCCESS;
199}
200
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]201inline int pamUpdatePassword(const std::string& username,
202 const std::string& password)
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]203{
Ed Tanous4ecc6182022-01-07 09:36:26 -0800[diff] [blame]204 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast)
205 char* passStrNoConst = const_cast<char*>(password.c_str());
Ed Tanous9be245e2024-08-26 09:06:45 -0700[diff] [blame]206 const struct pam_conv localConversation = {
207 pamUpdatePasswordFunctionConversation, passStrNoConst};
Ed Tanous99131cd2019-10-24 11:12:47 -0700[diff] [blame]208 pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]209
Joseph Reynolds96b39e02019-12-05 17:53:35 -0600[diff] [blame]210 int retval = pam_start("webserver", username.c_str(), &localConversation,
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]211 &localAuthHandle);
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]212
213 if (retval != PAM_SUCCESS)
214 {
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]215 return retval;
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]216 }
217
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]218 retval = pam_chauthtok(localAuthHandle, PAM_SILENT);
219 if (retval != PAM_SUCCESS)
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]220 {
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]221 pam_end(localAuthHandle, PAM_SUCCESS);
222 return retval;
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]223 }
224
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]225 return pam_end(localAuthHandle, PAM_SUCCESS);
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]226}