blob: 035a9a8be84c32214243ba35cea76a41b05f24fd [file] [log] [blame]
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +01001/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Borawski.Lukasz43a095a2018-02-19 15:39:01 +010017
Kowalski, Kamilf4c4dcf2018-01-29 14:55:35 +010018#include "error_messages.hpp"
Ed Tanous52cc1122020-07-18 13:51:21 -070019#include "persistent_data.hpp"
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +010020
John Edward Broadbent7e860f12021-04-08 15:57:16 -070021#include <app.hpp>
Ed Tanousace85d62021-10-26 12:45:59 -070022#include <http/utility.hpp>
Ed Tanous45ca1b82022-03-25 13:07:27 -070023#include <query.hpp>
Ed Tanoused398212021-06-09 17:05:54 -070024#include <registries/privilege_registry.hpp>
John Edward Broadbent7e860f12021-04-08 15:57:16 -070025
Ed Tanous1abe55e2018-09-05 08:30:59 -070026namespace redfish
27{
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +010028
Ed Tanous4f48d5f2021-06-21 08:27:45 -070029inline void fillSessionObject(crow::Response& res,
30 const persistent_data::UserSession& session)
Ed Tanous1abe55e2018-09-05 08:30:59 -070031{
Ed Tanousfaa34cc2021-06-03 13:27:02 -070032 res.jsonValue["Id"] = session.uniqueId;
33 res.jsonValue["UserName"] = session.username;
34 res.jsonValue["@odata.id"] =
35 "/redfish/v1/SessionService/Sessions/" + session.uniqueId;
36 res.jsonValue["@odata.type"] = "#Session.v1_3_0.Session";
37 res.jsonValue["Name"] = "User Session";
38 res.jsonValue["Description"] = "Manager User Session";
39 res.jsonValue["ClientOriginIPAddress"] = session.clientIp;
Sunitha Harishc0ea7ae2020-10-30 02:37:30 -050040#ifdef BMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE
Ed Tanousfaa34cc2021-06-03 13:27:02 -070041 res.jsonValue["Oem"]["OpenBMC"]["@odata.type"] =
42 "#OemSession.v1_0_0.Session";
43 res.jsonValue["Oem"]["OpenBMC"]["ClientID"] = session.clientId;
Sunitha Harish08bdcc72020-05-12 05:17:57 -050044#endif
Ed Tanousfaa34cc2021-06-03 13:27:02 -070045}
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +010046
Ed Tanous724340d2022-03-14 09:10:07 -070047inline void
Ed Tanous45ca1b82022-03-25 13:07:27 -070048 handleSessionGet(crow::App& app, const crow::Request& req,
Ed Tanous724340d2022-03-14 09:10:07 -070049 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
50 const std::string& sessionId)
51{
Carson Labrado3ba00072022-06-06 19:40:56 +000052 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
Ed Tanous45ca1b82022-03-25 13:07:27 -070053 {
54 return;
55 }
Ed Tanous724340d2022-03-14 09:10:07 -070056 // Note that control also reaches here via doPost and doDelete.
57 auto session =
58 persistent_data::SessionStore::getInstance().getSessionByUid(sessionId);
59
60 if (session == nullptr)
61 {
62 messages::resourceNotFound(asyncResp->res, "Session", sessionId);
63 return;
64 }
65
66 fillSessionObject(asyncResp->res, *session);
67}
68
69inline void
Ed Tanous45ca1b82022-03-25 13:07:27 -070070 handleSessionDelete(crow::App& app, const crow::Request& req,
Ed Tanous724340d2022-03-14 09:10:07 -070071 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
72 const std::string& sessionId)
73{
Carson Labrado3ba00072022-06-06 19:40:56 +000074 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
Ed Tanous45ca1b82022-03-25 13:07:27 -070075 {
76 return;
77 }
Ed Tanous724340d2022-03-14 09:10:07 -070078 auto session =
79 persistent_data::SessionStore::getInstance().getSessionByUid(sessionId);
80
81 if (session == nullptr)
82 {
83 messages::resourceNotFound(asyncResp->res, "Session", sessionId);
84 return;
85 }
86
87 // Perform a proper ConfigureSelf authority check. If a
88 // session is being used to DELETE some other user's session,
89 // then the ConfigureSelf privilege does not apply. In that
90 // case, perform the authority check again without the user's
91 // ConfigureSelf privilege.
wukaihua-fii-na0fd29862022-05-18 09:19:16 +080092 if (req.session != nullptr && !session->username.empty() &&
93 session->username != req.session->username)
Ed Tanous724340d2022-03-14 09:10:07 -070094 {
95 Privileges effectiveUserPrivileges =
96 redfish::getUserPrivileges(req.userRole);
97
98 if (!effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"}))
99 {
100 messages::insufficientPrivilege(asyncResp->res);
101 return;
102 }
103 }
104
105 persistent_data::SessionStore::getInstance().removeSession(session);
106 messages::success(asyncResp->res);
107}
108
109inline nlohmann::json getSessionCollectionMembers()
110{
111 std::vector<const std::string*> sessionIds =
112 persistent_data::SessionStore::getInstance().getUniqueIds(
113 false, persistent_data::PersistenceType::TIMEOUT);
114 nlohmann::json ret = nlohmann::json::array();
115 for (const std::string* uid : sessionIds)
116 {
Ed Tanous14766872022-03-15 10:44:42 -0700117 nlohmann::json::object_t session;
118 session["@odata.id"] = "/redfish/v1/SessionService/Sessions/" + *uid;
119 ret.push_back(std::move(session));
Ed Tanous724340d2022-03-14 09:10:07 -0700120 }
121 return ret;
122}
123
124inline void handleSessionCollectionGet(
Ed Tanous45ca1b82022-03-25 13:07:27 -0700125 crow::App& app, const crow::Request& req,
Ed Tanous724340d2022-03-14 09:10:07 -0700126 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
127{
Carson Labrado3ba00072022-06-06 19:40:56 +0000128 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
Ed Tanous45ca1b82022-03-25 13:07:27 -0700129 {
130 return;
131 }
Ed Tanous724340d2022-03-14 09:10:07 -0700132 asyncResp->res.jsonValue["Members"] = getSessionCollectionMembers();
133 asyncResp->res.jsonValue["Members@odata.count"] =
134 asyncResp->res.jsonValue["Members"].size();
135 asyncResp->res.jsonValue["@odata.type"] =
136 "#SessionCollection.SessionCollection";
137 asyncResp->res.jsonValue["@odata.id"] =
138 "/redfish/v1/SessionService/Sessions/";
139 asyncResp->res.jsonValue["Name"] = "Session Collection";
140 asyncResp->res.jsonValue["Description"] = "Session Collection";
141}
142
143inline void handleSessionCollectionMembersGet(
Ed Tanous45ca1b82022-03-25 13:07:27 -0700144 crow::App& app, const crow::Request& req,
Ed Tanous724340d2022-03-14 09:10:07 -0700145 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
146{
Carson Labrado3ba00072022-06-06 19:40:56 +0000147 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
Ed Tanous45ca1b82022-03-25 13:07:27 -0700148 {
149 return;
150 }
Ed Tanous724340d2022-03-14 09:10:07 -0700151 asyncResp->res.jsonValue = getSessionCollectionMembers();
152}
153
Ed Tanous4ee8e212022-05-28 09:42:51 -0700154inline void handleSessionCollectionPost(
Ed Tanous45ca1b82022-03-25 13:07:27 -0700155 crow::App& app, const crow::Request& req,
Ed Tanous724340d2022-03-14 09:10:07 -0700156 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
157{
Carson Labrado3ba00072022-06-06 19:40:56 +0000158 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
Ed Tanous45ca1b82022-03-25 13:07:27 -0700159 {
160 return;
161 }
Ed Tanous724340d2022-03-14 09:10:07 -0700162 std::string username;
163 std::string password;
164 std::optional<nlohmann::json> oemObject;
165 std::string clientId;
166 if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username,
167 "Password", password, "Oem", oemObject))
168 {
169 return;
170 }
171
172 if (password.empty() || username.empty() ||
173 asyncResp->res.result() != boost::beast::http::status::ok)
174 {
175 if (username.empty())
176 {
177 messages::propertyMissing(asyncResp->res, "UserName");
178 }
179
180 if (password.empty())
181 {
182 messages::propertyMissing(asyncResp->res, "Password");
183 }
184
185 return;
186 }
187
188 int pamrc = pamAuthenticateUser(username, password);
189 bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD;
190 if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly)
191 {
192 messages::resourceAtUriUnauthorized(asyncResp->res, req.urlView,
193 "Invalid username or password");
194 return;
195 }
196#ifdef BMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE
197 if (oemObject)
198 {
199 std::optional<nlohmann::json> bmcOem;
200 if (!json_util::readJson(*oemObject, asyncResp->res, "OpenBMC", bmcOem))
201 {
202 return;
203 }
204 if (!json_util::readJson(*bmcOem, asyncResp->res, "ClientID", clientId))
205 {
206 BMCWEB_LOG_ERROR << "Could not read ClientId";
207 return;
208 }
209 }
210#endif
211
212 // User is authenticated - create session
213 std::shared_ptr<persistent_data::UserSession> session =
214 persistent_data::SessionStore::getInstance().generateUserSession(
215 username, req.ipAddress, clientId,
216 persistent_data::PersistenceType::TIMEOUT, isConfigureSelfOnly);
217 asyncResp->res.addHeader("X-Auth-Token", session->sessionToken);
218 asyncResp->res.addHeader(
219 "Location", "/redfish/v1/SessionService/Sessions/" + session->uniqueId);
220 asyncResp->res.result(boost::beast::http::status::created);
221 if (session->isConfigureSelfOnly)
222 {
223 messages::passwordChangeRequired(
224 asyncResp->res,
225 crow::utility::urlFromPieces("redfish", "v1", "AccountService",
226 "Accounts", req.session->username));
227 }
228
229 fillSessionObject(asyncResp->res, *session);
230}
231inline void
Ed Tanous45ca1b82022-03-25 13:07:27 -0700232 handleSessionServiceGet(crow::App& app, const crow::Request& req,
Ed Tanous724340d2022-03-14 09:10:07 -0700233 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
234
235{
Carson Labrado3ba00072022-06-06 19:40:56 +0000236 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
Ed Tanous45ca1b82022-03-25 13:07:27 -0700237 {
238 return;
239 }
Ed Tanous724340d2022-03-14 09:10:07 -0700240 asyncResp->res.jsonValue["@odata.type"] =
241 "#SessionService.v1_0_2.SessionService";
242 asyncResp->res.jsonValue["@odata.id"] = "/redfish/v1/SessionService/";
243 asyncResp->res.jsonValue["Name"] = "Session Service";
244 asyncResp->res.jsonValue["Id"] = "SessionService";
245 asyncResp->res.jsonValue["Description"] = "Session Service";
246 asyncResp->res.jsonValue["SessionTimeout"] =
247 persistent_data::SessionStore::getInstance().getTimeoutInSeconds();
248 asyncResp->res.jsonValue["ServiceEnabled"] = true;
249
Ed Tanous14766872022-03-15 10:44:42 -0700250 asyncResp->res.jsonValue["Sessions"]["@odata.id"] =
251 "/redfish/v1/SessionService/Sessions";
Ed Tanous724340d2022-03-14 09:10:07 -0700252}
253
254inline void handleSessionServicePatch(
Ed Tanous45ca1b82022-03-25 13:07:27 -0700255 crow::App& app, const crow::Request& req,
Ed Tanous724340d2022-03-14 09:10:07 -0700256 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
257{
Carson Labrado3ba00072022-06-06 19:40:56 +0000258 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
Ed Tanous45ca1b82022-03-25 13:07:27 -0700259 {
260 return;
261 }
Ed Tanous724340d2022-03-14 09:10:07 -0700262 std::optional<int64_t> sessionTimeout;
263 if (!json_util::readJsonPatch(req, asyncResp->res, "SessionTimeout",
264 sessionTimeout))
265 {
266 return;
267 }
268
269 if (sessionTimeout)
270 {
271 // The mininum & maximum allowed values for session timeout
272 // are 30 seconds and 86400 seconds respectively as per the
273 // session service schema mentioned at
274 // https://redfish.dmtf.org/schemas/v1/SessionService.v1_1_7.json
275
276 if (*sessionTimeout <= 86400 && *sessionTimeout >= 30)
277 {
278 std::chrono::seconds sessionTimeoutInseconds(*sessionTimeout);
279 persistent_data::SessionStore::getInstance().updateSessionTimeout(
280 sessionTimeoutInseconds);
281 messages::propertyValueModified(asyncResp->res, "SessionTimeOut",
282 std::to_string(*sessionTimeout));
283 }
284 else
285 {
286 messages::propertyValueNotInList(asyncResp->res,
287 std::to_string(*sessionTimeout),
288 "SessionTimeOut");
289 }
290 }
291}
292
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700293inline void requestRoutesSession(App& app)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700294{
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700295 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -0700296 .privileges(redfish::privileges::getSession)
Ed Tanous45ca1b82022-03-25 13:07:27 -0700297 .methods(boost::beast::http::verb::get)(
298 std::bind_front(handleSessionGet, std::ref(app)));
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100299
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700300 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -0700301 .privileges(redfish::privileges::deleteSession)
Ed Tanous45ca1b82022-03-25 13:07:27 -0700302 .methods(boost::beast::http::verb::delete_)(
303 std::bind_front(handleSessionDelete, std::ref(app)));
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700304
305 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/")
Ed Tanoused398212021-06-09 17:05:54 -0700306 .privileges(redfish::privileges::getSessionCollection)
Ed Tanous45ca1b82022-03-25 13:07:27 -0700307 .methods(boost::beast::http::verb::get)(
308 std::bind_front(handleSessionCollectionGet, std::ref(app)));
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700309
Ed Tanouse76cd862022-03-14 09:12:00 -0700310 // Note, the next two routes technically don't match the privilege
Ed Tanous724340d2022-03-14 09:10:07 -0700311 // registry given the way login mechanisms work. The base privilege
312 // registry lists this endpoint as requiring login privilege, but because
313 // this is the endpoint responsible for giving the login privilege, and it
314 // is itself its own route, it needs to not require Login
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700315 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/")
316 .privileges({})
Ed Tanous45ca1b82022-03-25 13:07:27 -0700317 .methods(boost::beast::http::verb::post)(
318 std::bind_front(handleSessionCollectionPost, std::ref(app)));
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100319
Ed Tanouse76cd862022-03-14 09:12:00 -0700320 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/Members/")
321 .privileges({})
Ed Tanous45ca1b82022-03-25 13:07:27 -0700322 .methods(boost::beast::http::verb::post)(
323 std::bind_front(handleSessionCollectionPost, std::ref(app)));
Ed Tanouse76cd862022-03-14 09:12:00 -0700324
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700325 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/")
Ed Tanoused398212021-06-09 17:05:54 -0700326 .privileges(redfish::privileges::getSessionService)
Ed Tanous45ca1b82022-03-25 13:07:27 -0700327 .methods(boost::beast::http::verb::get)(
328 std::bind_front(handleSessionServiceGet, std::ref(app)));
Borawski.Lukasz5d27b852018-02-08 13:24:24 +0100329
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700330 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/")
Ed Tanoused398212021-06-09 17:05:54 -0700331 .privileges(redfish::privileges::patchSessionService)
Ed Tanous45ca1b82022-03-25 13:07:27 -0700332 .methods(boost::beast::http::verb::patch)(
333 std::bind_front(handleSessionServicePatch, std::ref(app)));
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700334}
Borawski.Lukasz5d27b852018-02-08 13:24:24 +0100335
Ed Tanous1abe55e2018-09-05 08:30:59 -0700336} // namespace redfish