Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / e51df0bb1aeb153bb2f22016e7b01617789ef5df / . / include / dbus_privileges.hpp
blob: 524ff1b42a58a29301a37c5e4fc869df24a3713c [file] [log] [blame]
Ed Tanous40e9b922024-09-10 13:50:16 -0700[diff] [blame]1// SPDX-License-Identifier: Apache-2.0
2// SPDX-FileCopyrightText: Copyright OpenBMC Authors
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]3#pragma once
4
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]5#include "async_resp.hpp"
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]6#include "dbus_utility.hpp"
7#include "error_messages.hpp"
8#include "http_request.hpp"
9#include "http_response.hpp"
10#include "logging.hpp"
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]11#include "privileges.hpp"
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]12#include "routing/baserule.hpp"
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]13#include "sessions.hpp"
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]14#include "utils/dbus_utils.hpp"
15
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]16#include <boost/beast/http/status.hpp>
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]17#include <boost/url/format.hpp>
18#include <sdbusplus/unpack_properties.hpp>
19
Ed Tanousbb1c7d32025-02-09 09:39:19 -0800[diff] [blame]20#include <functional>
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]21#include <memory>
Ed Tanousd7857202025-01-28 15:32:26 -0800[diff] [blame]22#include <optional>
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]23#include <string>
24#include <utility>
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]25#include <vector>
26
27namespace crow
28{
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]29// Populate session with user information.
Patrick Williams504af5a2025-02-03 14:29:03 -0500[diff] [blame]30inline bool populateUserInfo(
31 persistent_data::UserSession& session,
32 const dbus::utility::DBusPropertiesMap& userInfoMap)
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]33{
Jonathan Doman522377d2023-08-18 15:27:54 -0700[diff] [blame]34 std::string userRole;
35 bool remoteUser = false;
36 std::optional<bool> passwordExpired;
37 std::optional<std::vector<std::string>> userGroups;
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]38
Jonathan Doman522377d2023-08-18 15:27:54 -0700[diff] [blame]39 const bool success = sdbusplus::unpackPropertiesNoThrow(
40 redfish::dbus_utils::UnpackErrorPrinter(), userInfoMap, "UserPrivilege",
41 userRole, "RemoteUser", remoteUser, "UserPasswordExpired",
42 passwordExpired, "UserGroups", userGroups);
43
44 if (!success)
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]45 {
Jonathan Doman522377d2023-08-18 15:27:54 -0700[diff] [blame]46 BMCWEB_LOG_ERROR("Failed to unpack user properties.");
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]47 return false;
48 }
Jonathan Doman522377d2023-08-18 15:27:54 -0700[diff] [blame]49
50 if (!remoteUser && (!passwordExpired || !userGroups))
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]51 {
Jonathan Doman522377d2023-08-18 15:27:54 -0700[diff] [blame]52 BMCWEB_LOG_ERROR(
53 "Missing UserPasswordExpired or UserGroups property for local user");
54 return false;
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]55 }
Jonathan Doman522377d2023-08-18 15:27:54 -0700[diff] [blame]56
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]57 session.userRole = userRole;
58 BMCWEB_LOG_DEBUG("userName = {} userRole = {}", session.username, userRole);
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]59
60 // Set isConfigureSelfOnly based on D-Bus results. This
61 // ignores the results from both pamAuthenticateUser and the
62 // value from any previous use of this session.
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]63 session.isConfigureSelfOnly = passwordExpired.value_or(false);
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]64
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]65 session.userGroups.clear();
Jonathan Doman522377d2023-08-18 15:27:54 -0700[diff] [blame]66 if (userGroups)
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]67 {
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]68 session.userGroups.swap(*userGroups);
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]69 }
70
71 return true;
72}
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]73
Patrick Williamsbd79bce2024-08-16 15:22:20 -0400[diff] [blame]74inline bool isUserPrivileged(
75 Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
76 BaseRule& rule)
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]77{
Ed Tanousd3dfb6e2023-07-27 09:33:49 -0700[diff] [blame]78 if (req.session == nullptr)
79 {
80 return false;
81 }
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]82 // Get the user's privileges from the role
83 redfish::Privileges userPrivileges =
84 redfish::getUserPrivileges(*req.session);
85
86 // Modify privileges if isConfigureSelfOnly.
87 if (req.session->isConfigureSelfOnly)
88 {
89 // Remove all privileges except ConfigureSelf
90 userPrivileges =
91 userPrivileges.intersection(redfish::Privileges{"ConfigureSelf"});
Ed Tanous62598e32023-07-17 17:06:25 -0700[diff] [blame]92 BMCWEB_LOG_DEBUG("Operation limited to ConfigureSelf");
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]93 }
94
95 if (!rule.checkPrivileges(userPrivileges))
96 {
97 asyncResp->res.result(boost::beast::http::status::forbidden);
98 if (req.session->isConfigureSelfOnly)
99 {
100 redfish::messages::passwordChangeRequired(
101 asyncResp->res,
102 boost::urls::format("/redfish/v1/AccountService/Accounts/{}",
103 req.session->username));
104 }
105 return false;
106 }
107
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]108 req.userRole = req.session->userRole;
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]109 return true;
110}
111
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]112inline bool afterGetUserInfoValidate(
113 Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
114 BaseRule& rule, const dbus::utility::DBusPropertiesMap& userInfoMap)
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]115{
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]116 if (req.session == nullptr || !populateUserInfo(*req.session, userInfoMap))
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]117 {
118 BMCWEB_LOG_ERROR("Failed to populate user information");
119 asyncResp->res.result(
120 boost::beast::http::status::internal_server_error);
Jonathan Doman102a4cd2024-04-15 16:56:23 -0700[diff] [blame]121 return false;
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]122 }
123
124 if (!isUserPrivileged(req, asyncResp, rule))
125 {
126 // User is not privileged
127 BMCWEB_LOG_ERROR("Insufficient Privilege");
128 asyncResp->res.result(boost::beast::http::status::forbidden);
Jonathan Doman102a4cd2024-04-15 16:56:23 -0700[diff] [blame]129 return false;
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]130 }
Jonathan Doman102a4cd2024-04-15 16:56:23 -0700[diff] [blame]131
132 return true;
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]133}
134
Ed Tanousbb1c7d32025-02-09 09:39:19 -0800[diff] [blame]135inline void requestUserInfo(
136 const std::string& username,
137 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
138 std::move_only_function<void(const dbus::utility::DBusPropertiesMap&)>&&
139 callback)
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]140{
Ed Tanous177612a2025-02-14 15:16:09 -0800[diff] [blame]141 dbus::utility::async_method_call(
142 asyncResp,
Ed Tanousbb1c7d32025-02-09 09:39:19 -0800[diff] [blame]143 [asyncResp, callback = std::move(callback)](
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]144 const boost::system::error_code& ec,
145 const dbus::utility::DBusPropertiesMap& userInfoMap) mutable {
Patrick Williamsbd79bce2024-08-16 15:22:20 -0400[diff] [blame]146 if (ec)
147 {
148 BMCWEB_LOG_ERROR("GetUserInfo failed...");
149 asyncResp->res.result(
150 boost::beast::http::status::internal_server_error);
151 return;
152 }
153 callback(userInfoMap);
154 },
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]155 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
156 "xyz.openbmc_project.User.Manager", "GetUserInfo", username);
157}
158
Ed Tanousbb1c7d32025-02-09 09:39:19 -0800[diff] [blame]159inline void validatePrivilege(
160 const std::shared_ptr<Request>& req,
161 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, BaseRule& rule,
162 std::move_only_function<void()>&& callback)
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]163{
Jonathan Doman102a4cd2024-04-15 16:56:23 -0700[diff] [blame]164 if (req->session == nullptr)
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]165 {
166 return;
167 }
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]168
169 requestUserInfo(
170 req->session->username, asyncResp,
Ed Tanousbb1c7d32025-02-09 09:39:19 -0800[diff] [blame]171 [req, asyncResp, &rule, callback = std::move(callback)](
Gunnar Mills59ba6382023-08-01 12:41:17 -0500[diff] [blame]172 const dbus::utility::DBusPropertiesMap& userInfoMap) mutable {
Patrick Williamsbd79bce2024-08-16 15:22:20 -0400[diff] [blame]173 if (afterGetUserInfoValidate(*req, asyncResp, rule, userInfoMap))
174 {
175 callback();
176 }
177 });
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]178}
179
Ed Tanousbb1c7d32025-02-09 09:39:19 -0800[diff] [blame]180inline void getUserInfo(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
181 const std::string& username,
182 std::shared_ptr<persistent_data::UserSession>& session,
183 std::move_only_function<void()>&& callback)
Paul Fertser478c5a52024-06-26 22:27:59 +0000[diff] [blame]184{
185 requestUserInfo(
186 username, asyncResp,
Ed Tanousbb1c7d32025-02-09 09:39:19 -0800[diff] [blame]187 [asyncResp, session, callback = std::move(callback)](
188 const dbus::utility::DBusPropertiesMap& userInfoMap) mutable {
Patrick Williamsbd79bce2024-08-16 15:22:20 -0400[diff] [blame]189 if (!populateUserInfo(*session, userInfoMap))
190 {
191 BMCWEB_LOG_ERROR("Failed to populate user information");
192 asyncResp->res.result(
193 boost::beast::http::status::internal_server_error);
194 return;
195 }
196 callback();
197 });
Ed Tanous08bbe112023-04-06 13:10:02 -0700[diff] [blame]198}
199
200} // namespace crow