Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 56d0bb068b69c5b8853e44d7af179030adcacd64 / . / include / sessions.hpp
blob: 1d0b620fb1025e9388cb563ef36a816fef577e6a [file] [log] [blame]
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]1#pragma once
2
Ed Tanous04e438c2020-10-03 08:06:26 -0700[diff] [blame]3#include "logging.hpp"
Ed Tanous2c6ffdb2023-06-28 11:28:38 -0700[diff] [blame]4#include "ossl_random.hpp"
Ed Tanous04e438c2020-10-03 08:06:26 -0700[diff] [blame]5#include "utility.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -0800[diff] [blame]6#include "utils/ip_utils.hpp"
Ed Tanousfc76b8a2020-09-28 17:21:52 -0700[diff] [blame]7
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]8#include <nlohmann/json.hpp>
Ratan Gupta12c04ef2019-04-03 10:08:11 +0530[diff] [blame]9
Xie Ning9fa06f12022-06-29 18:27:47 +0800[diff] [blame]10#include <algorithm>
Gunnar Mills1214b7e2020-06-04 10:11:30 -0500[diff] [blame]11#include <csignal>
Ed Tanousbb759e32022-08-02 17:07:54 -0700[diff] [blame]12#include <optional>
Gunnar Mills1214b7e2020-06-04 10:11:30 -0500[diff] [blame]13#include <random>
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]14
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]15namespace persistent_data
16{
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]17
Ed Tanous51dae672018-09-05 16:07:32 -0700[diff] [blame]18// entropy: 20 characters, 62 possibilities. log2(62^20) = 119 bits of
19// entropy. OWASP recommends at least 64
20// https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-id-entropy
21constexpr std::size_t sessionTokenSize = 20;
22
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]23enum class PersistenceType
24{
25 TIMEOUT, // User session times out after a predetermined amount of time
26 SINGLE_REQUEST // User times out once this request is completed.
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]27};
28
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]29struct UserSession
30{
31 std::string uniqueId;
32 std::string sessionToken;
33 std::string username;
34 std::string csrfToken;
Ed Tanousbb759e32022-08-02 17:07:54 -0700[diff] [blame]35 std::optional<std::string> clientId;
Sunitha Harish92f68222020-05-28 05:09:09 -0500[diff] [blame]36 std::string clientIp;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]37 std::chrono::time_point<std::chrono::steady_clock> lastUpdated;
Ed Tanousd3a9e082022-01-07 09:30:41 -0800[diff] [blame]38 PersistenceType persistence{PersistenceType::TIMEOUT};
Ed Tanous7e9c08e2023-06-16 11:29:37 -0700[diff] [blame]39 bool cookieAuth = false;
Joseph Reynolds3bf4e632020-02-06 14:44:32 -0600[diff] [blame]40 bool isConfigureSelfOnly = false;
Ed Tanous47f29342024-03-19 12:18:06 -0700[diff] [blame]41 std::string userRole;
42 std::vector<std::string> userGroups;
Joseph Reynolds3bf4e632020-02-06 14:44:32 -0600[diff] [blame]43
44 // There are two sources of truth for isConfigureSelfOnly:
45 // 1. When pamAuthenticateUser() returns PAM_NEW_AUTHTOK_REQD.
46 // 2. D-Bus User.Manager.GetUserInfo property UserPasswordExpired.
47 // These should be in sync, but the underlying condition can change at any
48 // time. For example, a password can expire or be changed outside of
49 // bmcweb. The value stored here is updated at the start of each
50 // operation and used as the truth within bmcweb.
Kowalski, Kamil5cef0f72018-02-15 15:26:51 +0100[diff] [blame]51
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]52 /**
53 * @brief Fills object with data from UserSession's JSON representation
54 *
55 * This replaces nlohmann's from_json to ensure no-throw approach
56 *
57 * @param[in] j JSON object from which data should be loaded
58 *
59 * @return a shared pointer if data has been loaded properly, nullptr
60 * otherwise
61 */
62 static std::shared_ptr<UserSession> fromJson(const nlohmann::json& j)
63 {
64 std::shared_ptr<UserSession> userSession =
65 std::make_shared<UserSession>();
66 for (const auto& element : j.items())
67 {
68 const std::string* thisValue =
69 element.value().get_ptr<const std::string*>();
70 if (thisValue == nullptr)
71 {
Ed Tanous62598e32023-07-17 17:06:25 -0700[diff] [blame]72 BMCWEB_LOG_ERROR(
73 "Error reading persistent store. Property {} was not of type string",
74 element.key());
Ed Tanousdc511aa2020-10-21 12:33:42 -0700[diff] [blame]75 continue;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]76 }
77 if (element.key() == "unique_id")
78 {
79 userSession->uniqueId = *thisValue;
80 }
81 else if (element.key() == "session_token")
82 {
83 userSession->sessionToken = *thisValue;
84 }
85 else if (element.key() == "csrf_token")
86 {
87 userSession->csrfToken = *thisValue;
88 }
89 else if (element.key() == "username")
90 {
91 userSession->username = *thisValue;
92 }
Sunitha Harish08bdcc72020-05-12 05:17:57 -0500[diff] [blame]93 else if (element.key() == "client_id")
94 {
95 userSession->clientId = *thisValue;
96 }
Sunitha Harish92f68222020-05-28 05:09:09 -0500[diff] [blame]97 else if (element.key() == "client_ip")
98 {
99 userSession->clientIp = *thisValue;
100 }
101
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]102 else
103 {
Ed Tanous62598e32023-07-17 17:06:25 -0700[diff] [blame]104 BMCWEB_LOG_ERROR(
105 "Got unexpected property reading persistent file: {}",
106 element.key());
Ed Tanousdc511aa2020-10-21 12:33:42 -0700[diff] [blame]107 continue;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]108 }
109 }
Ed Tanousdc511aa2020-10-21 12:33:42 -0700[diff] [blame]110 // If any of these fields are missing, we can't restore the session, as
111 // we don't have enough information. These 4 fields have been present
112 // in every version of this file in bmcwebs history, so any file, even
113 // on upgrade, should have these present
114 if (userSession->uniqueId.empty() || userSession->username.empty() ||
115 userSession->sessionToken.empty() || userSession->csrfToken.empty())
116 {
Ed Tanous62598e32023-07-17 17:06:25 -0700[diff] [blame]117 BMCWEB_LOG_DEBUG("Session missing required security "
118 "information, refusing to restore");
Ed Tanousdc511aa2020-10-21 12:33:42 -0700[diff] [blame]119 return nullptr;
120 }
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]121
122 // For now, sessions that were persisted through a reboot get their idle
123 // timer reset. This could probably be overcome with a better
124 // understanding of wall clock time and steady timer time, possibly
125 // persisting values with wall clock time instead of steady timer, but
126 // the tradeoffs of all the corner cases involved are non-trivial, so
127 // this is done temporarily
128 userSession->lastUpdated = std::chrono::steady_clock::now();
129 userSession->persistence = PersistenceType::TIMEOUT;
130
131 return userSession;
Kowalski, Kamil5cef0f72018-02-15 15:26:51 +0100[diff] [blame]132 }
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]133};
134
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]135struct AuthConfigMethods
136{
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]137#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]138 bool basic = true;
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]139#else
140 bool basic = false;
141#endif
142
143#ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION
144 bool sessionToken = true;
145#else
146 bool sessionToken = false;
147#endif
148
149#ifdef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
150 bool xtoken = true;
151#else
152 bool xtoken = false;
153#endif
154
155#ifdef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
156 bool cookie = true;
157#else
158 bool cookie = false;
159#endif
160
161#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
162 bool tls = true;
163#else
Zbigniew Kurzynskicac94c52019-11-07 12:55:04 +0100[diff] [blame]164 bool tls = false;
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]165#endif
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]166
167 void fromJson(const nlohmann::json& j)
168 {
169 for (const auto& element : j.items())
170 {
171 const bool* value = element.value().get_ptr<const bool*>();
172 if (value == nullptr)
173 {
174 continue;
175 }
176
177 if (element.key() == "XToken")
178 {
179 xtoken = *value;
180 }
181 else if (element.key() == "Cookie")
182 {
183 cookie = *value;
184 }
185 else if (element.key() == "SessionToken")
186 {
187 sessionToken = *value;
188 }
189 else if (element.key() == "BasicAuth")
190 {
191 basic = *value;
192 }
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]193 else if (element.key() == "TLS")
194 {
195 tls = *value;
196 }
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]197 }
198 }
199};
200
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]201class SessionStore
202{
203 public:
204 std::shared_ptr<UserSession> generateUserSession(
Ed Tanous26ccae32023-02-16 10:28:44 -0800[diff] [blame]205 std::string_view username, const boost::asio::ip::address& clientIp,
Ed Tanousbb759e32022-08-02 17:07:54 -0700[diff] [blame]206 const std::optional<std::string>& clientId,
Joseph Reynolds3bf4e632020-02-06 14:44:32 -0600[diff] [blame]207 PersistenceType persistence = PersistenceType::TIMEOUT,
Sunitha Harishd3239222021-02-24 15:33:29 +0530[diff] [blame]208 bool isConfigureSelfOnly = false)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]209 {
210 // TODO(ed) find a secure way to not generate session identifiers if
211 // persistence is set to SINGLE_REQUEST
212 static constexpr std::array<char, 62> alphanum = {
Joseph Reynolds368b1d42019-08-15 15:29:06 -0500[diff] [blame]213 '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C',
214 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
215 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c',
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]216 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p',
217 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'};
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]218
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]219 std::string sessionToken;
Ed Tanous51dae672018-09-05 16:07:32 -0700[diff] [blame]220 sessionToken.resize(sessionTokenSize, '0');
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]221 std::uniform_int_distribution<size_t> dist(0, alphanum.size() - 1);
James Feista68a8042020-04-15 15:46:44 -0700[diff] [blame]222
Ed Tanousfc76b8a2020-09-28 17:21:52 -0700[diff] [blame]223 bmcweb::OpenSSLGenerator gen;
James Feista68a8042020-04-15 15:46:44 -0700[diff] [blame]224
Ed Tanous0dfeda62019-10-24 11:21:38 -0700[diff] [blame]225 for (char& sessionChar : sessionToken)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]226 {
Ed Tanous0dfeda62019-10-24 11:21:38 -0700[diff] [blame]227 sessionChar = alphanum[dist(gen)];
James Feista68a8042020-04-15 15:46:44 -0700[diff] [blame]228 if (gen.error())
229 {
230 return nullptr;
231 }
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]232 }
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]233 // Only need csrf tokens for cookie based auth, token doesn't matter
234 std::string csrfToken;
Ed Tanous51dae672018-09-05 16:07:32 -0700[diff] [blame]235 csrfToken.resize(sessionTokenSize, '0');
Ed Tanous0dfeda62019-10-24 11:21:38 -0700[diff] [blame]236 for (char& csrfChar : csrfToken)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]237 {
Ed Tanous0dfeda62019-10-24 11:21:38 -0700[diff] [blame]238 csrfChar = alphanum[dist(gen)];
James Feista68a8042020-04-15 15:46:44 -0700[diff] [blame]239 if (gen.error())
240 {
241 return nullptr;
242 }
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]243 }
244
245 std::string uniqueId;
246 uniqueId.resize(10, '0');
Ed Tanous0dfeda62019-10-24 11:21:38 -0700[diff] [blame]247 for (char& uidChar : uniqueId)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]248 {
Ed Tanous0dfeda62019-10-24 11:21:38 -0700[diff] [blame]249 uidChar = alphanum[dist(gen)];
James Feista68a8042020-04-15 15:46:44 -0700[diff] [blame]250 if (gen.error())
251 {
252 return nullptr;
253 }
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]254 }
Jiaqing Zhao41d61c82021-12-07 13:21:47 +0800[diff] [blame]255
Ed Tanous47f29342024-03-19 12:18:06 -0700[diff] [blame]256 auto session = std::make_shared<UserSession>(
257 UserSession{uniqueId,
258 sessionToken,
259 std::string(username),
260 csrfToken,
261 clientId,
262 redfish::ip_util::toString(clientIp),
263 std::chrono::steady_clock::now(),
264 persistence,
265 false,
266 isConfigureSelfOnly,
267 "",
268 {}});
Patrick Williams41713dd2022-09-28 06:48:07 -0500[diff] [blame]269 auto it = authTokens.emplace(sessionToken, session);
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]270 // Only need to write to disk if session isn't about to be destroyed.
271 needWrite = persistence == PersistenceType::TIMEOUT;
272 return it.first->second;
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]273 }
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]274
Ed Tanous26ccae32023-02-16 10:28:44 -0800[diff] [blame]275 std::shared_ptr<UserSession> loginSessionByToken(std::string_view token)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]276 {
277 applySessionTimeouts();
Ed Tanous51dae672018-09-05 16:07:32 -0700[diff] [blame]278 if (token.size() != sessionTokenSize)
279 {
280 return nullptr;
281 }
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]282 auto sessionIt = authTokens.find(std::string(token));
283 if (sessionIt == authTokens.end())
284 {
285 return nullptr;
286 }
287 std::shared_ptr<UserSession> userSession = sessionIt->second;
288 userSession->lastUpdated = std::chrono::steady_clock::now();
289 return userSession;
290 }
291
Ed Tanous26ccae32023-02-16 10:28:44 -0800[diff] [blame]292 std::shared_ptr<UserSession> getSessionByUid(std::string_view uid)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]293 {
294 applySessionTimeouts();
295 // TODO(Ed) this is inefficient
296 auto sessionIt = authTokens.begin();
297 while (sessionIt != authTokens.end())
298 {
299 if (sessionIt->second->uniqueId == uid)
300 {
301 return sessionIt->second;
302 }
303 sessionIt++;
304 }
305 return nullptr;
306 }
307
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]308 void removeSession(const std::shared_ptr<UserSession>& session)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]309 {
310 authTokens.erase(session->sessionToken);
311 needWrite = true;
312 }
313
314 std::vector<const std::string*> getUniqueIds(
315 bool getAll = true,
316 const PersistenceType& type = PersistenceType::SINGLE_REQUEST)
317 {
318 applySessionTimeouts();
319
320 std::vector<const std::string*> ret;
321 ret.reserve(authTokens.size());
322 for (auto& session : authTokens)
323 {
324 if (getAll || type == session.second->persistence)
325 {
326 ret.push_back(&session.second->uniqueId);
327 }
328 }
329 return ret;
330 }
331
Xie Ning9fa06f12022-06-29 18:27:47 +0800[diff] [blame]332 void removeSessionsByUsername(std::string_view username)
333 {
334 std::erase_if(authTokens, [username](const auto& value) {
335 if (value.second == nullptr)
336 {
337 return false;
338 }
339 return value.second->username == username;
340 });
341 }
342
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]343 void updateAuthMethodsConfig(const AuthConfigMethods& config)
344 {
Zbigniew Kurzynski009c2a42019-11-14 13:37:15 +0100[diff] [blame]345 bool isTLSchanged = (authMethodsConfig.tls != config.tls);
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]346 authMethodsConfig = config;
347 needWrite = true;
Zbigniew Kurzynski009c2a42019-11-14 13:37:15 +0100[diff] [blame]348 if (isTLSchanged)
349 {
350 // recreate socket connections with new settings
351 std::raise(SIGHUP);
352 }
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]353 }
354
355 AuthConfigMethods& getAuthMethodsConfig()
356 {
357 return authMethodsConfig;
358 }
359
Ed Tanous9eb808c2022-01-25 10:19:23 -0800[diff] [blame]360 bool needsWrite() const
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]361 {
362 return needWrite;
363 }
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]364 int64_t getTimeoutInSeconds() const
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]365 {
Manojkiran Edaf2a4a602020-08-27 16:04:26 +0530[diff] [blame]366 return std::chrono::seconds(timeoutInSeconds).count();
367 }
368
369 void updateSessionTimeout(std::chrono::seconds newTimeoutInSeconds)
370 {
371 timeoutInSeconds = newTimeoutInSeconds;
372 needWrite = true;
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]373 }
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]374
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]375 static SessionStore& getInstance()
376 {
377 static SessionStore sessionStore;
378 return sessionStore;
379 }
380
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]381 void applySessionTimeouts()
382 {
383 auto timeNow = std::chrono::steady_clock::now();
Manojkiran Edaf2a4a602020-08-27 16:04:26 +0530[diff] [blame]384 if (timeNow - lastTimeoutUpdate > std::chrono::seconds(1))
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]385 {
386 lastTimeoutUpdate = timeNow;
387 auto authTokensIt = authTokens.begin();
388 while (authTokensIt != authTokens.end())
389 {
390 if (timeNow - authTokensIt->second->lastUpdated >=
Manojkiran Edaf2a4a602020-08-27 16:04:26 +0530[diff] [blame]391 timeoutInSeconds)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]392 {
393 authTokensIt = authTokens.erase(authTokensIt);
Ratan Gupta07386c62019-12-14 14:06:09 +0530[diff] [blame]394
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]395 needWrite = true;
396 }
397 else
398 {
399 authTokensIt++;
400 }
401 }
402 }
403 }
Gunnar Mills83cf8182020-11-11 15:37:34 -0600[diff] [blame]404
405 SessionStore(const SessionStore&) = delete;
406 SessionStore& operator=(const SessionStore&) = delete;
Ed Tanousecd6a3a2022-01-07 09:18:40 -0800[diff] [blame]407 SessionStore(SessionStore&&) = delete;
408 SessionStore& operator=(const SessionStore&&) = delete;
409 ~SessionStore() = default;
Gunnar Mills83cf8182020-11-11 15:37:34 -0600[diff] [blame]410
411 std::unordered_map<std::string, std::shared_ptr<UserSession>,
412 std::hash<std::string>,
413 crow::utility::ConstantTimeCompare>
414 authTokens;
415
416 std::chrono::time_point<std::chrono::steady_clock> lastTimeoutUpdate;
417 bool needWrite{false};
418 std::chrono::seconds timeoutInSeconds;
419 AuthConfigMethods authMethodsConfig;
420
421 private:
Patrick Williams89492a12023-05-10 07:51:34 -0500[diff] [blame]422 SessionStore() : timeoutInSeconds(1800) {}
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]423};
424
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]425} // namespace persistent_data