Adding Set Password API support in Userlayer

Moved the pam function from libusercommand to libuserlayer Added the setPassword API in user layer. There are modules which requires to use set password functionality (other ipmi providers-OEM),so it's better to keep the set-password abstracted in user-layer instead of user-commands. LIBS macro hold libpam and libmapper. we want to separate the libpam from lib usercommand. so,replaced LIBS with libmapper alone. Tested:Able to set the password in ipmi using userlayer. ex: ipmitool user set password <userid> <password> user password should set properly. Change-Id: I32d55ff5c042613c89805c6b9393d18cbf880461 Signed-off-by: Suryakanth Sekar <suryakanth.sekar@linux.intel.com>
author: Suryakanth Sekar <suryakanth.sekar@linux.intel.com> 2019-01-16 10:37:57 +0530
committer: Vernon Mauery <vernon.mauery@linux.intel.com> 2019-03-26 16:38:59 +0000
commit: 90b00c71067df78597db92bb60dbacf654a6f80a (patch)
tree: 518214e15a188a194a795dc40e2cae72fceba845 /user_channel/user_mgmt.cpp
parent: 17898f625b04d4fee6c2fd0626c47c93f2c2e7bd (diff)
download: phosphor-host-ipmid-90b00c71067df78597db92bb60dbacf654a6f80a.tar.gz
phosphor-host-ipmid-90b00c71067df78597db92bb60dbacf654a6f80a.zip
1 files changed, 111 insertions, 0 deletions
diff --git a/user_channel/user_mgmt.cpp b/user_channel/user_mgmt.cpp
index 86f51da..f0cd7ad 100644
--- a/user_channel/user_mgmt.cpp
+++ b/user_channel/user_mgmt.cpp
@@ -17,6 +17,7 @@
 
 #include "apphandler.hpp"
 
+#include <security/pam_appl.h>
 #include <sys/stat.h>
 #include <unistd.h>
 
@@ -635,6 +636,116 @@ bool UserAccess::isValidUserName(const char* userNameInChar)
     return true;
 }
 
+/** @brief Information exchanged by pam module and application.
+ *
+ *  @param[in] numMsg - length of the array of pointers,msg.
+ *
+ *  @param[in] msg -  pointer  to an array of pointers to pam_message structure
+ *
+ *  @param[out] resp - struct pam response array
+ *
+ *  @param[in] appdataPtr - member of pam_conv structure
+ *
+ *  @return the response in pam response structure.
+ */
+
+static int pamFunctionConversation(int numMsg, const struct pam_message** msg,
+                                   struct pam_response** resp, void* appdataPtr)
+{
+    if (appdataPtr == nullptr)
+    {
+        return PAM_AUTH_ERR;
+    }
+    size_t passSize = std::strlen(reinterpret_cast<char*>(appdataPtr)) + 1;
+    char* pass = reinterpret_cast<char*>(malloc(passSize));
+    std::strncpy(pass, reinterpret_cast<char*>(appdataPtr), passSize);
+
+    *resp = reinterpret_cast<pam_response*>(
+        calloc(numMsg, sizeof(struct pam_response)));
+
+    for (int i = 0; i < numMsg; ++i)
+    {
+        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF)
+        {
+            continue;
+        }
+        resp[i]->resp = pass;
+    }
+    return PAM_SUCCESS;
+}
+
+/** @brief Updating the PAM password
+ *
+ *  @param[in] username - username in string
+ *
+ *  @param[in] password  - new password in string
+ *
+ *  @return status
+ */
+
+bool pamUpdatePasswd(const char* username, const char* password)
+{
+    const struct pam_conv localConversation = {pamFunctionConversation,
+                                               const_cast<char*>(password)};
+    pam_handle_t* localAuthHandle = NULL; // this gets set by pam_start
+
+    if (pam_start("passwd", username, &localConversation, &localAuthHandle) !=
+        PAM_SUCCESS)
+    {
+        return false;
+    }
+    int retval = pam_chauthtok(localAuthHandle, PAM_SILENT);
+
+    if (retval != PAM_SUCCESS)
+    {
+        if (retval == PAM_AUTHTOK_ERR)
+        {
+            log<level::DEBUG>("Authentication Failure");
+        }
+        else
+        {
+            log<level::DEBUG>("pam_chauthtok returned failure",
+                              entry("ERROR=%d", retval));
+        }
+        pam_end(localAuthHandle, retval);
+        return false;
+    }
+    if (pam_end(localAuthHandle, PAM_SUCCESS) != PAM_SUCCESS)
+    {
+        return false;
+    }
+    return true;
+}
+
+ipmi_ret_t UserAccess::setUserPassword(const uint8_t userId,
+                                       const char* userPassword)
+{
+    std::string userName;
+    if (ipmiUserGetUserName(userId, userName) != IPMI_CC_OK)
+    {
+        log<level::DEBUG>("User Name not found",
+                          entry("USER-ID:%d", (uint8_t)userId));
+        return IPMI_CC_PARM_OUT_OF_RANGE;
+    }
+    std::string passwd;
+    passwd.assign(reinterpret_cast<const char*>(userPassword), 0,
+                  maxIpmi20PasswordSize);
+    if (!std::regex_match(passwd.c_str(),
+                          std::regex("[a-zA-z_0-9][a-zA-Z_0-9,?:`!\"]*")))
+    {
+        log<level::DEBUG>("Invalid password fields",
+                          entry("USER-ID:%d", (uint8_t)userId));
+        return IPMI_CC_INVALID_FIELD_REQUEST;
+    }
+    if (!pamUpdatePasswd(userName.c_str(), passwd.c_str()))
+    {
+        log<level::DEBUG>("Failed to update password",
+                          entry("USER-ID:%d", (uint8_t)userId));
+        return IPMI_CC_UNSPECIFIED_ERROR;
+    }
+    return IPMI_CC_OK;
+}
+
 ipmi_ret_t UserAccess::setUserEnabledState(const uint8_t userId,
                                            const bool& enabledState)
 {
author	Suryakanth Sekar <suryakanth.sekar@linux.intel.com>	2019-01-16 10:37:57 +0530
committer	Vernon Mauery <vernon.mauery@linux.intel.com>	2019-03-26 16:38:59 +0000
commit	90b00c71067df78597db92bb60dbacf654a6f80a (patch)
tree	518214e15a188a194a795dc40e2cae72fceba845 /user_channel/user_mgmt.cpp
parent	17898f625b04d4fee6c2fd0626c47c93f2c2e7bd (diff)
download	phosphor-host-ipmid-90b00c71067df78597db92bb60dbacf654a6f80a.tar.gz phosphor-host-ipmid-90b00c71067df78597db92bb60dbacf654a6f80a.zip