Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / e0d918bc397350aa21af3dab9faa6e21748f6373 / . / include / sessions.hpp
blob: fdd12000f48b3dd25c64e39221c2e27b7bb9ae9f [file] [log] [blame]
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]1#pragma once
2
3#include <nlohmann/json.hpp>
4#include <pam_authenticate.hpp>
5#include <webassets.hpp>
6#include <random>
7#include <crow/app.h>
8#include <crow/http_request.h>
9#include <crow/http_response.h>
10#include <boost/container/flat_map.hpp>
11#include <boost/uuid/uuid.hpp>
12#include <boost/uuid/uuid_generators.hpp>
13#include <boost/uuid/uuid_io.hpp>
14
15namespace crow {
16
17namespace PersistentData {
18
19enum class PersistenceType {
20 TIMEOUT, // User session times out after a predetermined amount of time
21 SINGLE_REQUEST // User times out once this request is completed.
22};
23
24struct UserSession {
25 std::string unique_id;
26 std::string session_token;
27 std::string username;
28 std::string csrf_token;
29 std::chrono::time_point<std::chrono::steady_clock> last_updated;
30 PersistenceType persistence;
Kowalski, Kamil5cef0f72018-02-15 15:26:51 +0100[diff] [blame]31
32 /**
33 * @brief Fills object with data from UserSession's JSON representation
34 *
35 * This replaces nlohmann's from_json to ensure no-throw approach
36 *
37 * @param[in] j JSON object from which data should be loaded
38 *
39 * @return true if data has been loaded properly, false otherwise
40 */
41 bool fromJson(const nlohmann::json& j) {
42 auto jUid = j.find("unique_id");
43 auto jToken = j.find("session_token");
44 auto jUsername = j.find("username");
45 auto jCsrf = j.find("csrf_token");
46
47 // Verify existence
48 if (jUid == j.end() || jToken == j.end() || jUsername == j.end() ||
49 jCsrf == j.end()) {
50 return false;
51 }
52
53 // Verify types
54 if (!jUid->is_string() || !jToken->is_string() || !jUsername->is_string() ||
55 !jCsrf->is_string()) {
56 return false;
57 }
58
59 unique_id = jUid->get<std::string>();
60 session_token = jToken->get<std::string>();
61 username = jUsername->get<std::string>();
62 csrf_token = jCsrf->get<std::string>();
63
64 // For now, sessions that were persisted through a reboot get their timer
65 // reset. This could probably be overcome with a better understanding of
66 // wall clock time and steady timer time, possibly persisting values with
67 // wall clock time instead of steady timer, but the tradeoffs of all the
68 // corner cases involved are non-trivial, so this is done temporarily
69 last_updated = std::chrono::steady_clock::now();
70 persistence = PersistenceType::TIMEOUT;
71
72 return true;
73 }
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]74};
75
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame^]76void to_json(nlohmann::json& j, const std::shared_ptr<UserSession> p) {
77 if (p->persistence != PersistenceType::SINGLE_REQUEST) {
78 j = {{"unique_id", p->unique_id},
79 {"session_token", p->session_token},
80 {"username", p->username},
81 {"csrf_token", p->csrf_token}};
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]82 }
83}
84
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]85class Middleware;
86
87class SessionStore {
88 public:
Borawski.Lukasz5d27b852018-02-08 13:24:24 +0100[diff] [blame]89 SessionStore() : timeout_in_minutes(60) {}
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame^]90 std::shared_ptr<UserSession> generate_user_session(
91 const boost::string_view username,
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]92 PersistenceType persistence = PersistenceType::TIMEOUT) {
93 // TODO(ed) find a secure way to not generate session identifiers if
94 // persistence is set to SINGLE_REQUEST
95 static constexpr std::array<char, 62> alphanum = {
96 '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C',
97 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
98 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c',
99 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p',
100 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'};
101
102 // entropy: 30 characters, 62 possibilities. log2(62^30) = 178 bits of
103 // entropy. OWASP recommends at least 60
104 // https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Entropy
105 std::string session_token;
106 session_token.resize(20, '0');
107 std::uniform_int_distribution<int> dist(0, alphanum.size() - 1);
108 for (int i = 0; i < session_token.size(); ++i) {
109 session_token[i] = alphanum[dist(rd)];
110 }
111 // Only need csrf tokens for cookie based auth, token doesn't matter
112 std::string csrf_token;
113 csrf_token.resize(20, '0');
114 for (int i = 0; i < csrf_token.size(); ++i) {
115 csrf_token[i] = alphanum[dist(rd)];
116 }
117
118 std::string unique_id;
119 unique_id.resize(10, '0');
120 for (int i = 0; i < unique_id.size(); ++i) {
121 unique_id[i] = alphanum[dist(rd)];
122 }
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame^]123 auto session = std::make_shared<UserSession>(
124 UserSession{unique_id, session_token, std::string(username), csrf_token,
125 std::chrono::steady_clock::now(), persistence});
126 auto it = auth_tokens.emplace(std::make_pair(session_token, session));
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]127 // Only need to write to disk if session isn't about to be destroyed.
128 need_write_ = persistence == PersistenceType::TIMEOUT;
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame^]129 return it.first->second;
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]130 }
131
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame^]132 std::shared_ptr<UserSession> login_session_by_token(
133 const boost::string_view token) {
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]134 apply_session_timeouts();
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame^]135 auto session_it = auth_tokens.find(std::string(token));
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]136 if (session_it == auth_tokens.end()) {
137 return nullptr;
138 }
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame^]139 std::shared_ptr<UserSession> user_session = session_it->second;
140 user_session->last_updated = std::chrono::steady_clock::now();
141 return user_session;
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]142 }
143
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame^]144 std::shared_ptr<UserSession> get_session_by_uid(
145 const boost::string_view uid) {
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]146 apply_session_timeouts();
147 // TODO(Ed) this is inefficient
148 auto session_it = auth_tokens.begin();
149 while (session_it != auth_tokens.end()) {
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame^]150 if (session_it->second->unique_id == uid) {
151 return session_it->second;
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]152 }
153 session_it++;
154 }
155 return nullptr;
156 }
157
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame^]158 void remove_session(std::shared_ptr<UserSession> session) {
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]159 auth_tokens.erase(session->session_token);
160 need_write_ = true;
161 }
162
163 std::vector<const std::string*> get_unique_ids(
164 bool getAll = true,
165 const PersistenceType& type = PersistenceType::SINGLE_REQUEST) {
166 apply_session_timeouts();
167
168 std::vector<const std::string*> ret;
169 ret.reserve(auth_tokens.size());
170 for (auto& session : auth_tokens) {
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame^]171 if (getAll || type == session.second->persistence) {
172 ret.push_back(&session.second->unique_id);
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]173 }
174 }
175 return ret;
176 }
177
178 bool needs_write() { return need_write_; }
Borawski.Lukasz5d27b852018-02-08 13:24:24 +0100[diff] [blame]179 int get_timeout_in_seconds() const {
180 return std::chrono::seconds(timeout_in_minutes).count();
181 };
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]182
183 // Persistent data middleware needs to be able to serialize our auth_tokens
184 // structure, which is private
185 friend Middleware;
186
187 private:
188 void apply_session_timeouts() {
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]189 auto time_now = std::chrono::steady_clock::now();
190 if (time_now - last_timeout_update > std::chrono::minutes(1)) {
191 last_timeout_update = time_now;
192 auto auth_tokens_it = auth_tokens.begin();
193 while (auth_tokens_it != auth_tokens.end()) {
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame^]194 if (time_now - auth_tokens_it->second->last_updated >=
Borawski.Lukasz5d27b852018-02-08 13:24:24 +0100[diff] [blame]195 timeout_in_minutes) {
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]196 auth_tokens_it = auth_tokens.erase(auth_tokens_it);
197 need_write_ = true;
198 } else {
199 auth_tokens_it++;
200 }
201 }
202 }
203 }
204 std::chrono::time_point<std::chrono::steady_clock> last_timeout_update;
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame^]205 boost::container::flat_map<std::string, std::shared_ptr<UserSession>>
206 auth_tokens;
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]207 std::random_device rd;
208 bool need_write_{false};
Borawski.Lukasz5d27b852018-02-08 13:24:24 +0100[diff] [blame]209 std::chrono::minutes timeout_in_minutes;
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]210};
211
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame^]212} // namespace PersistentData
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]213} // namespace crow