blob: a58f9bebd0a721156ae3d217fac1c7d86d31d7ba [file] [log] [blame]
Ed Tanous08bbe112023-04-06 13:10:02 -07001#pragma once
2
3#include "dbus_utility.hpp"
4#include "error_messages.hpp"
5#include "http_request.hpp"
6#include "http_response.hpp"
7#include "logging.hpp"
8#include "routing/baserule.hpp"
9#include "utils/dbus_utils.hpp"
10
11#include <boost/url/format.hpp>
12#include <sdbusplus/unpack_properties.hpp>
13
14#include <memory>
15#include <vector>
16
17namespace crow
18{
Gunnar Mills59ba6382023-08-01 12:41:17 -050019// Populate session with user information.
20inline bool
21 populateUserInfo(Request& req,
Gunnar Mills59ba6382023-08-01 12:41:17 -050022 const dbus::utility::DBusPropertiesMap& userInfoMap)
23{
Gunnar Mills59ba6382023-08-01 12:41:17 -050024 if (req.session == nullptr)
25 {
26 return false;
27 }
28
Jonathan Doman522377d2023-08-18 15:27:54 -070029 std::string userRole;
30 bool remoteUser = false;
31 std::optional<bool> passwordExpired;
32 std::optional<std::vector<std::string>> userGroups;
Gunnar Mills59ba6382023-08-01 12:41:17 -050033
Jonathan Doman522377d2023-08-18 15:27:54 -070034 const bool success = sdbusplus::unpackPropertiesNoThrow(
35 redfish::dbus_utils::UnpackErrorPrinter(), userInfoMap, "UserPrivilege",
36 userRole, "RemoteUser", remoteUser, "UserPasswordExpired",
37 passwordExpired, "UserGroups", userGroups);
38
39 if (!success)
Gunnar Mills59ba6382023-08-01 12:41:17 -050040 {
Jonathan Doman522377d2023-08-18 15:27:54 -070041 BMCWEB_LOG_ERROR("Failed to unpack user properties.");
Gunnar Mills59ba6382023-08-01 12:41:17 -050042 return false;
43 }
Jonathan Doman522377d2023-08-18 15:27:54 -070044
45 if (!remoteUser && (!passwordExpired || !userGroups))
Gunnar Mills59ba6382023-08-01 12:41:17 -050046 {
Jonathan Doman522377d2023-08-18 15:27:54 -070047 BMCWEB_LOG_ERROR(
48 "Missing UserPasswordExpired or UserGroups property for local user");
49 return false;
Gunnar Mills59ba6382023-08-01 12:41:17 -050050 }
Jonathan Doman522377d2023-08-18 15:27:54 -070051
52 req.session->userRole = userRole;
53 BMCWEB_LOG_DEBUG("userName = {} userRole = {}", req.session->username,
54 userRole);
Gunnar Mills59ba6382023-08-01 12:41:17 -050055
56 // Set isConfigureSelfOnly based on D-Bus results. This
57 // ignores the results from both pamAuthenticateUser and the
58 // value from any previous use of this session.
Jonathan Doman522377d2023-08-18 15:27:54 -070059 req.session->isConfigureSelfOnly = passwordExpired.value_or(false);
Gunnar Mills59ba6382023-08-01 12:41:17 -050060
Jonathan Doman522377d2023-08-18 15:27:54 -070061 req.session->userGroups.clear();
62 if (userGroups)
Gunnar Mills59ba6382023-08-01 12:41:17 -050063 {
Jonathan Doman522377d2023-08-18 15:27:54 -070064 req.session->userGroups.swap(*userGroups);
Gunnar Mills59ba6382023-08-01 12:41:17 -050065 }
66
67 return true;
68}
Ed Tanous08bbe112023-04-06 13:10:02 -070069
70inline bool
71 isUserPrivileged(Request& req,
72 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
73 BaseRule& rule)
74{
Ed Tanousd3dfb6e2023-07-27 09:33:49 -070075 if (req.session == nullptr)
76 {
77 return false;
78 }
Ed Tanous08bbe112023-04-06 13:10:02 -070079 // Get the user's privileges from the role
80 redfish::Privileges userPrivileges =
81 redfish::getUserPrivileges(*req.session);
82
83 // Modify privileges if isConfigureSelfOnly.
84 if (req.session->isConfigureSelfOnly)
85 {
86 // Remove all privileges except ConfigureSelf
87 userPrivileges =
88 userPrivileges.intersection(redfish::Privileges{"ConfigureSelf"});
Ed Tanous62598e32023-07-17 17:06:25 -070089 BMCWEB_LOG_DEBUG("Operation limited to ConfigureSelf");
Ed Tanous08bbe112023-04-06 13:10:02 -070090 }
91
92 if (!rule.checkPrivileges(userPrivileges))
93 {
94 asyncResp->res.result(boost::beast::http::status::forbidden);
95 if (req.session->isConfigureSelfOnly)
96 {
97 redfish::messages::passwordChangeRequired(
98 asyncResp->res,
99 boost::urls::format("/redfish/v1/AccountService/Accounts/{}",
100 req.session->username));
101 }
102 return false;
103 }
104
Gunnar Mills59ba6382023-08-01 12:41:17 -0500105 req.userRole = req.session->userRole;
Ed Tanous08bbe112023-04-06 13:10:02 -0700106 return true;
107}
108
109template <typename CallbackFn>
Gunnar Mills59ba6382023-08-01 12:41:17 -0500110void afterGetUserInfo(Request& req,
111 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ed Tanous8cb2c022024-03-27 16:31:46 -0700112 BaseRule& rule, CallbackFn callback,
Gunnar Mills59ba6382023-08-01 12:41:17 -0500113 const boost::system::error_code& ec,
114 const dbus::utility::DBusPropertiesMap& userInfoMap)
115{
116 if (ec)
117 {
118 BMCWEB_LOG_ERROR("GetUserInfo failed...");
119 asyncResp->res.result(
120 boost::beast::http::status::internal_server_error);
121 return;
122 }
123
Jonathan Doman522377d2023-08-18 15:27:54 -0700124 if (!populateUserInfo(req, userInfoMap))
Gunnar Mills59ba6382023-08-01 12:41:17 -0500125 {
126 BMCWEB_LOG_ERROR("Failed to populate user information");
127 asyncResp->res.result(
128 boost::beast::http::status::internal_server_error);
129 return;
130 }
131
132 if (!isUserPrivileged(req, asyncResp, rule))
133 {
134 // User is not privileged
135 BMCWEB_LOG_ERROR("Insufficient Privilege");
136 asyncResp->res.result(boost::beast::http::status::forbidden);
137 return;
138 }
139 callback(req);
140}
141
142template <typename CallbackFn>
Ed Tanous08bbe112023-04-06 13:10:02 -0700143void validatePrivilege(Request& req,
144 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
145 BaseRule& rule, CallbackFn&& callback)
146{
147 if (req.session == nullptr)
148 {
149 return;
150 }
151 std::string username = req.session->username;
Gunnar Mills59ba6382023-08-01 12:41:17 -0500152 crow::connections::systemBus->async_method_call(
Myung Bae41b25aa2024-02-24 10:50:23 -0500153 [req{std::move(req)}, asyncResp, &rule,
Ed Tanous8cb2c022024-03-27 16:31:46 -0700154 callback = std::forward<CallbackFn>(callback)](
Gunnar Mills59ba6382023-08-01 12:41:17 -0500155 const boost::system::error_code& ec,
156 const dbus::utility::DBusPropertiesMap& userInfoMap) mutable {
157 afterGetUserInfo(req, asyncResp, rule,
158 std::forward<CallbackFn>(callback), ec, userInfoMap);
Patrick Williams5a39f772023-10-20 11:20:21 -0500159 },
Gunnar Mills59ba6382023-08-01 12:41:17 -0500160 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
161 "xyz.openbmc_project.User.Manager", "GetUserInfo", username);
Ed Tanous08bbe112023-04-06 13:10:02 -0700162}
163
164} // namespace crow