Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / ef4c65b741724d724452a3a0efe8dff0d450514a / . / redfish-core / lib / redfish_sessions.hpp
blob: 065878e373b6d0267566e00a7a0cda21a1271de0 [file] [log] [blame]
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]1/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Borawski.Lukasz43a095a2018-02-19 15:39:01 +0100[diff] [blame]17
Ed Tanous3ccb3ad2023-01-13 17:40:03 -0800[diff] [blame]18#include "app.hpp"
Kowalski, Kamilf4c4dcf2018-01-29 14:55:35 +0100[diff] [blame]19#include "error_messages.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -0800[diff] [blame]20#include "http/utility.hpp"
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]21#include "persistent_data.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -0800[diff] [blame]22#include "query.hpp"
23#include "registries/privilege_registry.hpp"
24#include "utils/json_utils.hpp"
John Edward Broadbent7e860f12021-04-08 15:57:16 -0700[diff] [blame]25
Ed Tanousef4c65b2023-04-24 15:28:50 -0700[diff] [blame^]26#include <boost/url/format.hpp>
27
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]28namespace redfish
29{
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]30
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]31inline void fillSessionObject(crow::Response& res,
32 const persistent_data::UserSession& session)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]33{
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700[diff] [blame]34 res.jsonValue["Id"] = session.uniqueId;
35 res.jsonValue["UserName"] = session.username;
Ed Tanousef4c65b2023-04-24 15:28:50 -0700[diff] [blame^]36 res.jsonValue["@odata.id"] = boost::urls::format(
37 "/redfish/v1/SessionService/Sessions/{}", session.uniqueId);
Ed Tanousbb759e32022-08-02 17:07:54 -0700[diff] [blame]38 res.jsonValue["@odata.type"] = "#Session.v1_5_0.Session";
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700[diff] [blame]39 res.jsonValue["Name"] = "User Session";
40 res.jsonValue["Description"] = "Manager User Session";
41 res.jsonValue["ClientOriginIPAddress"] = session.clientIp;
Ed Tanousbb759e32022-08-02 17:07:54 -0700[diff] [blame]42 if (session.clientId)
43 {
44 res.jsonValue["Context"] = *session.clientId;
45 }
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700[diff] [blame]46}
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]47
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]48inline void
Ed Tanousa1e08712022-07-07 16:10:39 -0700[diff] [blame]49 handleSessionHead(crow::App& app, const crow::Request& req,
50 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
51 const std::string& /*sessionId*/)
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]52{
Carson Labrado3ba00072022-06-06 19:40:56 +0000[diff] [blame]53 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]54 {
55 return;
56 }
Ed Tanousa1e08712022-07-07 16:10:39 -0700[diff] [blame]57 asyncResp->res.addHeader(
58 boost::beast::http::field::link,
59 "</redfish/v1/JsonSchemas/Session/Session.json>; rel=describedby");
60}
61
62inline void
63 handleSessionGet(crow::App& app, const crow::Request& req,
64 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
65 const std::string& sessionId)
66{
67 handleSessionHead(app, req, asyncResp, sessionId);
68
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]69 // Note that control also reaches here via doPost and doDelete.
70 auto session =
71 persistent_data::SessionStore::getInstance().getSessionByUid(sessionId);
72
73 if (session == nullptr)
74 {
75 messages::resourceNotFound(asyncResp->res, "Session", sessionId);
76 return;
77 }
78
79 fillSessionObject(asyncResp->res, *session);
80}
81
82inline void
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]83 handleSessionDelete(crow::App& app, const crow::Request& req,
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]84 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
85 const std::string& sessionId)
86{
Carson Labrado3ba00072022-06-06 19:40:56 +0000[diff] [blame]87 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]88 {
89 return;
90 }
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]91 auto session =
92 persistent_data::SessionStore::getInstance().getSessionByUid(sessionId);
93
94 if (session == nullptr)
95 {
96 messages::resourceNotFound(asyncResp->res, "Session", sessionId);
97 return;
98 }
99
100 // Perform a proper ConfigureSelf authority check. If a
101 // session is being used to DELETE some other user's session,
102 // then the ConfigureSelf privilege does not apply. In that
103 // case, perform the authority check again without the user's
104 // ConfigureSelf privilege.
wukaihua-fii-na0fd29862022-05-18 09:19:16 +0800[diff] [blame]105 if (req.session != nullptr && !session->username.empty() &&
106 session->username != req.session->username)
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]107 {
108 Privileges effectiveUserPrivileges =
109 redfish::getUserPrivileges(req.userRole);
110
111 if (!effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"}))
112 {
113 messages::insufficientPrivilege(asyncResp->res);
114 return;
115 }
116 }
117
118 persistent_data::SessionStore::getInstance().removeSession(session);
119 messages::success(asyncResp->res);
120}
121
122inline nlohmann::json getSessionCollectionMembers()
123{
124 std::vector<const std::string*> sessionIds =
125 persistent_data::SessionStore::getInstance().getUniqueIds(
126 false, persistent_data::PersistenceType::TIMEOUT);
127 nlohmann::json ret = nlohmann::json::array();
128 for (const std::string* uid : sessionIds)
129 {
Ed Tanous14766872022-03-15 10:44:42 -0700[diff] [blame]130 nlohmann::json::object_t session;
Ed Tanousef4c65b2023-04-24 15:28:50 -0700[diff] [blame^]131 session["@odata.id"] =
132 boost::urls::format("/redfish/v1/SessionService/Sessions/{}", *uid);
Patrick Williamsb2ba3072023-05-12 10:27:39 -0500[diff] [blame]133 ret.emplace_back(std::move(session));
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]134 }
135 return ret;
136}
137
Ed Tanousa1e08712022-07-07 16:10:39 -0700[diff] [blame]138inline void handleSessionCollectionHead(
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]139 crow::App& app, const crow::Request& req,
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]140 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
141{
Carson Labrado3ba00072022-06-06 19:40:56 +0000[diff] [blame]142 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]143 {
144 return;
145 }
Ed Tanousa1e08712022-07-07 16:10:39 -0700[diff] [blame]146 asyncResp->res.addHeader(
147 boost::beast::http::field::link,
148 "</redfish/v1/JsonSchemas/SessionCollection.json>; rel=describedby");
149}
150
151inline void handleSessionCollectionGet(
152 crow::App& app, const crow::Request& req,
153 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
154{
155 handleSessionCollectionHead(app, req, asyncResp);
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]156 asyncResp->res.jsonValue["Members"] = getSessionCollectionMembers();
157 asyncResp->res.jsonValue["Members@odata.count"] =
158 asyncResp->res.jsonValue["Members"].size();
159 asyncResp->res.jsonValue["@odata.type"] =
160 "#SessionCollection.SessionCollection";
161 asyncResp->res.jsonValue["@odata.id"] =
162 "/redfish/v1/SessionService/Sessions/";
163 asyncResp->res.jsonValue["Name"] = "Session Collection";
164 asyncResp->res.jsonValue["Description"] = "Session Collection";
165}
166
167inline void handleSessionCollectionMembersGet(
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]168 crow::App& app, const crow::Request& req,
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]169 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
170{
Carson Labrado3ba00072022-06-06 19:40:56 +0000[diff] [blame]171 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]172 {
173 return;
174 }
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]175 asyncResp->res.jsonValue = getSessionCollectionMembers();
176}
177
Ed Tanous4ee8e212022-05-28 09:42:51 -0700[diff] [blame]178inline void handleSessionCollectionPost(
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]179 crow::App& app, const crow::Request& req,
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]180 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
181{
Carson Labrado3ba00072022-06-06 19:40:56 +0000[diff] [blame]182 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]183 {
184 return;
185 }
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]186 std::string username;
187 std::string password;
Ed Tanousbb759e32022-08-02 17:07:54 -0700[diff] [blame]188 std::optional<std::string> clientId;
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]189 if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username,
Ed Tanousd678d4f2023-01-07 14:40:40 -0800[diff] [blame]190 "Password", password, "Context", clientId))
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]191 {
192 return;
193 }
194
195 if (password.empty() || username.empty() ||
196 asyncResp->res.result() != boost::beast::http::status::ok)
197 {
198 if (username.empty())
199 {
200 messages::propertyMissing(asyncResp->res, "UserName");
201 }
202
203 if (password.empty())
204 {
205 messages::propertyMissing(asyncResp->res, "Password");
206 }
207
208 return;
209 }
210
211 int pamrc = pamAuthenticateUser(username, password);
212 bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD;
213 if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly)
214 {
Ed Tanous39662a32023-02-06 15:09:46 -0800[diff] [blame]215 messages::resourceAtUriUnauthorized(asyncResp->res, req.url(),
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]216 "Invalid username or password");
217 return;
218 }
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]219
220 // User is authenticated - create session
221 std::shared_ptr<persistent_data::UserSession> session =
222 persistent_data::SessionStore::getInstance().generateUserSession(
223 username, req.ipAddress, clientId,
224 persistent_data::PersistenceType::TIMEOUT, isConfigureSelfOnly);
Brad Bishop02e53ae2022-07-29 14:38:40 -0400[diff] [blame]225 if (session == nullptr)
226 {
227 messages::internalError(asyncResp->res);
228 return;
229 }
230
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]231 asyncResp->res.addHeader("X-Auth-Token", session->sessionToken);
232 asyncResp->res.addHeader(
233 "Location", "/redfish/v1/SessionService/Sessions/" + session->uniqueId);
234 asyncResp->res.result(boost::beast::http::status::created);
235 if (session->isConfigureSelfOnly)
236 {
237 messages::passwordChangeRequired(
238 asyncResp->res,
Ed Tanousef4c65b2023-04-24 15:28:50 -0700[diff] [blame^]239 boost::urls::format("/redfish/v1/AccountService/Accounts/{}",
240 session->username));
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]241 }
242
243 fillSessionObject(asyncResp->res, *session);
244}
Ed Tanousa1e08712022-07-07 16:10:39 -0700[diff] [blame]245inline void handleSessionServiceHead(
246 crow::App& app, const crow::Request& req,
247 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
248{
Ed Tanousa1e08712022-07-07 16:10:39 -0700[diff] [blame]249 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
250 {
251 return;
252 }
253 asyncResp->res.addHeader(
254 boost::beast::http::field::link,
255 "</redfish/v1/JsonSchemas/SessionService/SessionService.json>; rel=describedby");
256}
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]257inline void
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]258 handleSessionServiceGet(crow::App& app, const crow::Request& req,
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]259 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
260
261{
Ed Tanousa1e08712022-07-07 16:10:39 -0700[diff] [blame]262 handleSessionServiceHead(app, req, asyncResp);
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]263 asyncResp->res.jsonValue["@odata.type"] =
264 "#SessionService.v1_0_2.SessionService";
265 asyncResp->res.jsonValue["@odata.id"] = "/redfish/v1/SessionService/";
266 asyncResp->res.jsonValue["Name"] = "Session Service";
267 asyncResp->res.jsonValue["Id"] = "SessionService";
268 asyncResp->res.jsonValue["Description"] = "Session Service";
269 asyncResp->res.jsonValue["SessionTimeout"] =
270 persistent_data::SessionStore::getInstance().getTimeoutInSeconds();
271 asyncResp->res.jsonValue["ServiceEnabled"] = true;
272
Ed Tanous14766872022-03-15 10:44:42 -0700[diff] [blame]273 asyncResp->res.jsonValue["Sessions"]["@odata.id"] =
274 "/redfish/v1/SessionService/Sessions";
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]275}
276
277inline void handleSessionServicePatch(
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]278 crow::App& app, const crow::Request& req,
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]279 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
280{
Carson Labrado3ba00072022-06-06 19:40:56 +0000[diff] [blame]281 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]282 {
283 return;
284 }
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]285 std::optional<int64_t> sessionTimeout;
286 if (!json_util::readJsonPatch(req, asyncResp->res, "SessionTimeout",
287 sessionTimeout))
288 {
289 return;
290 }
291
292 if (sessionTimeout)
293 {
294 // The mininum & maximum allowed values for session timeout
295 // are 30 seconds and 86400 seconds respectively as per the
296 // session service schema mentioned at
297 // https://redfish.dmtf.org/schemas/v1/SessionService.v1_1_7.json
298
299 if (*sessionTimeout <= 86400 && *sessionTimeout >= 30)
300 {
301 std::chrono::seconds sessionTimeoutInseconds(*sessionTimeout);
302 persistent_data::SessionStore::getInstance().updateSessionTimeout(
303 sessionTimeoutInseconds);
304 messages::propertyValueModified(asyncResp->res, "SessionTimeOut",
305 std::to_string(*sessionTimeout));
306 }
307 else
308 {
309 messages::propertyValueNotInList(asyncResp->res,
310 std::to_string(*sessionTimeout),
311 "SessionTimeOut");
312 }
313 }
314}
315
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700[diff] [blame]316inline void requestRoutesSession(App& app)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]317{
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700[diff] [blame]318 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/")
Ed Tanousa1e08712022-07-07 16:10:39 -0700[diff] [blame]319 .privileges(redfish::privileges::headSession)
320 .methods(boost::beast::http::verb::head)(
321 std::bind_front(handleSessionHead, std::ref(app)));
322
323 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]324 .privileges(redfish::privileges::getSession)
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]325 .methods(boost::beast::http::verb::get)(
326 std::bind_front(handleSessionGet, std::ref(app)));
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]327
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700[diff] [blame]328 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]329 .privileges(redfish::privileges::deleteSession)
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]330 .methods(boost::beast::http::verb::delete_)(
331 std::bind_front(handleSessionDelete, std::ref(app)));
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700[diff] [blame]332
333 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/")
Ed Tanousa1e08712022-07-07 16:10:39 -0700[diff] [blame]334 .privileges(redfish::privileges::headSessionCollection)
335 .methods(boost::beast::http::verb::head)(
336 std::bind_front(handleSessionCollectionHead, std::ref(app)));
337
338 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]339 .privileges(redfish::privileges::getSessionCollection)
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]340 .methods(boost::beast::http::verb::get)(
341 std::bind_front(handleSessionCollectionGet, std::ref(app)));
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700[diff] [blame]342
Ed Tanouse76cd862022-03-14 09:12:00 -0700[diff] [blame]343 // Note, the next two routes technically don't match the privilege
Ed Tanous724340d2022-03-14 09:10:07 -0700[diff] [blame]344 // registry given the way login mechanisms work. The base privilege
345 // registry lists this endpoint as requiring login privilege, but because
346 // this is the endpoint responsible for giving the login privilege, and it
347 // is itself its own route, it needs to not require Login
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700[diff] [blame]348 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/")
349 .privileges({})
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]350 .methods(boost::beast::http::verb::post)(
351 std::bind_front(handleSessionCollectionPost, std::ref(app)));
Kowalski, Kamil2b7981f2018-01-31 13:24:59 +0100[diff] [blame]352
Ed Tanouse76cd862022-03-14 09:12:00 -0700[diff] [blame]353 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/Sessions/Members/")
354 .privileges({})
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]355 .methods(boost::beast::http::verb::post)(
356 std::bind_front(handleSessionCollectionPost, std::ref(app)));
Ed Tanouse76cd862022-03-14 09:12:00 -0700[diff] [blame]357
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700[diff] [blame]358 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/")
Ed Tanousa1e08712022-07-07 16:10:39 -0700[diff] [blame]359 .privileges(redfish::privileges::headSessionService)
360 .methods(boost::beast::http::verb::head)(
361 std::bind_front(handleSessionServiceHead, std::ref(app)));
362
363 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]364 .privileges(redfish::privileges::getSessionService)
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]365 .methods(boost::beast::http::verb::get)(
366 std::bind_front(handleSessionServiceGet, std::ref(app)));
Borawski.Lukasz5d27b852018-02-08 13:24:24 +0100[diff] [blame]367
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700[diff] [blame]368 BMCWEB_ROUTE(app, "/redfish/v1/SessionService/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]369 .privileges(redfish::privileges::patchSessionService)
Ed Tanous45ca1b82022-03-25 13:07:27 -0700[diff] [blame]370 .methods(boost::beast::http::verb::patch)(
371 std::bind_front(handleSessionServicePatch, std::ref(app)));
Ed Tanousfaa34cc2021-06-03 13:27:02 -0700[diff] [blame]372}
Borawski.Lukasz5d27b852018-02-08 13:24:24 +0100[diff] [blame]373
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]374} // namespace redfish